Re: Problem with 'target-new' property and alternative suggestion

Thank you for the detailed reply, David.

> Most people with an efficiently configured browser will have a proxy
> configured.

Those are two entirely different things.  Most Web browsers I have seen do 
not offer proxy selection and even if they did, I suspect that most users 
would know nothing about it.  Then, of course, what precisely makes an 
"efficiently configured browser" is open to debate.

> If you have caching, the browser always makes the HTTP connection to the
> same machine and passes the whole URL forward.

Even if that is true, the host name and file path are sometimes separate to 
begin with, so a browser definitely needs a concept of the current host name 
even if it only uses it to concatenate with the requested file path to pass 
forward.

> Only when you get a proxy that connects to the real web server is it
> necessary to resolve the domain name and be able to discover that
> two domain name parts refer to the same machine.

That is an interesting point, but I do not think whether two host names 
refer to the same physical server makes any difference in whether the two 
are considered part of the same Web site; this is easy enough to configure 
either way.

> (However, resolving to the same machine name doesn't mean that the sites
> are related in ownership, as most web hosting services operate multiple
> virtual domains on the same machine . . .

Exactly.  For security reasons, this seems like a very good point to 
consider.

> . . . and very small businesses are likely to have their main content
> in visible subdirectories of a generic web hosting domain name (often
> using hacks with frames to try and hide this from GUI browser users).

With domain names and second-level domain hosting available for less than 
ten dollars annually and less than ten dollars per month respectively, I 
would not say that is likely so much as merely possible except perhaps in 
rural microcosms that are new to the Internet.  Nonetheless, being a 
possibility is enough when it comes to potential abuse, so that too is a 
good point to consider.

> Also, smaller businesses often try to pretend that a credit card
> payment processing site is part of their site, even though the domain
> name is different - this actually compromises SSL authentication, but
> is very common.)

This, however, is very likely; I have seen it via frames and local DNS 
trickery.  That is a hat trick of good points from you, David.

Received on Thursday, 16 September 2004 20:52:29 UTC