
GitHub Launches Pages: Static Project and Personal Hosting - defunkt
http://github.com/blog/272-github-pages
======
delano
This is the best thing to happen to site hosting in a long, long time. It's
possibly even the nail in the *forge coffin.

~~~
Harkins
Except they can never allow you to do anything dynamic on the server or you'd
be able to read the HttpOnly github session cookies of anyone logged into
github.com itself.

Well, they could, but they'd have to move to www.github.com exclusively, wait
for all those session cookies to expire or for folks to visit and get them
reset...

~~~
mojombo
GitHub cookies are restricted to github.com and gist.github.com domains (using
a redirect trick to allow cross subdomain cookie sharing). You can use all the
JavaScript you like on your Pages.

~~~
Harkins
There's not redirect trick, the cookies are just set to .github.com.

I didn't say anything about JavaScript being disallowed, the cookies are
HttpOnly. So I said that you can't do things on the server.

~~~
defunkt
The .github.com cookie is old and useless. You can't use it to do anything -
it's a relic of our old authentication system. We should have made sure they
were deleted before switching to the new cookie as it's caused some confusion.

What mojombo said is accurate. (He's a GitHub co-founder and I'm the person
who wrote the redirect code.)

------
mhartl
I wish the GitHub guys would stop working so hard; they're making everyone
else look bad by comparison. ;-)

------
tsally
Now they just need to let you map your own domain to it.

~~~
defunkt
CNAME support is planned. We just wanted to get this thing out the door.

~~~
tsally
Awesome! I should have assumed. :-)

------
gojomo
Great idea and implementation.

There may be some risk with allowing arbitrary-content (including Javascript)
on subdomains of github.com. I tried a few trivial cookie/script/iframe
tricks, and was not able to reach logged-in user info. However, my skills are
far from the state-of-evil-art. Note that even Google put their page-hosting
on a separate 2nd-level-domain, googlepages.com, rather than a subdomain of
google.com.

~~~
defunkt
Please see my other comment. You cannot get user login information from Pages.

~~~
gojomo
In some browsers, there's currently a way:

Safari and IE (but not FF or Chrome) will display 'text/plain'-served-content
as HTML. That means the GitHub 'raw' view of project content can be used to
execute arbitrary user JS from github.com.

Such JS can get at a logged-in user's name and make (at the very least)
superficial changes to profile information. A harmless demo (works on Safari
and IE) is here:

[http://github.com/gojomo/scratch/raw/master/getuser/index.ht...](http://github.com/gojomo/scratch/raw/master/getuser/index.html)

Trivially, then, a Pages subdomain can use the above in an iframe to export
the username out. Demo:

<http://gojomo.github.com/getuser>

The 'raw' issue seems more serious and isn't affected by whether Pages are on
.github.com subdomains or not. Still, subdomains have a slight leg up on
exploiting any security slip-ups and browser bugs that may occur.

~~~
defunkt
Not a problem in Safari 3.

URL 1 in Safari:
[http://img.skitch.com/20081222-kr2k6gwm1b8cbt3i7xqy6n5x9c.pn...](http://img.skitch.com/20081222-kr2k6gwm1b8cbt3i7xqy6n5x9c.png)

URL 2 in Safari:
[http://img.skitch.com/20081222-dk57nxe9epdxx9u5gt71gu1u4p.pn...](http://img.skitch.com/20081222-dk57nxe9epdxx9u5gt71gu1u4p.png)

Please report security bugs at <http://support.github.com> \- not in old
Hacker News comments which may never been seen. Thanks.

~~~
gojomo
Sorry, should have specified: Safari 3 on Windows. All my tests were on
Windows, none on MacOS or Linux.

If it hadn't still been your 'topmost' comment, and a recent top story
possibly still monitored by multiple GitHubbers -- or if I hadn't received an
ack by this morning -- I would have tried an alternate means of report.

Or, if I thought this was a higher-risk issue. (Your general user-management
already seems well-fortified by https against all but superficial mischief.)

Still, I understand the preference that a security bug however small be
reported directly first, and I'll respect that in the future.

------
wastedbrains
OK everyone share your personal pages / github user names...

<http://danmayer.github.com>

(lame site but just put it up for the hell of it)

------
babyshake
I really like this, but I think a lot of the examples so far aren't really
taking advantage of what makes this different.

What makes Github different is that it's connected to your version control, so
I don't see this being especially useful for things like personal websites,
but it could be a great way to supplement the admin and analytics offered by
Github already.

~~~
Locke
Yeah, this might make a nice tool for publishing any api docs (checkout a
separate branch, generate, commit, and push your api docs), or code coverage
reports, etc.

I don't know if it's really taken off, but a bug tracking tool like ditz could
really benefit from this (it can generate an html report based on the bug
"database" stored in your git repo).

<http://ditz.rubyforge.org/>

------
Raphael
GitHub is taking over the world. I wouldn't be surprised if non-programmers
start finding uses for it.

~~~
tdavis
I would be _incredibly_ surprised if such a thing happened. Not because GitHub
isn't awesome (it is), but because most non-programmers would look at you
funny if you said "distributed version control". I mean, most people can
barely use the Internet competently.

------
tlrobinson
If would be neat if you could integrate the wiki into the site, with matching
style (just a simple HTML layout for the wiki plus control of the CSS). If we
could do that, I would consider moving a whole open source project's site to
this.

~~~
mct
It _is_ a wiki, if you treat it like one. That's what's so cool about it.

Two years ago, we moved the Philadelphia LUG website
(<http://phillylinux.org/>) from a set of static HTML pages to a subversion
repository. I dropped in a post-commit hook to update the DocumentRoot after
each checkin, and the site instantly became the best wiki I've ever used.
Revision history is handled by diff, and svn blame. Updates are made with your
favorite $EDITOR. And, as an added bonus, you get to use real HTML rather than
some silly wiki markup language. I love it.

~~~
boucher
One of the most important parts of being a wiki is having a low barrier to
entry. Revision control systems (git even more so than svn or cvs) is a huge
barrier to entry.

~~~
gnaritas
As is _real HTML_. Wikis have simplified markup for a reason.

------
lallysingh
Anyone else click on the link for you.github.com, expecting a demo page?

------
raju
This looks really cool. Looking forward to trying it out...

