Recently working on setting up a server, I investigated mod_rewrite to prevent easy hot-linking of a specific element and stumbled on a Safari/Firefox idiosyncrasy. It still has me worried I am nothing but a big dodo, though…
Imagine the following: when visiting domain A, your browser loads a page that calls a JavaScript file located on domain B. The JavaScript file itself loads a CSS file hosted on domain B as well into the page you are visiting on domain A.
So far, pretty straightforward, no? Well, as soon as I added my mod_rewrite rules, Safari would keep accessing the CSS while Firefox would miserably fail. Inspection of my logs reported Firefox was sent back a 403 code (forbidden) when attempting to fetch the CSS after parsing the script.
Why? Well, my mod_rewrite rules were funky, I admit it. A good rule wouldn’t have triggered the issue. Yet, my typo helped me realize this: Safari, when obeying the script on domain B, still sends domain A as the referral header, which, in a way, makes perfect sense since it is parsing this script because domain A told it to. Firefox, however, sends domain B as the referrer, which, in a way, makes perfect sense since the script calling the CSS file is located on domain B.
Being no HTTP expert, I am stuck wondering what is the proper behavior. Personally, I like them both…
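
A Referer-based hot-link rule that tolerates both behaviors described above, as an added example that is not the author's actual configuration (the post does not show it). The host names `domain-a.example` and `domain-b.example` and the `\.css$` pattern are assumptions standing in for domain A, domain B and the protected file.

```apache
# Constructed example for the virtual host serving domain B.
RewriteEngine On

# A rule of this shape reproduces the 403 described in the post: only
# pages on domain A are accepted, so a browser that reports the script's
# own origin (domain B) as the referrer is refused.
#
#   RewriteCond %{HTTP_REFERER} !^https?://(www\.)?domain-a\.example/ [NC]
#   RewriteRule \.css$ - [F]

# Tolerant variant: the request passes if the Referer is either the page
# that embedded the script (domain A) or the host the script was served
# from (domain B). Consecutive RewriteCond lines are ANDed, so the rule
# fires only when the Referer matches neither host.
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?domain-a\.example/ [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?domain-b\.example/ [NC]
RewriteRule \.css$ - [F]

# Note: a request with no Referer header at all matches neither pattern
# and is also answered with 403. The header is supplied by the client and
# can be omitted or altered, so this discourages casual hot-linking but
# is not access control.
```

Checking the access log for 403 responses on the protected file, together with the logged Referer value, shows which of the two hosts a given browser actually sent.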


Quit being a cheeky monkey and let people link to things. Problem solved.
Anonymous,
Thanks for your input. The reason I put this script in place is that the file, downloaded in itself, makes little to no sense — it is part of a group of documents. Since linking to it could cause more confusion than anything, it was decided to "protect" it so. Now, I have never been hot on preventing hot-linking since it is, indeed, a rather important element of the Internet and can be a very positive thing.
I should also mention this is not my personal server.
FJ
I've not thought about it a lot, but it sounds like Firefox may be erring on the side of security here?
JulesLt,
I guess the two development teams indeed chose to go for what seemed to them the most secure and sensical. To a webmaster, I guess Safari's way is most useful, since it accurately reflects where a visitor comes from but, to a developer, Firefox's behavior provides more information on where the point of failure lies.
FJ
Safari's way is the most correct to me since JS is a client-side language and it has to rely on where the client is at.