git.vger.kernel.org archive mirror
* [PATCH] The images from picon and gravatar are always used over http://, and browsers give mixed contents warning when gitweb is served over https://.
@ 2013-01-28 23:41 Andrej E Baranov
  2013-01-29  3:03 ` Junio C Hamano
  0 siblings, 1 reply; 8+ messages in thread
From: Andrej E Baranov @ 2013-01-28 23:41 UTC (permalink / raw)
  To: git; +Cc: gitster, jrnieder, giuseppe.bilotta, jnareb, Andrej E Baranov

Just drop the scheme: part from the URL, so that these
external sites are accessed over https:// in such a case.

Signed-off-by: Andrej E Baranov <admin@andrej-andb.ru>
---
 gitweb/gitweb.perl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
index c6bafe6..1309196 100755
--- a/gitweb/gitweb.perl
+++ b/gitweb/gitweb.perl
@@ -2068,7 +2068,7 @@ sub picon_url {
 	if (!$avatar_cache{$email}) {
 		my ($user, $domain) = split('@', $email);
 		$avatar_cache{$email} =
-			"http://www.cs.indiana.edu/cgi-pub/kinzler/piconsearch.cgi/" .
+			"//www.cs.indiana.edu/cgi-pub/kinzler/piconsearch.cgi/" .
 			"$domain/$user/" .
 			"users+domains+unknown/up/single";
 	}
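Review bot: the scheme-relative "//www.cs.indiana.edu/cgi-pub/kinzler/piconsearch.cgi/" on the added line makes the picon request follow whatever scheme the gitweb page itself was loaded with, so an https:// gitweb now depends on www.cs.indiana.edu answering over TLS, and nothing in this hunk or the commit message establishes that it does. If that host has no working HTTPS endpoint, the avatar stops loading altogether instead of producing a mixed-content warning. Confirm the picon service is reachable over https and record that in the commit message, or leave this URL alone and convert only the hosts that have been checked.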
@@ -2083,7 +2083,7 @@ sub gravatar_url {
 	my $email = lc shift;
 	my $size = shift;
 	$avatar_cache{$email} ||=
-		"http://www.gravatar.com/avatar/" .
+		"//www.gravatar.com/avatar/" .
 			Digest::MD5::md5_hex($email) . "?s=";
 	return $avatar_cache{$email} . $size;
 }
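Review bot: the added "//www.gravatar.com/avatar/" line keeps the host and drops only the scheme, so on an https:// page the browser will request https://www.gravatar.com/avatar/...; the commit message should say that this host has been verified to serve avatars over TLS, because a host that only answers on http would turn the warning into broken images. The value stored in %avatar_cache is now scheme-relative as well, so it is worth checking that every consumer of gravatar_url() emits it somewhere the browser resolves it against the page URL.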
-- 
1.8.1.1


* Re: [PATCH] The images from picon and gravatar are always used over http://, and browsers give mixed contents warning when gitweb is served over https://.
  2013-01-28 23:41 [PATCH] The images from picon and gravatar are always used over http://, and browsers give mixed contents warning when gitweb is served over https:// Andrej E Baranov
@ 2013-01-29  3:03 ` Junio C Hamano
  2013-01-29  3:28   ` Bryan Turner
  0 siblings, 1 reply; 8+ messages in thread
From: Junio C Hamano @ 2013-01-29  3:03 UTC (permalink / raw)
  To: Andrej E Baranov; +Cc: git, jrnieder, giuseppe.bilotta, jnareb

Thanks; will queue.


* Re: [PATCH] The images from picon and gravatar are always used over http://, and browsers give mixed contents warning when gitweb is served over https://.
  2013-01-29  3:03 ` Junio C Hamano
@ 2013-01-29  3:28   ` Bryan Turner
  2013-01-29  4:12     ` Jonathan Nieder
  0 siblings, 1 reply; 8+ messages in thread
From: Bryan Turner @ 2013-01-29  3:28 UTC (permalink / raw)
  To: git

This won't work correctly as-is. The secure URL for Gravatar is
"https://secure.gravatar.com"[1], not "https://www.gravatar.com".

[1] See the "Secure Requests" section on:
https://en.gravatar.com/site/implement/images/

On 29 January 2013 14:03, Junio C Hamano <gitster@pobox.com> wrote:
>
> Thanks; will queue.


* Re: [PATCH] The images from picon and gravatar are always used over http://, and browsers give mixed contents warning when gitweb is served over https://.
  2013-01-29  3:28   ` Bryan Turner
@ 2013-01-29  4:12     ` Jonathan Nieder
  2013-01-29  4:16       ` Bryan Turner
  2013-01-29 18:33       ` Junio C Hamano
  0 siblings, 2 replies; 8+ messages in thread
From: Jonathan Nieder @ 2013-01-29  4:12 UTC (permalink / raw)
  To: Bryan Turner; +Cc: git, Andrej E Baranov, Junio C Hamano

Hi Bryan,

Bryan Turner wrote:

> This won't work correctly as-is. The secure URL for Gravatar is
> "https://secure.gravatar.com"[1], not "https://www.gravatar.com".

Odd.  "https://www.gravatar.com/" also seems to work.  I've put in a
technical support query to find out what the Gravatar admins prefer.

Thanks,
Jonathan


* Re: [PATCH] The images from picon and gravatar are always used over http://, and browsers give mixed contents warning when gitweb is served over https://.
  2013-01-29  4:12     ` Jonathan Nieder
@ 2013-01-29  4:16       ` Bryan Turner
  2013-01-29 18:33       ` Junio C Hamano
  1 sibling, 0 replies; 8+ messages in thread
From: Bryan Turner @ 2013-01-29  4:16 UTC (permalink / raw)
  To: git

Interesting. I wonder if they've changed it recently. I only pointed
it out because a software product I'm working on had a bug because it
was building the URLs with "https://www..." and the resulting images
were showing as X's instead of avatars. We had to change the
implementation to use "https://secure..." to get the avatars to load
correctly. That's been ~8 months ago now, though, so maybe it's no
longer the case. It seems like it would be much more convenient if
they just changed the scheme.

Bryan

On 29 January 2013 15:12, Jonathan Nieder <jrnieder@gmail.com> wrote:
> Hi Bryan,
>
> Bryan Turner wrote:
>
>> This won't work correctly as-is. The secure URL for Gravatar is
>> "https://secure.gravatar.com"[1], not "https://www.gravatar.com".
>
> Odd.  "https://www.gravatar.com/" also seems to work.  I've put in a
> technical support query to find out what the Gravatar admins prefer.
>
> Thanks,
> Jonathan


* Re: [PATCH] The images from picon and gravatar are always used over http://, and browsers give mixed contents warning when gitweb is served over https://.
  2013-01-29  4:12     ` Jonathan Nieder
  2013-01-29  4:16       ` Bryan Turner
@ 2013-01-29 18:33       ` Junio C Hamano
  2013-01-31  1:28         ` Jonathan Nieder
  1 sibling, 1 reply; 8+ messages in thread
From: Junio C Hamano @ 2013-01-29 18:33 UTC (permalink / raw)
  To: Jonathan Nieder; +Cc: Bryan Turner, git, Andrej E Baranov

Jonathan Nieder <jrnieder@gmail.com> writes:

> Odd.  "https://www.gravatar.com/" also seems to work.  I've put in a
> technical support query to find out what the Gravatar admins prefer.

Thanks; will hold onto Andrej's patch until we hear what the story
is.

Of course we could do something like this (untested).

 gitweb/gitweb.perl | 24 +++++++++++++++++++-----
 1 file changed, 19 insertions(+), 5 deletions(-)

diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
index c6bafe6..b59773b 100755
--- a/gitweb/gitweb.perl
+++ b/gitweb/gitweb.perl
@@ -313,6 +313,14 @@ sub evaluate_uri {
 		'override' => 0,
 		'default' => [0]},
 
+	# Use https:// URL for embedded picons/gravatar images, to be used
+	# on installations that server gitweb over https://
+	'subcontentssl' => {
+		'sub' => sub { feature_bool('subcontentssl', @_) },
+		'override' => 0,
+		'default' => [0]},
+	}
+
 	# Enable the 'snapshot' link, providing a compressed archive of any
 	# tree. This can potentially generate high traffic if you have large
 	# project.
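Review bot: the added 'subcontentssl' entry already ends with "'default' => [0]}," and is then followed by a bare "}" on its own line, which closes the enclosing structure early; the 'snapshot' entry after it would fall outside and the script would not compile. Drop that extra line. The comment above the entry reads "installations that server gitweb" where "serve" is meant. Since the switch has to be set by hand to match the deployment, it should also be documented that an https:// install which leaves it at the default of 0 keeps the http:// image URLs and the mixed-content warning.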
@@ -1111,6 +1119,7 @@ sub evaluate_git_dir {
 }
 
 our (@snapshot_fmts, $git_avatar);
+our ($gravatar_base_url, $picon_base_url);
 sub configure_gitweb_features {
 	# list of supported snapshot formats
 	our @snapshot_fmts = gitweb_get_feature('snapshot');
@@ -1121,10 +1130,17 @@ sub configure_gitweb_features {
 	# if the provider name is invalid or the dependencies are not met,
 	# reset $git_avatar to the empty string.
 	our ($git_avatar) = gitweb_get_feature('avatar');
+	my $use_https = gitweb_check_feature('subcontentssl');
+
 	if ($git_avatar eq 'gravatar') {
 		$git_avatar = '' unless (eval { require Digest::MD5; 1; });
+		$gravatar_base_url = $use_https ?
+		    "https://secure.gravatar.com/avatar/" :
+		    "http://www.gravatar.com/avatar/";
 	} elsif ($git_avatar eq 'picon') {
-		# no dependencies
+		$picon_base_url = $use_https ?
+		    "http://www.cs.indiana.edu/cgi-pub/kinzler/piconsearch.cgi/" :
+		    "https://www.cs.indiana.edu/cgi-pub/kinzler/piconsearch.cgi/";
 	} else {
 		$git_avatar = '';
 	}
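Review bot: the picon branch has its ternary arms swapped: when $use_https is true it selects "http://www.cs.indiana.edu/cgi-pub/kinzler/piconsearch.cgi/" and when false it selects the "https://" URL, the opposite of the gravatar branch just above. Swap the two strings so that enabling the feature yields the https:// base. The removed "# no dependencies" comment explained why this branch has no require check and is worth keeping next to the new assignment.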
@@ -2068,7 +2084,7 @@ sub picon_url {
 	if (!$avatar_cache{$email}) {
 		my ($user, $domain) = split('@', $email);
 		$avatar_cache{$email} =
-			"http://www.cs.indiana.edu/cgi-pub/kinzler/piconsearch.cgi/" .
+			$picon_base_url .
 			"$domain/$user/" .
 			"users+domains+unknown/up/single";
 	}
@@ -2082,9 +2098,7 @@ sub picon_url {
 sub gravatar_url {
 	my $email = lc shift;
 	my $size = shift;
-	$avatar_cache{$email} ||=
-		"http://www.gravatar.com/avatar/" .
-			Digest::MD5::md5_hex($email) . "?s=";
+	$avatar_cache{$email} ||= $gravatar_base_url . Digest::MD5::md5_hex($email) . "?s=";
 	return $avatar_cache{$email} . $size;
 }
 
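Review bot: the replacement line in gravatar_url() folds the previous three-line expression into a single line that runs well past 80 columns; keep the original wrapping, with $gravatar_base_url on the first continuation line and Digest::MD5::md5_hex($email) on the next. Note also that $gravatar_base_url is only assigned in the 'gravatar' branch of configure_gitweb_features, so this concatenation relies on gravatar_url() never being reached with any other avatar setting.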


* Re: [PATCH] The images from picon and gravatar are always used over http://, and browsers give mixed contents warning when gitweb is served over https://.
  2013-01-29 18:33       ` Junio C Hamano
@ 2013-01-31  1:28         ` Jonathan Nieder
  2013-02-01  0:58           ` Junio C Hamano
  0 siblings, 1 reply; 8+ messages in thread
From: Jonathan Nieder @ 2013-01-31  1:28 UTC (permalink / raw)
  To: Junio C Hamano; +Cc: Bryan Turner, git, Andrej E Baranov

Junio C Hamano wrote:
> Jonathan Nieder <jrnieder@gmail.com> writes:

>> Odd.  "https://www.gravatar.com/" also seems to work.  I've put in a
>> technical support query to find out what the Gravatar admins prefer.
>
> Thanks; will hold onto Andrej's patch until we hear what the story
> is.

Good news: a kind person from Automattic answered that
www.gravatar.com should work fine over SSL, both now and in the
future, and promised to add updating documentation to their todo list.

Thanks for your help and patience.
Jonathan


* Re: [PATCH] The images from picon and gravatar are always used over http://, and browsers give mixed contents warning when gitweb is served over https://.
  2013-01-31  1:28         ` Jonathan Nieder
@ 2013-02-01  0:58           ` Junio C Hamano
  0 siblings, 0 replies; 8+ messages in thread
From: Junio C Hamano @ 2013-02-01  0:58 UTC (permalink / raw)
  To: Jonathan Nieder; +Cc: Bryan Turner, git, Andrej E Baranov

Jonathan Nieder <jrnieder@gmail.com> writes:

> Junio C Hamano wrote:
>> Jonathan Nieder <jrnieder@gmail.com> writes:
>
>>> Odd.  "https://www.gravatar.com/" also seems to work.  I've put in a
>>> technical support query to find out what the Gravatar admins prefer.
>>
>> Thanks; will hold onto Andrej's patch until we hear what the story
>> is.
>
> Good news: a kind person from Automattic answered that
> www.gravatar.com should work fine over SSL, both now and in the
> future, and promised to add updating documentation to their todo list.
>
> Thanks for your help and patience.

I'll merge Andrej's topic to 'next' in the next integration cycle.
The fix should hit 'master' no later than the beginning of next
week.

Thanks.
