Re: [EXTERNAL] Re: On CURLOPT_AUTOREFERER privacy
From: Timothe Litt <litt_at_acm.org>
Date: Mon, 17 Oct 2022 22:30:24 -0400
On 17-Oct-22 16:57, Daniel Stenberg via curl-library wrote:
> On Mon, 17 Oct 2022, Dmitry Karpov via curl-library wrote:
>
>>> I'm all for adding an option to add the host-only behaviour as an
>>> option, but not to make it the default.
>>
>> Yes, I also think that this is the right way to do it.
>
> I hear you. Thanks all for the feedback.
>
> If we're going forward with this, the new behavior should be a new
> option. But, as this is a rarely used option already to begin with,
> I'm not convinced I should push for adding this new option until
> someone actually expresses a desire to have it...
>
It can be a new value for the current option, you don't need a new
option. Just don't change the behavior of the current documented values
(0 & 1). The API & ABI need to be stable. The doc says that a value of
1 "automatically sets the Referer header ... to the FULL URL when it
follows a redirect".

E.g. make the "strip path" value 2. Then existing callers will get the
full path that they currently do, and new code can decide what works
for them. You could define an enum with 2 as
"CURL_OPTVAL_REFERRER_STRIPPATH" and 1 as
"CURL_OPTVAL_REFERRER_KEEPPATH". (and zero as "OFF")

I've no problem with the doc explaining the privacy issue and even
suggesting that STRIPPATH is a better choice in many (most?) cases.
Just so the API and ABI are stable.

Yes, the browsers often break things - as Dan confirmed. That doesn't
make it right. And they have the advantage of a human being able to
change a setting; curl often runs in scripts or applications that aren't
as smart.

Onwards.
Received on 2022-10-18
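
Added example, not part of the original message and not libcurl code: a stand-alone C model of the three-valued setting proposed above, showing what each value would put in the Referer header. The enum names follow the message's suggestion and are not defined by libcurl; `build_referer` and the sample URL are hypothetical, value 1 is modelled as the quoted "FULL URL" wording, and dropping userinfo in the strip-path mode is an assumption drawn from "host-only".

```c
#include <stdio.h>
#include <string.h>
/* Names follow the message's proposal; libcurl does not define them. */
enum referer_mode {
  CURL_OPTVAL_REFERRER_OFF = 0,       /* no automatic Referer */
  CURL_OPTVAL_REFERRER_KEEPPATH = 1,  /* value 1 as quoted: the full URL */
  CURL_OPTVAL_REFERRER_STRIPPATH = 2  /* proposed: scheme and host only */
};

/* Hypothetical helper: writes the Referer for a redirect away from `url`.
   Returns 1 to send it, 0 if off, malformed URL, or buffer too small. */
int build_referer(const char *url, enum referer_mode mode, char *out, size_t outlen)
{
  const char *sep, *auth, *end, *at = NULL, *p;
  size_t schemelen, hostlen;
  if(mode == CURL_OPTVAL_REFERRER_OFF)
    return 0;
  if(mode == CURL_OPTVAL_REFERRER_KEEPPATH) {
    if(strlen(url) >= outlen)
      return 0;
    strcpy(out, url);   /* path, query and anything else go along */
    return 1;
  }
  sep = strstr(url, "://");
  if(!sep)
    return 0;
  auth = sep + 3;
  end = auth + strcspn(auth, "/?#");  /* authority stops at path/query/fragment */
  for(p = auth; p < end; p++)         /* assumption: host-only drops userinfo */
    if(*p == '@')
      at = p;
  if(at)
    auth = at + 1;
  schemelen = (size_t)(sep - url) + 3;
  hostlen = (size_t)(end - auth);
  if(!hostlen || schemelen + hostlen + 2 > outlen)
    return 0;
  snprintf(out, outlen, "%.*s%.*s/", (int)schemelen, url, (int)hostlen, auth);
  return 1;
}

int main(void)
{
  char buf[128];
  const char *url = "https://example.com/reset?token=abc";  /* constructed */
  if(build_referer(url, CURL_OPTVAL_REFERRER_STRIPPATH, buf, sizeof buf))
    printf("Referer: %s\n", buf);
  return 0;
}
```

Existing callers passing 0 or 1 see no change in this model; only code that opts in to 2 gets the shortened header.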