Web applications: should extraneous/unneeded query string arguments just be ignored?
I am still fairly new to web application development, so perhaps this is a n00b question.
It seems like most websites will just silently ignore query string arguments they do not need nor understand. For example, a github URI usually looks like:
https://github.com/airbnb
Now if I just tack on a bogus query string, as in:
https://github.com/airbnb?foo=bar
The page loads just fine and doesn't complain about the query string.
This seems like a perfectly开发者_运维百科 reasonable behavior, and I spot-tested some other sites and they also ignored extraneous and/or unneeded query string arguments.
My questions are:
1) Is this the correct or de facto behavior of most web applications? (presumably answer is yes)
2) If (1) is yes, is the reason just common sense, convention, simplicity, etc? Or do standards like HTTP or REST have any guidance or interest in deciding how this is handled?
Alternatives would be to:
- Explicitly guard against unknown query string arguments, which is perhaps a bit heavy-handed
- Redirect to a "clean" version of the URL w/o the bogus strings. Again, perhaps this is unnecessary
The practice I have always followed while developing web applications is performing only the validation of expected parameters. You should not, IMHO, even read/parse any parameter which you do not expect, because the possibilities are practically infinite. Imagine that it is possible to perform a query like:
https://github.com/airbnb?foo=bar
and also:
https://github.com/airbnb?fooo=bar
and also:
https://github.com/airbnb?foooo=bar
So, if one is to refuse every single parameter not accepted, it would certainly be a little overwhelming. Just ignoring and not even reading them should be safe enough.
Refusing requests containing unexpected parameters will also bring additional challenges, for example: Google Analytics (and other tracking solutions as well) might reach your site using additional parameters.
Side note: if your app supports redirection, I recommend reading the following tip, just in case: http://guides.rubyonrails.org/security.html#redirection
The handling of extra parameters, including things like query strings on post requests, is entirely application-dependent. Different frameworks behave differently, and you'd be ill-advised to rely on any particular behavior.
If you're implementing, I would recommend being absolutely strict about parameter validation. That way, you won't have to rely on any of the above-referenced behavior, and as an added bonus, it makes it easy to write rules for webapp firewalls like mod_security.
"Be liberal in what you accept" is a recipe for security holes and interoperability problems.
精彩评论