by jessegreathouse 3721 days ago
Because access to that resource can be replicated by simply viewing network traffic logs. Sending authorization info in the headers over SSL would be much more safe.

First of all, any secure resource should only be accessed over SSL, so I assume that.

The path is exactly as secure as authorization headers. Network logs will not show the path of SSL requests (it's encrypted).

URL-based Bitcoin wallets proved this not to be the case. URLs get picked up by Omnibar, Skype, etc. They find their way into search results... I wouldn't even trust secret material in the fragment-id even though that in theory is safer.
Doesn't excluding them in robots.txt solve the search engine problem?
Following the rules laid out in a robots.txt file is optional. The reputable search engines tend to play by the rules but dodgy ones? Not so sure.
The dodgy ones don't have access to the URLs. The example was Skype links: if Microsoft scrapes those, they'll follow the rules and not make them available in searches.

If you give your link to a dodgy search engine, you've lost.