Re: lynx-dev HTTP_REFERER missing when posting from CGI
From: Walter Ian Kaye
Subject: Re: lynx-dev HTTP_REFERER missing when posting from CGI
Date: Mon, 31 Dec 2001 12:36:17 -0800

At 11:26a +0000 12/31/2001, David Woolley didst inscribe upon an
electronic papyrus:

> Suppressing the query string is a policy issue.

But why doesn't the lynx.cfg setting have any effect? I think that is a bug!

> From the Lynx point of view, I believe it is simply that it might
> contain passwords, but, it is also worth noting that if you look at
> sample output from web log analysis products you will see that
> people analyze the query strings, when the referer is a search
> engine, to find the keywords used. This, and the general ability to
> do click trailing, including cross site click trailing, mean that a
> significant number of people consider Referer to be an invasion of
> privacy.

With that attitude, Lynx should summarily reject all third-party cookies.
It doesn't, and neither should it summarily reject the referer query string.

> Because of the privacy issues, you should not write sites that
> depend on Referer. They will not only break for Lynx, but also for
> people who install proxies that deliberately introduce a bogus
> Referer.

So I have to write some kind of expiring-token thing then?
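
The expiring-token approach raised at the end of the message, sketched as an added example (not code from the thread or from Lynx): the CGI that renders the form puts a signed, timestamped value in a hidden field, and the CGI that receives the POST checks it instead of looking at Referer. The key handling, the 15-minute lifetime and the function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumption: a server-side secret shared by the CGI that renders the form and
# the CGI that receives the POST. Generated here only so the example runs.
SECRET_KEY = secrets.token_bytes(32)
TOKEN_LIFETIME = 900  # seconds a rendered form stays valid (assumed value)


def _sign(form_id: str, issued: int, nonce: str) -> bytes:
    """HMAC over the fields the token carries, keyed with the server secret."""
    msg = f"{form_id}|{issued}|{nonce}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest().encode()


def issue_token(form_id: str, now: Optional[float] = None) -> str:
    """Value for a hidden <input>, emitted when the form page is generated."""
    issued = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    return f"{issued}.{nonce}.{_sign(form_id, issued, nonce).decode()}"


def check_token(token: str, form_id: str, now: Optional[float] = None) -> str:
    """Return 'ok', 'malformed', 'bad-signature' or 'expired'."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3 or not (parts[0].isascii() and parts[0].isdigit()):
        return "malformed"
    issued, nonce, mac = int(parts[0]), parts[1], parts[2]
    # Verify the signature before trusting the timestamp; constant-time compare.
    if not hmac.compare_digest(mac.encode(), _sign(form_id, issued, nonce)):
        return "bad-signature"
    if not 0 <= now - issued <= TOKEN_LIFETIME:
        return "expired"
    return "ok"


if __name__ == "__main__":
    t = issue_token("feedback")
    print(t, check_token(t, "feedback"))
```

A valid token shows only that this site served the form within the lifetime; tying it to one visitor would require adding a session identifier to the signed message.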