diff --git a/CHANGELOG.md b/CHANGELOG.md
index a818689b..b204a045 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -15,6 +15,7 @@ _Note: Gaps between patch versions are faulty, broken or test releases._
 * **Improvements**
+ * Use relative links for serving internal assets ([#261](https://github.com/webpack-contrib/webpack-bundle-analyzer/pull/261), fixes [#254](https://github.com/webpack-contrib/webpack-bundle-analyzer/issues/254))
 * Properly escape embedded JS/JSON ([#262](https://github.com/webpack-contrib/webpack-bundle-analyzer/pull/262))
 * **Bug Fix**
diff --git a/src/viewer.js b/src/viewer.js
index ae4ab261..564039ac 100644
--- a/src/viewer.js
+++ b/src/viewer.js
@@ -14,6 +14,7 @@ const Logger = require('./Logger');
 const analyzer = require('./analyzer');
 const projectRoot = path.resolve(__dirname, '..');
+const assetsRoot = path.join(projectRoot, 'public');
 module.exports = {
 startServer,
@@ -169,7 +170,13 @@ async function generateReport(bundleStats, opts) {
 }
 function getAssetContent(filename) {
- return fs.readFileSync(`${projectRoot}/public/${filename}`, 'utf8');
+ const assetPath = path.join(assetsRoot, filename);
+
+ if (!assetPath.startsWith(assetsRoot)) {
+ throw new Error(`"${filename}" is outside of the assets root`);
+ }
+
+ return fs.readFileSync(assetPath, 'utf8');
 }
 /**
diff --git a/views/script.ejs b/views/script.ejs
index 718c954f..37976abf 100644
--- a/views/script.ejs
+++ b/views/script.ejs
@@ -4,5 +4,5 @@ <%- escapeScript(assetContent(filename)) %>
 <% } else { %>
-
+
 <% } %>
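Review bot: In src/viewer.js, the containment check added to getAssetContent, `assetPath.startsWith(assetsRoot)`, is a plain string-prefix test, so a resolved path in a sibling directory whose name merely begins with the root's name (a constructed example: `<projectRoot>/public-old/x`) also passes it. Compare against the root plus a separator instead, `if (!assetPath.startsWith(assetsRoot + path.sep)) {`, or check that `path.relative(assetsRoot, assetPath)` neither starts with `..` nor is absolute. The test is also purely lexical, so a symlink placed inside `public` would still be followed by `readFileSync`; whether `filename` can be influenced from outside is not visible in this hunk, so treat both as hardening points. A short comment above the check, such as `// Reject "../" traversal: filename must resolve inside assetsRoot`, would record why it exists.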