Hacker News
by squiggleblaz 2396 days ago
If a user types in a web browser: https://www.example.com/webpage?q=54#{"userdata":"its a secret"}

Then the web browser sends a message to the server that looks something like this:

   GET /webpage?q=54 HTTP/1.1
   Host: www.example.com
   Cookie: well maybe there's a cookie here

Although it's encrypted with SSL and there are some hopefully irrelevant messages along with it (which aren't irrelevant so they can be used to fingerprint you).

As you can see, the bit that comes after the hash isn't ever sent from the client to the server. It was originally meant so that you could link to a particular section of a longer web page, so it was quite irrelevant.

Nowadays it's exposed to JavaScript. This means that the code can rely on it - it can read and set it. The JavaScript author could read it and use it in an entirely in-browser JavaScript app. Or the JavaScript author could read it and send it to the server in a more secure channel, like the body of a POST request, to reduce the chances it gets stored in server logs.

But what comes after the hash is never processed by any standards-compliant web server nor transmitted by any standards-compliant web browser/client.
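
The behaviour described in the comment above, as an added example that is not part of the original post: it splits the comment's URL into what goes on the wire and what stays client-side, then builds `fetch()` arguments that carry the fragment in a POST body. The function names and the `/api/submit` endpoint are assumptions made for illustration.

```javascript
// Added example. TYPED is the URL from the comment; everything else is constructed.
const TYPED = 'https://www.example.com/webpage?q=54#{"userdata":"its a secret"}';

// What the client transmits: path + query in the request line, host in Host.
function wireRequest(typedUrl) {
  const u = new URL(typedUrl);
  return {
    requestLine: `GET ${u.pathname}${u.search} HTTP/1.1`,
    host: u.host,
  };
}

// What stays in the browser (location.hash there, URL.hash here).
// Returns null when there is no fragment, parsed JSON when the fragment
// is JSON, and { raw } for anything else, including bad percent-escapes.
function fragmentData(typedUrl) {
  const hash = new URL(typedUrl).hash;
  if (!hash) return null;
  let raw = hash.slice(1);
  try {
    raw = decodeURIComponent(raw); // the URL parser escaped quotes and spaces
  } catch {
    // malformed escape such as a lone "%": keep the undecoded text
  }
  try {
    return JSON.parse(raw);
  } catch {
    return { raw };
  }
}

// Arguments for fetch(url, init) that move the fragment into a POST body,
// so it never appears in a request line that a server might log.
// `endpoint` is a hypothetical same-origin path.
function postFromFragment(typedUrl, endpoint) {
  const data = fragmentData(typedUrl);
  if (data === null) return null;
  const target = new URL(endpoint, new URL(typedUrl).origin);
  return {
    url: target.href,
    init: {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify(data),
    },
  };
}
```
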