On Thu, Jul 29, 2010 at 12:24 PM, C. Michael Pilato <cmpil...@red-bean.com> wrote:
> I was originally thinking "off by default", but only because of the > theoretical security implications of being automatically redirected to a URL > (possibly a different machine, etc.) that differs from what you expected. > Maybe I'm overthinking that, exaggerating the risk? If so -- if there's no > risk to automatically following redirection notices -- then is there any > value in having either configuration OR prompts for this behavior? I am just thinking that most people do not plan to need this feature. Usually a server moves, or occasionally they enter http instead of https and a redirect is in place. If it is not on by default, most people are still going to get an error and are unlikely to know to turn it on. If you are a server admin and need to move a server and want to leave a redirect behind, we do not give you and tools to also go update all your users config's so that they will follow the redirect. I honestly do not know what the security ramifications are. It seems like browsers automatically follow redirects by default. I agree if there are no ramifications then the prompts are of less value. The main value I see in prompts is to let the user know they are being redirected. Presumably a savvy user will want to use sw --relocate to avoid these redirects in the future. If we just do the redirects, might a user just not perceive SVN as being slow? -- Thanks Mark Phippard http://markphip.blogspot.com/
