Hacker News new | ask | show | jobs
by hifier 4096 days ago
In that case, why is https://github.com/greatfire/ still returning the alert(..) js when not coming from Baidu?
1 comments
pyre 4096 days ago
> > The first round was cross-domain JavaScript, stopped with an "alert()".

> Second round was cross-domain <img>, stopped with referrer.

It does not mention that the alert() used the referrer.

link
hifier 4096 days ago
Apologies if I'm being dense, but is there some technical reason why it does not use the referrer to selectively block this traffic rather than blocking it for everyone?
link
pyre 4096 days ago
The content doesn't seem to be blocked if you remove the trailing slash. I don't really have an answer for you aside from that though.

E.g.:

- This works: https://github.com/greatfire

- This doesn't: https://github.com/greatfire/

So far as I know, most links (external or internal) to a Github user's page do not use the trailing slash, so the effects would presumably be minimal.

link
jurre 4095 days ago
Parsing the referrer would still require some work from their servers right?
link
hifier 4095 days ago
Sure. I suppose that could be the reason. However, something like HA proxy[1] and (IIRC) CDNs like Akamai can be configured to inspect the headers and take various action.

[1] http://cbonte.github.io/haproxy-dconv/configuration-1.5.html...

link