[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: lynx-dev http referer problem
|
From: |
Klaus Weide |
|
Subject: |
Re: lynx-dev http referer problem |
|
Date: |
Thu, 24 Feb 2000 14:00:31 -0600 (CST) |
On Thu, 24 Feb 2000 address@hidden wrote:
> In a recent note, Esa Pikkarainen said:
> >
> > But I found a strange problem: Lynx (Lynx/2.8.2rel.1 libwww-FM/2.14)
> > does not send the referer header if that referer address would
> > containd a query string. Is this a bug or by desing?
It is by design.
> > (I mean URLs like http://www.com/index.ihtml?step=true)
> >
> I believe it's a security feature -- the intent is to avoid passing sensitive
> information entered into one form to a different page, possibly on a different
> server.
Yes, and "Referer" was never meant to be a reliable means for tracking
links; you may want to read what the HTTP RFCs have to say on this header.
It's a bad design to rely on this header being always sent. Not only Lynx
users will be affected, but also users of some proxies (especially those
that intentionally strip out headers like "Referer" for privacy reasons).
It's also possible that one day one of the "major" browsers will start
suppressing this header (maybe optionally), for the same reasons as Lynx.
If you need to have session semantics, using cookies would be a better
way to implement this - cookies were invented for this purpose.
Lynx 2.8.3 (current development code) has a REFERER_WITH_QUERY lynx.cfg
option, with which the user can choose to always send the "Referer", or
only send the part before the '?'. But of course you can't (and
shouldn't) rely on that.
Klaus