Use raw.githubusercontent.com instead of raw.github.com for binaries #99
According to [GitHub](https://developer.github.com/changes/2014-04-25-user-content-security/), to avoid XSS all user-generated content must be accessed from an alternative domain: `raw.githubusercontent.com`.
Can we please merge this? All of our builds are failing until this is pushed.
We are also stuck for now. Please merge this request.
Please merge 👍
👍
🆒
I can confirm this fixes the issue.
Please merge this.
Please merge.
:merge_it:
No 😑
Someone for the love of god merge this and unblock me.
🙏 merge.
MERGE ME MERGE ME MERGE ME
LGTM 👍
Can I get a MERGE ma bro
🚢
🚀
🆘
If you don't have any new information to add, please 👍 an existing message instead of adding duplicates or spamming gifs. The fewer messages the maintainers have to read through, the faster they'll get a fix released 😉
This change looks amazing please merge.
@@ -3,7 +3,7 @@ const path = require('path'); | |||
const BinWrapper = require('bin-wrapper'); | |||
const pkg = require('../package.json'); | |||
|
|||
const url = `https://raw.github.com/imagemin/pngquant-bin/v${pkg.version}/vendor/`; | |||
const url = `https://raw.githubusercontent.com/imagemin/pngquant-bin/v${pkg.version}/vendor/`; |
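Review bot: Nothing on the changed `const url` line (or elsewhere in this hunk) pins the content of what is downloaded from `v${pkg.version}/vendor/`, so the install trusts whatever the host returns for that tag; consider recording a SHA-256 for each vendor binary in the package and verifying it after download. A short comment above the line linking GitHub's announcement would also explain why the host is `raw.githubusercontent.com`.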
Should this be in an `encodeURI()` call?
@shaun-sweet `encodeURI()` makes no sense here, it does not encode special characters like `:`, `.` or `/` that can be found in this URL, please do not confuse it with `encodeURIComponent()`. Please see the corresponding article on MDN.
Good call!!
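As an added example (not code from this thread or from pngquant-bin), the following shows what each encoder does to the finished URL and one check that does apply to a templated download URL: validating the interpolated version and the resulting origin. `vendorUrl`, `compareEncoders`, `ALLOWED_HOST` and `SEMVER` are hypothetical names, and the sample inputs are constructed.

```javascript
'use strict';
// Added example: vendorUrl(), compareEncoders(), ALLOWED_HOST and SEMVER are
// hypothetical names, not part of pngquant-bin or bin-wrapper.
const ALLOWED_HOST = 'raw.githubusercontent.com';
// Strict x.y.z with an optional pre-release tag; no '/', '?', '#', '@' or '%'.
const SEMVER = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;

// Build the vendor base URL only from a version string that cannot change
// the host or path structure, then confirm what the URL parser actually sees.
function vendorUrl(version) {
  if (typeof version !== 'string' || !SEMVER.test(version)) {
    throw new TypeError(`unexpected version: ${JSON.stringify(version)}`);
  }
  const url = new URL(`https://${ALLOWED_HOST}/imagemin/pngquant-bin/v${version}/vendor/`);
  if (url.protocol !== 'https:' || url.hostname !== ALLOWED_HOST) {
    throw new Error(`unexpected download origin: ${url.origin}`);
  }
  return url.href;
}

// What each encoder does to the finished URL.
function compareEncoders(url) {
  return {
    encodeURI: encodeURI(url),                   // leaves ':', '/' and '.' alone
    encodeURIComponent: encodeURIComponent(url), // escapes ':' and '/', not '.'
  };
}

// Constructed sample inputs.
const good = vendorUrl('5.0.2');
console.log(good);
console.log(compareEncoders(good));
for (const bad of ['5.0.2/../x', '5.0.2?x=1', '', undefined]) {
  try {
    vendorUrl(bad);
  } catch (err) {
    console.log('rejected:', err.message);
  }
}
```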
Published v5.0.2.
In my case, it failed in githubusercontent, but it succeeded in github.
UPD: as @cadejscroggins indicated below `raw.github.com` seems to be working now, but would be nice to be sure that issue will not appear again some day.