query parameters in identity URLs
Brad Fitzpatrick
brad at danga.com
Mon Jun 27 19:05:20 PDT 2005
Look here:
http://www.livejournal.com/users/brad/2128127.html
See all the http://lafalafu.com/?******** URLs?
http://lafalafu.com/?h
http://lafalafu.com/?e
http://lafalafu.com/?l
http://lafalafu.com/?o
http://lafalafu.com/?you're%20welcome%20:)
That's because most webservers will return the base URL for any query
parameters.
I remember not explicitly truncating query parameters because I was
anticipating identity URLs like:
http://stupidsite.com/profile-page.aspx?guid=8sd787823-234-234-234-23d3
But I hadn't considered it as the lafalafu.com case above.
What should we do about it?
The easiest thing to do, to prevent casual abuse, is:
<link rel='openid.self' href='http://base.com/url.html' />
(sure, they can make their domain do whatever they want, though, which is
why I say _casual_ abuse)
Which is only required for a legitimate URL with a query string. URLs
without query strings don't require that.
But I don't want more link rels.
The other easy thing to do is just say identity URLs can't have query
strings.
Thoughts?
- Brad
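An added example (my code, not from the post or from any OpenID library) of the `openid.self` rule proposed above, in Python: a claimed URL without a query string is accepted as-is, a claimed URL with a query string is bound only if the fetched page explicitly declares that exact URL, and `allow_query=False` implements the stricter "no query strings at all" option. The sample pages are constructed; nothing is fetched.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit


class _LinkRelParser(HTMLParser):
    """Collect href values of <link rel="..."> tags (first occurrence per rel wins)."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rel, href = a.get("rel"), a.get("href")
        if rel and href and rel not in self.links:
            self.links[rel] = href


def normalize(url):
    """Lowercase scheme and host, default an empty path to '/', drop the fragment.
    The query string is deliberately kept: it is the part under discussion."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))


def canonical_identity(claimed_url, page_html, allow_query=True):
    """Return the identity URL to bind to, or None if the claim must be rejected.

    Without a query string the URL is accepted as-is. With a query string it is
    accepted only when allow_query is True and the page itself declares that exact
    URL via <link rel='openid.self' href=...>, so '?h' and '?e' cannot both become
    identities just because the server serves the same page for any query."""
    claimed = normalize(claimed_url)
    if not urlsplit(claimed).query:
        return claimed
    if not allow_query:
        return None
    parser = _LinkRelParser()
    parser.feed(page_html)
    declared = parser.links.get("openid.self")
    if declared is None or normalize(declared) != claimed:
        return None
    return claimed


# Constructed sample pages standing in for the two cases in the post.
LAFALAFU_PAGE = "<html><head><title>hi</title></head><body>same page for any query</body></html>"
PROFILE_PAGE = ("<html><head><link rel='openid.self' "
                "href='http://stupidsite.com/profile-page.aspx?guid=8sd787823-234-234-234-23d3' />"
                "</head><body>profile</body></html>")
```

As the post notes, this only stops casual abuse: a site owner can still emit a matching `openid.self` for every query variant, so a relying party should treat it as canonicalization, not as proof of uniqueness.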