Quantcast

Switch from "http" to "https" prefix for CSL style ID and "self"-links

classic Classic list List threaded Threaded
11 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Switch from "http" to "https" prefix for CSL style ID and "self"-links

rmzelle
Administrator
Hi all,

It looks like the entire zotero.org domain (recently?) switched to
serving everything over HTTPS. We just had our first CSL style
submission that uses "https" in the style's "template"-link,
"self"-link, and style ID, which made our Travis CI tests fail:
https://github.com/citation-style-language/styles/pull/910

We probably want to accept styles that use either "http" or "https" as
the URL prefix for the style ID and "self", "independent-parent", and
"template" links, and I'm planning to adjust the Travis tests to allow
for this. I'm mentioning this to give people a heads-up of the change,
in case the use of the "https" prefix breaks anybody's code.

Rintze

PS. we could also use this change as a reason to start hosting all CSL
styles under the citationstyles.org domain, e.g. via
"repository.citationstyles.org/apa.csl", as discussed at
http://xbiblio-devel.2463403.n2.nabble.com/call-for-comments-on-base-URI-issue-td6097469.html#a6174119
, which is long-standing item on my wish list.

------------------------------------------------------------------------------
Put Bad Developers to Shame
Dominate Development with Jenkins Continuous Integration
Continuously Automate Build, Test & Deployment
Start a new project now. Try Jenkins in the cloud.
http://p.sf.net/sfu/13600_Cloudbees
_______________________________________________
xbiblio-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/xbiblio-devel
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Switch from "http" to "https" prefix for CSL style ID and "self"-links

Charles Parnot
Hi Rintze,

Just to be sure: are the current style going to be changed? If all the IDs are changed, that would be quite a mess for Papers, as the id is used to... uniquely identify the style ;-)

Sorry I don’t show up much on the mailing list anymore, just busy with http://findingsapp.com

Thanks,

Charles


On Apr 10, 2014, at 6:35 PM, Rintze Zelle <[hidden email]> wrote:

> Hi all,
>
> It looks like the entire zotero.org domain (recently?) switched to
> serving everything over HTTPS. We just had our first CSL style
> submission that uses "https" in the style's "template"-link,
> "self"-link, and style ID, which made our Travis CI tests fail:
> https://github.com/citation-style-language/styles/pull/910
>
> We probably want to accept styles that use either "http" or "https" as
> the URL prefix for the style ID and "self", "independent-parent", and
> "template" links, and I'm planning to adjust the Travis tests to allow
> for this. I'm mentioning this to give people a heads-up of the change,
> in case the use of the "https" prefix breaks anybody's code.
>
> Rintze
>
> PS. we could also use this change as a reason to start hosting all CSL
> styles under the citationstyles.org domain, e.g. via
> "repository.citationstyles.org/apa.csl", as discussed at
> http://xbiblio-devel.2463403.n2.nabble.com/call-for-comments-on-base-URI-issue-td6097469.html#a6174119
> , which is long-standing item on my wish list.
>
> ------------------------------------------------------------------------------
> Put Bad Developers to Shame
> Dominate Development with Jenkins Continuous Integration
> Continuously Automate Build, Test & Deployment
> Start a new project now. Try Jenkins in the cloud.
> http://p.sf.net/sfu/13600_Cloudbees
> _______________________________________________
> xbiblio-devel mailing list
> [hidden email]
> https://lists.sourceforge.net/lists/listinfo/xbiblio-devel

--
Charles Parnot
[hidden email]
http://app.net/cparnot
twitter: @cparnot

Your Lab Notebook, Reinvented.
http://findingsapp.com


------------------------------------------------------------------------------
Put Bad Developers to Shame
Dominate Development with Jenkins Continuous Integration
Continuously Automate Build, Test & Deployment
Start a new project now. Try Jenkins in the cloud.
http://p.sf.net/sfu/13600_Cloudbees
_______________________________________________
xbiblio-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/xbiblio-devel
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Switch from "http" to "https" prefix for CSL style ID and "self"-links

rmzelle
Administrator
I wasn't planning on changing IDs of existing styles. And on
reflection, it might be easier if we just require folks to use "http"
as the prefix, even though zotero.org automatically redirects those
links to HTTPS URLs.

Rintze

On Fri, Apr 11, 2014 at 11:11 AM, Charles Parnot
<[hidden email]> wrote:

> Hi Rintze,
>
> Just to be sure: are the current style going to be changed? If all the IDs are changed, that would be quite a mess for Papers, as the id is used to... uniquely identify the style ;-)
>
> Sorry I don't show up much on the mailing list anymore, just busy with http://findingsapp.com
>
> Thanks,
>
> Charles
>
>
> On Apr 10, 2014, at 6:35 PM, Rintze Zelle <[hidden email]> wrote:
>
>> Hi all,
>>
>> It looks like the entire zotero.org domain (recently?) switched to
>> serving everything over HTTPS. We just had our first CSL style
>> submission that uses "https" in the style's "template"-link,
>> "self"-link, and style ID, which made our Travis CI tests fail:
>> https://github.com/citation-style-language/styles/pull/910
>>
>> We probably want to accept styles that use either "http" or "https" as
>> the URL prefix for the style ID and "self", "independent-parent", and
>> "template" links, and I'm planning to adjust the Travis tests to allow
>> for this. I'm mentioning this to give people a heads-up of the change,
>> in case the use of the "https" prefix breaks anybody's code.
>>
>> Rintze
>>
>> PS. we could also use this change as a reason to start hosting all CSL
>> styles under the citationstyles.org domain, e.g. via
>> "repository.citationstyles.org/apa.csl", as discussed at
>> http://xbiblio-devel.2463403.n2.nabble.com/call-for-comments-on-base-URI-issue-td6097469.html#a6174119
>> , which is long-standing item on my wish list.
>>
>> ------------------------------------------------------------------------------
>> Put Bad Developers to Shame
>> Dominate Development with Jenkins Continuous Integration
>> Continuously Automate Build, Test & Deployment
>> Start a new project now. Try Jenkins in the cloud.
>> http://p.sf.net/sfu/13600_Cloudbees
>> _______________________________________________
>> xbiblio-devel mailing list
>> [hidden email]
>> https://lists.sourceforge.net/lists/listinfo/xbiblio-devel
>
> --
> Charles Parnot
> [hidden email]
> http://app.net/cparnot
> twitter: @cparnot
>
> Your Lab Notebook, Reinvented.
> http://findingsapp.com
>
>
> ------------------------------------------------------------------------------
> Put Bad Developers to Shame
> Dominate Development with Jenkins Continuous Integration
> Continuously Automate Build, Test & Deployment
> Start a new project now. Try Jenkins in the cloud.
> http://p.sf.net/sfu/13600_Cloudbees
> _______________________________________________
> xbiblio-devel mailing list
> [hidden email]
> https://lists.sourceforge.net/lists/listinfo/xbiblio-devel

------------------------------------------------------------------------------
Put Bad Developers to Shame
Dominate Development with Jenkins Continuous Integration
Continuously Automate Build, Test & Deployment
Start a new project now. Try Jenkins in the cloud.
http://p.sf.net/sfu/13600_Cloudbees
_______________________________________________
xbiblio-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/xbiblio-devel
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Switch from "http" to "https" prefix for CSL style ID and "self"-links

Chris Maloney
This is just a knee-jerk reaction, without knowing much about your infrastructure.  I think your latest suggestion, here, Rintze, is the best one.  

I would recommend treating these first and foremost as *identifiers*, in the linked-data sense, rather than web addresses.  In that case, it's a good idea to establish this kind of convention ("http" and not "https") so that it makes it easier and more robust for machines to process.  There might be use-cases, for example, where you want to generate an identifier from the style name, and compare it with against a set of ids from somewhere else; or to extract the style name using a regexp, etc.



Chris Maloney
NIH/NLM/NCBI (Contractor)
Building 45, 5AN.24D-22
301-594-2842


> -----Original Message-----
> From: Rintze Zelle [mailto:[hidden email]]
> Sent: Friday, April 11, 2014 11:24 AM
> To: development discussion for xbiblio
> Subject: Re: [xbiblio-devel] Switch from "http" to "https" prefix for CSL style
> ID and "self"-links
>
> I wasn't planning on changing IDs of existing styles. And on reflection, it might
> be easier if we just require folks to use "http"
> as the prefix, even though zotero.org automatically redirects those links to
> HTTPS URLs.
>
> Rintze
>
> On Fri, Apr 11, 2014 at 11:11 AM, Charles Parnot <[hidden email]>
> wrote:
> > Hi Rintze,
> >
> > Just to be sure: are the current style going to be changed? If all the
> > IDs are changed, that would be quite a mess for Papers, as the id is
> > used to... uniquely identify the style ;-)
> >
> > Sorry I don't show up much on the mailing list anymore, just busy with
> > http://findingsapp.com
> >
> > Thanks,
> >
> > Charles
> >
> >
> > On Apr 10, 2014, at 6:35 PM, Rintze Zelle <[hidden email]> wrote:
> >
> >> Hi all,
> >>
> >> It looks like the entire zotero.org domain (recently?) switched to
> >> serving everything over HTTPS. We just had our first CSL style
> >> submission that uses "https" in the style's "template"-link,
> >> "self"-link, and style ID, which made our Travis CI tests fail:
> >> https://github.com/citation-style-language/styles/pull/910
> >>
> >> We probably want to accept styles that use either "http" or "https"
> >> as the URL prefix for the style ID and "self", "independent-parent",
> >> and "template" links, and I'm planning to adjust the Travis tests to
> >> allow for this. I'm mentioning this to give people a heads-up of the
> >> change, in case the use of the "https" prefix breaks anybody's code.
> >>
> >> Rintze
> >>
> >> PS. we could also use this change as a reason to start hosting all
> >> CSL styles under the citationstyles.org domain, e.g. via
> >> "repository.citationstyles.org/apa.csl", as discussed at
> >> http://xbiblio-devel.2463403.n2.nabble.com/call-for-comments-on-base-
> >> URI-issue-td6097469.html#a6174119 , which is long-standing item on my
> >> wish list.
> >>
> >> ---------------------------------------------------------------------
> >> ---------
> >> Put Bad Developers to Shame
> >> Dominate Development with Jenkins Continuous Integration
> Continuously
> >> Automate Build, Test & Deployment Start a new project now. Try
> >> Jenkins in the cloud.
> >> http://p.sf.net/sfu/13600_Cloudbees
> >> _______________________________________________
> >> xbiblio-devel mailing list
> >> [hidden email]
> >> https://lists.sourceforge.net/lists/listinfo/xbiblio-devel
> >
> > --
> > Charles Parnot
> > [hidden email]
> > http://app.net/cparnot
> > twitter: @cparnot
> >
> > Your Lab Notebook, Reinvented.
> > http://findingsapp.com
> >
> >
> > ----------------------------------------------------------------------
> > --------
> > Put Bad Developers to Shame
> > Dominate Development with Jenkins Continuous Integration Continuously
> > Automate Build, Test & Deployment Start a new project now. Try Jenkins
> > in the cloud.
> > http://p.sf.net/sfu/13600_Cloudbees
> > _______________________________________________
> > xbiblio-devel mailing list
> > [hidden email]
> > https://lists.sourceforge.net/lists/listinfo/xbiblio-devel
>
> ------------------------------------------------------------------------------
> Put Bad Developers to Shame
> Dominate Development with Jenkins Continuous Integration Continuously
> Automate Build, Test & Deployment Start a new project now. Try Jenkins in
> the cloud.
> http://p.sf.net/sfu/13600_Cloudbees
> _______________________________________________
> xbiblio-devel mailing list
> [hidden email]
> https://lists.sourceforge.net/lists/listinfo/xbiblio-devel

------------------------------------------------------------------------------
Put Bad Developers to Shame
Dominate Development with Jenkins Continuous Integration
Continuously Automate Build, Test & Deployment
Start a new project now. Try Jenkins in the cloud.
http://p.sf.net/sfu/13600_Cloudbees
_______________________________________________
xbiblio-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/xbiblio-devel
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Switch from "http" to "https" prefix for CSL style ID and "self"-links

Sebastian Karcher
> There might be use-cases, for example, where you want to generate an identifier from the style name, and compare it with against a set of ids from somewhere else

yeah, good point by Chris - we should keep the rules for IDs strict
and not allow for ambiguity (as in "either http or https").
I don't think there's much of a downside to keeping this all as http
except that we'll likely be seeing more submission errors even if we
highlight this (as we should) in the style requirements

On Fri, Apr 11, 2014 at 9:31 AM, Maloney, Christopher (NIH/NLM/NCBI)
[C] <[hidden email]> wrote:

> This is just a knee-jerk reaction, without knowing much about your infrastructure.  I think your latest suggestion, here, Rintze, is the best one.
>
> I would recommend treating these first and foremost as *identifiers*, in the linked-data sense, rather than web addresses.  In that case, it's a good idea to establish this kind of convention ("http" and not "https") so that it makes it easier and more robust for machines to process.  There might be use-cases, for example, where you want to generate an identifier from the style name, and compare it with against a set of ids from somewhere else; or to extract the style name using a regexp, etc.
>
>
>
> Chris Maloney
> NIH/NLM/NCBI (Contractor)
> Building 45, 5AN.24D-22
> 301-594-2842
>
>
>> -----Original Message-----
>> From: Rintze Zelle [mailto:[hidden email]]
>> Sent: Friday, April 11, 2014 11:24 AM
>> To: development discussion for xbiblio
>> Subject: Re: [xbiblio-devel] Switch from "http" to "https" prefix for CSL style
>> ID and "self"-links
>>
>> I wasn't planning on changing IDs of existing styles. And on reflection, it might
>> be easier if we just require folks to use "http"
>> as the prefix, even though zotero.org automatically redirects those links to
>> HTTPS URLs.
>>
>> Rintze
>>
>> On Fri, Apr 11, 2014 at 11:11 AM, Charles Parnot <[hidden email]>
>> wrote:
>> > Hi Rintze,
>> >
>> > Just to be sure: are the current style going to be changed? If all the
>> > IDs are changed, that would be quite a mess for Papers, as the id is
>> > used to... uniquely identify the style ;-)
>> >
>> > Sorry I don't show up much on the mailing list anymore, just busy with
>> > http://findingsapp.com
>> >
>> > Thanks,
>> >
>> > Charles
>> >
>> >
>> > On Apr 10, 2014, at 6:35 PM, Rintze Zelle <[hidden email]> wrote:
>> >
>> >> Hi all,
>> >>
>> >> It looks like the entire zotero.org domain (recently?) switched to
>> >> serving everything over HTTPS. We just had our first CSL style
>> >> submission that uses "https" in the style's "template"-link,
>> >> "self"-link, and style ID, which made our Travis CI tests fail:
>> >> https://github.com/citation-style-language/styles/pull/910
>> >>
>> >> We probably want to accept styles that use either "http" or "https"
>> >> as the URL prefix for the style ID and "self", "independent-parent",
>> >> and "template" links, and I'm planning to adjust the Travis tests to
>> >> allow for this. I'm mentioning this to give people a heads-up of the
>> >> change, in case the use of the "https" prefix breaks anybody's code.
>> >>
>> >> Rintze
>> >>
>> >> PS. we could also use this change as a reason to start hosting all
>> >> CSL styles under the citationstyles.org domain, e.g. via
>> >> "repository.citationstyles.org/apa.csl", as discussed at
>> >> http://xbiblio-devel.2463403.n2.nabble.com/call-for-comments-on-base-
>> >> URI-issue-td6097469.html#a6174119 , which is long-standing item on my
>> >> wish list.
>> >>
>> >> ---------------------------------------------------------------------
>> >> ---------
>> >> Put Bad Developers to Shame
>> >> Dominate Development with Jenkins Continuous Integration
>> Continuously
>> >> Automate Build, Test & Deployment Start a new project now. Try
>> >> Jenkins in the cloud.
>> >> http://p.sf.net/sfu/13600_Cloudbees
>> >> _______________________________________________
>> >> xbiblio-devel mailing list
>> >> [hidden email]
>> >> https://lists.sourceforge.net/lists/listinfo/xbiblio-devel
>> >
>> > --
>> > Charles Parnot
>> > [hidden email]
>> > http://app.net/cparnot
>> > twitter: @cparnot
>> >
>> > Your Lab Notebook, Reinvented.
>> > http://findingsapp.com
>> >
>> >
>> > ----------------------------------------------------------------------
>> > --------
>> > Put Bad Developers to Shame
>> > Dominate Development with Jenkins Continuous Integration Continuously
>> > Automate Build, Test & Deployment Start a new project now. Try Jenkins
>> > in the cloud.
>> > http://p.sf.net/sfu/13600_Cloudbees
>> > _______________________________________________
>> > xbiblio-devel mailing list
>> > [hidden email]
>> > https://lists.sourceforge.net/lists/listinfo/xbiblio-devel
>>
>> ------------------------------------------------------------------------------
>> Put Bad Developers to Shame
>> Dominate Development with Jenkins Continuous Integration Continuously
>> Automate Build, Test & Deployment Start a new project now. Try Jenkins in
>> the cloud.
>> http://p.sf.net/sfu/13600_Cloudbees
>> _______________________________________________
>> xbiblio-devel mailing list
>> [hidden email]
>> https://lists.sourceforge.net/lists/listinfo/xbiblio-devel
>
> ------------------------------------------------------------------------------
> Put Bad Developers to Shame
> Dominate Development with Jenkins Continuous Integration
> Continuously Automate Build, Test & Deployment
> Start a new project now. Try Jenkins in the cloud.
> http://p.sf.net/sfu/13600_Cloudbees
> _______________________________________________
> xbiblio-devel mailing list
> [hidden email]
> https://lists.sourceforge.net/lists/listinfo/xbiblio-devel



--
Sebastian Karcher
Ph.D. Candidate
Department of Political Science
Northwestern University

------------------------------------------------------------------------------
Put Bad Developers to Shame
Dominate Development with Jenkins Continuous Integration
Continuously Automate Build, Test & Deployment
Start a new project now. Try Jenkins in the cloud.
http://p.sf.net/sfu/13600_Cloudbees
_______________________________________________
xbiblio-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/xbiblio-devel
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Switch from "http" to "https" prefix for CSL style ID and "self"-links

Bruce D'Arcus-3
In reply to this post by Charles Parnot

Yeah, I was going to make that point. Seems really odd to change IDs just to accommodate some security change.

On Apr 11, 2014 11:11 AM, "Charles Parnot" <[hidden email]> wrote:
Hi Rintze,

Just to be sure: are the current style going to be changed? If all the IDs are changed, that would be quite a mess for Papers, as the id is used to... uniquely identify the style ;-)

Sorry I don’t show up much on the mailing list anymore, just busy with http://findingsapp.com

Thanks,

Charles


On Apr 10, 2014, at 6:35 PM, Rintze Zelle <[hidden email]> wrote:

> Hi all,
>
> It looks like the entire zotero.org domain (recently?) switched to
> serving everything over HTTPS. We just had our first CSL style
> submission that uses "https" in the style's "template"-link,
> "self"-link, and style ID, which made our Travis CI tests fail:
> https://github.com/citation-style-language/styles/pull/910
>
> We probably want to accept styles that use either "http" or "https" as
> the URL prefix for the style ID and "self", "independent-parent", and
> "template" links, and I'm planning to adjust the Travis tests to allow
> for this. I'm mentioning this to give people a heads-up of the change,
> in case the use of the "https" prefix breaks anybody's code.
>
> Rintze
>
> PS. we could also use this change as a reason to start hosting all CSL
> styles under the citationstyles.org domain, e.g. via
> "repository.citationstyles.org/apa.csl", as discussed at
> http://xbiblio-devel.2463403.n2.nabble.com/call-for-comments-on-base-URI-issue-td6097469.html#a6174119
> , which is long-standing item on my wish list.
>
> ------------------------------------------------------------------------------
> Put Bad Developers to Shame
> Dominate Development with Jenkins Continuous Integration
> Continuously Automate Build, Test & Deployment
> Start a new project now. Try Jenkins in the cloud.
> http://p.sf.net/sfu/13600_Cloudbees
> _______________________________________________
> xbiblio-devel mailing list
> [hidden email]
> https://lists.sourceforge.net/lists/listinfo/xbiblio-devel

--
Charles Parnot
[hidden email]
http://app.net/cparnot
twitter: @cparnot

Your Lab Notebook, Reinvented.
http://findingsapp.com


------------------------------------------------------------------------------
Put Bad Developers to Shame
Dominate Development with Jenkins Continuous Integration
Continuously Automate Build, Test & Deployment
Start a new project now. Try Jenkins in the cloud.
http://p.sf.net/sfu/13600_Cloudbees
_______________________________________________
xbiblio-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/xbiblio-devel

------------------------------------------------------------------------------
Put Bad Developers to Shame
Dominate Development with Jenkins Continuous Integration
Continuously Automate Build, Test & Deployment
Start a new project now. Try Jenkins in the cloud.
http://p.sf.net/sfu/13600_Cloudbees
_______________________________________________
xbiblio-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/xbiblio-devel
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Switch from "http" to "https" prefix for CSL style ID and "self"-links

rmzelle
Administrator
In reply to this post by Chris Maloney
Agreed. The main requirement is that the style "self"-link should
resolve to an online copy of the style, and that won't be a problem if
we stick to using "http".

Rintze

On Fri, Apr 11, 2014 at 11:31 AM, Maloney, Christopher (NIH/NLM/NCBI)
[C] <[hidden email]> wrote:
> I would recommend treating these first and foremost as *identifiers*, in the linked-data sense, rather than web addresses.  In that case, it's a good idea to establish this kind of convention ("http" and not "https") so that it makes it easier and more robust for machines to process.

------------------------------------------------------------------------------
Put Bad Developers to Shame
Dominate Development with Jenkins Continuous Integration
Continuously Automate Build, Test & Deployment
Start a new project now. Try Jenkins in the cloud.
http://p.sf.net/sfu/13600_Cloudbees
_______________________________________________
xbiblio-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/xbiblio-devel
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Switch from "http" to "https" prefix for CSL style ID and "self"-links

Charles Parnot
Ah, it’s settled then :-)

On Apr 11, 2014, at 5:59 PM, Rintze Zelle <[hidden email]> wrote:

> Agreed. The main requirement is that the style "self"-link should
> resolve to an online copy of the style, and that won't be a problem if
> we stick to using "http".
>
> Rintze
>
> On Fri, Apr 11, 2014 at 11:31 AM, Maloney, Christopher (NIH/NLM/NCBI)
> [C] <[hidden email]> wrote:
>> I would recommend treating these first and foremost as *identifiers*, in the linked-data sense, rather than web addresses.  In that case, it's a good idea to establish this kind of convention ("http" and not "https") so that it makes it easier and more robust for machines to process.
>
> ------------------------------------------------------------------------------
> Put Bad Developers to Shame
> Dominate Development with Jenkins Continuous Integration
> Continuously Automate Build, Test & Deployment
> Start a new project now. Try Jenkins in the cloud.
> http://p.sf.net/sfu/13600_Cloudbees
> _______________________________________________
> xbiblio-devel mailing list
> [hidden email]
> https://lists.sourceforge.net/lists/listinfo/xbiblio-devel

--
Charles Parnot
[hidden email]
http://app.net/cparnot
twitter: @cparnot

Your Lab Notebook, Reinvented.
http://findingsapp.com


------------------------------------------------------------------------------
Put Bad Developers to Shame
Dominate Development with Jenkins Continuous Integration
Continuously Automate Build, Test & Deployment
Start a new project now. Try Jenkins in the cloud.
http://p.sf.net/sfu/13600_Cloudbees
_______________________________________________
xbiblio-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/xbiblio-devel
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Switch from "http" to "https" prefix for CSL style ID and "self"-links

Dan Stillman
In reply to this post by rmzelle
On 4/11/14, 11:59 AM, Rintze Zelle wrote:
> Agreed. The main requirement is that the style "self"-link should
> resolve to an online copy of the style, and that won't be a problem if
> we stick to using "http".

Just to make sure this is what you're saying, the rel="self" links for
Zotero-hosted styles can and should be "https". It's just the ids that
should stay as "http".

Zotero actually makes a single request that includes the ids when it
updates styles from the Zotero repo, but a client that updates each
style directly shouldn't need to trigger unnecessary redirects (and, in
theory, expose itself to some sort of XML-parsing exploit or other
mischief).

rel="independent-parent" should also be "https", since that's used for
retrieval rather than identification.

(There's no particular need to mass-change old styles, though.)

------------------------------------------------------------------------------
Put Bad Developers to Shame
Dominate Development with Jenkins Continuous Integration
Continuously Automate Build, Test & Deployment
Start a new project now. Try Jenkins in the cloud.
http://p.sf.net/sfu/13600_Cloudbees
_______________________________________________
xbiblio-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/xbiblio-devel
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Switch from "http" to "https" prefix for CSL style ID and "self"-links

Dan Stillman
On 4/11/14, 5:54 PM, Dan Stillman wrote:

> On 4/11/14, 11:59 AM, Rintze Zelle wrote:
>> Agreed. The main requirement is that the style "self"-link should
>> resolve to an online copy of the style, and that won't be a problem if
>> we stick to using "http".
>
> Just to make sure this is what you're saying, the rel="self" links for
> Zotero-hosted styles can and should be "https". It's just the ids that
> should stay as "http".
>
> Zotero actually makes a single request that includes the ids when it
> updates styles from the Zotero repo, but a client that updates each
> style directly shouldn't need to trigger unnecessary redirects (and,
> in theory, expose itself to some sort of XML-parsing exploit or other
> mischief).
>
> rel="independent-parent" should also be "https", since that's used for
> retrieval rather than identification.
>
> (There's no particular need to mass-change old styles, though.)

And I think rel="template" should also be dereferenceable (and therefore
"https"), with the same logic as rel="independent-parent" — that is, in
any case where you don't have the original style, you need to use the
value as a locator.

Once you've installed a style, directly or indirectly (via
independent-parent), you have the id, which you can use as a unique
identifier.

------------------------------------------------------------------------------
Put Bad Developers to Shame
Dominate Development with Jenkins Continuous Integration
Continuously Automate Build, Test & Deployment
Start a new project now. Try Jenkins in the cloud.
http://p.sf.net/sfu/13600_Cloudbees
_______________________________________________
xbiblio-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/xbiblio-devel
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Switch from "http" to "https" prefix for CSL style ID and "self"-links

rmzelle
Administrator
Uhm, yes, that makes sense.

I modified the Travis tests to allow (but not require) "https" in
"self", "template", and "independent-parent" links. Going forward
we'll prefer the use of "https" for these links, but I don't think
we'll enforce this very carefully unless we decide to bulk-modify the
existing styles and switch all these links over to "https". Style IDs
will still use "http".

See https://github.com/citation-style-language/styles/commit/86ac53d10d2515695409823991acfe7dd6c40126
and https://github.com/citation-style-language/styles/pull/910 (I
accepted the previously problematic style).

Rintze

On Fri, Apr 11, 2014 at 6:11 PM, Dan Stillman <[hidden email]> wrote:

> On 4/11/14, 5:54 PM, Dan Stillman wrote:
>> On 4/11/14, 11:59 AM, Rintze Zelle wrote:
>>> Agreed. The main requirement is that the style "self"-link should
>>> resolve to an online copy of the style, and that won't be a problem if
>>> we stick to using "http".
>>
>> Just to make sure this is what you're saying, the rel="self" links for
>> Zotero-hosted styles can and should be "https". It's just the ids that
>> should stay as "http".
>>
>> Zotero actually makes a single request that includes the ids when it
>> updates styles from the Zotero repo, but a client that updates each
>> style directly shouldn't need to trigger unnecessary redirects (and,
>> in theory, expose itself to some sort of XML-parsing exploit or other
>> mischief).
>>
>> rel="independent-parent" should also be "https", since that's used for
>> retrieval rather than identification.
>>
>> (There's no particular need to mass-change old styles, though.)
>
> And I think rel="template" should also be dereferenceable (and therefore
> "https"), with the same logic as rel="independent-parent" -- that is, in
> any case where you don't have the original style, you need to use the
> value as a locator.
>
> Once you've installed a style, directly or indirectly (via
> independent-parent), you have the id, which you can use as a unique
> identifier.

------------------------------------------------------------------------------
Put Bad Developers to Shame
Dominate Development with Jenkins Continuous Integration
Continuously Automate Build, Test & Deployment
Start a new project now. Try Jenkins in the cloud.
http://p.sf.net/sfu/13600_Cloudbees
_______________________________________________
xbiblio-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/xbiblio-devel
Loading...