Jonathan Nieder <jrnieder@xxxxxxxxx> writes: > (cc-ing some area experts) > Hi Andrej, > > Andrej Andb wrote: > >> [Subject: remove protocol from gravatar and picon links for clear if >> Gitweb is being called through a secure server] > > Sounds good to me. May we have your signoff? (See > Documentation/SubmittingPatches for what this means.) > > Thanks, > Jonathan > (patch left unsnipped for reference) > >> --- >> gitweb/gitweb.perl | 4 ++-- >> 1 file changed, 2 insertions(+), 2 deletions(-) >> >> diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl >> index c6bafe6..1309196 100755 >> --- a/gitweb/gitweb.perl >> +++ b/gitweb/gitweb.perl >> @@ -2068,7 +2068,7 @@ sub picon_url { >> if (!$avatar_cache{$email}) { >> my ($user, $domain) = split('@', $email); >> $avatar_cache{$email} = >> - "http://www.cs.indiana.edu/cgi-pub/kinzler/piconsearch.cgi/" . >> + "//www.cs.indiana.edu/cgi-pub/kinzler/piconsearch.cgi/" . Hrmph. Is that even a valid URL to refer to that external site from a https://my.site/some/where/ base URL? I wouldn't be surprised if browsers allowed it, but I do not recall seeing such a use in RFCs. Intuitively it feels strange that the above lets the site that gave you the base URL dictate over what scheme sites unrelated to it has to serve their resources. -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html