While the original expected values were more correct in the majority of these tests, we shouldn't impose too much logic on the nginx rules that will be making the tests pass. It's better to have slightly less precise HTTP error codes but to have an easier (and more maintainable) nginx config.
The top-level (GET /) of each domain should redirect to the main Persona website (currently https://login.persona.org).
Same reasons as 5808238.
In this case, the URL is the right one (including the scheme) and the only thing that needs to be fixed is the method. Note that for this one, the spec says that we need to include an "Allow" header: http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.7
As far as I can tell, 405 is only used for method mismatch (e.g. POST v. GET): http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.6 In these cases, parts of the URL are wrong so 404 seems like a better fit.
benadida writes here: https://bugzilla.mozilla.org/show_bug.cgi?id=781838#c15

> 1. a request for "http://www.anosrep.org/" would redirect to
> "http://anosrep.org/" which would then do a second redirect to
> "https://login.anosrep.org/"

Yes, I'm okay with this 2-step redirect because in case anyone caches the www --> non-www redirect (the first one), and we start serving diff stuff at anosrep.org, then I'd like that to work.

> 2. a request for "https://www.anosrep.org/" would redirect to
> "https://anosrep.org/" which would then do a second redirect to
> "https://login.anosrep.org/"

Same reasoning. There's a chance we serve something different at anosrep.org in the future; don't want to write rules that imply that login.* and anosrep.org are the same site.

> 3. a request for "http://www.anosrep.org/about" would return a 404
> 4. a request for "https://www.anosrep.org/about" would return a 404

Yes, I'd like that. I would rather be stricter about the API we expose and then loosen it if needed.
benadida writes here: https://bugzilla.mozilla.org/show_bug.cgi?id=781838#c15

> You'd said "POST http://verifier.login.anosrep.org/verify 400
>
> --> yes."
>
> Do you really want to serve back a 400 Bad Request on an http POST to
> "http://verifier.login.anosrep.org/verify" or would you like to serve a 405
> Method Not Allowed like we do for other POSTs to http?

Let me tweak the request based on a conversation with Francois. For all plain HTTP requests to the verifier, we should give a 404 with an error message that says "the verifier is only available over SSL."
benadida writes here: https://bugzilla.mozilla.org/show_bug.cgi?id=781838#c15

(In reply to Eugene Wood [:gene] from comment #13)

> > You'd said "GET http://static.login.anosrep.org/ https://login.anosrep.org/
> > --> for top-level path only."
>
> Does this mean you really want to allow serving of static resources over
> http? For example, you want to serve back a 200 when a request for
> http://login.anosrep.org/v/fb5534092a/production/browserid.css ?

Ahah, good catch. So I would suggest that:

- top-level static path on HTTP redirect to top-level login.* path on HTTPS.
- every other URL on plain HTTP static should give a 404.

so that we only serve static content from https.
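As an added example (not the project's own nginx config), the decisions from the last three comments expressed as nginx server blocks: the www -> bare-domain -> login.* two-step redirect, the plain-HTTP verifier answering 404 with the agreed message, and the plain-HTTP static host redirecting only at "/". Hostnames are the anosrep.org staging names from the thread; the 301 status and the omitted ssl_certificate directives are assumptions.

```nginx
# www.anosrep.org: "/" redirects to the bare domain on the same scheme
# (first hop of the 2-step redirect); every other path is a 404.
server {
    listen 80;
    listen 443 ssl;   # ssl_certificate/ssl_certificate_key omitted here
    server_name www.anosrep.org;

    location = / { return 301 $scheme://anosrep.org/; }
    location /   { return 404; }
}

# anosrep.org: "/" redirects to the login site (second hop); anything
# else is a 404, so the rules never imply login.* and anosrep.org are one site.
server {
    listen 80;
    listen 443 ssl;   # ssl_certificate/ssl_certificate_key omitted here
    server_name anosrep.org;

    location = / { return 301 https://login.anosrep.org/; }
    location /   { return 404; }
}

# Plain-HTTP verifier: any method, any path -> 404 with the agreed message,
# so nothing is ever verified over cleartext.
server {
    listen 80;
    server_name verifier.login.anosrep.org;

    location / {
        default_type text/plain;
        return 404 "the verifier is only available over SSL.\n";
    }
}

# Plain-HTTP static host: only "/" redirects to the HTTPS login site;
# every other static URL on http:// is a 404 (static is served over https only).
server {
    listen 80;
    server_name static.login.anosrep.org;

    location = / { return 301 https://login.anosrep.org/; }
    location /   { return 404; }
}
```

Because the thread notes the www -> non-www hop may be cached, a 301 is what makes that caching possible; use 302 if you want clients to re-check it each time.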
https://browserid.org/verify'; is 405. That URL must never be blocked as it is the URL that >90% of the current Relying Parties use." So I'm fixing that in the test case list