
Rawgithub.com - johns
https://rawgithub.com/
======
waawal
"We added the X-Content-Type-Options: nosniff header to our raw URL responses
way back in 2011 as a first step in combating hotlinking. This has the effect
of forcing the browser to treat content in accordance with the Content-Type
header. That means that when we set Content-Type: text/plain for raw views of
files, the browser will refuse to treat that file as JavaScript or CSS."

<https://github.com/blog/1482-heads-up-nosniff-header-support-coming-to-chrome-and-firefox>
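To make the effect of the quoted header concrete, here is a small added example (not rawgithub.com's or GitHub's code) that models what a nosniff-honouring browser does with a raw-file response used as a `<script>` or stylesheet. The three sample responses are constructed: one mimicking the `text/plain` + `nosniff` combination the blog post describes, one mimicking a proxy that rewrites the `Content-Type`, and one a plain server that sends neither header.

```python
"""Model the browser-side effect of X-Content-Type-Options: nosniff.

Added example; the header sets below are constructed for illustration and
are not captured from any real server.
"""
from typing import Dict, Mapping

# MIME types a nosniff-honouring browser accepts for a script destination.
JS_MIME_TYPES = {
    "text/javascript", "application/javascript", "application/x-javascript",
    "text/ecmascript", "application/ecmascript", "text/jscript",
}


def _header(headers: Mapping[str, str], name: str) -> str:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def mime_essence(content_type: str) -> str:
    """'text/plain; charset=utf-8' -> 'text/plain'."""
    return content_type.split(";", 1)[0].strip().lower()


def nosniff_enabled(headers: Mapping[str, str]) -> bool:
    """True when the response carries X-Content-Type-Options: nosniff."""
    return _header(headers, "X-Content-Type-Options").strip().lower() == "nosniff"


def blocked_by_nosniff(headers: Mapping[str, str], destination: str) -> bool:
    """Return True if nosniff makes the browser refuse this response for
    the given destination ('script' or 'style').  Without nosniff the
    check does not apply and the browser is free to sniff the content."""
    if not nosniff_enabled(headers):
        return False
    essence = mime_essence(_header(headers, "Content-Type"))
    if destination == "script":
        return essence not in JS_MIME_TYPES
    if destination == "style":
        return essence != "text/css"
    return False  # other destinations (img, document, ...) are not gated here


def audit(responses: Mapping[str, Mapping[str, str]], destination: str) -> Dict[str, str]:
    """Summarise, per sample response, what a browser does with it as `destination`."""
    verdicts = {}
    for name, headers in responses.items():
        if blocked_by_nosniff(headers, destination):
            verdicts[name] = "blocked by nosniff"
        elif nosniff_enabled(headers):
            verdicts[name] = "allowed: declared type matches"
        else:
            verdicts[name] = "not gated: no nosniff, browser may sniff"
    return verdicts


# Constructed sample responses (not real captures).
SAMPLES = {
    "raw-view-with-nosniff": {
        "Content-Type": "text/plain; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    },
    "proxy-rewrites-content-type": {
        "Content-Type": "application/javascript",
    },
    "legacy-server-no-headers": {
        "Content-Type": "text/plain",
    },
}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLES, "script").items():
        print(f"{name:32s} {verdict}")
```

Running the block prints one verdict per sample; the first sample is the one the blog post describes, where `text/plain` plus `nosniff` stops the file from being used as JavaScript, while the same file without the header is left to the browser's sniffing.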

------
shared4you
"What will happen if im an asshole" -- that's the first time I've seen a URL
anchor like that!

<https://rawgithub.com/#what-will-happen-if-im-an-asshole>

~~~
derleth
I think the author should warn people "If you're a big enough asshole, I will
make your website look amusingly awful and submit it to Reddit and Hacker
News." Making someone look like a complete idiot in public can be a powerful
disincentive.

~~~
juandopazo
It has happened, but the result was a more polite alert() box in a homepage
and it wasn't posted anywhere.

~~~
rgrove
Actually, it was an alert() box plus evil.js, which overwrites lots of native
JS functionality to intentionally cause weird bugs.

The idea is to make it impossible to ignore so abusers will stop their
hotlinking. I'm not really interested in shaming anyone, though. I think it's
usually just a simple mistake where someone was lazy and didn't bother reading
all the caveats.

------
gkoberger
Very awesome.

I'm sure there's a legitimate reason, but I've always wondered why you can't
just set master as your GitHub Pages branch if it made sense (rather than
gh_pages).

~~~
shurcooL
I've tried that here [1], gh-pages has replaced master as the only branch. It
seems to work well [2] for the static site.

[1] <https://github.com/shurcooL/latest-tweets>

[2] <http://shurcool.github.io/latest-tweets/>

------
balac
I like the service, but is it OK to use the github name like this?

~~~
asperous
Looks like no, it's trademarked:
[http://tess2.uspto.gov/bin/showfield?f=doc&state=4802:zp...](http://tess2.uspto.gov/bin/showfield?f=doc&state=4802:zp1qua.2.2)

Since Mr. Grove (and by extension, his website) is based in the USA, it is
eligible to be sued (in fact they have to protect their copyright or risk
rendering it de facto invalid).

~~~
rcfox
They have to defend their _trademark_, not their copyright.

~~~
asperous
That's what I meant

------
huntedsnark
This is great, I have some JSFiddle examples that I share occasionally that
reference some raw files on GitHub; this fixes them in Chrome. Seems like the
perfect use case for this.

------
simonw
I love it - I've been wanting this for ages. Super convenient.

------
sergeykish
Same idea with source <https://github.com/sergeykish/gisted>

~~~
quarterto
Read the FAQ, rawgithub's source is here:
<https://github.com/rgrove/rawgithub>

------
the_mitsuhiko
Sounds like a horrible idea security wise.

~~~
judofyr
Care to explain why?

~~~
PommeDeTerre
Is it really not obvious?

The site's FAQ admits that it'll engage in what is basically a man-in-the-
middle attack against content that receives heavy traffic, for instance. See
the "rawgithub.com will start serving evil.js and evil.css instead of
requested JS and CSS files" part of one of the answers.

If the content being served will be modified in some cases, is there really
anything preventing it from being modified in a different (perhaps more
malicious) way in some other cases?

Like anything else, a service like this is itself susceptible to breach, of
course. There's always the potential that it gets compromised, and starts
acting in a malicious manner, initially undetected by its
creators/operators/users.

Some may argue that this is acceptable risk for content served up for
demonstration purposes. I'm not certain that's necessarily true. A demo being
unexpectedly modified in a harmful way (racial slurs inserted into a web
site's text, malicious JavaScript being injected, and so on) could seriously
affect the demo giver's reputation, for example.

It's not difficult, nor expensive, to set up your own publicly-facing web
server. If already using GitHub, git makes it quite simple to fetch and update
any content being served up. While there is still risk associated with such a
setup, you are cutting out at least one other party by doing things yourself,
avoiding the harm they could potentially cause. So services of this type seem
quite unnecessary, and perhaps more of a risk than they're worth.

~~~
tokenizerrr
This service is all about work-in-progress and demo projects. Just to show it
off for a quick demo or whatever. You're completely right, but also missed the
point of this tool completely.

~~~
rgrove
This is exactly right.

Anyone who's using rawgithub.com in a situation where harm could be done by
running arbitrary third-party JS is probably misusing rawgithub.com.

------
niutech
I've done a similar project GitHub HTML Preview, which allows you to run any
HTML & JS & CSS without using GitHub Pages or downloading a repo:
<http://htmlpreview.github.io>

------
ozh
Related: <http://www.5minfork.com/>

------
brokencube
evil.js is just beautiful...

------
kwestro
Couldn't come up with any other name? The site is just begging to be taken
down by Github.

------
louischatriot
I needed it yesterday :) Well done.

------
ryeguy
Does this font render horribly for anyone else? On windows with chrome here.

~~~
rfnslyr
It renders horribly for me as well. On that note, how does one _properly_
implement custom fonts into a webpage? Is there a standard, recognized,
foolproof way? I've rarely seen it done correctly.

On that note again, where do I learn about fonts in the browser in general?

~~~
bpatrianakos
There's sort of a standard way. But really no. It's one of those situations
where if you're going to use custom webfonts and aren't using a service you'll
need to go through some trial and error, do some research, and basically
decide which platform/browser combo is most important to you. The second most
popular post on my website discusses this. Not trying to self-promote and
there are problems with my implementation too but maybe this can get you
started: <http://billpatrianakos.me/blog/2012/12/26/fix-webfont-rendering-issues-in-chrome-for-windows/>

------
zenocon
Why doesn't github just fix it to send the correct content-type back?

~~~
matthavener
If someone can host arbitrary html and js on the *.github.com domain, they can
set cookies for github.com. See
<http://homakov.blogspot.com/2013/03/hacking-github-with-webkit.html>

