PATCH: 2 small KHTML patches...

Dawit A. adawit at kde.org
Fri Jan 16 06:44:44 GMT 2004


On Wednesday 14 January 2004 15:41, Dirk Mueller wrote:
> On Wednesday 14 January 2004 03:44, Dawit A. wrote:
> > Then I do not understand why this is a security/privacy issue then ? I
> > mean if the server did the redirecting using 302, we simply send the
> > referrer anyways, so I fail to see why doing it from KHTML on meta
> > redirection/refresh would be a problem.
>
> it is not a problem on meta redirection. the problem is that the new site,
> the server we were redirected to with a 302 redirection, must not get the
> previous referrer, in other words, a server redirection is not a user
> action upon which the referrer header is supposed to get set.

But that is just it. I am trying to fix a bug introduced as a result of that 
single fateful line. I am also a bit confused by your statement above. You 
said "it is not a problem on meta-direction", but you went on to state that 
the very same action, when done by a server-based redirection, i.e. 3xx 
redirections, is wrong?? Anyways, I agree with that to a certain extent. 
Users should be informed about any redirection and they should decide whether 
or not they want to allow or deny such action from taking place. However, 
once a user approves the action, it should be treated as if the user clicked 
on a link rather than entered a URL, IMHO.

> besides that we use the code path for javascript based redirections and
> there also referers must get cleared.

That is indeed a problem then. However, shouldn't the JavaScript handler call 
another function that does sanity checks before calling such a sensitive and 
commonly used function?

> > Both Mozilla and IE do the same
> > thing as far as I can tell.
>
> No they don't. Read #42611.

Can you please explain to me how they work on the download section 
http://www.wxwindows.org? A bug? They do send the referrer, the correct one 
at that. With the referrer blanking line in place at ::slotRedirection, 
Konqueror still sends the referrer header. It just happens to be the wrong 
one, the top level URL (http://www.wxwindows.org/).

> (use cvs annotate please when you wonder why code is there which you think
> should not be there).

Please feel free to revert this change or tell me and I will revert it. 
However, the issue that prevents downloads from working at 
http://www.wxwindows.org/ remains...

-- 
Regards,
Dawit A.
"Preach what you practice, practice what you preach"



