On 03/04, Jeff King wrote: > On Sat, Mar 04, 2017 at 08:36:45AM +0000, Eric Wong wrote: > > > I also think the security implications for relative alternates > > on the same host would not matter, since the smart HTTP will > > take them into account on the server side. > > It depends on the host whether all of the repos on it have the same > security domain or not. A site like github.com hosts both public and > private repositories, and you do not want a public repo redirecting to > the private one to get objects. > > Of course, that depends on untrusted users being able to configure > server-side alternates, which GitHub certainly would not let you do. I > would hope other multi-user hosting sites behave similarly (most hosting > sites do not seem to allow dumb http at all). > > > Perhaps we give http_follow_config ORable flags: > > > > HTTP_FOLLOW_NONE = 0, > > HTTP_FOLLOW_INITIAL = 0x1, > > HTTP_FOLLOW_RELATIVE = 0x2, > > HTTP_FOLLOW_ABSOLUTE = 0x4, > > HTTP_FOLLOW_ALWAYS = 0x7, > > > > With the default would being: HTTP_FOLLOW_INITIAL|HTTP_FOLLOW_RELATIVE > > (but I suppose that's a patch for another time) > > I don't have a real problem with breaking it down that way, if somebody > wants to make a patch. Mostly the reason I didn't do so is that I don't > think http-alternates are in common use these days, since smart-http is > much more powerful. > > > ----------8<----------- > > From: Eric Wong <e@xxxxxxxxx> > > Subject: [PATCH] http: inform about alternates-as-redirects behavior > > This v2 looks fine to me. > > -Peff I know I'm a little late to the party but v2 looks good to me too. I like the change from v1 that only mentions the config option as opposed to listing a value it should be set to. -- Brandon Williams