v3.0 has hard-coded HTTPS references which causes IE11 security zone warnings/errors for on-prem TFS w/out HTTPS

[benark]

Scenario:

• On-prem TFS 2017 Update 1 server at http://tfs2017:8080/tfs
• Just updated to v3 of the Sprint Goal extension

Issue:
Looking at the Sprint Board causes a "Only secured content is shown" warning in IE11 which causes the board to not fully load and disables opening PBI/task details.

Proposed solution:
Do not assume the instance is being hosted on an HTTPS site; use protocol-agnostic URL references that begin with // instead of https:// or http://. This is now supposedly an anti-pattern however it maintains compatibility with on-prem instances not on HTTPS.

Workaround:
This is not an issue in Chrome.

[keesschollaart81]

I've tested this and you're right. The problem is, I dont know how to fix this. This extension is hosted remote which is configured in the manifest here. This variable is substituded in the release pipeline per environment (dev/test/prod) with the URL of the CDN. When VSTS loads the extension is uses this baseurl in the manifest XML. I've tried to change this to start with // instead of https:// but then the extension does not load any more...

I've created an issue in one of the VSTS repositories, let's see if we can fix this.

[keesschollaart81]

Fixed with #19