query parameters in identity URLs
brad at danga.com
Mon Jun 27 19:05:20 PDT 2005
See all the http://lafalafu.com/?******** URLs?
That's because most webservers will return the base URL for any query
I remember not explicitly truncating query parameters because I was
anticipating identity URLs like:
But I hadn't considered it as the lafalafu.com case above.
What should we do about it?
The easiest thing to do, to prevent casual abuse, is:
<link rel='openid.self' href='http://base.com/url.html' />
(sure, they can make their domain do whatever they want, though, which is
why I say _casual_ abuse)
Which is only required for a legitimate URL with a query string. URLs
without query strings don't require that.
But I don't want more link rels.
The other easy thing to do is just say identity URLs can't have query
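The `openid.self` check proposed in the message above, sketched as an added example (not code from the original post or from any OpenID implementation). The function name `accept_identity_url`, the exact-string comparison of the `href` against the claimed URL, and the sample pages are assumptions constructed for illustration.

```python
from html.parser import HTMLParser


class _SelfLinkParser(HTMLParser):
    """Collects href values of <link rel="openid.self"> tags."""

    def __init__(self):
        super().__init__()
        self.self_hrefs = []

    def handle_starttag(self, tag, attrs):
        # Also called for self-closing <link ... /> tags.
        if tag != "link":
            return
        a = dict(attrs)
        rels = (a.get("rel") or "").lower().split()
        if "openid.self" in rels and a.get("href"):
            self.self_hrefs.append(a["href"].strip())


def accept_identity_url(claimed_url, page_html):
    """Return True if claimed_url may be used as an identity URL.

    Assumed rule: a URL without a query string is accepted as-is; a URL
    with a query string is accepted only when the fetched page declares
    exactly that URL in <link rel="openid.self">.
    """
    has_query = "?" in claimed_url.split("#", 1)[0]
    if not has_query:
        return True
    parser = _SelfLinkParser()
    parser.feed(page_html)
    return claimed_url in parser.self_hrefs


# Constructed sample pages.
# A server that ignores query parameters returns this for any ?junk URL.
BASE_PAGE = "<html><head><title>home</title></head></html>"
# A page that legitimately lives at a URL with a query string.
LEGIT_PAGE = (
    "<html><head>"
    "<link rel='openid.self' href='http://example.com/profile?user=alice' />"
    "</head></html>"
)
```

As the message notes, this only stops casual abuse: whoever controls the domain can serve a matching `openid.self` for any URL they like.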