[WEB4LIB] Re: Telnet URL update
Thomas Dowling
tdowling at ohiolink.edu
Fri May 28 08:43:29 EDT 1999
> Dan, let me add another consideration to this discussion. One of the things
> that can be tracked by web sites is the previous URL visited. After logging in
> to a telnet site with a URL that includes the username and password, will the
> next site visited be able to recover the complete URL, including the username
> and password?
>
> Walt Howe
If you're trying to track this information, it's important to understand
that the referer URL is sent voluntarily by the browser back to the
server; that some users rightly have privacy concerns about this; that
some browsers and proxies allow users to disable referer headers; and that
in some contexts the browser is specifically not supposed to send a
referer header.
Also, the referer is not intended to be simply the last URL requested by
the browser, but the URL of the page that referred the user to the new
page, i.e. the page with the hypertext link pointing at the new page. So
while I can't answer for what cockeyed behavior browsers might actually
exhibit, my reading of the spec* certainly indicates that they should not
send any information about a telnet URL and I've never seen anything in
our logs to suggest they would send this.
Thomas Dowling
OhioLINK - Ohio Library and Information Network
tdowling at ohiolink.edu
(*The spec being RFC 2068, section 14.37:
14.37 Referer

The Referer[sic] request-header field allows the client to specify,
for the server's benefit, the address (URI) of the resource from
which the Request-URI was obtained (the "referrer", although the
header field is misspelled.) The Referer request-header allows a
server to generate lists of back-links to resources for interest,
logging, optimized caching, etc. It also allows obsolete or mistyped
links to be traced for maintenance. The Referer field MUST NOT be
sent if the Request-URI was obtained from a source that does not have
its own URI, such as input from the user keyboard.

    Referer = "Referer" ":" ( absoluteURI | relativeURI )

Example:

    Referer: http://www.w3.org/hypertext/DataSources/Overview.html

If the field value is a partial URI, it SHOULD be interpreted
relative to the Request-URI. The URI MUST NOT include a fragment.

Note: Because the source of a link may be private information or
may reveal an otherwise private information source, it is strongly
recommended that the user be able to select whether or not the
Referer field is sent. For example, a browser client could have a
toggle switch for browsing openly/anonymously, which would
respectively enable/disable the sending of Referer and From
information.
)
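
A server-side check for the concern raised in this thread, as an added example that is not part of the original message: it scans Combined Log Format lines and redacts any username or password carried in a logged Referer value, also flagging non-HTTP schemes and fragments. The log lines, host names and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Combined Log Format tail: "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<head>.*?"[^"]*" \d{3} \S+ )"(?P<referer>[^"]*)"(?P<tail> "[^"]*")$')

def scrub_referer(referer):
    """Return (value safe to store, list of findings) for one Referer value."""
    if referer in ("", "-"):
        return referer, []
    try:
        parts = urlsplit(referer)
    except ValueError:
        return "UNPARSEABLE", ["unparseable"]
    findings, netloc, fragment = [], parts.netloc, parts.fragment
    if "@" in netloc:
        # userinfo (user or user:password) precedes the last "@" in the authority
        findings.append("userinfo")
        netloc = "REDACTED@" + netloc.rsplit("@", 1)[1]
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        findings.append("scheme:" + parts.scheme.lower())
    if fragment:
        # RFC 2068 14.37: the Referer URI MUST NOT include a fragment
        findings.append("fragment")
        fragment = ""
    clean = urlunsplit((parts.scheme, netloc, parts.path, parts.query, fragment))
    return clean, findings

def scrub_line(line):
    """Rewrite one log line with a scrubbed Referer; non-matching lines pass through."""
    m = LOG_RE.match(line)
    if not m:
        return line, []
    clean, findings = scrub_referer(m.group("referer"))
    return m.group("head") + '"' + clean + '"' + m.group("tail"), findings

# Constructed sample lines (not taken from any real log).
SAMPLE = [
    '192.0.2.10 - - [28/May/1999:08:43:29 -0400] "GET /a.html HTTP/1.0" 200 512 '
    '"http://www.w3.org/hypertext/DataSources/Overview.html" "Mozilla/4.6"',
    '192.0.2.11 - - [28/May/1999:08:44:02 -0400] "GET /b.html HTTP/1.0" 200 734 '
    '"telnet://patron:secret@catalog.example.edu:23/" "Mozilla/4.6"',
]

if __name__ == "__main__":
    for n, line in enumerate(SAMPLE, 1):
        clean, findings = scrub_line(line)
        print(n, findings or "ok", clean, sep="\t")
```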