I’ve banned query strings

Posted by susam 22 hours ago

I’ve banned query strings(chrismorgan.info)

471 points | 243 commentspage 5

gojomo 17 hours ago|

Trying to boostrap some taboo against novel unpermissioned URL munging is silly prudishness.

Ensuring both sides of a hyperlink agree/consent was a design flaw that limited the uptake of pre-web hypertext systems. The web's laissez-faire approach demonstrated a looser coupling was far better for users, despite all the new failure modes.

Of course any site/server has the practical power free to treat inbound requests as rigorously (or harshly) as they want. But by the web's essential nature, it is equally part of the inherent range-of-freedom of outlink authors to craft their URLs (and thus the resulting requests) however they want. URLs are permissionless hyperlanguage, not the intellectual property of entities named therein.

Plenty of sites welcome such extra info, and those that don't want it can ignore it easily enough – including by just not caring enough about the undefined behavior/failures to do nothing.

Though, when a web publisher has naively deployed a system that's fragile with respect to unexpected query-string values, they should want to upgrade their thinking for robustness, via either conscious strictness or conscious permissiveness. Thereafter, their work will be ready for the real web, not a just some idealized sandbox where scolding unwanted behavior makes sense.

lofaszvanitt 13 hours ago||

IMDB recently went haywire

they added these ugly qses into every click on their site, bonkers: ?ref_=nm_ov_bio_lk

himata4113 10 hours ago||

?referrer=123 still works, so I guess it's selective.

arexxbifs 18 hours ago||

Running your own small website is a constant battle against grifters and bad online etiquette. When people hotlink images, I usually make a point of having some personal fun with mod_rewrite.

ashley95 16 hours ago||

But ?fbclid is not banned?

creatonez 14 hours ago|

It is. Your ad blocker is removing it, so it doesn't trigger the error page.

fragmede 14 hours ago||

It's just a string though. A project that I'll never get to is a custom webserver so that QR codes can use the smaller characterset, so it can link to a URL with parameters without forcing the larger character set.

lloydatkinson 18 hours ago||

This is really cool. My site is hosted by cloudflare, so I guess I could do the same with a cloudflare worker... maybe?

shevy-java 18 hours ago||

> It’s my website: I can do what I want with it.

> And you can do what you want with yours!

That does not make a lot of sense. Yes, you can do what you want with your website, but query-string is a way for users to query for additional information or wants or needs. I use them on my own websites to have more flexibility. For instance:

    foobar.com/ducks?pdf

That will download the website content as a formatted .pdf file.

I can give many more examples here. The "query strings are horrible" I can not agree with at all. His websites don't allow for query strings? That's fine. But in no way does this mean query strings are useless. Besides, what does it mean to "ban" it? You simply don't respond to query strings you don't want to handle. We do so via general routing in web-applications these days.

creatonez 14 hours ago||

> "query strings are horrible"

That's not at all what the article says. You're responding to a weird strawman that doesn't resemble the article's actual point.

pessimizer 18 hours ago||

> foobar.com/ducks?pdf

This isn't relevant when talking about links to his site. This is relevant when talking about links to your site.

> Besides, what does it mean to "ban" it? You simply don't respond to query strings you don't want to handle.

It means that you're going to get some sort of 400 error when you follow a link to his site with a query string attached to it. He simply will not respond to query strings that he doesn't want to handle, which is all of them.

throw310822 7 hours ago|

Whatever floats your boat

More comments...