[PATCH] The images from picon and gravatar are always used over http://, and browsers give mixed contents warning when gitweb is served over https://.

git.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] The images from picon and gravatar are always used over http://, and browsers give mixed contents warning when gitweb is served over https://.
@ 2013-01-28 23:41 Andrej E Baranov
  2013-01-29  3:03 ` Junio C Hamano
  0 siblings, 1 reply; 8+ messages in thread
From: Andrej E Baranov @ 2013-01-28 23:41 UTC (permalink / raw)
  To: git; +Cc: gitster, jrnieder, giuseppe.bilotta, jnareb, Andrej E Baranov

Just drop the scheme: part from the URL, so that these
external sites are accessed over https:// in such a case.

Signed-off-by: Andrej E Baranov <admin@andrej-andb.ru>
---
 gitweb/gitweb.perl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
index c6bafe6..1309196 100755
--- a/gitweb/gitweb.perl
+++ b/gitweb/gitweb.perl
@@ -2068,7 +2068,7 @@ sub picon_url {
 	if (!$avatar_cache{$email}) {
 		my ($user, $domain) = split('@', $email);
 		$avatar_cache{$email} =
-			"http://www.cs.indiana.edu/cgi-pub/kinzler/piconsearch.cgi/" .
+			"//www.cs.indiana.edu/cgi-pub/kinzler/piconsearch.cgi/" .
 			"$domain/$user/" .
 			"users+domains+unknown/up/single";
 	}
@@ -2083,7 +2083,7 @@ sub gravatar_url {
 	my $email = lc shift;
 	my $size = shift;
 	$avatar_cache{$email} ||=
-		"http://www.gravatar.com/avatar/" .
+		"//www.gravatar.com/avatar/" .
 			Digest::MD5::md5_hex($email) . "?s=";
 	return $avatar_cache{$email} . $size;
 }
-- 
1.8.1.1

^ permalink raw reply related	[flat|nested] 8+ messages in thread

* Re: [PATCH] The images from picon and gravatar are always used over http://, and browsers give mixed contents warning when gitweb is served over https://.
  2013-01-28 23:41 [PATCH] The images from picon and gravatar are always used over http://, and browsers give mixed contents warning when gitweb is served over https:// Andrej E Baranov
@ 2013-01-29  3:03 ` Junio C Hamano
  2013-01-29  3:28   ` Bryan Turner
  0 siblings, 1 reply; 8+ messages in thread
From: Junio C Hamano @ 2013-01-29  3:03 UTC (permalink / raw)
  To: Andrej E Baranov; +Cc: git, jrnieder, giuseppe.bilotta, jnareb

Thanks; will queue.

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH] The images from picon and gravatar are always used over http://, and browsers give mixed contents warning when gitweb is served over https://.
  2013-01-29  3:03 ` Junio C Hamano
@ 2013-01-29  3:28   ` Bryan Turner
  2013-01-29  4:12     ` Jonathan Nieder
  0 siblings, 1 reply; 8+ messages in thread
From: Bryan Turner @ 2013-01-29  3:28 UTC (permalink / raw)
  To: git

This won't work correctly as-is. The secure URL for Gravatar is
"https://secure.gravatar.com"[1], not "https://www.gravatar.com".

[1] See the "Secure Requests" section on:
https://en.gravatar.com/site/implement/images/

On 29 January 2013 14:03, Junio C Hamano <gitster@pobox.com> wrote:
>
> Thanks; will queue.
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe git" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH] The images from picon and gravatar are always used over http://, and browsers give mixed contents warning when gitweb is served over https://.
  2013-01-29  3:28   ` Bryan Turner
@ 2013-01-29  4:12     ` Jonathan Nieder
  2013-01-29  4:16       ` Bryan Turner
  2013-01-29 18:33       ` Junio C Hamano
  0 siblings, 2 replies; 8+ messages in thread
From: Jonathan Nieder @ 2013-01-29  4:12 UTC (permalink / raw)
  To: Bryan Turner; +Cc: git, Andrej E Baranov, Junio C Hamano

Hi Bryan,

Bryan Turner wrote:

> This won't work correctly as-is. The secure URL for Gravatar is
> "https://secure.gravatar.com"[1], not "https://www.gravatar.com".

Odd.  "https://www.gravatar.com/" also seems to work.  I've put in a
technical support query to find out what the Gravatar admins prefer.

Thanks,
Jonathan

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH] The images from picon and gravatar are always used over http://, and browsers give mixed contents warning when gitweb is served over https://.
  2013-01-29  4:12     ` Jonathan Nieder
@ 2013-01-29  4:16       ` Bryan Turner
  2013-01-29 18:33       ` Junio C Hamano
  1 sibling, 0 replies; 8+ messages in thread
From: Bryan Turner @ 2013-01-29  4:16 UTC (permalink / raw)
  To: git

Interesting. I wonder if they've changed it recently. I only pointed
it out because a software product I'm working on had a bug because it
was building the URLs with "https://www..." and the resulting images
were showing as X's instead of avatars. We had to change the
implementation to use "https://secure..." to get the avatars to load
correctly. That's been ~8 months ago now, though, so maybe it's no
longer the case. It seems like it would be much more convenient if
they just changed the scheme.

Bryan

On 29 January 2013 15:12, Jonathan Nieder <jrnieder@gmail.com> wrote:
> Hi Bryan,
>
> Bryan Turner wrote:
>
>> This won't work correctly as-is. The secure URL for Gravatar is
>> "https://secure.gravatar.com"[1], not "https://www.gravatar.com".
>
> Odd.  "https://www.gravatar.com/" also seems to work.  I've put in a
> technical support query to find out what the Gravatar admins prefer.
>
> Thanks,
> Jonathan

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH] The images from picon and gravatar are always used over http://, and browsers give mixed contents warning when gitweb is served over https://.
  2013-01-29  4:12     ` Jonathan Nieder
  2013-01-29  4:16       ` Bryan Turner
@ 2013-01-29 18:33       ` Junio C Hamano
  2013-01-31  1:28         ` Jonathan Nieder
  1 sibling, 1 reply; 8+ messages in thread
From: Junio C Hamano @ 2013-01-29 18:33 UTC (permalink / raw)
  To: Jonathan Nieder; +Cc: Bryan Turner, git, Andrej E Baranov

Jonathan Nieder <jrnieder@gmail.com> writes:

> Odd.  "https://www.gravatar.com/" also seems to work.  I've put in a
> technical support query to find out what the Gravatar admins prefer.

Thanks; will hold onto Andrej's patch until we hear what the story
is.

Of course we could do something like this (untested).

 gitweb/gitweb.perl | 24 +++++++++++++++++++-----
 1 file changed, 19 insertions(+), 5 deletions(-)

diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
index c6bafe6..b59773b 100755
--- a/gitweb/gitweb.perl
+++ b/gitweb/gitweb.perl
@@ -313,6 +313,14 @@ sub evaluate_uri {
 		'override' => 0,
 		'default' => [0]},
 
+	# Use https:// URL for embedded picons/gravatar images, to be used
+	# on installations that server gitweb over https://
+	'subcontentssl' => {
+		'sub' => sub { feature_bool('subcontentssl', @_) },
+		'override' => 0,
+		'default' => [0]},
+	}
+
 	# Enable the 'snapshot' link, providing a compressed archive of any
 	# tree. This can potentially generate high traffic if you have large
 	# project.
@@ -1111,6 +1119,7 @@ sub evaluate_git_dir {
 }
 
 our (@snapshot_fmts, $git_avatar);
+our ($gravatar_base_url, $picon_base_url);
 sub configure_gitweb_features {
 	# list of supported snapshot formats
 	our @snapshot_fmts = gitweb_get_feature('snapshot');
@@ -1121,10 +1130,17 @@ sub configure_gitweb_features {
 	# if the provider name is invalid or the dependencies are not met,
 	# reset $git_avatar to the empty string.
 	our ($git_avatar) = gitweb_get_feature('avatar');
+	my $use_https = gitweb_check_feature('subcontentssl');
+
 	if ($git_avatar eq 'gravatar') {
 		$git_avatar = '' unless (eval { require Digest::MD5; 1; });
+		$gravatar_base_url = $use_https ?
+		    "https://secure.gravatar.com/avatar/" :
+		    "http://www.gravatar.com/avatar/";
 	} elsif ($git_avatar eq 'picon') {
-		# no dependencies
+		$picon_base_url = $use_https ?
+		    "http://www.cs.indiana.edu/cgi-pub/kinzler/piconsearch.cgi/" :
+		    "https://www.cs.indiana.edu/cgi-pub/kinzler/piconsearch.cgi/";
 	} else {
 		$git_avatar = '';
 	}
@@ -2068,7 +2084,7 @@ sub picon_url {
 	if (!$avatar_cache{$email}) {
 		my ($user, $domain) = split('@', $email);
 		$avatar_cache{$email} =
-			"http://www.cs.indiana.edu/cgi-pub/kinzler/piconsearch.cgi/" .
+			$picon_base_url .
 			"$domain/$user/" .
 			"users+domains+unknown/up/single";
 	}
@@ -2082,9 +2098,7 @@ sub picon_url {
 sub gravatar_url {
 	my $email = lc shift;
 	my $size = shift;
-	$avatar_cache{$email} ||=
-		"http://www.gravatar.com/avatar/" .
-			Digest::MD5::md5_hex($email) . "?s=";
+	$avatar_cache{$email} ||= $gravatar_base_url . Digest::MD5::md5_hex($email) . "?s=";
 	return $avatar_cache{$email} . $size;
 }
 

^ permalink raw reply related	[flat|nested] 8+ messages in thread

* Re: [PATCH] The images from picon and gravatar are always used over http://, and browsers give mixed contents warning when gitweb is served over https://.
  2013-01-29 18:33       ` Junio C Hamano
@ 2013-01-31  1:28         ` Jonathan Nieder
  2013-02-01  0:58           ` Junio C Hamano
  0 siblings, 1 reply; 8+ messages in thread
From: Jonathan Nieder @ 2013-01-31  1:28 UTC (permalink / raw)
  To: Junio C Hamano; +Cc: Bryan Turner, git, Andrej E Baranov

Junio C Hamano wrote:
> Jonathan Nieder <jrnieder@gmail.com> writes:

>> Odd.  "https://www.gravatar.com/" also seems to work.  I've put in a
>> technical support query to find out what the Gravatar admins prefer.
>
> Thanks; will hold onto Andrej's patch until we hear what the story
> is.

Good news: a kind person from Automattic answered that
www.gravatar.com should work fine over SSL, both now and in the
future, and promised to add updating documentation to their todo list.

Thanks for your help and patience.
Jonathan

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH] The images from picon and gravatar are always used over http://, and browsers give mixed contents warning when gitweb is served over https://.
  2013-01-31  1:28         ` Jonathan Nieder
@ 2013-02-01  0:58           ` Junio C Hamano
  0 siblings, 0 replies; 8+ messages in thread
From: Junio C Hamano @ 2013-02-01  0:58 UTC (permalink / raw)
  To: Jonathan Nieder; +Cc: Bryan Turner, git, Andrej E Baranov

Jonathan Nieder <jrnieder@gmail.com> writes:

> Junio C Hamano wrote:
>> Jonathan Nieder <jrnieder@gmail.com> writes:
>
>>> Odd.  "https://www.gravatar.com/" also seems to work.  I've put in a
>>> technical support query to find out what the Gravatar admins prefer.
>>
>> Thanks; will hold onto Andrej's patch until we hear what the story
>> is.
>
> Good news: a kind person from Automattic answered that
> www.gravatar.com should work fine over SSL, both now and in the
> future, and promised to add updating documentation to their todo list.
>
> Thanks for your help and patience.

I'll merge Andrej's topic to 'next' in the next integration cycle.
The fix should hit 'master' no later than the beginning of next
week.

Thanks.

^ permalink raw reply	[flat|nested] 8+ messages in thread

end of thread, other threads:[~2013-02-01  0:59 UTC | newest]

Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-01-28 23:41 [PATCH] The images from picon and gravatar are always used over http://, and browsers give mixed contents warning when gitweb is served over https:// Andrej E Baranov
2013-01-29  3:03 ` Junio C Hamano
2013-01-29  3:28   ` Bryan Turner
2013-01-29  4:12     ` Jonathan Nieder
2013-01-29  4:16       ` Bryan Turner
2013-01-29 18:33       ` Junio C Hamano
2013-01-31  1:28         ` Jonathan Nieder
2013-02-01  0:58           ` Junio C Hamano

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).