Re: [PATCH] remove protocol from gravatar and picon links for clear if Gitweb is being called through a secure server
(cc-ing some area experts)

Hi Andrej,

Andrej Andb wrote:

> [Subject: remove protocol from gravatar and picon links for clear if Gitweb is being called through a secure server]

Sounds good to me. May we have your signoff? (See Documentation/SubmittingPatches for what this means.)

Thanks,
Jonathan

(patch left unsnipped for reference)

> --- gitweb/gitweb.perl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl index c6bafe6..1309196 100755 --- a/gitweb/gitweb.perl +++ b/gitweb/gitweb.perl @@ -2068,7 +2068,7 @@ sub picon_url { if (!$avatar_cache{$email}) { my ($user, $domain) = split('@', $email); $avatar_cache{$email} = - http://www.cs.indiana.edu/cgi-pub/kinzler/piconsearch.cgi/; . + //www.cs.indiana.edu/cgi-pub/kinzler/piconsearch.cgi/ . $domain/$user/ . users+domains+unknown/up/single; } @@ -2083,7 +2083,7 @@ sub gravatar_url { my $email = lc shift; my $size = shift; $avatar_cache{$email} ||= - http://www.gravatar.com/avatar/; . + //www.gravatar.com/avatar/ . Digest::MD5::md5_hex($email) . ?s=; return $avatar_cache{$email} . $size; }

--
To unsubscribe from this list: send the line unsubscribe git in the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
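
Review bot: In the picon_url hunk, the scheme-relative `//www.cs.indiana.edu/...` prefix only moves the fetch to https when the gitweb page itself is served over https; on an http page the `$domain/$user/` path built from the author's e-mail still goes out in cleartext. If the picon host is known to answer over https, consider hard-coding `https://` here so the request is protected regardless of how gitweb is served.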
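
Review bot: Missing documentation in the gravatar_url hunk: a string that starts with `//www.gravatar.com/avatar/` reads like a typo for a dropped `http:`, and nothing in the hunk says the scheme is omitted on purpose. Add a one-line comment above the assignment saying the URL is deliberately scheme-relative so that it follows the scheme of the page, and say the same in the patch description, which as posted has no text before the `---` line.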
Re: [PATCH] remove protocol from gravatar and picon links for clear if Gitweb is being called through a secure server
Jonathan Nieder jrnie...@gmail.com writes:

> (cc-ing some area experts)
>
> Hi Andrej,
>
> Andrej Andb wrote:
>
>> [Subject: remove protocol from gravatar and picon links for clear if Gitweb is being called through a secure server]
>
> Sounds good to me. May we have your signoff? (See Documentation/SubmittingPatches for what this means.)
>
> Thanks,
> Jonathan
>
> (patch left unsnipped for reference)
>
>> --- gitweb/gitweb.perl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl index c6bafe6..1309196 100755 --- a/gitweb/gitweb.perl +++ b/gitweb/gitweb.perl @@ -2068,7 +2068,7 @@ sub picon_url { if (!$avatar_cache{$email}) { my ($user, $domain) = split('@', $email); $avatar_cache{$email} = - http://www.cs.indiana.edu/cgi-pub/kinzler/piconsearch.cgi/; . +//www.cs.indiana.edu/cgi-pub/kinzler/piconsearch.cgi/ .

Hrmph. Is that even a valid URL to refer to that external site from a https://my.site/some/where/ base URL? I wouldn't be surprised if browsers allowed it, but I do not recall seeing such a use in RFCs.

Intuitively it feels strange that the above lets the site that gave you the base URL dictate over what scheme sites unrelated to it has to serve their resources.
Re: [PATCH] remove protocol from gravatar and picon links for clear if Gitweb is being called through a secure server
Junio C Hamano gits...@pobox.com writes:

>>> - http://www.cs.indiana.edu/cgi-pub/kinzler/piconsearch.cgi/; . + //www.cs.indiana.edu/cgi-pub/kinzler/piconsearch.cgi/ .
>
> Hrmph. Is that even a valid URL to refer to that external site from a https://my.site/some/where/ base URL? I wouldn't be surprised if browsers allowed it, but I do not recall seeing such a use in RFCs.

ah, nevermind. That's net_path in 1808.
Re: [PATCH] remove protocol from gravatar and picon links for clear if Gitweb is being called through a secure server
Junio C Hamano wrote:
> Andrej Andb wrote:

>> --- a/gitweb/gitweb.perl +++ b/gitweb/gitweb.perl @@ -2068,7 +2068,7 @@ sub picon_url { if (!$avatar_cache{$email}) { my ($user, $domain) = split('@', $email); $avatar_cache{$email} = - http://www.cs.indiana.edu/cgi-pub/kinzler/piconsearch.cgi/; . + //www.cs.indiana.edu/cgi-pub/kinzler/piconsearch.cgi/ .
> [...]
> Intuitively it feels strange that the above lets the site that gave you the base URL dictate over what scheme sites unrelated to it has to serve their resources.

The main effect is to slightly improve privacy. A man in the middle can still see the size of avatars and when you fetched them, but at least this way when you are using HTTPS they do not see the names of authors of commits you are looking at.

It also avoids a mixed content warning. On the other hand, it hurts caching by proxies.

Jonathan
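
How the URL forms discussed in this thread resolve against an https and an http gitweb page, as an added example that is not part of the original thread or of gitweb. The page URL is the one used in the question above; the avatar hash, the `classify`/`audit` names and the always-https variant are assumptions made for the illustration.

```javascript
// Added illustration (not gitweb code). The avatar hash is a constructed placeholder.
const HASH = '0123456789abcdef0123456789abcdef';
const AVATAR_REFS = {
  hardCodedHttp: `http://www.gravatar.com/avatar/${HASH}?s=16`,   // before the patch
  schemeRelative: `//www.gravatar.com/avatar/${HASH}?s=16`,       // the patch
  hardCodedHttps: `https://www.gravatar.com/avatar/${HASH}?s=16`, // assumed always-TLS variant
};

// Resolve one reference the way a browser does for <img src=...> and report
// the two properties argued about in the thread.
function classify(pageUrl, ref) {
  const page = new URL(pageUrl);
  // A reference starting with "//" (net_path in RFC 1808) supplies host and
  // path only; the scheme is inherited from the base URL.
  const resolved = new URL(ref, page);
  const cleartext = resolved.protocol === 'http:';
  return {
    resolved: resolved.href,
    // Secure page pulling a subresource over plain HTTP: mixed content.
    mixedContent: page.protocol === 'https:' && cleartext,
    // The request path identifies the commit author to anyone on the wire.
    authorVisibleOnWire: cleartext,
  };
}

// Classify every URL form for one gitweb page URL.
function audit(pageUrl) {
  const report = {};
  for (const [form, ref] of Object.entries(AVATAR_REFS)) {
    report[form] = classify(pageUrl, ref);
  }
  return report;
}

for (const page of ['https://my.site/some/where/', 'http://my.site/some/where/']) {
  console.log(page);
  console.table(audit(page));
}
```

On the https page only the hard-coded http form is mixed content; on the http page the scheme-relative form still sends the avatar request in cleartext.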
Re: [PATCH] remove protocol from gravatar and picon links for clear if Gitweb is being called through a secure server
Jonathan Nieder jrnie...@gmail.com writes:

> Junio C Hamano wrote:
>> Andrej Andb wrote:

>>> --- a/gitweb/gitweb.perl +++ b/gitweb/gitweb.perl @@ -2068,7 +2068,7 @@ sub picon_url { if (!$avatar_cache{$email}) { my ($user, $domain) = split('@', $email); $avatar_cache{$email} = - http://www.cs.indiana.edu/cgi-pub/kinzler/piconsearch.cgi/; . + //www.cs.indiana.edu/cgi-pub/kinzler/piconsearch.cgi/ .
>> [...]
>> Intuitively it feels strange that the above lets the site that gave you the base URL dictate over what scheme sites unrelated to it has to serve their resources.
>
> The main effect is to slightly improve privacy. A man in the middle can still see the size of avatars and when you fetched them, but at least this way when you are using HTTPS they do not see the names of authors of commits you are looking at.
>
> It also avoids a mixed content warning. On the other hand, it hurts caching by proxies.

I am sure mixed content warning was the primary motivation of the patch.

Do we know these external sites actually serve what we want over https://?
Re: [PATCH] remove protocol from gravatar and picon links for clear if Gitweb is being called through a secure server
Or maybe option like:

/etc/gitweb.conf:
$feature{'ssl'}{'default'} = ['allways']; ['auto']; ['none'];

but it's hard for me :) I don't know Perl

2013/1/29 Junio C Hamano gits...@pobox.com:
> Jonathan Nieder jrnie...@gmail.com writes:
>
>> Junio C Hamano wrote:
>>> Andrej Andb wrote:

>>>> --- a/gitweb/gitweb.perl +++ b/gitweb/gitweb.perl @@ -2068,7 +2068,7 @@ sub picon_url { if (!$avatar_cache{$email}) { my ($user, $domain) = split('@', $email); $avatar_cache{$email} = - http://www.cs.indiana.edu/cgi-pub/kinzler/piconsearch.cgi/; . + //www.cs.indiana.edu/cgi-pub/kinzler/piconsearch.cgi/ .
>>> [...]
>>> Intuitively it feels strange that the above lets the site that gave you the base URL dictate over what scheme sites unrelated to it has to serve their resources.
>>
>> The main effect is to slightly improve privacy. A man in the middle can still see the size of avatars and when you fetched them, but at least this way when you are using HTTPS they do not see the names of authors of commits you are looking at.
>>
>> It also avoids a mixed content warning. On the other hand, it hurts caching by proxies.
>
> I am sure mixed content warning was the primary motivation of the patch.
>
> Do we know these external sites actually serve what we want over https://?
Re: [PATCH] remove protocol from gravatar and picon links for clear if Gitweb is being called through a secure server
Junio C Hamano wrote:

> I am sure mixed content warning was the primary motivation of the patch.

Sure, but that's not enough motivation for me to like it. ;-) The privacy aspect is enough to motivate it for me.

> Do we know these external sites actually serve what we want over https://?

Yep. cs.indiana.edu/cgi-pub/kinzler/piconsearch.cgi and www.gravatar.com/avatar both support https and return the expected responses for queries over https.
Re: [PATCH] remove protocol from gravatar and picon links for clear if Gitweb is being called through a secure server
Андрей Баранов ad...@andrej-andb.ru writes:

> Or maybe option like:
>
> /etc/gitweb.conf:
> $feature{'ssl'}{'default'} = ['allways']; ['auto']; ['none'];
>
> but it's hard for me :) I don't know Perl

The effect is the same and your original patch is shorter and cleaner to see what is going on; as far as the patch text is concerned, the original one is just fine.

Except that we wanted a bit more stuff before --- line. How about something like this?

Subject: [PATCH] gitweb: refer to picon/gravatar images over the same scheme

The images from picon and gravatar are always used over http://, and browsers give mixed contents warning when gitweb is served over https://.

Just drop the scheme: part from the URL, so that these external sites are accessed over https:// in such a case.

Signed-off-by: Your Name y...@addre.ss

--- gitweb/gitweb.perl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl ...
Re: [PATCH] remove protocol from gravatar and picon links for clear if Gitweb is being called through a secure server
Resent. Very big thanks for the example :D

2013/1/29 Junio C Hamano gits...@pobox.com:
> Андрей Баранов ad...@andrej-andb.ru writes:
>
>> Or maybe option like:
>>
>> /etc/gitweb.conf:
>> $feature{'ssl'}{'default'} = ['allways']; ['auto']; ['none'];
>>
>> but it's hard for me :) I don't know Perl
>
> The effect is the same and your original patch is shorter and cleaner to see what is going on; as far as the patch text is concerned, the original one is just fine.
>
> Except that we wanted a bit more stuff before --- line. How about something like this?
>
> Subject: [PATCH] gitweb: refer to picon/gravatar images over the same scheme
>
> The images from picon and gravatar are always used over http://, and browsers give mixed contents warning when gitweb is served over https://.
>
> Just drop the scheme: part from the URL, so that these external sites are accessed over https:// in such a case.
>
> Signed-off-by: Your Name y...@addre.ss
>
> --- gitweb/gitweb.perl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl ...