27-Mar-2000 10:10 Klaus Weide wrote:
> On Mon, 27 Mar 2000, Philip Webb wrote:

>> 000326 T.E.Dickey wrote:
>> > 000325 LP wrote
>> >> Occasionally, lynx sends referer field pointing to local files,
>> >> incl temporary files, which may be not good because of security
>> >> (remote user may find temp file name generated by lynx).
>> >> the referer: field should not be sent if previous page was not  http://
>> > there's the NO_FILE_REFERER setting to cover this -
>> > we could make a special case and suppress files
>> > Lynx happens to have opened for temporary use irregardless of that.
>>
>> it would seem a good idea to do that,
>> assuming there can never be a good use for referer fields to local files.

> There is, IMO,
>   - for testing & debugging of Lynx itself,
>   - for testing & debugging of authored pages (maybe if parts are
>     uploaded to a server and parts are still tested on local disk),
>   - for sites providing local services via lynx (freenet-style), or
>     other kinds of local HTML pages on multiuser systems.

> As someone else already mentioned, there is a lynx.cfg option
> to turn it off.  (It may be reasonable to change the default
> to NO_FILE_REFERER:TRUE.)

I think:
- one should disable file referer for lynx private pages (UIP),
- the default for NO_FILE_REFERER should be changed (as mentioned
  above), as a consequence, change -nofilereferer command (rename??? or
  make it a toggle).


>    Klaus
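
The policy discussed in this thread, sketched as an added C example (not Lynx source and not part of the original messages): http(s) pages may be named in Referer, file: pages only when the NO_FILE_REFERER-style switch is off and the file is not under the client's temp directory, and anything else never. The function name `referer_allowed`, its parameters and the temp directory argument are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical policy helper for illustration; not taken from Lynx. */
/* Case-insensitive test for "<scheme>:" at the start of url. */
static int has_scheme(const char *url, const char *scheme)
{
    size_t n = strlen(scheme);
    return strncasecmp(url, scheme, n) == 0 && url[n] == ':';
}

/* Does a file: URL point below dir (e.g. the client's temp directory)? */
static int file_url_under_dir(const char *url, const char *dir)
{
    const char *path = url + 5;              /* skip "file:" */
    size_t n = strlen(dir);
    if (strncasecmp(path, "//localhost/", 12) == 0)
        path += 11;                          /* keep the leading '/' */
    else if (strncmp(path, "//", 2) == 0)
        path += 2;                           /* empty host: file:///... */
    return n > 0 && strncmp(path, dir, n) == 0 &&
           (dir[n - 1] == '/' || path[n] == '/');
}

/* Return 1 if a Referer header naming prev_url may be sent, else 0. */
int referer_allowed(const char *prev_url, int no_file_referer, const char *tmp_dir)
{
    if (prev_url == NULL || *prev_url == '\0')
        return 0;
    if (has_scheme(prev_url, "http") || has_scheme(prev_url, "https"))
        return 1;
    if (has_scheme(prev_url, "file")) {
        if (no_file_referer)
            return 0;                        /* user opted out entirely */
        if (tmp_dir != NULL && file_url_under_dir(prev_url, tmp_dir))
            return 0;                        /* never leak temp file names */
        return 1;                            /* local testing, local services */
    }
    return 0;   /* generated/internal pages and any other scheme */
}

int main(void)
{
    /* Constructed sample URL; the temp file name is made up. */
    printf("%d\n", referer_allowed("file://localhost/tmp/Lxxxx.html", 0, "/tmp"));
    return 0;
}
```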



