[Bug 549358] Move project resources to eclipseprojects.io
Bugzilla Link | 549358 |
Status | NEW |
Importance | P3 normal |
Reported | Jul 17, 2019 16:04 EDT |
Modified | Dec 22, 2021 09:07 EDT |
Depends on | 549360, 549359 |
Description
Projects can host two types of application-like resources on the eclipse.org domain, in which the project committers are the content owners:
- websites, at eclipse.org/projectname
- virtual servers, at projectname.eclipse.org
This practice of using the eclipse.org domain is outdated by virtue of being insecure. It facilitates cross-site scripting, cross-site forgery requests and, above all, it enables these applications to access domain-wide cookies, such as those used for certain types of authentication.
While we trust our committers, we feel this outdated practice creates unnecessary exposure and is a security auditing nightmare for the Foundation.
In bug 543323 we acquired the domain "eclipseprojects.io" and we'll tackle migration over an extended period of time.
** Our primary objective is to improve security. Secondary objective is to
** create as little burden on committers as possible. Third objective is to
** minimize breakage.
Here is the proposed timeline:
Now: Phase I : existing project vservers, and new ones, get a mapping on
eclipseprojects.io, in the form of
(servicename).(projectname).eclipseprojects.io
Q2 2020: Phase II : Sandbox all eclipse.org project pages onto
(projectname).eclipseprojects.io
Projects can opt out of a website if they wish, and can use
the PMI as their default web presence:
(https://projects.eclipse.org/projects/technology.babel)
Q2+ '20: Phase III: Work with projects to fix broken elements in the above
sandbox
Q1 2021: Phase IV : Migration
Redirect (301 Moved) eclipse.org/projectname/* to
projectname.eclipseprojects.io/*
This should avoid broken links
All new projects would get an eclipse.org/projectname
redirect to their eclipseprojects.io presence.
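
The cookie exposure described above and the Phase IV redirect mapping, as an added example that is not part of the original bug report. The cookie names, the `www.eclipse.org` host, the `https` target scheme and the project-name pattern are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed cookies (names are assumptions, not real eclipse.org cookies).
COOKIES = [
    {"name": "SESSION_DOMAIN", "domain": "eclipse.org", "host_only": False},
    {"name": "SESSION_HOST", "domain": "www.eclipse.org", "host_only": True},
]

def domain_match(host, cookie_domain):
    """RFC 6265 section 5.1.3: does host fall under the cookie's Domain?"""
    host = host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().lstrip(".")
    if host == cookie_domain:
        return True
    try:
        ipaddress.ip_address(host)
        return False  # IP addresses only ever match exactly
    except ValueError:
        return host.endswith("." + cookie_domain)

def exposed_cookies(host):
    """Names of the cookies a browser would attach to a request for host."""
    sent = []
    for c in COOKIES:
        if c["host_only"]:
            match = host.lower() == c["domain"]
        else:
            match = domain_match(host, c["domain"])
        if match:
            sent.append(c["name"])
    return sent

# Assumed project-name shape: a single lowercase DNS label.
LABEL = re.compile(r"[a-z0-9]([a-z0-9-]*[a-z0-9])?")

def phase4_redirect(url):
    """Map eclipse.org/projectname/* to projectname.eclipseprojects.io/*."""
    parts = urlsplit(url)
    if parts.hostname not in ("eclipse.org", "www.eclipse.org"):
        return None
    project, _, rest = parts.path.lstrip("/").partition("/")
    if not LABEL.fullmatch(project):
        return None  # never build a redirect host from unvalidated input
    target = f"https://{project}.eclipseprojects.io/{rest}"
    return target + ("?" + parts.query if parts.query else "")
```

A project site served from a path on `www.eclipse.org` receives both cookies, a `projectname.eclipse.org` vserver still receives the domain-wide one, and a host under eclipseprojects.io receives neither.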