lynx-dev

Re: lynx-dev HTTP_REFERRER


From: Klaus Weide
Subject: Re: lynx-dev HTTP_REFERRER
Date: Sat, 24 Jul 1999 00:15:08 -0500 (CDT)

We are aware of this problem, esp. wrt. monster.

On Fri, 23 Jul 1999, Daniel Malament wrote:

> Am I correct that the current version of Lynx doesn't send HTTP_REFERRERs
> to web sites?  I did a grep on the source and didn't find 'http_ref' or
> 'http-ref' anywhere.

You should have grepped for 'referer' (sic), case-insensitively.

Sure lynx sends referer, otherwise options like -nofilereferer and
-noreferer wouldn't make sense (see also equivalents in lynx.cfg).

It just doesn't send the header always - if the referer's URL is
in the form that would result from a GET form submission, i.e.
it has a question mark followed by parameter/value pairs, sending
of referer is suppressed.  That is to *protect* users from divulging
potentially sensitive information to unrelated sites.

See more discussion in the lynx-dev archives.

It isn't really lynx's fault, no site SHOULD rely on referer, see
HTTP RFCs.

Something will be done about this in lynx, probably as a config option
with several choices (one of them to drop everything after '?' from
the URL), it is not completely trivial since referer-sending is controlled
in several places in the source, and may need some revision anyway.  It's
"on my list". (If someone else wants to do it right now, go ahead.)

Any change in lynx code would not help all those users of current
versions, so the monster people (and others) should be convinced to
not do this.  (a) It isn't any sort of reliable protection, (b) they
could prevent the problem for lynx users by referring to the pages that
require referer from pages that don't have '?'.

  Klaus
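
An added example, not part of the original message and not lynx source code: the two behaviours discussed above (suppressing the Referer header when the referring URL contains '?', and the proposed alternative of dropping everything after '?') written as one C function. The function and policy names are hypothetical, any '?' is treated as the start of form parameters, and the sample URL is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical policy names; these are not lynx options or identifiers. */
enum referer_policy {
    REFERER_SUPPRESS_ON_QUERY, /* behaviour described in the message */
    REFERER_STRIP_QUERY,       /* proposed: drop everything after '?' */
    REFERER_SEND_FULL          /* no protection, for comparison */
};

/*
 * Decide what Referer value, if any, to send when following a link
 * from the page at `from_url`. Returns 1 and fills `out` when a header
 * should be sent, 0 when it is suppressed or does not fit in `out`.
 */
int referer_value(const char *from_url, enum referer_policy policy,
                  char *out, size_t outlen)
{
    /* A fragment is never part of a Referer value; cut it first. */
    size_t len = strcspn(from_url, "#");
    const char *q = memchr(from_url, '?', len);

    if (q != NULL) {
        if (policy == REFERER_SUPPRESS_ON_QUERY)
            return 0;                      /* send no header at all */
        if (policy == REFERER_STRIP_QUERY)
            len = (size_t)(q - from_url);  /* keep only the part before '?' */
    }
    if (len == 0 || len >= outlen)
        return 0;
    memcpy(out, from_url, len);
    out[len] = '\0';
    return 1;
}

int main(void)
{
    /* Constructed sample URL; the query string stands for form input. */
    const char *from = "http://jobs.example/search?q=security&zip=12345#top";
    char buf[256];

    if (!referer_value(from, REFERER_SUPPRESS_ON_QUERY, buf, sizeof buf))
        puts("suppress-on-query: (no Referer header)");
    if (referer_value(from, REFERER_STRIP_QUERY, buf, sizeof buf))
        printf("strip-query:       Referer: %s\n", buf);
    if (referer_value(from, REFERER_SEND_FULL, buf, sizeof buf))
        printf("send-full:         Referer: %s\n", buf);
    return 0;
}
```

Under the strip policy a site that checks Referer still sees the originating page, while the form parameters stay with the site that received them.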


