
How not to do URL redirects (… the way Quora does) - acharekar
http://engineering.webengage.com/2012/01/19/how-not-to-do-url-redirects-the-way-quora-does/
======
kogir
Best I can tell, there is zero incentive for Quora (or any other site, for
that matter) to care. Their current redirect logic in no way hurts their user
experience.

Right now they protect their users' privacy. What benefit do they realize by
providing their users' viewing history to other sites?

I personally think that the referer header was never a good idea. I disable it
in my browser, and appreciate sites that do right by their users with privacy
protecting default behaviors.

~~~
avlesh-singh
Of course there is zero incentive for anyone to do it. And if everyone chose
to link the way Quora does, you get a Google Analytics dashboard which cannot
tell you which URLs are sending traffic to your site/blog. I find it
really difficult to imagine.

~~~
mcgwiz
The long term effect would be that websites can no longer use referrer as a
metric. What difference would that make? HTTP resources (webpages) shouldn't
change semantic meaning depending on the referrer anyway. Doing so is arguably
an unintended use (or abuse) of HTTP.

~~~
avlesh-singh
Absolutely! And see the funny reasons people have been citing in favor of such
an act - <http://www.quora.com/Why-does-Quora-redirect-to-URLs-in-a-way-that-loses-the-original-referrer>

------
yuvadam
I hate to crash the party, but why is the premise that "overriding links is
absolutely okay" taken for granted?

Says who? Google and their `/url`? Facebook and their `l.php`?

~~~
larrik
Why wouldn't it be okay? This is a link on their own website, they can control
it how they want.

~~~
avlesh-singh
That's the point. It is okay as long as they play nice with HTTP headers and
other info which needs to be passed downstream.

~~~
waitwhat
Quora don't "need" to do anything. You just want them to.

------
sequoia
This is probably _not_ the case, but is it possible that Quora is
intentionally stripping the referer header? Duck Duck Go does just this in the
interest of user privacy: why should site X know where I came from and what I
was searching? <https://duckduckgo.com/privacy.html> Seems unlikely in this
case but possible.

Incidentally, it seems that encrypted.google.com does this but not regular
google. EDIT: This happens for all https->http requests, it's not a google
feature (TIL).

~~~
jimktrains2
The User-Agent generates the Referrer header, not the site. Also,
encrypted.google.com doesn't do it, the HTTPS standard says that browsers
shouldn't send referrer headers to sites not in the same domain or not with
https.

~~~
sequoia
You are right, I'm writing carelessly. I meant strip loosely as "causes the
header to not be sent" or not in full.

------
entropyneur
I don't see how this could be a result of simple mistake. There doesn't seem
to be any reason to do redirects this way except hiding the referrer.

~~~
acharekar
Exactly what is pointed out in the post. Why would someone want to hide the
original referrer for a link?

~~~
brador
That's not the only thing they're doing...

<http://nerdr.com/quora-needs-to-die/>

Seems they're going down the annoying search visitors by hiding information
route (similar to what expertsexchange was riled on for, although not quite as
bad yet).

------
buddydvd
It's most likely done intentionally to protect against leaking the clicker's
identity. See the issue Facebook had back then:
<http://www.benedelman.org/news/052010-1.html>

~~~
avlesh-singh
Sending an incorrect site referrer to a downstream website doesn't solve the
identity problem! HTTP headers have existed even before all these applications
came into being. One just has to abide by some of those basics.

~~~
buddydvd
It can be fixed through a double redirect. Basically, redirect the browser to
an internal page that redirects to the original page and have that page
redirect to the outbound link.

For example:

Say you're on this page: <http://site.com/article?_uid=123> (_uid being the
identity leaking query param) and clicked a link that appears to point to:
<http://google.com/>

When a user clicks on that link, the page redirects the user to
<http://site.com/redirect?target=http%3A%2F%2Fgoogle.com&src=http%3A%2F%2Fsite.com%2Farticle>

The server will then redirect the browser back to: <http://site.com/article>

And when the server sees that request with referrer set to
/redirect?target=http%3A%2F%2Fgoogle.com, it will then parse out the target
url and redirect the browser to <http://google.com>.

This way, the target url can be given a meaningful referrer url without
compromising the user's identity.

~~~
mkjones
Isn't that exactly what Quora is doing?

~~~
buddydvd
OP's blog post says Quora is not doing that. It says Quora's redirecting to
gigaom.com from
<http://www.quora.com/_/redirect?url=http%3A%2F%2Fgigaom.com%2F2010%2F06%2F08%2Fhow-zynga-survived-farmville%2F&sig=4f01ab>
instead of
<http://www.quora.com/What-are-everyday-apps-that-use-cloud-computing>.

The technique I described allows Quora to customize the referrer associated
with an outbound link.

~~~
mkjones
Ah yes, I misread your post. The trouble with that approach is that you have
to enumerate the dangerous params, and if the actual page URL needs a private
parameter to work, you can't get rid of it.

~~~
buddydvd
Right, but you can always pass the canonical url to the redirector. That lets
you avoid maintaining a whitelist/blacklist of query params. This should be
trivial for Quora as most of their pages already contain the meta tag
specifying the canonical url:

    <link rel="canonical" href="http://www.quora.com/What-are-everyday-apps-that-use-cloud-computing" />

They just need to update their outbound link interceptor to take that version
instead of the actual url.

------
ck2
_We let you create surveys and display those on your website in a “targeted”
manner_

A better title for your article would have been:

 _why to never rely on referers_

(which can be blocked or purposely malformed)

~~~
avlesh-singh
Absolutely! The post might have got some attention from Quora in that case :)

------
gecco
Would we get the right referer if 302 is done via quora redirect?

~~~
avlesh-singh
Not sure if I understood this correctly. If Quora chose to send a Location:
some-url and Status: 302, it would have definitely worked as expected.

~~~
gecco
So what should an app do if it wants to track all outbound links and send the
real url as referer to the outbound link?

~~~
entropyneur
The best way to do it is probably to track clicks on outbound links using
javascript.

~~~
stevendaniels
Aren't there a few cases when this method won't work?

~~~
entropyneur
Are you referring to the fact that the browser will interrupt your tracking
request because it already started loading the linked page? I haven't really
tried, but I believe this can be dealt with if your server-side code expects
it to happen.
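
The JavaScript approach from the last few comments, as an added example (not from the post, Quora, or the blog's product): the anchor keeps its real href, so the destination gets the page's own URL as Referer, and the click is reported separately. The `/track` endpoint, the payload shape and the 300 ms deadline are assumptions. The race entropyneur mentions (the tracking request being cut off when the page unloads) is handled first with `navigator.sendBeacon`, which the browser queues and delivers after unload, and only when that is unavailable by holding the navigation until the request completes or the deadline passes.

```javascript
// Added example, not from the post or Quora: track outbound clicks from the
// page itself, so the anchor keeps its real href and the destination sees the
// page's own URL as Referer. The /track endpoint and payload shape are made up.
const TRACK_ENDPOINT = "/track";

// Destination to report for an anchor, or null for same-site and non-http links.
function outboundTarget(href, pageOrigin) {
  let u;
  try { u = new URL(href, pageOrigin); } catch (e) { return null; }
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  return u.origin === pageOrigin ? null : u.href;
}

// Handle a click on `anchor`. `env` is the browser surface passed in explicitly
// so the logic also runs under Node: {origin, path, sendBeacon, fetch, navigate, setTimeout}.
function onOutboundClick(event, anchor, env) {
  const dest = outboundTarget(anchor.href, env.origin);
  if (!dest) return "ignored";
  const payload = JSON.stringify({ dest, from: env.origin + env.path });
  // Preferred: sendBeacon is queued by the browser and delivered even after the
  // page is unloaded by the navigation, so the "request gets cut off" race the
  // comment mentions does not arise; default link handling is left untouched.
  if (env.sendBeacon && env.sendBeacon(TRACK_ENDPOINT, payload)) return "beacon";
  // Fallback without sendBeacon. A modified click or target=_blank opens a new
  // tab, this page stays alive, and a plain request is fine.
  const opensElsewhere = event.button !== 0 || event.metaKey || event.ctrlKey ||
    event.shiftKey || anchor.target === "_blank";
  if (opensElsewhere) {
    env.fetch(TRACK_ENDPOINT, { method: "POST", body: payload });
    return "fetch";
  }
  // Otherwise hold the navigation until the request finishes (or a short
  // deadline passes, so a slow tracker never blocks the user), then navigate.
  event.preventDefault();
  let done = false;
  const go = () => { if (!done) { done = true; env.navigate(dest); } };
  env.fetch(TRACK_ENDPOINT, { method: "POST", body: payload, keepalive: true }).then(go, go);
  env.setTimeout(go, 300);
  return "deferred";
}

// Wiring for a real page; skipped when the file runs under Node.
if (typeof document !== "undefined") {
  document.addEventListener("click", (event) => {
    const anchor = event.target.closest ? event.target.closest("a[href]") : null;
    if (!anchor) return;
    onOutboundClick(event, anchor, {
      origin: location.origin,
      path: location.pathname,
      sendBeacon: navigator.sendBeacon ? navigator.sendBeacon.bind(navigator) : null,
      fetch: window.fetch.bind(window),
      navigate: (url) => { location.href = url; },
      setTimeout: window.setTimeout.bind(window),
    });
  });
}
```

The deferred path is the one to watch: `done` guards against navigating twice when both the request and the timer fire, and the deadline means a blocked or slow tracking endpoint costs the user at most 300 ms rather than a dead link.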

------
mnutt
Since you are a hosted service, you could periodically loop through all of the
Quora redirect links you've received and resolve them. This might be against
Quora's TOS, though.

I believe Twitter does this with URL shortener links posted in tweets.
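
Resolving redirector links server-side, as the comment above suggests, as an added example (not from the post). The resolver follows `Location` headers itself instead of letting the HTTP client auto-follow, so it can cap the hop count, detect loops and refuse a redirect to a non-http(s) scheme. The transport is injected; the response table is constructed for the example and was not captured from Quora, and the real transport assumes the global `fetch` of Node 18+.

```javascript
// Added example, not from the post: resolve redirector links to the page they
// finally land on, as the comment above suggests. The transport is injected so
// the sample below runs offline against a constructed response table.
const MAX_HOPS = 5;

// Follow Location headers from `start`. fetchHead(url) resolves to
// {status, location}; returns {final, chain, status} or throws on loops,
// hop limits, bad Location values and non-http(s) schemes.
async function resolveRedirects(start, fetchHead, maxHops = MAX_HOPS) {
  const chain = [new URL(start).href];   // normalised, so loop detection compares like with like
  let current = chain[0];
  for (let hop = 0; hop < maxHops; hop++) {
    const res = await fetchHead(current);
    if (res.status < 300 || res.status >= 400 || !res.location) {
      return { final: current, chain, status: res.status };
    }
    let next;
    try { next = new URL(res.location, current); } catch (e) {   // relative Location is allowed
      throw new Error(`bad Location from ${current}: ${res.location}`);
    }
    if (next.protocol !== "http:" && next.protocol !== "https:") {
      throw new Error(`refusing non-http redirect to ${next.href}`);
    }
    if (chain.includes(next.href)) throw new Error(`redirect loop at ${next.href}`);
    chain.push(next.href);
    current = next.href;
  }
  throw new Error(`more than ${maxHops} redirects from ${start}`);
}

// Real transport for Node 18+ (assumed): HEAD without auto-follow, so every
// hop passes through the checks above rather than the client's own follower.
async function httpHead(url) {
  const res = await fetch(url, { method: "HEAD", redirect: "manual" });
  return { status: res.status, location: res.headers.get("location") };
}

// Constructed responses for the offline run (not captured from Quora).
const SAMPLE_RESPONSES = {
  "http://www.quora.com/_/redirect?url=http%3A%2F%2Fgigaom.com%2F2010%2F06%2F08%2Fhow-zynga-survived-farmville%2F&sig=4f01ab":
    { status: 302, location: "http://gigaom.com/2010/06/08/how-zynga-survived-farmville/" },
  "http://gigaom.com/2010/06/08/how-zynga-survived-farmville/": { status: 200, location: null },
  "http://example.test/a": { status: 302, location: "/b" },
  "http://example.test/b": { status: 301, location: "/a" },
  "http://example.test/js": { status: 302, location: "javascript:alert(1)" },
};
const sampleHead = async (url) => SAMPLE_RESPONSES[url] || { status: 404, location: null };
```

Run against `httpHead` instead of `sampleHead` to resolve real links; keep the hop cap low and the scheme check in place, because a resolver that follows whatever a third party's `Location` says is a convenient way to make your server request arbitrary URLs.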

------
mthreat
Has anyone asked on Quora, why Quora does this?

~~~
avlesh-singh
Someone finally asked the question on Quora - <http://www.quora.com/Why-does-Quora-redirect-to-URLs-in-a-way-that-loses-the-original-referrer>

------
casca
So Quora works for you now? That must be nice...

~~~
avlesh-singh
Seems you saw a Quora survey on our site? We had to change the targeting rules
to make it a generic "referring site starts with Quora.com" kinda rule instead
of specific URLs :(

