Re: Referer URI MUST NOT include a fragment

On Mon, Mar 02, 2009 at 08:24:33PM +0000, Vincent Murphy wrote:
> Thank you for your comment. Do you think the benefits outlined earlier
> outweigh these costs?
> 
> I think this ranks way below a data spill as discussed earlier.
> Authentication checks based on string equality may fail because of a
> fragment identifier but they definitely won't succeed.
> 
> It doesn't seem like a huge burden to implement string prefix checks
> instead. It's common knowledge that HTTP clients drop frag ids in
> requests so it wouldn't be a huge gap to expect people to understand a
> similar mechanism for Referer handling.
> 
> I don't really care about making life easier for those who wish to
> restrict deep linking... :)

The drawback of making any change here is that the effect isn't just
on web server or web client developers, but the much broader
set of web application developers.  Dynamic tests on Referer: are often
done in things like mod_rewrite or JavaScript, making it harder
to make them perfectly general. Most uses of Referer: in real time
(as opposed to after the fact log analysis) are kind of hacky
and inelegant.

The fact that you or I may not like the ways it is used (as a value
judgement) doesn't mean they aren't out there waiting to break.

-- 
    Albert Lunde  albert-lunde@northwestern.edu
                  atlunde@panix.com  (new address for personal mail)
                  albert-lunde@nwu.edu (old address)

Received on Monday, 2 March 2009 22:49:51 UTC
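An added illustration, not part of the thread, of the three kinds of Referer check the messages above contrast: exact string equality (fails closed when a fragment is present), a raw string prefix check (tolerates the fragment but over-matches), and a parsed comparison that discards the fragment and compares the origin component by component. The allowed origin, path prefix and header values are constructed samples.

```python
from urllib.parse import urlsplit

# Constructed policy: only this origin, under this path, may refer to us.
ALLOWED_ORIGIN = ("https", "app.example.test", 443)
ALLOWED_PATH_PREFIX = "/account/"


def referer_matches_equality(referer: str, expected: str) -> bool:
    """Exact match. A fragment (or query) makes it fail, never succeed."""
    return referer == expected


def referer_matches_naive_prefix(referer: str, expected: str) -> bool:
    """Raw prefix match. Survives a fragment, but 'https://app.example.test'
    is also a prefix of 'https://app.example.test.attacker.invalid/...'."""
    return referer.startswith(expected)


def referer_matches(referer: str) -> bool:
    """Parse the header, drop the fragment, compare the origin explicitly,
    then apply the path prefix rule. Any malformed value is rejected."""
    try:
        parts = urlsplit(referer)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    # parts.hostname already excludes any userinfo such as 'host@evil'.
    origin = (parts.scheme, parts.hostname.lower(), port)
    if origin != ALLOWED_ORIGIN:
        return False
    # The fragment is in parts.fragment and plays no part in the decision.
    return parts.path.startswith(ALLOWED_PATH_PREFIX)


if __name__ == "__main__":
    expected = "https://app.example.test/account/settings"
    with_frag = expected + "#tab=security"
    lookalike = "https://app.example.test.attacker.invalid/account/"
    print(referer_matches_equality(with_frag, expected))      # False
    print(referer_matches_naive_prefix(lookalike, expected[:24]))  # True
    print(referer_matches(with_frag), referer_matches(lookalike))  # True False
```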