Switch URLs from http to https #17
base: gh-pages
The web site is now available via https, let's switch the documentation to use it. Fixes potch#12
@potch - would you be willing to merge this soon? The CII Best Practices badge is discussing referring to unmaintained.tech, but suggesting the use of http instead of https could be a blocker for us. Thanks!
Using a protocol-relative URL like
@scy I'm not sure I understand your suggestion. Why would it be good to access the external resources using https a problem if the embedding website is accessible via http (and I assume https)? (Given current mainstream browsers where using http will be penalized, I'd say that's in general a bad idea?)
There might be a good reason why the user is accessing the embedding website using plain HTTP, for example due to network restrictions, for performance reasons, or because their browser doesn't support HTTPS. In these cases, if you embed the badge always via HTTPS, it probably won't load. If, on the other hand, the embedding website is accessed via HTTPS, the badge will be loaded via HTTPS, too. There's no penalty.
scy:
The "//" prefix does not work when referring to an external site, which in many cases is what's happening. The "//" prefix will only work if it's the same site. By contrast, "https:" works everywhere (presuming your browser supports https, and if it doesn't, you shouldn't be accessing the public Internet with it). Also, if you use "//" and you started with "http:", you allow an attacker to intercept the data & replace it with anything. For many years, using https: was something special you only did on special sites. At this point, https: is the norm, and using http: is just like using telnet - something you should avoid in most circumstances if the data might traverse the public Internet.
I tried to imagine a use case of "cannot use HTTPS" in combination with this badge but didn't come up with one... I'd use the badge inserted in README.md files on GitHub repositories. Visiting GitHub repos (and displaying the rendered output of the file) happens via HTTPS anyway - so loading the badge via HTTPS will not be the problem I guess.
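An added example, not part of this pull request or of any participant's comment: it resolves the three reference forms discussed in the thread (`http:`, `https:` and `//`) against an embedding page using the WHATWG URL parser and reports which embeds would travel in cleartext. The hosts `docs.example` and `badge.example`, the badge path and the function names are constructed for illustration.

```javascript
// Added example. All hosts and paths below are constructed sample values.

// Resolve one embedded reference the way a browser would for the given page,
// and classify the resulting fetch.
function classifyEmbed(pageUrl, ref) {
  const page = new URL(pageUrl);
  // A protocol-relative reference ("//host/path") inherits page.protocol here.
  const resolved = new URL(ref, page);
  const cleartext = resolved.protocol === 'http:';
  return {
    resolved: resolved.href,
    crossOrigin: resolved.origin !== page.origin,
    cleartext, // the response can be read or replaced in transit
    mixedContent: page.protocol === 'https:' && cleartext,
  };
}

// Scan markup for src/href attributes and return only the embeds that would
// be fetched over plain http for this embedding page.
function auditMarkup(pageUrl, markup) {
  const findings = [];
  const attr = /\b(?:src|href)\s*=\s*"([^"]+)"/gi;
  for (const match of markup.matchAll(attr)) {
    const result = classifyEmbed(pageUrl, match[1]);
    if (result.cleartext) findings.push({ ref: match[1], ...result });
  }
  return findings;
}

// Constructed sample: the same badge embedded in each of the three forms.
const SAMPLE = `
<img src="http://badge.example/badge.svg">
<img src="//badge.example/badge.svg">
<img src="https://badge.example/badge.svg">
`;

for (const page of ['http://docs.example/readme.html',
                    'https://docs.example/readme.html']) {
  console.log(page);
  for (const f of auditMarkup(page, SAMPLE)) {
    console.log(`  cleartext: ${f.ref} -> ${f.resolved}` +
                (f.mixedContent ? ' (mixed content)' : ''));
  }
}
```

Only the explicit `https:` reference stays off the cleartext list for both embedding pages, which is the form this pull request switches the documentation to.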