Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Consider excluding tzdb from HTTPS redirects #1319

Closed
jskeet opened this Issue Mar 16, 2019 · 3 comments

Comments

Projects
None yet
2 participants
@jskeet
Copy link
Member

jskeet commented Mar 16, 2019

We get a lot of requests for /tzdb/latest.txt - I suspect these are automated from applications.

Currently, we're redirecting those requests to HTTPS, but if we can work out a way of excluding /tzdb/* then that's probably worth doing.

@jskeet jskeet self-assigned this Mar 16, 2019

@jskeet

This comment has been minimized.

Copy link
Member Author

jskeet commented Mar 16, 2019

(I believe this was the case when we were on Azure, so I don't think it's anything new anyway.)

@malcolmr

This comment has been minimized.

Copy link
Contributor

malcolmr commented Mar 18, 2019

I think it'd be a little bit weird to have a mixture of redirecting and non-redirecting paths. Ideally, clients should switch to HTTPS.

Plus, if we enable HTTP Strict-Transport-Security, we'd be in a position where browsers (and other HSTS-supporting UAs) would auto-redirect to HTTPS, but other UAs wouldn't, which would be even more weird, and be ~impossible to test.

@jskeet

This comment has been minimized.

Copy link
Member Author

jskeet commented Mar 18, 2019

Righto. Will close for now, and reopen if we ever decide we want to do this after all, e.g. if application authors run into issues.

@jskeet jskeet closed this Mar 18, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.