← Back to context

Comment by mtlynch

6 years ago

Thanks for reading!

That's an interesting point. I did take it for granted that browsers guarantee web apps that they don't send the URL fragment to the server. I've never looked into it, but your comment sent me to read RFC 3986.

From my reading, the RFC does seem to prohibit browsers from sending the URL fragment:

>Fragment identifiers have a special role in information retrieval systems as the primary form of client-side indirect referencing... As such, the fragment identifier is not used in the scheme-specific processing of a URI; instead, the fragment identifier is separated from the rest of the URI prior to a dereference, and thus the identifying information within the fragment itself is dereferenced solely by the user agent, regardless of the URI scheme.

Granted, the wording isn't 100% clear, so maybe I'm imposing my own hopeful interpretation on the RFC.

I agree that if I were storing, say, military secrets, I wouldn't choose the URL fragment as a storage medium. But if the expectation is "this is a place where I can put user data and the browser won't leak it to other places," then the URL fragment seems to me a sensible place to store data, on par with browser local storage.

This is in contrast with plain URLs which third party servers receive through the HTTP referer header. The browser leaks query parameters to other places, too, notably HTTP proxies. But Stripe's JS library was the first I'd seen of a system that exposes URL fragments to an external service.

6 comments

mtlynch

Reply
ucarion  6 years ago

Putting secret information in a URI is explicitly called out as a bad idea in the very RFC you reference:

> URI producers should not provide a URI that contains a username or password that is intended to be secret. URIs are frequently displayed by browsers, stored in clear text bookmarks, and logged by user agent history and intermediary applications (proxies).

https://tools.ietf.org/html/rfc3986#section-7.5

As an aside, if you're going to be making any security judgments from an RFC, every RFC since RFC2223 has a Security Considerations section. You usually want to start there.

  • mehrdadn  6 years ago

    It's fairly obvious that this is about keeping secrets from other users locally whereas the fragment discussion is about keeping secrets from the server and that these two are not the same thing. People reasonably see the fragment as none of the server's business independently of whether it's any other local user's business (the latter fact itself being no one else's business to care about).

    • dzhiurgis  6 years ago

      Seems like both Stripe and website author are misusing the browser feature.

      Seems like core problem is lack of storage API that can only be accessed from JS that's executes from same domain?

      Edit: Seems localStorage does isolate per domain, but I am not sure whether it's for page itself or for external JS too.

      1 reply →

cornishpixels  6 years ago

The fragment is, at the very least, exposed to JavaScript. It's also has several problems which are explicitly called out (for the query string) in your own link: Shoulder surfing, cache, history