docs: update links to use HTTPS as protocol #39718
Conversation
Marcono1234
changed the title
aio/content/guide/security.md
Outdated
| `Content-Security-Policy` HTTP header. Read more about content security policy at the | ||
| [Web Fundamentals page](https://developers.google.com/web/fundamentals/security/csp) on the | ||
| Google Developers website. |
There was a problem hiding this comment.
Not sure if the wording here is good. The reason for this change is that http://www.html5rocks.com/en/tutorials/security/content-security-policy/ redirects to the Google Developers site.
There was a problem hiding this comment.
I think "Web Fundamentals guide" is better. Other than that, everything sounds good to me.
| @@ -222,7 +222,7 @@ modified to serve `index.html`: | |||
|
|
|||
|
|
|||
| * [IIS](https://www.iis.net/): add a rewrite rule to `web.config`, similar to the one shown | |||
| [here](http://stackoverflow.com/a/26152011/2116927): | |||
| [here](https://stackoverflow.com/a/26152011): | |||
There was a problem hiding this comment.
I have removed the user ID at the end. Could be added again if that user wants badges 😄
| @@ -137,7 +137,7 @@ template using the `<app-hero-form>` tag. | |||
| The **Submit** button has some classes on it for styling. | |||
| At this point, the form layout is all plain HTML5, with no bindings or directives. | |||
|
|
|||
| 6. The sample form uses some style classes from [Twitter Bootstrap](http://getbootstrap.com/css/): `container`, `form-group`, `form-control`, and `btn`. | |||
| 6. The sample form uses some style classes from [Twitter Bootstrap](https://getbootstrap.com/css/): `container`, `form-group`, `form-control`, and `btn`. | |||
There was a problem hiding this comment.
Maybe this could also be changed to https://getbootstrap.com/, or a different link, in case this applies to version 4 as well. The current link leads to version 3.4.
There was a problem hiding this comment.
This is amazing, @Marcono1234 ❤️
I could help taking a look, even if it's in draft state 😇
This comment has been minimized.
This comment has been minimized.
|
I have force-pushed to fix a merge conflict by rebasing onto I can also squash the commits at the end, but for now I think having them separate makes it easier to see the changes. |
gkalpak
added
action: review
|
You can preview e9fab14 at https://pr39718-e9fab14.ngbuilds.io/. |
There was a problem hiding this comment.
Thx, @Marcono1234! One last comment and this should be good to go 🚀
We prefer rebasing over merging, so force-pushing to a PR branch is fine 😉
You are right that we will need the commits squashed eventually. A better way to keep incremental changes separate is using fixup commits. See here for more details. At this point, you could squash your existing commits into one and add any new changes to a fixup commit (so they are easier to review).
This comment has been minimized.
This comment has been minimized.
1 similar comment
This comment has been minimized.
This comment has been minimized.
pullapprove
bot
requested review from
alxhub,
AndrewKushnir,
atscott,
IgorMinar and
jelbourn
This comment has been minimized.
This comment has been minimized.
| `${lowerAttrName} on element ${tagName} (see https://g.co/ng/security#xss)`); | ||
| `${lowerAttrName} on element ${tagName} ` + | ||
| `(see https://g.co/ng/security#xss)`); |
There was a problem hiding this comment.
The format task wanted to wrap this in a weird way:
console.warn(
`WARNING: ignoring unsafe attribute value ` +
`${lowerAttrName} on element ${
tagName} (see https://g.co/ng/security#xss)`);I am not really familiar with TypeScript, but that did not look right to me so I manually wrapped it instead.
There was a problem hiding this comment.
You should never argue with the formatter 😛
Your way is fine too, though, so heppy to go with that (as long as the formatter is happy).
There was a problem hiding this comment.
🎉
Thx, @Marcono1234 ❤️
Reviewed-for: dev-infra, global-docs-approvers
This comment has been minimized.
This comment has been minimized.
There was a problem hiding this comment.
wow.. nice cleanup. thank you, @Marcono1234!
Reviewed-for: global-approvers
IgorMinar
added
action: merge
AndrewKushnir
added
the
action: presubmit
|
No problem and thanks for the review comments! It appears the CircleCI "Details" links require you to authenticate with your GitHub account, even though you just want to see the build logs. This is rather cumbersome, especially since CircleCI requests quite a lot permissions1. Is this something you can control and potentially turn off? 1: Requested permissions:
|
gkalpak
changed the title
|
Unfortunately that is not something we control 😞 |
|
This issue has been automatically locked due to inactivity. Read more about our automatic conversation locking policy. This action has been performed automatically by a bot. |
PR Checklist
Please check if your PR fulfills the following requirements:
PR Type
What kind of change does this PR introduce?
What is the current behavior?
Documentation, code comments and example and test code is using HTTP for links and URLs despite the target sites supporting HTTPS. When the user then opens the site, the browser first tries to create an unencrypted connection. An adversary in the same local network could abuse this.
What is the new behavior?
The links have been updated where the target site supports HTTPS (and is correctly configured); some links have been updated to their current redirect destination.
Note that this pull request might have missed a few cases. Additionally it is a draft for now to make sure that it does not break anything (since there are also a few code changes).
Though I do not mind if you think this effort is not worth it. Also feel free to pick the relevant edits from the pull request then, or let me know if you want something to be changed, or if you want this pull request to be split.
Does this PR introduce a breaking change?
I hope not.