cben / mathdown

Collaborative markdown with math
https://www.mathdown.net

Security: hide secret doc id from Referer header #10

Open cben opened 11 years ago

cben commented 11 years ago

Almost not an issue now but blocker for #9: Since the URL is secret, directly linking to external sites would expose the URL in Referer: header.

Should probably use an extra redirect. Is there a way to keep the link structure search-engine friendly? Links on public pages should count as links. OTOH, if they're publicly editable they probably shouldn't to deter spam?

Alternative: I'm again tempted to keep the secret portion in the #fragment, which should not (though sometimes did) leak via Referer.

cben commented 9 years ago

Confirmed: clicking ⚠ Alpha quality! ⚠ (link to GH issues) sends Referer: http://mathdown.net/?doc=about to Github.
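The leak described in this thread, worked through as an added example (not mathdown's own code): `refererFor` models what a browser puts in the Referer header for a page URL (origin, path and query, never the fragment), and the two mitigations floated above are shown as URL rewrites. The `/out` redirect endpoint name is an assumption; `rel="noreferrer"` and the `Referrer-Policy` header are later browser mechanisms that achieve the same goal without a redirect.

```javascript
// Added example, not part of the mathdown project. Models the Referer leak
// from this issue and the two mitigations discussed: keep the secret in the
// #fragment, or send outbound links through a redirect on a non-secret URL.
// The "/out" endpoint path is an assumption for illustration.

// What a browser sends as Referer under the default policy:
// origin + path + query. The #fragment is never included.
function refererFor(pageUrl) {
  const u = new URL(pageUrl);
  return u.origin + u.pathname + u.search;
}

// Would the Referer derived from pageUrl reveal the secret doc id?
function refererLeaksSecret(pageUrl, secret) {
  return refererFor(pageUrl).includes(secret);
}

// Mitigation 1: move ?doc=<secret> into the fragment, so the secret is
// still available to client-side JS but no longer part of the Referer.
function toFragmentUrl(pageUrl) {
  const u = new URL(pageUrl);
  const doc = u.searchParams.get('doc');
  if (doc === null) return pageUrl;
  u.searchParams.delete('doc');
  u.hash = 'doc=' + encodeURIComponent(doc);
  return u.toString();
}

// Mitigation 2: route external links through a redirect endpoint whose own
// URL carries no secret, so the external site only sees the redirect page.
// Same-origin links are left untouched so internal navigation still works.
function viaRedirect(href, siteOrigin, endpoint = '/out') {
  const target = new URL(href, siteOrigin);
  if (target.origin === siteOrigin) return href;
  return siteOrigin + endpoint + '?to=' + encodeURIComponent(target.href);
}

// Constructed sample: the exact URL reported in the thread.
const samplePage = 'http://mathdown.net/?doc=about';
console.log(refererFor(samplePage));                 // leaks ?doc=about
console.log(refererFor(toFragmentUrl(samplePage)));  // http://mathdown.net/
console.log(viaRedirect('https://github.com/cben/mathdown/issues',
                        'http://mathdown.net'));
```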