Zsh Mailing List Archive Messages sorted by: Reverse Date, Date, Thread, Author

Re: Sourceforge -> https

X-seq: zsh-workers 48895
From: Axel Beckert <abe@xxxxxxxxxxxxxxx>
To: zsh-workers@xxxxxxx
Subject: Re: Sourceforge -> https
Date: Fri, 21 May 2021 17:53:23 +0200
Archived-at: <https://zsh.org/workers/48895>
Face: iVBORw0KGgoAAAANSUhEUgAAADAAAAAwBAAAAAC3mUtaAAAABGdBTUEAALGPC/xhBQAAADh0RVh0U29mdHdhcmUAWFYgVmVyc2lvbiAzLjEwYSAgUmV2OiAxMi8yOS85NCAoUE5HIHBhdGNoIDEuMindFS5JAAACGElEQVQ4jXXQMU8UYRDG8f8shNjdDH4AbpfGDjAWlKiJiZ0ajL1aGCvsNCbGaCGG1koLaztaTYz6ATy+gOyehYmF3MxVxgg3FnDsHcTpJr/M+8w7Rf6nCsaVTTDqxbg9hoOXmw83H71+Eyfg4E1d7/Z2fG9rGkZbTQiu+K+3U/C+76lmkvAhJuDndnoAiftou4V84okAGclop4U/jYACZDTxrYWP0gkxVfAm/W//GLZpxIzwIN0Hn8dw0B+IWkZmQmRsj2HfhwokEklHfNCCiQCRgAR7YyhQVRVTCKCzP4Y5zBBE0t0zY3Q8oQaBqqAMlVEcgVQd9706zGirAFium8HXumlMIeMwqQCInju+2+uB6MRENupdpMt8pRlHZyuAW0F+Mb6XSIVqtxjD+iVmVqqystLEzFTGT92YqRaXpNT5eTVjeJhbALPnrTxLUZUKZsgxcNm64hAOYisT/xhF+oKTGU5RegtC3Rt6eEDi/QnIevdTx9Md2EMmYBRmCQR1026FCGQQJJExsRUqgkMGaWSbwYLnoO4T6VgpbQbdELPMBAHWWrhYrcxXnYgAsatPWygkFCBD4K62MAsOTqA6szYRPpsu6e6Y8mPiVrBMNuGIMrgwBUu4p2DgG1Ownu6hpuTv7hScefHAzAC/yRRw5U5pALMbJ4AUALvHSZhxgHPXTsHcdWD1GadAHr9avP+c0wCr7263Df8ASLwXWHWs+KIAAAAHdElNRQfYBQEBODPr
In-reply-to: <CAHYJk3RDmTpaQY_Fg9WeKgFY0eG24KaSdAqvCaZFzLcg3VpNfQ@mail.gmail.com>
List-id: <zsh-workers.zsh.org>
Mail-followup-to: zsh-workers@xxxxxxx
Organization: DeuxChevaux.org -- The Citroën 2CV Database
References: <1403418415.301394.1621610617915@mail2.virginmedia.com> <CAHYJk3RDmTpaQY_Fg9WeKgFY0eG24KaSdAqvCaZFzLcg3VpNfQ@mail.gmail.com>

Hi,

On Fri, May 21, 2021 at 05:40:19PM +0200, Mikael Magnusson wrote:
> > Your website is currently hosted at http://zsh.sourceforge.net with PHP 5.4
> >
> > To update to https://zsh.sourceforge.io and PHP 7.x, click the button
> > below.

+1 for moving away from PHP 5.4 (long time EoL already). Do we use PHP
at all? HTTPS is fine, too. :-)

> The tld being different seems a bit more concerning

Well, if I were SF, I would be concerned if I wouldn't do it.

Reason for the different TLD is that otherwise every project page
could extract valid https://sourceforge.net/ authentication cookies
and afterwards impersonate that user.

This is one of the reasons why using just the domain itself as website
should not be done unless all subdomains are trusted. (Which obviously
isn't the case for a hosting business.) Same reason why GitHub pages
are hosted under github.io and not github.com.

Actually, it is already a concern for old project sites, but since
most HTTPS cookies are not sent over plain HTTP, too, it's ok-ish.

The cleaner solution for SF would be to use "www.sourceforge.net" and
restrict cookies to this hostname instead of the whole domain. (You
don't seem to be able to restrict cookies to a domain, but then
exclude its subdomains.) But since websites without "www." are totally
in fashion these days... (I should shut up here as I have at least one
domain I use that way, too. But without using any authentication
cookies. :-)

> but presumably the old urls will continue to redirect?

I think so, yes. At least it works for other projects like e.g.
http://octave.sourceforge.net/ → https://octave.sourceforge.io/

HTH

		Kind regards, Axel
-- 
PGP: 2FF9CD59612616B5      /~\  Plain Text Ribbon Campaign, http://arc.pasp.de/
Mail: abe@xxxxxxxxxxxxxxx  \ /  Say No to HTML in E-Mail and Usenet
Mail+Jabber: abe@xxxxxxxxx  X
https://axel.beckert.ch/   / \  I love long mails: https://email.is-not-s.ms/

Follow-Ups:
- Re: Sourceforge -> https
  - From: Peter Stephenson

References:
- Sourceforge -> https
  - From: Peter Stephenson
- Re: Sourceforge -> https
  - From: Mikael Magnusson

Messages sorted by: Reverse Date, Date, Thread, Author