Switch from "http" to "https" prefix for CSL style ID and "self"-links

Hi all,

It looks like the entire zotero.org domain (recently?) switched to
serving everything over HTTPS. We just had our first CSL style
submission that uses “https” in the style’s “template”-link,
“self”-link, and style ID, which made our Travis CI tests fail:
https://github.com/citation-style-language/styles/pull/910

We probably want to accept styles that use either “http” or “https” as
the URL prefix for the style ID and “self”, “independent-parent”, and
"template" links, and I’m planning to adjust the Travis tests to allow
for this. I’m mentioning this to give people a heads-up of the change,
in case the use of the “https” prefix breaks anybody’s code.

Rintze

PS. we could also use this change as a reason to start hosting all CSL
styles under the citationstyles.org domain, e.g. via
"repository.citationstyles.org/apa.csl", as discussed at
http://xbiblio-devel.2463403.n2.nabble.com/call-for-comments-on-base-URI-issue-td6097469.html#a6174119
, which is a long-standing item on my wish list.

Hi Rintze,

Just to be sure: are the current styles going to be changed? If all the IDs are changed, that would be quite a mess for Papers, as the id is used to… uniquely identify the style :wink:

Sorry I don’t show up much on the mailing list anymore, just busy with http://findingsapp.com

Thanks,

Charles

I wasn’t planning on changing IDs of existing styles. And on
reflection, it might be easier if we just require folks to use "http"
as the prefix, even though zotero.org automatically redirects those
links to HTTPS URLs.

Rintze

This is just a knee-jerk reaction, without knowing much about your infrastructure. I think your latest suggestion, here, Rintze, is the best one.

I would recommend treating these first and foremost as identifiers, in the linked-data sense, rather than web addresses. In that case, it’s a good idea to establish this kind of convention (“http” and not “https”) so that it makes it easier and more robust for machines to process. There might be use-cases, for example, where you want to generate an identifier from the style name, and compare it against a set of ids from somewhere else; or to extract the style name using a regexp, etc.

Chris Maloney
NIH/NLM/NCBI (Contractor)
Building 45, 5AN.24D-22
301-594-2842

There might be use-cases, for example, where you want to generate an identifier from the style name, and compare it against a set of ids from somewhere else

Yeah, good point by Chris - we should keep the rules for IDs strict
and not allow for ambiguity (as in “either http or https”).
I don’t think there’s much of a downside to keeping this all as http
except that we’ll likely be seeing more submission errors even if we
highlight this (as we should) in the style requirements.

Yeah, I was going to make that point. Seems really odd to change IDs just
to accommodate some security change.

Agreed. The main requirement is that the style “self”-link should
resolve to an online copy of the style, and that won’t be a problem if
we stick to using “http”.

Rintze

Ah, it’s settled then :slight_smile:

And I think rel=“template” should also be dereferenceable (and therefore
"https"), with the same logic as rel=“independent-parent” — that is, in
any case where you don’t have the original style, you need to use the
value as a locator.

Once you’ve installed a style, directly or indirectly (via
independent-parent), you have the id, which you can use as a unique
identifier.

Just to make sure this is what you’re saying, the rel=“self” links for
Zotero-hosted styles can and should be “https”. It’s just the ids that
should stay as “http”.

Zotero actually makes a single request that includes the ids when it
updates styles from the Zotero repo, but a client that updates each
style directly shouldn’t need to trigger unnecessary redirects (and, in
theory, expose itself to some sort of XML-parsing exploit or other
mischief).

rel=“independent-parent” should also be “https”, since that’s used for
retrieval rather than identification.

(There’s no particular need to mass-change old styles, though.)

Uhm, yes, that makes sense.

I modified the Travis tests to allow (but not require) “https” in
"self", “template”, and “independent-parent” links. Going forward
we’ll prefer the use of “https” for these links, but I don’t think
we’ll enforce this very carefully unless we decide to bulk-modify the
existing styles and switch all these links over to “https”. Style IDs
will still use “http”.

See https://github.com/citation-style-language/styles/commit/86ac53d10d2515695409823991acfe7dd6c40126
and https://github.com/citation-style-language/styles/pull/910 (I
accepted the previously problematic style).

Rintze
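
The rule this thread settles on, sketched as an added example (it is not the project's Travis test code): style IDs keep the "http" prefix, while "self", "template" and "independent-parent" links may use either scheme. The www.zotero.org/styles/ URL layout, the style-name pattern and the comparison of the "self" link name against the ID are assumptions, and the sample style is constructed.

```python
import re
import xml.etree.ElementTree as ET

CSL_NS = {"csl": "http://purl.org/net/xbiblio/csl"}
# Assumed URL layout and name pattern; only the scheme rules come from the thread.
ID_RE = re.compile(r"^http://www\.zotero\.org/styles/([a-z0-9-]+)$")
LINK_RE = re.compile(r"^https?://www\.zotero\.org/styles/([a-z0-9-]+)$")
CHECKED_RELS = {"self", "template", "independent-parent"}


def check_style(xml_text):
    """Return a list of problems with the style ID and its retrieval links."""
    problems = []
    info = ET.fromstring(xml_text).find("csl:info", CSL_NS)
    if info is None:
        return ["missing <info>"]
    style_id = (info.findtext("csl:id", default="", namespaces=CSL_NS) or "").strip()
    id_match = ID_RE.match(style_id)
    if not id_match:  # the ID is an identifier: exactly one spelling, always http
        problems.append(f"id must use the http prefix: {style_id!r}")
    for link in info.findall("csl:link", CSL_NS):
        rel, href = link.get("rel"), link.get("href", "")
        if rel not in CHECKED_RELS:
            continue  # e.g. rel="documentation" is not covered by this rule
        m = LINK_RE.match(href)
        if not m:  # these links are locators: http or https both accepted
            problems.append(f"{rel} link must be http or https: {href!r}")
        elif rel == "self" and id_match and m.group(1) != id_match.group(1):
            problems.append(f"self link does not match id: {href!r}")
    return problems


def sample(id_url, self_url):
    """Build a constructed, minimal style for exercising check_style()."""
    return f"""<style xmlns="http://purl.org/net/xbiblio/csl" version="1.0">
  <info>
    <title>Constructed Example</title>
    <id>{id_url}</id>
    <link href="{self_url}" rel="self"/>
    <link href="https://www.zotero.org/styles/apa" rel="template"/>
    <link href="http://example.org/guide" rel="documentation"/>
  </info>
</style>"""


if __name__ == "__main__":
    name = "www.zotero.org/styles/constructed-example"
    print(check_style(sample("http://" + name, "https://" + name)))
    print(check_style(sample("https://" + name, "https://" + name)))
```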