Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
The Internet

UrlHosted Experiment: Host Content Within the URL 138

New submitter graphicore writes to point out an experimental "unhosted" app that challenges the concept of the URL. By putting the post data after the # mark, the URL is (mis-)used as the data storage. You can store your data within your bookmarks list, host it via a URL-shortener(!) like here: http://goo.gl/DYxr5m or attach it directly to a tweet I also attached the full-url to this slashdot post :-) This raises the question about who is hosting the content and it will probably break the internet. This is a quote from Google's shortener policy: "Please remember that goo.gl directs you to content that is already in existence on the internet. This is not content hosted by Google." It could also become a storage strategy for any other web app. The app is GPL v3, no strings attached. And there's always DNS, too.
This discussion has been archived. No new comments can be posted.

UrlHosted Experiment: Host Content Within the URL

Comments Filter:
  • ... it will probably break the internet...

    Oh no Mr. Bill. The Internet will be broken.

    .
    Give me a friggin' break. Get real.

    • by ubrgeek ( 679399 )
      I thought only my grandparents could manage that.
  • You still need to point to a base URL that knows how to unwrap the URL hosted content...

    So who who host those, knowing that any URL directed there might be mistakenly attributed to content they are hosting? You could make it appear as if such a site is saying ANYTHING... it's like you pre-hacked yourself.

    • by im_thatoneguy ( 819432 ) on Friday September 18, 2015 @10:24PM (#50553965)

      Yes and no. You could fit a bittorrent tracker into it. Then you're hosting your bit torrent tracker files into a short URL.

      It doesn't break the internet but it does dramatically shift the question of who is "Hosting" content and who is "just sharing a link". There is a lot of legal uncertainty about what constitutes for instance copyright infringement. If you post a link to a tweet with a serial number are you committing piracy? If the website has a widget which then embeds the tweet are you worse or better off? If you post a URL which has the serial number in the URL... are you then just sharing a link or are you sharing the content? Does Google's URL shortener bare any legal responsibility under safe harbor for taking down URLs that contain copyrighted material?

      • by lgw ( 121541 )

        OK, now it makes sense, thanks. I was wondering what this was for, but "bit torrent tracker" makes it clear. Very nice hack indeed.

        It won't break the internet, but it will perplex and confuse MAFIAA lawyers, and that's something.

      • That is true, it still lets you store arbitrary data in a URL, but you could perform the same trick just by putting any ascii encoded data into a query param attached to any valid hostname, which a URL shortener would happily store and feed back.

        I'm saying that when you give a link like this to someone else that has something like an article in the example, that site has to know how to parse the whole blob of data after the "#" to display. That opens the site that is willing to parse and display the encoded

      • If you post a link to a tweet with a serial number are you committing piracy? If the website has a widget which then embeds the tweet are you worse or better off? If you post a URL which has the serial number in the URL... are you then just sharing a link or are you sharing the content? Does Google's URL shortener bare any legal responsibility under safe harbor for taking down URLs that contain copyrighted material?

        Sometimes geeks think they can get around laws with this kind of 'clever' trickery, but the answer is no, if you are purposely sharing copyrighted material in the URLs, then you are still liable.

        • Simply linking to data though is not copyright infringement. So if the public rightfully believes that simply sharing a link is legal they may not spend the necessary time nor have the technical knowledge to discern the difference from copying a URL and sharing it and copying actual copyrighted works and sharing them.

          URLs are already a loop hole in copyright law in many countries. This would widen that hole since the entire copyrighted work could even theoretically be contained within a very long URL. A

          • Simply linking to data though is not copyright infringement

            This is not "simply linking to data" and you know it.

            So if the public rightfully believes ....

            "Belief" doesn't enter into copyright law.

            URLs are already a loop hole in copyright law in many countries. This would widen that hole since the entire copyrighted work could even theoretically be contained within a very long URL.

            This is like a nerd dream that lacks understanding of how the law works.

        • by Rob Riggs ( 6418 )
          That "Anonymous Coward" dude is going to be in a world of hurt.
      • by Intron ( 870560 )

        Most sites, /. for example, say anything you post is owned by you. That would include links that you post.

    • by Fwipp ( 1473271 )

      And even if they aren't malicious enough to hack you, it's not a hard decision for google to say "Oops, we no longer support URLs longer than 200 characters," or just drop everything after the anchor tag, so they aren't stuck storing some million cat gifs in their database.

  • Now he just needs to get the javascript powering this to fit in a data:// uri and it can be entirely hosted in the url.

  • by Anonymous Coward

    How is this different from the Data URI Scheme?

    https://en.wikipedia.org/wiki/Data_URI_scheme

    • Something like :

      data:text/html,<html><body>Hello</body></html>

      Will not be "shortended" by a url shortener like bit.ly, whereas the "#" embedding technique will (but then you need to know how to decode it)
      • by Lennie ( 16154 )

        I like how you can do both too (doesn't work with shortners):

        data:text/html,onload=function () { document.write (document.location.hash) }#whatever

  • by Qzukk ( 229616 ) on Friday September 18, 2015 @10:29PM (#50553987) Journal

    All this stuff about non-hosted content, and the image tag points to a wikimedia picture of a kitten instead of a data: URI?

  • i think this is kind of cool. it's clear that there's some sort of server thing that interprets the URL and spits back friendly HTMLs. it would be cool if this could be done locally, so alls you would need is a shortened URL and you would get a page of content. it would work well for wikipedia.

    • That's what it is. You need a server to download the JavaScript, but that runs locally, and generates the html/content.
      • huh i thought that it took the URL, read it, and then sent back the plaintext. with the message you suggest there wouldn't be any plaintext transfer over the internet. that's a cool idea! also, the summary said "break the internet", which doesn't refer to KimK but rather to the fact that this method would prevent both search engine bots and hyperlinking. Kind of the fundamental cornerstone of the internet!

    • by Lennie ( 16154 )

      Just run a 100k webserver with an embedded single HTML file running on 127.0.0.1

  • How many of these URLs already exist and how much malware are they hosting?
  • My, what an exciting new way to fuck shit up and break all sorts of standards!

  • and that's all. Why should I allow some unknown host to execute javascript?

  • Seems IBM WebSphere did something like that. Their default URL's were often longer than a Giraffe's intestines.

    http://stackoverflow.com/quest... [stackoverflow.com]

  • And that gets to the front page now?
    • It the github/content is interesting, why not. Your question is like asking "So anyone can just write a few words in English, and that gets to the front page now?". Yes, and no. It depends on what those words are, and if they are interesting to the readers.

      • Everyone thinks their own content is interesting. If it really *is* interesting, someone else will submit it.
        • But in this case, the users that browse the firehose and recommend stories, and the editors have found it interesting, so I dont see the problem.

          • The link goes to a 2 day old undocumented and messy looking repo. So clearly those guys are asleep at the wheel.
            • People using the firehose. click a button to recommend stories. Obviously enough people recommended it. If they are a sleep, the story would like have been buried.

              • What they do and what they *tell you* they do can be two entirely different things. This is after all, SlashDot, home of "don't give a shit about the users". You know, Beta, serial posts by favored buddies, etc.
  • This is against everything we know about cross site scripting. It is like having ?errormessage=text at the end of a URL. We know the security implications of this, and we know not to do it. The potential for abuse is way too high.

    • by Lennie ( 16154 )

      If you are worried about that, add some CSP (Content Security Policy) headers to the hosted HTML file.

  • by ConstantineM ( 965345 ) on Saturday September 19, 2015 @01:52AM (#50554507)

    I might be subjective as I'm the author of it, but this somewhat remind me of my http://mdoc.su/ [mdoc.su] project, which is what I call a deterministic URL shortener, or, perhaps, better yet, a semantic URL provider.

    The whole source code is an nginc.conf configuration file, and is just a bunch of regular expressions and `rewrite` and `location` rules, available under an BSD/ISC licence, of course -- that's the one that comes with "no strings attached", BTW!

    http://mdoc.su/ [mdoc.su]
    http://mdoc.su/FreeBSD-10.2/fs [mdoc.su]
    http://mdoc.su/f102/resolvconf [mdoc.su]
    http://nginx.conf.mdoc.su/mdoc... [conf.mdoc.su]
    https://github.com/cnst/mdoc.s... [github.com]

  • Ingenious (Score:3, Insightful)

    by Jo Inge Arnes ( 2803455 ) on Saturday September 19, 2015 @05:45AM (#50554925)
    I love this idea! Also, I have to add something: If the URL-shortner uses 302 to redirect to the full URL, the content part behind the anchor/hash will not be sent to the server. It will still available to the JavaScript returned from the server that is run in the browser. So the server will not know about the content. (This feature is already used by e.g. OAuth2) In addition, instead of accessing a remote server, the URL could point to localhost, and the user could run the "content unpacking" webserver locally (and maybe automatically prevent any unwanted cross-site requests, since this is the default behaviour of the browser)
  • A person could use this app to run a blog of sorts, and as popular as it became the blogger would be hosting it on the cheap. You host the app and tweet the shortened URL's. The content is hosted, but not by you. The URL shortener hosts the content. But unlike LiveJournal or Wordpress.com, the URL shortener never agreed to hosting your content. You've essentially repurposed its functionality and subverted its intent.

    I'm guessing the various URL shorteners will respond to this very quickly. The hack will end

    • by narcc ( 412956 )

      I have a different prediction: This "hack" will continue to function unabated as it won't generate enough interest to warrant action.

  • Da farq.... (Score:3, Funny)

    by Zanadou ( 1043400 ) on Saturday September 19, 2015 @08:11AM (#50555239)

    Jesus fa... what the fuck did I just read???

    It reads like it's being said by an eight year old girl who's just been given two double espressos and a new kitten.

  • This will break the T-shirt business! All those whose living depends on selling t-shirts with DeCSS source code, "09 F9" AACS key, etc. as all we need now is a shortened url (white t-shirt + that marker that you have still have from freeing CDs from Sony's key2audio protection).
  • Since getting at game saves is not something the average user can easily do in most cases on mobile platforms, would this be a useful method for sharing save games?
    Just drop a URL to the desktop and now anyone can have full hearts, the champion sword, and the unobtainium underpants.

  • This raises the question about who is hosting the content and it will probably break the internet.

    No, absolutely not. No on both those assertions. In fact, it really clears up who is responsible for the content of the link. As the same host contains both the "link" and the data. People have been converting data to text and embedding it directly into HTML pretty much since HTML has existed. It is neat if often the wrong way to go about it, but also very useful for userscript developers.

In the long run, every program becomes rococco, and then rubble. -- Alan Perlis

Working...