Re: On CURLOPT_AUTOREFERER privacy
From: Dan Fandrich via curl-library <curl-library_at_lists.haxx.se>
Date: Mon, 17 Oct 2022 10:16:41 -0700
On Mon, Oct 17, 2022 at 04:34:05PM +0200, Daniel Stenberg via curl-library wrote:
> On Mon, 17 Oct 2022, Timothe Litt via curl-library wrote:
>
> > > My initial PR for this work: https://github.com/curl/curl/pull/9750
> > >
> > Why change the default behavior?
>
> For improved privacy. Because the browsers sort of do it like this.

I agree with Timothe that this doesn't seem worthwhile breaking backward
compatibility. I discovered only recently that browsers have changed their
behaviour in this area when a site that was depending on receiving the full URL
broke. If someone is going to the trouble of enabling this option, then
they're doing so for a good reason and there's a reasonable chance they need
the full URL. I'm all for adding an option to add the host-only behaviour as an
option, but not to make it the default. I could probably be convinced to change
it in curl 8 when there's an expectation of some changes in behaviour.
Dan
Received on 2022-10-17