Re-allow hosting HTML, JS & CSS from *.org #50

Merged
hw merged 1 commits from momar/build-deploy-gitea:bugfix/fix-raw-content-type into master 2 months ago
momar commented 1 year ago
Owner

This resolves a regression from 5553585631 - `Content-Type: text/plain` was mistakenly set on pages like fonts.codeberg.org for HTML, JS and CSS files.
hw commented 1 year ago
Owner

Can you please also review #52?
Poster
Owner

Did that, I guess they're quite closely related and don't work at the same time, but solve different issues 🙈
momar force-pushed bugfix/fix-raw-content-type from df67f0f85f to b23d3e83ac 1 year ago
Poster
Owner

This has now been rebased to include #52, together with some changes (see https://codeberg.org/Codeberg/build-deploy-gitea/issues/52#issuecomment-183030).
Poster
Owner

I have deployed this to codeberg-test.org, and raw content works when adding `116.203.144.175 raw.codeberg.eu` to `/etc/hosts` (`.eu` instead of `.page` because it doesn't have HSTS; `.page` instead of `.org` because `raw.*` doesn't work on `.org`, as seen in #52).
hw commented 1 year ago
Owner

> I have deployed this to codeberg-test.org, and raw content works when adding `116.203.144.175 raw.codeberg.eu` to `/etc/hosts` (`.eu` instead of `.page` because it doesn't have HSTS; `.page` instead of `.org` because `raw.*` doesn't work on `.org`, as seen in #52).

not sure if I understand, where is the reference to `.page` coming from?
Poster
Owner

Because I'm not sure what domain is intended to be used for `raw.*` - it doesn't seem to be `raw.codeberg.org`, because https://codeberg.org/Codeberg/build-deploy-gitea/src/commit/b23d3e83ac2654ad8d6bba6001097f1acf14d1cd/var/www/pages/index.php#L47 is in the `else` branch, so it won't work on `*.org` - my question mainly is if that was intended.
momar force-pushed bugfix/fix-raw-content-type from 684342ffad to b23d3e83ac 1 year ago
momar force-pushed bugfix/fix-raw-content-type from b23d3e83ac to 48c37c9d8d 1 year ago
Poster
Owner

I just rebased this onto master - what's missing here @hw? Do you want raw.codeberg.org, raw.codeberg.page or raw.codeberg.eu? Security-wise it shouldn't matter.
hw commented 1 year ago
Owner

> Because I'm not sure what domain is intended to be used for `raw.*` - it doesn't seem to be `raw.codeberg.org`, because https://codeberg.org/Codeberg/build-deploy-gitea/src/commit/b23d3e83ac2654ad8d6bba6001097f1acf14d1cd/var/www/pages/index.php#L47 is in the `else` branch, so it won't work on `*.org` - my question mainly is if that was intended.

`raw.*` content must be served from a dedicated domain (can be included from any site, the reason people asked for this is to be able to securely embed cross-site content).
hw commented 1 year ago
Owner

> I just rebased this onto master - what's missing here @hw? Do you want raw.codeberg.org, raw.codeberg.page or raw.codeberg.eu? Security-wise it shouldn't matter.

Either `.page/.eu`, or a new dedicated domain (if we think this is worth it). The main missing bit was a thorough review ;)
momar added 1 commit 1 year ago
Poster
Owner

Hm, you're right that Cookies might be set across subdomains.

I just disabled CORS to get-it-on.codeberg.org and docs.codeberg.org with an additional commit; it's needed though for design.codeberg.org and fonts.codeberg.org.

I think codeberg-raw.org or something makes sense for the raw content? But as this basically contains everything CORS-related, what can we do to make design.codeberg.org finally work? Deploy this as it is so raw.codeberg.page and raw.codeberg.eu work?
momar force-pushed bugfix/fix-raw-content-type from c6582ad10b to 4bc21c7082 1 year ago
Poster
Owner

Alright, it's now using the Gitea API and contains a lot of extra measurements to make sure that the path is safe.

URL format is now: https://raw.codeberg.page/username/reponame/@branch/path/to/file, with the `@branch` component being optional. LFS or other identifiers than the branch are not possible with this version, but I guess that's alright for now.

Fun fact: I'm also working on a new Pages server in Go that supports repositories with a `pages` branch (like https://example.codeberg.page/myrepo/), caching, compression, and custom domains with Let's Encrypt.
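The URL format described in the comment above, parsed with strict path checks, as an added example in Go. It is not code from this pull request; `RawTarget`, `ParseRawPath` and the name allow-list are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// RawTarget is a hypothetical type holding the parsed parts of a raw URL path.
type RawTarget struct{ Owner, Repo, Branch, File string }

var (
	// Allow-list for user and repository names (assumed, not Gitea's exact rule).
	nameRe    = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._-]*$`)
	errUnsafe = errors.New("unsafe or malformed raw path")
)

// ParseRawPath splits an already URL-decoded path of the form
// /username/reponame/[@branch/]path/to/file. Empty, "." and ".." segments are
// refused rather than normalised, so nothing can climb out of the repository.
func ParseRawPath(p string) (RawTarget, error) {
	if strings.ContainsAny(p, "\x00\\") { // NUL bytes and backslashes
		return RawTarget{}, errUnsafe
	}
	parts := strings.Split(strings.TrimPrefix(p, "/"), "/")
	if len(parts) < 3 || !nameRe.MatchString(parts[0]) || !nameRe.MatchString(parts[1]) {
		return RawTarget{}, errUnsafe
	}
	t, rest := RawTarget{Owner: parts[0], Repo: parts[1]}, parts[2:]
	if strings.HasPrefix(rest[0], "@") { // optional @branch component
		t.Branch, rest = rest[0][1:], rest[1:]
		if t.Branch == "" || t.Branch == "." || t.Branch == ".." || len(rest) == 0 {
			return RawTarget{}, errUnsafe
		}
	}
	for _, seg := range rest {
		if seg == "" || seg == "." || seg == ".." {
			return RawTarget{}, errUnsafe
		}
	}
	t.File = strings.Join(rest, "/")
	return t, nil
}

func main() {
	fmt.Println(ParseRawPath("/username/reponame/@branch/path/to/file"))
}
```

In this sketch an absent `@branch` leaves `Branch` empty, which a caller would map to the repository's default branch.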
hw commented 1 year ago
Owner

We should set the `Link: <URL>; rel="canonical"` HTTP header for branches, to avoid redundant indexing by search engines, and keep crawler traffic within reasonable bounds, also add a disallow wildcard to `robots.txt`.
hw commented 1 year ago
Owner

> I just disabled CORS to get-it-on.codeberg.org

Shouldn't badges be embeddable across sites?
hw merged commit 4bc21c7082 into master 1 year ago
hw commented 1 year ago
Owner

Merged for early testing, let's address the comments above in follow-up PR.
Poster
Owner

> Shouldn't badges be embeddable across sites?

They are - CORS is basically only needed when requesting something directly from JavaScript, or if it's a web font. Embedding pictures or even scripts and stylesheets doesn't need CORS.
The pull request has been merged as 4bc21c7082.