Re: [PATCH v2] http: inform about alternates-as-redirects behavior

On Sat, Mar 04, 2017 at 08:36:45AM +0000, Eric Wong wrote:

> I also think the security implications for relative alternates
> on the same host would not matter, since the smart HTTP will
> take them into account on the server side.

It depends on the host whether all of the repos on it have the same
security domain or not. A site like github.com hosts both public and
private repositories, and you do not want a public repo redirecting to
the private one to get objects.

Of course, that depends on untrusted users being able to configure
server-side alternates, which GitHub certainly would not let you do. I
would hope other multi-user hosting sites behave similarly (most hosting
sites do not seem to allow dumb http at all).

> Perhaps we give http_follow_config ORable flags:
> With the default being: HTTP_FOLLOW_INITIAL|HTTP_FOLLOW_RELATIVE
> (but I suppose that's a patch for another time)

I don't have a real problem with breaking it down that way, if somebody
wants to make a patch. Mostly the reason I didn't do so is that I don't
think http-alternates are in common use these days, since smart-http is
much more powerful.

> ----------8<-----------
> From: Eric Wong <e@xxxxxxxxx>
> Subject: [PATCH] http: inform about alternates-as-redirects behavior

This v2 looks fine to me.
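An added example, not code from git or from anyone in this thread: a Python model of the per-alternate policy discussed above, combining the ORable flags Eric proposes with the security-domain check the reply argues for, applied to entries of objects/info/http-alternates resolved against the repo's objects URL. HTTP_FOLLOW_ABSOLUTE, the trusted-repo set and the example hosts are assumptions.

```python
from urllib.parse import urljoin, urlsplit

# ORable flags in the spirit of Eric Wong's http_follow_config suggestion. The first
# two are his names; HTTP_FOLLOW_ABSOLUTE and the trusted-repo set are assumptions.
HTTP_FOLLOW_INITIAL = 1    # redirects on the initial request
HTTP_FOLLOW_RELATIVE = 2   # alternates that stay on the same host
HTTP_FOLLOW_ABSOLUTE = 4   # alternates that name another host (assumed flag)
DEFAULT_POLICY = HTTP_FOLLOW_INITIAL | HTTP_FOLLOW_RELATIVE


def decide(base_objects_url, entry, policy=DEFAULT_POLICY, same_domain_repos=frozenset()):
    """Decide one http-alternates entry: returns (verdict, resolved_url)."""
    resolved = urljoin(base_objects_url, entry.strip())
    base, alt = urlsplit(base_objects_url), urlsplit(resolved)
    if not alt.path.endswith("/objects/"):
        return "reject: entry does not point at an objects/ directory", resolved
    if (base.scheme, base.netloc) != (alt.scheme, alt.netloc):
        # Different scheme or host: an absolute alternate, off unless explicitly enabled.
        if not policy & HTTP_FOLLOW_ABSOLUTE:
            return "reject: other host and HTTP_FOLLOW_ABSOLUTE not set", resolved
        return "follow", resolved
    if not policy & HTTP_FOLLOW_RELATIVE:
        return "reject: same-host alternate and HTTP_FOLLOW_RELATIVE not set", resolved
    # Same host is not the same security domain: "../" can walk from a public repo
    # into a private sibling, so the resolved repo must be in the trusted set.
    repo = alt.path[:-len("/objects/")]
    if repo not in same_domain_repos:
        return "reject: %s is outside this repo's security domain" % repo, resolved
    return "follow", resolved


def audit(base_objects_url, alternates_text, policy=DEFAULT_POLICY, same_domain_repos=frozenset()):
    """Run decide() over every non-blank line of an http-alternates file."""
    return [decide(base_objects_url, line, policy, same_domain_repos)
            for line in alternates_text.splitlines() if line.strip()]


# Constructed sample: a public repo whose objects/info/http-alternates reaches for a
# trusted mirror, a private sibling repo, another area on the host and another host.
BASE = "https://git.example.com/pub/public.git/objects/"
TRUSTED = frozenset({"/pub/public.git", "/pub/public-mirror.git"})
SAMPLE_ALTERNATES = """\
../../public-mirror.git/objects/
../../private.git/objects/
/other/area.git/objects/
https://mirror.example.net/linux.git/objects/
"""

if __name__ == "__main__":
    for verdict, url in audit(BASE, SAMPLE_ALTERNATES, DEFAULT_POLICY, TRUSTED):
        print("%-50s %s" % (url, verdict))
```

With the default policy only the trusted mirror is followed; the private sibling and the other host are rejected for different reasons, which is the distinction the flags are meant to make visible.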