Jonathan Nieder <jrnie...@gmail.com> writes:

> Junio C Hamano wrote:
>>> Andrej Andb wrote:
>
>>>> --- a/gitweb/gitweb.perl
>>>> +++ b/gitweb/gitweb.perl
>>>> @@ -2068,7 +2068,7 @@ sub picon_url {
>>>>    if (!$avatar_cache{$email}) {
>>>>            my ($user, $domain) = split('@', $email);
>>>>            $avatar_cache{$email} =
>>>> -                  
>>>> "http://www.cs.indiana.edu/cgi-pub/kinzler/piconsearch.cgi/"; .
>>>> +                  "//www.cs.indiana.edu/cgi-pub/kinzler/piconsearch.cgi/" 
>>>> .
> [...]
>> Intuitively it feels strange that the above lets the site that gave
>> you the base URL dictate over what scheme sites unrelated to it has
>> to serve their resources.
>
> The main effect is to slightly improve privacy.  A man in the middle
> can still see the size of avatars and when you fetched them, but at
> least this way when you are using HTTPS they do not see the names of
> authors of commits you are looking at.
>
> It also avoids a mixed content warning.
>
> On the other hand, it hurts caching by proxies.

I am sure mixed content warning was the primary motivation of the
patch.  Do we know these external sites actually server what we want
over https://?

--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to