Re: [PATCH v2] http: inform about alternates-as-redirects behavior
- Date: Mon, 6 Mar 2017 10:03:02 -0800
- From: Brandon Williams <bmwill@xxxxxxxxxx>
- Subject: Re: [PATCH v2] http: inform about alternates-as-redirects behavior
On 03/04, Jeff King wrote:
> On Sat, Mar 04, 2017 at 08:36:45AM +0000, Eric Wong wrote:
> > I also think the security implications for relative alternates
> > on the same host would not matter, since the smart HTTP will
> > take them into account on the server side.
> It depends on the host whether all of the repos on it have the same
> security domain or not. A site like github.com hosts both public and
> private repositories, and you do not want a public repo redirecting to
> the private one to get objects.
> Of course, that depends on untrusted users being able to configure
> server-side alternates, which GitHub certainly would not let you do. I
> would hope other multi-user hosting sites behave similarly (most hosting
> sites do not seem to allow dumb http at all).
> > Perhaps we give http_follow_config ORable flags:
> > HTTP_FOLLOW_NONE = 0,
> > HTTP_FOLLOW_INITIAL = 0x1,
> > HTTP_FOLLOW_RELATIVE = 0x2,
> > HTTP_FOLLOW_ABSOLUTE = 0x4,
> > HTTP_FOLLOW_ALWAYS = 0x7,
> > With the default would being: HTTP_FOLLOW_INITIAL|HTTP_FOLLOW_RELATIVE
> > (but I suppose that's a patch for another time)
> I don't have a real problem with breaking it down that way, if somebody
> wants to make a patch. Mostly the reason I didn't do so is that I don't
> think http-alternates are in common use these days, since smart-http is
> much more powerful.
> > ----------8<-----------
> > From: Eric Wong <e@xxxxxxxxx>
> > Subject: [PATCH] http: inform about alternates-as-redirects behavior
> This v2 looks fine to me.
I know I'm a little late to the party but v2 looks good to me too. I
like the change from v1 that only mentions the config option as opposed
to listing a value it should be set to.