List: kde-core-devel
Subject: Re: PATCH: 2 small KHTML patches...
From: "Dawit A." <adawit () kde ! org>
Date: 2004-01-16 6:44:44
Message-ID: 200401160144.45015.adawit () kde ! org
On Wednesday 14 January 2004 15:41, Dirk Mueller wrote:
> On Wednesday 14 January 2004 03:44, Dawit A. wrote:
> > Then I do not understand why this is a security/privacy issue then ? I
> > mean if the server did the redirecting using 302, we simply send the
> > referrer anyways, so I fail to see why doing it from KHTML on meta
> > redirection/refresh would be a problem.
>
> it is not a problem on meta redirection. the problem is that the new site,
> the server we were redirected to with a 302 redirection, must not get the
> previous referrer, in other words, a server redirection is not a user
> action upon which the referrer header is supposed to get set.
But that is just it. I am trying to fix a bug introduced as a result of that
single fateful line. I am also a bit confused by your statement above. You
said "it is not a problem on meta-direction", but you went on to state that
the very same action when done by a server based redirection, i.e. 3xx
redirections it is wrong ?? Anyways, I agree with that to a certain extent.
Users should be informed about any redirection and they should decide whether
or not they want to allow or deny such action from taking place. However,
once a user approves the action, it should be treated as if the user clicked
on a link rather than entered a url IMHO.
> besides that we use the code path for javascript based redirections and
> there also referers must get cleared.
That is indeed a problem then. However, shouldn't the javascript handler call
another function that does sanity checks before calling such a sensitive and
commonly used function ?
> > Both Mozilla and IE do the same
> > thing as far as I can tell.
>
> No they don't. Read #42611.
Can you please explain to me how they work on the download section
http://www.wxwindows.org ? A bug ? They do send the referrer, the correct one
at that. With the referrer blanking line in place at ::slotRedirection,
konqueror still sends the referrer header. It just happens to be the wrong
one, the top level url (http://www.wxwindows.org/).
> (use cvs annotate please when you wonder why code is there which you think
> should not be there).
Please feel free to revert this change or tell me and I will revert it.
However, the issue that prevents downloads from working at
http://www.wxwindows.org/ remains...
--
Regards,
Dawit A.
"Preach what you practice, practice what you preach"