From: | Giuseppe Scrivano |
Subject: | Re: What triggers "A script modified the host part ..." warning? |
Date: | Thu, 10 Jan 2008 12:44:52 +0100 |
User-agent: | Thunderbird 2.0.0.9 (Windows/20071031) |
novakyu wrote:

> Well, it's just simple <a href=" ... "> It uses relative links. :)
>
> There's one exception. I do use Apache's Rewrite module to hide the fact that some of the pages are served by a python script (a classic security-by-obscurity ;) ), and this is the relevant portion of .htaccess:
>
> RewriteEngine on
> RewriteBase /
> RewriteRule ^posts.shtml(.*) cgi-bin/posts.py
> RewriteRule ^posts-add.shtml(.*) /cgi-bin/restricted/posts-add.py
> RewriteRule ^blog.shtml(.*) cgi-bin/blog.py
> RewriteRule ^blog-add.shtml(.*) /cgi-bin/restricted/blog-add.py
>
> But I don't think the browser could detect that (other than the fact that it's passing GET variables to a static page), even if it wanted to.

In any case the browser doesn't know if a page is a static page or a dynamic page. All these rules are not visible outside, the browser doesn't know anything about them. Moreover, they don't modify the host part of the URL.

> Hm. You are right. I guess I didn't notice that the status-bar link changed after I click on it or ... even after I simply copy the link (by right-clicking). Then the question is ... should IceCat be warning me about that now? Because it's not.
That is exactly the behaviour we want to report to users. If you copy the link and paste it in the browser then you see it and you know what you are requesting. The browser can't detect this behaviour, for example, if you request a page like:

http://www.bad.site.com/track.me.html?redirect=my.real.site.com

It looks like, and it is, a regular HTTP request.

Giuseppe
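
The distinction drawn in this thread, as an added example that is not part of the original message and is not IceCat's implementation: a check that compares a link's host part before and after its click handlers run. The link model, the `hostOf` and `checkClick` helpers, and the page URL are assumptions made for illustration; the tracker URL is the one quoted above.

```javascript
// Added illustration, not IceCat's code. A link is modelled as { href } and a
// click handler as a function that may mutate it (hypothetical model).
const PAGE = "http://my.real.site.com/index.html"; // constructed sample page URL

// Host part of a link, resolving relative hrefs against the page URL.
function hostOf(href, base) {
  return new URL(href, base).host.toLowerCase();
}

// Run the handlers as a click would and report whether the host part changed.
function checkClick(link, handlers, base = PAGE) {
  const shown = hostOf(link.href, base);     // host the status bar showed
  for (const handler of handlers) handler(link);
  const requested = hostOf(link.href, base); // host that will be requested
  return { shown, requested, hostModified: shown !== requested };
}

// Case 1 (constructed): relative link, no script. Server-side rewrite rules
// never change what the browser sees, so there is nothing to flag.
const plain = checkClick({ href: "posts.shtml?id=3" }, []);

// Case 2 (constructed): a handler swaps in another host at click time.
// The host shown and the host requested differ, so the check fires.
const swapped = checkClick({ href: "http://my.real.site.com/blog.shtml" }, [
  (l) => {
    l.href = "http://www.bad.site.com/track.me.html?redirect=" +
      encodeURIComponent(l.href);
  },
]);

// Case 3: the link already points at the tracker and no script touches it.
// It is a regular request to the host that was shown; the check stays silent.
const redirect = checkClick(
  { href: "http://www.bad.site.com/track.me.html?redirect=my.real.site.com" },
  []
);

console.log({ plain, swapped, redirect });
```
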