Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Always use https:// #1390

Closed
wants to merge 4 commits into from
Closed

Always use https:// #1390

wants to merge 4 commits into from

Conversation

beaufortfrancois
Copy link
Contributor

@beaufortfrancois beaufortfrancois commented Apr 4, 2018
edited
Loading

This CL simply makes sure we don't use // and also adds playsinline which is almost always mandatory in iOS world

This CL simply makes sure we don't use protocol relative URLs.

Now that SSL is encouraged for everyone and doesn’t have performance concerns, this technique is now an anti-pattern. If the asset you need is available on SSL, then always use the https:// asset.

Allowing the snippet to request over HTTP opens the door for attacks like the recent Github Man-on-the-side attack. It’s always safe to request HTTPS assets even if your site is on HTTP, however the reverse is not true.

Source: See https://www.paulirish.com/2010/the-protocol-relative-url/ and https://google.github.io/styleguide/htmlcssguide.html#Protocol.
joeyparrish
joeyparrish requested changes Apr 4, 2018
View reviewed changes
docs/tutorials/basic-usage.md Outdated
@@ -23,16 +23,16 @@ Basic usage of Shaka Player is very easy:
<body>
<video id="video"
width="640"
poster="//shaka-player-demo.appspot.com/assets/poster.jpg"
controls autoplay></video>
poster="/assets/poster.jpg"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The original version was correct. assets/poster.jpg is a dynamic script hosted on appspot and does not live in the sources. This change will cause the poster not to show in a local copy. Please revert.
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You're right. I'll revert.
docs/tutorials/basic-usage.md
</body>
</html>
```

```js
// myapp.js

var manifestUri = '//storage.googleapis.com/shaka-demo-assets/angel-one/dash.mpd';
var manifestUri = 'https://storage.googleapis.com/shaka-demo-assets/angel-one/dash.mpd';
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you explain why we shouldn't use // ? It's not very helpful to make arbitrary changes like this without at least explaining them in the commit message.
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See https://www.paulirish.com/2010/the-protocol-relative-url/ and https://google.github.io/styleguide/htmlcssguide.html#Protocol. You can also have a look at b/31773284 and b/73454807
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! Can you please update the other instances of protocol-relative URIs as well? There are many, many of these in the code.
docs/tutorials/basic-usage.md Outdated
poster="//shaka-player-demo.appspot.com/assets/poster.jpg"
controls autoplay></video>
poster="/assets/poster.jpg"
controls autoplay playsinline></video>
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A link to playsinline docs in the commit message would be helpful. You mention that it's required for iOS, which we do not currently support. If there are other reasons for this, we need context.
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since iOS is not supported yet*, I'll revert for now.
@beaufortfrancois beaufortfrancois changed the title Fix nits Apr 4, 2018
joeyparrish
joeyparrish requested changes Apr 5, 2018
View reviewed changes
docs/tutorials/basic-usage.md
</body>
</html>
```

```js
// myapp.js

var manifestUri = '//storage.googleapis.com/shaka-demo-assets/angel-one/dash.mpd';
var manifestUri = 'https://storage.googleapis.com/shaka-demo-assets/angel-one/dash.mpd';
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! Can you please update the other instances of protocol-relative URIs as well? There are many, many of these in the code.
@beaufortfrancois
Copy link
Contributor Author

beaufortfrancois commented Apr 9, 2018
edited
Loading

@joeyparrish Here it is: git grep -l "'//" | xargs sed -i "s/'\/\//'https:\/\//g" in docs/tutorials
@joeyparrish
Copy link
Member

Thank you, but I meant in the entire project, not just the docs. Don't worry, though, I'll take care of it. git grep -l was a very helpful hint. Thanks!
@shaka-bot shaka-bot closed this in 66abf9c Apr 9, 2018
@github-actions github-actions bot added the status: archived Archived and locked; will not be updated label Jul 25, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jul 25, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
status: archived Archived and locked; will not be updated
2 participants
@beaufortfrancois @joeyparrish