[PATCH] remove protocol from gravatar and picon links for clear if Gitweb is being called through a secure server

[PATCH] remove protocol from gravatar and picon links for clear if Gitweb is being called through a secure server

[Andrej Andb]

---
 gitweb/gitweb.perl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
index c6bafe6..1309196 100755
--- a/gitweb/gitweb.perl
+++ b/gitweb/gitweb.perl
@@ -2068,7 +2068,7 @@ sub picon_url {
 	if (!$avatar_cache{$email}) {
 		my ($user, $domain) = split('@', $email);
 		$avatar_cache{$email} =
-			"http://www.cs.indiana.edu/cgi-pub/kinzler/piconsearch.cgi/" .
+			"//www.cs.indiana.edu/cgi-pub/kinzler/piconsearch.cgi/" .
 			"$domain/$user/" .
 			"users+domains+unknown/up/single";
 	}
@@ -2083,7 +2083,7 @@ sub gravatar_url {
 	my $email = lc shift;
 	my $size = shift;
 	$avatar_cache{$email} ||=
-		"http://www.gravatar.com/avatar/" .
+		"//www.gravatar.com/avatar/" .
 			Digest::MD5::md5_hex($email) . "?s=";
 	return $avatar_cache{$email} . $size;
 }
-- 
1.8.1.1

Re: [PATCH] remove protocol from gravatar and picon links for clear if Gitweb is being called through a secure server

[Jonathan Nieder]

(cc-ing some area experts)
Hi Andrej,

Andrej Andb wrote:

> [Subject: remove protocol from gravatar and picon links for clear if
> Gitweb is being called through a secure server]

Sounds good to me.  May we have your signoff?  (See
Documentation/SubmittingPatches for what this means.)

Thanks,
Jonathan
(patch left unsnipped for reference)

> ---
>  gitweb/gitweb.perl | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
> index c6bafe6..1309196 100755
> --- a/gitweb/gitweb.perl
> +++ b/gitweb/gitweb.perl
> @@ -2068,7 +2068,7 @@ sub picon_url {
>  	if (!$avatar_cache{$email}) {
>  		my ($user, $domain) = split('@', $email);
>  		$avatar_cache{$email} =
> -			"http://www.cs.indiana.edu/cgi-pub/kinzler/piconsearch.cgi/" .
> +			"//www.cs.indiana.edu/cgi-pub/kinzler/piconsearch.cgi/" .
>  			"$domain/$user/" .
>  			"users+domains+unknown/up/single";
>  	}
> @@ -2083,7 +2083,7 @@ sub gravatar_url {
>  	my $email = lc shift;
>  	my $size = shift;
>  	$avatar_cache{$email} ||=
> -		"http://www.gravatar.com/avatar/" .
> +		"//www.gravatar.com/avatar/" .
>  			Digest::MD5::md5_hex($email) . "?s=";
>  	return $avatar_cache{$email} . $size;
>  }

Re: [PATCH] remove protocol from gravatar and picon links for clear if Gitweb is being called through a secure server

[Junio C Hamano]

Jonathan Nieder <jrnieder@gmail.com> writes:

> (cc-ing some area experts)
> Hi Andrej,
>
> Andrej Andb wrote:
>
>> [Subject: remove protocol from gravatar and picon links for clear if
>> Gitweb is being called through a secure server]
>
> Sounds good to me.  May we have your signoff?  (See
> Documentation/SubmittingPatches for what this means.)
>
> Thanks,
> Jonathan
> (patch left unsnipped for reference)
>
>> ---
>>  gitweb/gitweb.perl | 4 ++--
>>  1 file changed, 2 insertions(+), 2 deletions(-)
>> 
>> diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
>> index c6bafe6..1309196 100755
>> --- a/gitweb/gitweb.perl
>> +++ b/gitweb/gitweb.perl
>> @@ -2068,7 +2068,7 @@ sub picon_url {
>>  	if (!$avatar_cache{$email}) {
>>  		my ($user, $domain) = split('@', $email);
>>  		$avatar_cache{$email} =
>> -			"http://www.cs.indiana.edu/cgi-pub/kinzler/piconsearch.cgi/" .
>> +			"//www.cs.indiana.edu/cgi-pub/kinzler/piconsearch.cgi/" .

Hrmph.  Is that even a valid URL to refer to that external site from
a https://my.site/some/where/ base URL?  I wouldn't be surprised if
browsers allowed it, but I do not recall seeing such a use in RFCs.

Intuitively it feels strange that the above lets the site that gave
you the base URL dictate over what scheme sites unrelated to it has
to serve their resources.

Re: [PATCH] remove protocol from gravatar and picon links for clear if Gitweb is being called through a secure server

[Junio C Hamano]

Junio C Hamano <gitster@pobox.com> writes:

>>> -			"http://www.cs.indiana.edu/cgi-pub/kinzler/piconsearch.cgi/" .
>>> +			"//www.cs.indiana.edu/cgi-pub/kinzler/piconsearch.cgi/" .
>
> Hrmph.  Is that even a valid URL to refer to that external site from
> a https://my.site/some/where/ base URL?  I wouldn't be surprised if
> browsers allowed it, but I do not recall seeing such a use in RFCs.

ah, nevermind.  That's net_path in 1808.

Re: [PATCH] remove protocol from gravatar and picon links for clear if Gitweb is being called through a secure server

[Jonathan Nieder]

Junio C Hamano wrote:
>> Andrej Andb wrote:

>>> --- a/gitweb/gitweb.perl
>>> +++ b/gitweb/gitweb.perl
>>> @@ -2068,7 +2068,7 @@ sub picon_url {
>>>  	if (!$avatar_cache{$email}) {
>>>  		my ($user, $domain) = split('@', $email);
>>>  		$avatar_cache{$email} =
>>> -			"http://www.cs.indiana.edu/cgi-pub/kinzler/piconsearch.cgi/" .
>>> +			"//www.cs.indiana.edu/cgi-pub/kinzler/piconsearch.cgi/" .
[...]
> Intuitively it feels strange that the above lets the site that gave
> you the base URL dictate over what scheme sites unrelated to it has
> to serve their resources.

The main effect is to slightly improve privacy.  A man in the middle
can still see the size of avatars and when you fetched them, but at
least this way when you are using HTTPS they do not see the names of
authors of commits you are looking at.

It also avoids a mixed content warning.

On the other hand, it hurts caching by proxies.

Jonathan

Re: [PATCH] remove protocol from gravatar and picon links for clear if Gitweb is being called through a secure server

[Junio C Hamano]

Jonathan Nieder <jrnieder@gmail.com> writes:

> Junio C Hamano wrote:
>>> Andrej Andb wrote:
>
>>>> --- a/gitweb/gitweb.perl
>>>> +++ b/gitweb/gitweb.perl
>>>> @@ -2068,7 +2068,7 @@ sub picon_url {
>>>>  	if (!$avatar_cache{$email}) {
>>>>  		my ($user, $domain) = split('@', $email);
>>>>  		$avatar_cache{$email} =
>>>> -			"http://www.cs.indiana.edu/cgi-pub/kinzler/piconsearch.cgi/" .
>>>> +			"//www.cs.indiana.edu/cgi-pub/kinzler/piconsearch.cgi/" .
> [...]
>> Intuitively it feels strange that the above lets the site that gave
>> you the base URL dictate over what scheme sites unrelated to it has
>> to serve their resources.
>
> The main effect is to slightly improve privacy.  A man in the middle
> can still see the size of avatars and when you fetched them, but at
> least this way when you are using HTTPS they do not see the names of
> authors of commits you are looking at.
>
> It also avoids a mixed content warning.
>
> On the other hand, it hurts caching by proxies.

I am sure mixed content warning was the primary motivation of the
patch.  Do we know these external sites actually server what we want
over https://?

Re: [PATCH] remove protocol from gravatar and picon links for clear if Gitweb is being called through a secure server

[Андрей Баранов]

Or maybe option like:
/etc/gitweb.conf:
$feature{'ssl'}{'default'} = ['allways']; ['auto']; ['none'];

but it's hard for me :) i don't know perl

2013/1/29 Junio C Hamano <gitster@pobox.com>:
> Jonathan Nieder <jrnieder@gmail.com> writes:
>
>> Junio C Hamano wrote:
>>>> Andrej Andb wrote:
>>
>>>>> --- a/gitweb/gitweb.perl
>>>>> +++ b/gitweb/gitweb.perl
>>>>> @@ -2068,7 +2068,7 @@ sub picon_url {
>>>>>    if (!$avatar_cache{$email}) {
>>>>>            my ($user, $domain) = split('@', $email);
>>>>>            $avatar_cache{$email} =
>>>>> -                  "http://www.cs.indiana.edu/cgi-pub/kinzler/piconsearch.cgi/" .
>>>>> +                  "//www.cs.indiana.edu/cgi-pub/kinzler/piconsearch.cgi/" .
>> [...]
>>> Intuitively it feels strange that the above lets the site that gave
>>> you the base URL dictate over what scheme sites unrelated to it has
>>> to serve their resources.
>>
>> The main effect is to slightly improve privacy.  A man in the middle
>> can still see the size of avatars and when you fetched them, but at
>> least this way when you are using HTTPS they do not see the names of
>> authors of commits you are looking at.
>>
>> It also avoids a mixed content warning.
>>
>> On the other hand, it hurts caching by proxies.
>
> I am sure mixed content warning was the primary motivation of the
> patch.  Do we know these external sites actually server what we want
> over https://?
>

Re: [PATCH] remove protocol from gravatar and picon links for clear if Gitweb is being called through a secure server

[Jonathan Nieder]

Junio C Hamano wrote:

> I am sure mixed content warning was the primary motivation of the
> patch.

Sure, but that's not enough motivation for me to like it. ;-)
The privacy aspect is enough to motivate it for me.

>         Do we know these external sites actually server what we want
> over https://?

Yep.  cs.indiana.edu/cgi-pub/kinzler/piconsearch.cgi and
www.gravatar.com/avatar both support https and return the expected
responses for queries over https.

Re: [PATCH] remove protocol from gravatar and picon links for clear if Gitweb is being called through a secure server

[Junio C Hamano]

Андрей Баранов  <admin@andrej-andb.ru> writes:

> Or maybe option like:
> /etc/gitweb.conf:
> $feature{'ssl'}{'default'} = ['allways']; ['auto']; ['none'];
>
> but it's hard for me :) i don't know perl

The effect is the same and your original patch is shorter and
cleaner to see what is going on; as far as the patch text is
concerned, the original one is just fine.

Except that we wanted a bit more stuff before "---" line.  How about
something like this?

        Subject: [PATCH] gitweb: refer to picon/gravatar images over the same scheme

        The images from picon and gravatar are always used over
        http://, and browsers give mixed contents warning when
        gitweb is served over https://.

        Just drop the scheme: part from the URL, so that these
        external sites are accessed over https:// in such a case.

        Signed-off-by: Your Name <your@addre.ss>
        ---
         gitweb/gitweb.perl | 4 ++--
         1 file changed, 2 insertions(+), 2 deletions(-)

        diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
	...

Re: [PATCH] remove protocol from gravatar and picon links for clear if Gitweb is being called through a secure server

[Андрей Баранов]

re sended. Very big thanks for example :D

2013/1/29 Junio C Hamano <gitster@pobox.com>:
> Андрей Баранов  <admin@andrej-andb.ru> writes:
>
>> Or maybe option like:
>> /etc/gitweb.conf:
>> $feature{'ssl'}{'default'} = ['allways']; ['auto']; ['none'];
>>
>> but it's hard for me :) i don't know perl
>
> The effect is the same and your original patch is shorter and
> cleaner to see what is going on; as far as the patch text is
> concerned, the original one is just fine.
>
> Except that we wanted a bit more stuff before "---" line.  How about
> something like this?
>
>         Subject: [PATCH] gitweb: refer to picon/gravatar images over the same scheme
>
>         The images from picon and gravatar are always used over
>         http://, and browsers give mixed contents warning when
>         gitweb is served over https://.
>
>         Just drop the scheme: part from the URL, so that these
>         external sites are accessed over https:// in such a case.
>
>         Signed-off-by: Your Name <your@addre.ss>
>         ---
>          gitweb/gitweb.perl | 4 ++--
>          1 file changed, 2 insertions(+), 2 deletions(-)
>
>         diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
>         ...
>