Re: [PATCH] remove protocol from gravatar and picon links for clear if Gitweb is being called through a secure server

2013-01-28 Thread Jonathan Nieder
(cc-ing some area experts)
Hi Andrej,

Andrej Andb wrote:

 [Subject: remove protocol from gravatar and picon links for clear if
 Gitweb is being called through a secure server]

Sounds good to me.  May we have your signoff?  (See
Documentation/SubmittingPatches for what this means.)

Thanks,
Jonathan
(patch left unsnipped for reference)

 ---
  gitweb/gitweb.perl | 4 ++--
  1 file changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
 index c6bafe6..1309196 100755
 --- a/gitweb/gitweb.perl
 +++ b/gitweb/gitweb.perl
 @@ -2068,7 +2068,7 @@ sub picon_url {
   if (!$avatar_cache{$email}) {
   my ($user, $domain) = split('@', $email);
   $avatar_cache{$email} =
 - 
 http://www.cs.indiana.edu/cgi-pub/kinzler/piconsearch.cgi/; .
 + //www.cs.indiana.edu/cgi-pub/kinzler/piconsearch.cgi/ 
 .
   $domain/$user/ .
   users+domains+unknown/up/single;
   }
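Review bot: the `+` line turns the picon prefix into a scheme-relative (net_path) reference, so a gitweb page served over https:// will fetch the picon over https:// as well, and that only works if www.cs.indiana.edu actually serves piconsearch.cgi over https; the commit message, which is currently empty above the `---` line and lacks a Signed-off-by, should state that this was checked. Also, the `.` concatenation operator has landed on a line of its own after the `+` line, which looks like mail-client wrapping rather than the intended source layout; please confirm the patch still applies cleanly with `git am`.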
 @@ -2083,7 +2083,7 @@ sub gravatar_url {
   my $email = lc shift;
   my $size = shift;
   $avatar_cache{$email} ||=
 - http://www.gravatar.com/avatar/; .
 + //www.gravatar.com/avatar/ .
   Digest::MD5::md5_hex($email) . ?s=;
   return $avatar_cache{$email} . $size;
  }
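Review bot: same scheme-relative change for gravatar; since the URL carries `Digest::MD5::md5_hex($email)` of the commit author's address, following the page's scheme means that hash is no longer sent in cleartext when gitweb itself is served over https://, while http-only deployments are unchanged. Suggest stating that consequence, and that www.gravatar.com was verified to answer /avatar/ requests over https, in the commit message. The `?s=` size suffix and the `||=` caching are untouched, as expected.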
--
To unsubscribe from this list: send the line unsubscribe git in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


Re: [PATCH] remove protocol from gravatar and picon links for clear if Gitweb is being called through a secure server

2013-01-28 Thread Junio C Hamano
Jonathan Nieder jrnie...@gmail.com writes:

 (cc-ing some area experts)
 Hi Andrej,

 Andrej Andb wrote:

 [Subject: remove protocol from gravatar and picon links for clear if
 Gitweb is being called through a secure server]

 Sounds good to me.  May we have your signoff?  (See
 Documentation/SubmittingPatches for what this means.)

 Thanks,
 Jonathan
 (patch left unsnipped for reference)

 ---
  gitweb/gitweb.perl | 4 ++--
  1 file changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
 index c6bafe6..1309196 100755
 --- a/gitweb/gitweb.perl
 +++ b/gitweb/gitweb.perl
 @@ -2068,7 +2068,7 @@ sub picon_url {
  if (!$avatar_cache{$email}) {
  my ($user, $domain) = split('@', $email);
  $avatar_cache{$email} =
 -
 http://www.cs.indiana.edu/cgi-pub/kinzler/piconsearch.cgi/; .
 +//www.cs.indiana.edu/cgi-pub/kinzler/piconsearch.cgi/ 
 .

Hrmph.  Is that even a valid URL to refer to that external site from
a https://my.site/some/where/ base URL?  I wouldn't be surprised if
browsers allowed it, but I do not recall seeing such a use in RFCs.

Intuitively it feels strange that the above lets the site that gave
you the base URL dictate over what scheme sites unrelated to it have
to serve their resources.




Re: [PATCH] remove protocol from gravatar and picon links for clear if Gitweb is being called through a secure server

2013-01-28 Thread Junio C Hamano
Junio C Hamano gits...@pobox.com writes:

 -   
 http://www.cs.indiana.edu/cgi-pub/kinzler/piconsearch.cgi/; .
 +   //www.cs.indiana.edu/cgi-pub/kinzler/piconsearch.cgi/ 
 .

 Hrmph.  Is that even a valid URL to refer to that external site from
 a https://my.site/some/where/ base URL?  I wouldn't be surprised if
 browsers allowed it, but I do not recall seeing such a use in RFCs.

Ah, never mind.  That's net_path in 1808.


Re: [PATCH] remove protocol from gravatar and picon links for clear if Gitweb is being called through a secure server

2013-01-28 Thread Jonathan Nieder
Junio C Hamano wrote:
 Andrej Andb wrote:

 --- a/gitweb/gitweb.perl
 +++ b/gitweb/gitweb.perl
 @@ -2068,7 +2068,7 @@ sub picon_url {
 if (!$avatar_cache{$email}) {
 my ($user, $domain) = split('@', $email);
 $avatar_cache{$email} =
 -   
 http://www.cs.indiana.edu/cgi-pub/kinzler/piconsearch.cgi/; .
 +   //www.cs.indiana.edu/cgi-pub/kinzler/piconsearch.cgi/ 
 .
[...]
 Intuitively it feels strange that the above lets the site that gave
 you the base URL dictate over what scheme sites unrelated to it have
 to serve their resources.

The main effect is to slightly improve privacy.  A man in the middle
can still see the size of avatars and when you fetched them, but at
least this way when you are using HTTPS they do not see the names of
authors of commits you are looking at.

It also avoids a mixed content warning.

On the other hand, it hurts caching by proxies.

Jonathan
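Junio's net_path question and Jonathan's mixed-content and privacy points, as an added Python example that is not part of the thread or of gitweb: it mirrors gitweb's two URL builders, resolves the scheme-relative form against an https:// and an http:// page URL the way a browser does, and flags the mixed-content case. The page URLs and the e-mail address are constructed for the example.

```python
import hashlib
from urllib.parse import urljoin, urlsplit

# Constructed page URLs for this example (modelled on "https://my.site/some/where/").
PAGE_HTTPS = "https://my.site/some/where/"
PAGE_HTTP = "http://my.site/some/where/"


def gravatar_url(email, size, scheme_relative=True):
    """Build the avatar URL the way gitweb's gravatar_url() does: lowercase
    the address, MD5 it, append ?s=<size>. With scheme_relative=True the
    prefix is the RFC 1808 net_path form "//host/..." from the patch."""
    digest = hashlib.md5(email.lower().encode("utf-8")).hexdigest()
    prefix = "//" if scheme_relative else "http://"
    return f"{prefix}www.gravatar.com/avatar/{digest}?s={size}"


def picon_url(email, scheme_relative=True):
    """Mirror gitweb's picon_url(): user and domain go into the path
    verbatim, not hashed, so the picon server always learns them."""
    user, domain = email.split("@", 1)
    prefix = "//" if scheme_relative else "http://"
    return (f"{prefix}www.cs.indiana.edu/cgi-pub/kinzler/piconsearch.cgi/"
            f"{domain}/{user}/users+domains+unknown/up/single")


def resolve(page_url, ref):
    """Resolve a reference against the page URL as a browser does. A net_path
    reference keeps the page's scheme and replaces host and path."""
    return urljoin(page_url, ref)


def is_mixed_content(page_url, resource_url):
    """An http:// subresource on an https:// page is what browsers warn about."""
    return (urlsplit(page_url).scheme == "https"
            and urlsplit(resource_url).scheme == "http")


def audit(page_url, email, size=80, scheme_relative=True):
    """Return (resolved gravatar URL, mixed-content flag) for one page load."""
    final = resolve(page_url, gravatar_url(email, size, scheme_relative))
    return final, is_mixed_content(page_url, final)


if __name__ == "__main__":
    for page in (PAGE_HTTPS, PAGE_HTTP):
        for rel in (False, True):
            url, mixed = audit(page, "user@example.org", scheme_relative=rel)
            print(f"{page} scheme_relative={rel}: {url} mixed={mixed}")
```

With the absolute http:// prefix the https:// page load is flagged as mixed content; with the net_path form the avatar follows the page's scheme and the flag clears, while http:// deployments resolve exactly as before.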


Re: [PATCH] remove protocol from gravatar and picon links for clear if Gitweb is being called through a secure server

2013-01-28 Thread Junio C Hamano
Jonathan Nieder jrnie...@gmail.com writes:

 Junio C Hamano wrote:
 Andrej Andb wrote:

 --- a/gitweb/gitweb.perl
 +++ b/gitweb/gitweb.perl
 @@ -2068,7 +2068,7 @@ sub picon_url {
if (!$avatar_cache{$email}) {
my ($user, $domain) = split('@', $email);
$avatar_cache{$email} =
 -  
 http://www.cs.indiana.edu/cgi-pub/kinzler/piconsearch.cgi/; .
 +  //www.cs.indiana.edu/cgi-pub/kinzler/piconsearch.cgi/ 
 .
 [...]
 Intuitively it feels strange that the above lets the site that gave
 you the base URL dictate over what scheme sites unrelated to it have
 to serve their resources.

 The main effect is to slightly improve privacy.  A man in the middle
 can still see the size of avatars and when you fetched them, but at
 least this way when you are using HTTPS they do not see the names of
 authors of commits you are looking at.

 It also avoids a mixed content warning.

 On the other hand, it hurts caching by proxies.

I am sure the mixed content warning was the primary motivation of the
patch.  Do we know these external sites actually serve what we want
over https://?



Re: [PATCH] remove protocol from gravatar and picon links for clear if Gitweb is being called through a secure server

2013-01-28 Thread Андрей Баранов
Or maybe option like:
/etc/gitweb.conf:
$feature{'ssl'}{'default'} = ['allways']; ['auto']; ['none'];

but it's hard for me :) I don't know Perl

2013/1/29 Junio C Hamano gits...@pobox.com:
 Jonathan Nieder jrnie...@gmail.com writes:

 Junio C Hamano wrote:
 Andrej Andb wrote:

 --- a/gitweb/gitweb.perl
 +++ b/gitweb/gitweb.perl
 @@ -2068,7 +2068,7 @@ sub picon_url {
if (!$avatar_cache{$email}) {
my ($user, $domain) = split('@', $email);
$avatar_cache{$email} =
 -  
 http://www.cs.indiana.edu/cgi-pub/kinzler/piconsearch.cgi/; .
 +  
 //www.cs.indiana.edu/cgi-pub/kinzler/piconsearch.cgi/ .
 [...]
 Intuitively it feels strange that the above lets the site that gave
 you the base URL dictate over what scheme sites unrelated to it have
 to serve their resources.

 The main effect is to slightly improve privacy.  A man in the middle
 can still see the size of avatars and when you fetched them, but at
 least this way when you are using HTTPS they do not see the names of
 authors of commits you are looking at.

 It also avoids a mixed content warning.

 On the other hand, it hurts caching by proxies.

 I am sure the mixed content warning was the primary motivation of the
 patch.  Do we know these external sites actually serve what we want
 over https://?



Re: [PATCH] remove protocol from gravatar and picon links for clear if Gitweb is being called through a secure server

2013-01-28 Thread Jonathan Nieder
Junio C Hamano wrote:

 I am sure the mixed content warning was the primary motivation of the
 patch.

Sure, but that's not enough motivation for me to like it. ;-)
The privacy aspect is enough to motivate it for me.

 Do we know these external sites actually serve what we want
 over https://?

Yep.  cs.indiana.edu/cgi-pub/kinzler/piconsearch.cgi and
www.gravatar.com/avatar both support https and return the expected
responses for queries over https.


Re: [PATCH] remove protocol from gravatar and picon links for clear if Gitweb is being called through a secure server

2013-01-28 Thread Junio C Hamano
Андрей Баранов  ad...@andrej-andb.ru writes:

 Or maybe option like:
 /etc/gitweb.conf:
 $feature{'ssl'}{'default'} = ['allways']; ['auto']; ['none'];

 but it's hard for me :) I don't know Perl

The effect is the same and your original patch is shorter and
cleaner to see what is going on; as far as the patch text is
concerned, the original one is just fine.

Except that we wanted a bit more stuff before the --- line.  How about
something like this?

Subject: [PATCH] gitweb: refer to picon/gravatar images over the same scheme

The images from picon and gravatar are always used over
http://, and browsers give a mixed content warning when
gitweb is served over https://.

Just drop the scheme: part from the URL, so that these
external sites are accessed over https:// in such a case.

Signed-off-by: Your Name y...@addre.ss
---
 gitweb/gitweb.perl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
...



Re: [PATCH] remove protocol from gravatar and picon links for clear if Gitweb is being called through a secure server

2013-01-28 Thread Андрей Баранов
Re-sent.  Very big thanks for the example :D

2013/1/29 Junio C Hamano gits...@pobox.com:
 Андрей Баранов  ad...@andrej-andb.ru writes:

 Or maybe option like:
 /etc/gitweb.conf:
 $feature{'ssl'}{'default'} = ['allways']; ['auto']; ['none'];

 but it's hard for me :) I don't know Perl

 The effect is the same and your original patch is shorter and
 cleaner to see what is going on; as far as the patch text is
 concerned, the original one is just fine.

 Except that we wanted a bit more stuff before the --- line.  How about
 something like this?

 Subject: [PATCH] gitweb: refer to picon/gravatar images over the same scheme

 The images from picon and gravatar are always used over
 http://, and browsers give a mixed content warning when
 gitweb is served over https://.

 Just drop the scheme: part from the URL, so that these
 external sites are accessed over https:// in such a case.

 Signed-off-by: Your Name y...@addre.ss
 ---
  gitweb/gitweb.perl | 4 ++--
  1 file changed, 2 insertions(+), 2 deletions(-)

 diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
 ...
