Jonathan Nieder <jrnieder@xxxxxxxxx> writes:

> Junio C Hamano wrote:
>>> Andrej Andb wrote:
>
>>>> --- a/gitweb/gitweb.perl
>>>> +++ b/gitweb/gitweb.perl
>>>> @@ -2068,7 +2068,7 @@ sub picon_url {
>>>> if (!$avatar_cache{$email}) {
>>>> my ($user, $domain) = split('@', $email);
>>>> $avatar_cache{$email} =
>>>> - "http://www.cs.indiana.edu/cgi-pub/kinzler/piconsearch.cgi/" .
>>>> + "//www.cs.indiana.edu/cgi-pub/kinzler/piconsearch.cgi/" .
> [...]
>> Intuitively it feels strange that the above lets the site that gave
>> you the base URL dictate over what scheme sites unrelated to it have
>> to serve their resources.
>
> The main effect is to slightly improve privacy. A man in the middle
> can still see the size of avatars and when you fetched them, but at
> least this way when you are using HTTPS they do not see the names of
> authors of commits you are looking at.
>
> It also avoids a mixed content warning.
>
> On the other hand, it hurts caching by proxies.

I am sure mixed content warning was the primary motivation of the
patch. Do we know these external sites actually serve what we want
over https://?
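
Review bot: the new scheme-relative literal "//www.cs.indiana.edu/cgi-pub/kinzler/piconsearch.cgi/" in picon_url makes the picon request follow whatever scheme the gitweb page itself was served over, and nothing in the hunk establishes that this third-party host answers over HTTPS; if it does not, HTTPS deployments trade a mixed content warning for missing avatars. Please record in the commit message that the host was checked over HTTPS, or keep the scheme selectable (for example a configuration variable for the avatar base URL) so an administrator can pin http:// or https:// explicitly. A scheme-relative reference also resolves only where the consumer has a base URL, so a comment above the $avatar_cache{$email} assignment should state that the cached value is meant for HTML page output.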