The protocol is never really required. You can start with "/" and it's taken as the root of the current domain (for example, "/foobar" is <current-protocol>://<current-domain>/foobar, so here on this site it would be http://www.gamedev.net/foobar). Alternatively, you can use "//" to inherit the protocol of the current page (that is, "//foobar" is <current-protocol>://foobar, which would be http://foobar here on GameDev.net).
Anyway, I imagine the reason the URLs are hardcoded is because without the protocol browsers can decide that the address is relative and not absolute and thereby break the whole thing (in other words, the protocol is required, pretty much).
Either way, HTTPS should be hard coded for a login POST with a password being sent.
(ugh, the editor ate my post, and I don't have time to retype it)