From: Axel Beckert <abe@deuxchevaux.org>
To: zsh-workers@zsh.org
Subject: Re: Sourceforge -> https
Date: Fri, 21 May 2021 17:53:23 +0200 [thread overview]
Message-ID: <20210521155322.qa3uv3o7fwlxhlcc@sym.noone.org> (raw)
In-Reply-To: <CAHYJk3RDmTpaQY_Fg9WeKgFY0eG24KaSdAqvCaZFzLcg3VpNfQ@mail.gmail.com>
Hi,
On Fri, May 21, 2021 at 05:40:19PM +0200, Mikael Magnusson wrote:
> > Your website is currently hosted at http://zsh.sourceforge.net with PHP 5.4
> >
> > To update to https://zsh.sourceforge.io and PHP 7.x, click the button
> > below.
+1 for moving away from PHP 5.4 (long time EoL already). Do we use PHP
at all? HTTPS is fine, too. :-)
> The tld being different seems a bit more concerning
Well, if I were SF, I would be concerned if I wouldn't do it.
Reason for the different TLD is that otherwise every project page
could extract valid https://sourceforge.net/ authentication cookies
and afterwards impersonate that user.
This is one of the reasons why using just the domain itself as website
should not be done unless all subdomains are trusted. (Which obviously
isn't the case for a hosting business.) Same reason why GitHub pages
are hosted under github.io and not github.com.
Actually, it is already a concern for old project sites, but since
most HTTPS cookies are not sent over plain HTTP, too, it's ok-ish.
The cleaner solution for SF would be to use "www.sourceforge.net" and
restrict cookies to this hostname instead of the whole domain. (You
don't seem to be able to restrict cookies to a domain, but then
exclude its subdomains.) But since websites without "www." are totally
in fashion these days... (I should shut up here as I have at least one
domain I use that way, too. But without using any authentication
cookies. :-)
> but presumably the old urls will continue to redirect?
I think so, yes. At least it works for other projects like e.g.
http://octave.sourceforge.net/ → https://octave.sourceforge.io/
HTH
Kind regards, Axel
--
PGP: 2FF9CD59612616B5 /~\ Plain Text Ribbon Campaign, http://arc.pasp.de/
Mail: abe@deuxchevaux.org \ / Say No to HTML in E-Mail and Usenet
Mail+Jabber: abe@noone.org X
https://axel.beckert.ch/ / \ I love long mails: https://email.is-not-s.ms/
next prev parent reply other threads:[~2021-05-21 16:01 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-05-21 15:23 Peter Stephenson
2021-05-21 15:40 ` Mikael Magnusson
2021-05-21 15:47 ` Peter Stephenson
2021-05-21 15:53 ` Axel Beckert [this message]
2021-05-24 8:20 ` Peter Stephenson
2021-05-24 12:09 ` Peter Stephenson
2021-05-24 18:26 ` Daniel Shahaf
2021-05-24 17:39 ` Phil Pennock
2021-05-24 18:18 ` Bart Schaefer
2021-05-24 18:23 ` Peter Stephenson
2021-05-24 18:57 ` Phil Pennock
2021-05-24 19:43 ` website links (Re: Sourceforge -> https) Phil Pennock
2021-05-24 20:06 ` Bart Schaefer
2021-05-24 20:16 ` Phil Pennock
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210521155322.qa3uv3o7fwlxhlcc@sym.noone.org \
--to=abe@deuxchevaux.org \
--cc=zsh-workers@zsh.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/zsh/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).