Zsh Mailing List Archive

Re: Sourceforge -> https


On Fri, May 21, 2021 at 05:40:19PM +0200, Mikael Magnusson wrote:
> > Your website is currently hosted at http://zsh.sourceforge.net with PHP 5.4
> >
> > To update to https://zsh.sourceforge.io and PHP 7.x, click the button
> > below.

+1 for moving away from PHP 5.4 (long time EoL already). Do we use PHP
at all? HTTPS is fine, too. :-)

> The tld being different seems a bit more concerning

Well, if I were SF, I would be concerned if I didn't do it.

Reason for the different TLD is that otherwise every project page
could extract valid https://sourceforge.net/ authentication cookies
and afterwards impersonate that user.

This is one of the reasons why using just the domain itself as website
should not be done unless all subdomains are trusted. (Which obviously
isn't the case for a hosting business.) Same reason why GitHub pages
are hosted under github.io and not github.com.

Actually, it is already a concern for old project sites, but since
most HTTPS cookies are not also sent over plain HTTP, it's ok-ish.

The cleaner solution for SF would be to use "www.sourceforge.net" and
restrict cookies to this hostname instead of the whole domain. (You
don't seem to be able to restrict cookies to a domain, but then
exclude its subdomains.) But since websites without "www." are totally
in fashion these days... (I should shut up here as I have at least one
domain I use that way, too. But without using any authentication
cookies. :-)

> but presumably the old urls will continue to redirect?

I think so, yes. At least it works for other projects like e.g.


		Kind regards, Axel
PGP: 2FF9CD59612616B5      /~\  Plain Text Ribbon Campaign, http://arc.pasp.de/
Mail: abe@xxxxxxxxxxxxxxx  \ /  Say No to HTML in E-Mail and Usenet
Mail+Jabber: abe@xxxxxxxxx  X
https://axel.beckert.ch/   / \  I love long mails: https://email.is-not-s.ms/
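
The cookie scoping described in the message above, as an added example that is not part of the original post: a simplified JavaScript model of RFC 6265 domain matching (Path, expiry, IP-address hosts and the public suffix list are ignored). The cookie name `session` and the assumption that the main site sets a `Domain=sourceforge.net` cookie are constructed for illustration.

```javascript
// Simplified model of RFC 6265 cookie scoping (sections 5.1.3, 5.3, 5.4).

// A host domain-matches a cookie domain if they are identical or the host
// ends with "." + domain.
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// Store a cookie as a browser would after a Set-Cookie response from setterHost.
// No Domain attribute => host-only cookie bound to the exact setting host.
function storeCookie(setterHost, name, attrs = {}) {
  const secure = Boolean(attrs.secure);
  if (attrs.domain === undefined) {
    return { name, domain: setterHost.toLowerCase(), hostOnly: true, secure };
  }
  const domain = attrs.domain.replace(/^\./, "").toLowerCase();
  // A host may only set cookies for itself or one of its parent domains.
  if (!domainMatch(setterHost, domain)) return null;
  return { name, domain, hostOnly: false, secure };
}

// Would the browser attach this cookie to a request for url?
function isSent(cookie, url) {
  const u = new URL(url);
  if (cookie.secure && u.protocol !== "https:") return false;
  return cookie.hostOnly
    ? u.hostname === cookie.domain
    : domainMatch(u.hostname, cookie.domain);
}

// Constructed scenarios (assumed cookie settings, not observed from SourceForge).
const wide = storeCookie("sourceforge.net", "session",
  { domain: "sourceforge.net", secure: true });
const hostOnly = storeCookie("www.sourceforge.net", "session", { secure: true });
const fromIoSite = storeCookie("zsh.sourceforge.io", "session",
  { domain: "sourceforge.net" });

function report() {
  return {
    wideToProjectHttps: isSent(wide, "https://zsh.sourceforge.net/"),
    wideToProjectHttp: isSent(wide, "http://zsh.sourceforge.net/"),
    hostOnlyToProject: isSent(hostOnly, "https://zsh.sourceforge.net/"),
    wideToIoSite: isSent(wide, "https://zsh.sourceforge.io/"),
    ioSiteCanSetForNet: fromIoSite !== null,
  };
}
console.log(report());
```

Only the domain-wide cookie over HTTPS reaches a project subdomain; the Secure flag, a host-only cookie on `www`, and the separate `.io` domain each keep it away from project pages.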
