
Referer Reality

I didn’t imagine that I would stir up quite so much interest when I decided to ban query strings!

When I said, “if it isn’t there, it’s probably for a good reason”, I was fully aware of native apps, and decided to gloss over them, because I doubt (on no evidence) they’re so significant for me, and things like email and feed readers may well be web apps anyway.

While thinking about it—is it possible for a browser to know which app sent it the link, e.g. androidapp://com.example.app? Because that’d probably be a perfectly reasonable referrer, if a browser wanted to send it.

> Note that a handful of sites do choke on unexpected query strings, including YouTube (!)

I want to learn more about this.

7 minutes ago chrismorgan

I strongly disagree with a lot of claims here.

>> if it isn’t there, it’s probably for a good reason.

> which isn’t really true anymore. For most websites, the majority — not just the plurality, but the majority — of visitors arrive by following a link inside an email or an app

I don't think the statement is factually backed up. At least I hate native apps.

> Even so, my custom query string is, in my calculation, an expression of digital etiquette: rather than dump a load of anonymous traffic on your doorstep, I reveal who’s linking, so a website or online shop operator can trace it back and get in touch, if wanted or needed

Anonymity considered harmful these days?

> a wave of new subscriptions and weren’t sure if they were legitimate; a brief email correspondence assured them that yes,

It's not legitimate unless it's signed (and if anybody gives a shit to verify it).

> Note that a handful of sites do choke on unexpected query strings, including YouTube (!),

This is a good habit IMHO.

Anyway, I'm thankful to the original post because it was a good reminder to re-review my browser settings.

Honestly I don't understand why the EU focused on the stupid cookie law instead of referers which are clearly privacy-violating.

If you use Firefox I recommend you make sure `network.http.referer.XOriginPolicy` set to 1.

an hour ago minebreaker

I'm confused, why would you go out of your way to add this tracking info to external links voluntarily? It doesn't benefit you, it just helps other websites segment their traffic?

an hour ago akersten

Arbitrarily mutating the URL for a third-party resource without any expectation that this might not actually be kosher is braindead. There's basically one valid (non-presumptuous) use case: ordinary HTML forms where the names of the fields are known. If this doesn't apply, then it should be the case that you're interacting with a documented service.

34 minutes ago cxr

If there's a query parameter that you have a legitimate use for, like `q` for searching, obviously you should configure your web server to let it through.

Even in that case, you might want to block unexpected values as early as possible in your stack. For example, if you have a legitimate use for a certain set of `utm_source` values, but someone sends you bobby tables, you probably shouldn't log it blindly.

Ditto for the Referer header -- there's a lot of spam, and some of those strings might even be dangerous. You can't trust any of them anymore.
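One way to put the comment's advice into practice: keep only an allowlist of parameters, validate `utm_source` against known values before anything is logged, and scrub whatever does get logged. This is an added example, not code from the thread; `q` and `utm_source` come from the comment, while the allowed values, the log sanitiser and the function names are assumptions.

```python
"""Allowlist-based query-string filtering with safe logging of rejects.

Assumed policy for this example: only `q` and `utm_source` are accepted,
`utm_source` must be one of a known set, and anything that reaches a log
line is reduced to a conservative character set first.
"""
import re
from typing import List, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Hypothetical allowlists; a real deployment would load these from config.
ALLOWED_PARAMS = {"q", "utm_source"}
ALLOWED_UTM_SOURCES = {"newsletter", "blog"}

# Anything outside this set (quotes, control chars, newlines) is replaced,
# so an attacker-controlled value cannot forge or break log lines.
_UNSAFE_FOR_LOG = re.compile(r"[^A-Za-z0-9 _.,:/?=&%-]")


def sanitize_for_log(value: str, limit: int = 64) -> str:
    """Neutralise log-injection characters and cap the length."""
    return _UNSAFE_FOR_LOG.sub("_", value)[:limit]


def filter_query(url: str) -> Tuple[str, List[str]]:
    """Return the URL with only allowlisted parameters kept, plus sanitized
    notes describing what was dropped (safe to hand to a logger)."""
    parts = urlsplit(url)
    kept: List[Tuple[str, str]] = []
    dropped: List[str] = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name not in ALLOWED_PARAMS:
            dropped.append(f"unexpected param {sanitize_for_log(name)}")
            continue
        if name == "utm_source" and value not in ALLOWED_UTM_SOURCES:
            # Reject early: the raw value never reaches storage or logs.
            dropped.append(
                f"utm_source outside allowlist: {sanitize_for_log(value)}"
            )
            continue
        kept.append((name, value))
    clean = urlunsplit(
        (parts.scheme, parts.netloc, parts.path, urlencode(kept), parts.fragment)
    )
    return clean, dropped


if __name__ == "__main__":
    # Constructed sample input with one unexpected tracking parameter.
    print(filter_query("https://example.com/search?q=foo&utm_source=newsletter&ref=tracker"))
```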