Web applications: should extraneous/unneeded query string arguments just be ignored?_问答_开发者

Web applications: should extraneous/unneeded query string arguments just be ignored?

开发者 https://www.devze.com 2023-03-31 15:02 出处：网络

I am still fairly new to web application development, so perhaps this is a n00b question. It seems like most websites will just silently ignore query string arguments they do not need nor understand.

I am still fairly new to web application development, so perhaps this is a n00b question.

It seems like most websites will just silently ignore query string arguments they do not need nor understand. For example, a github URI usually looks like:

https://github.com/airbnb

Now if I just tack on a bogus query string, as in:

https://github.com/airbnb?foo=bar

The page loads just fine and doesn't complain about the query string.

This seems like a perfectly开发者_运维百科 reasonable behavior, and I spot-tested some other sites and they also ignored extraneous and/or unneeded query string arguments.

My questions are:

1) Is this the correct or de facto behavior of most web applications? (presumably answer is yes)

2) If (1) is yes, is the reason just common sense, convention, simplicity, etc? Or do standards like HTTP or REST have any guidance or interest in deciding how this is handled?

Alternatives would be to:

Explicitly guard against unknown query string arguments, which is perhaps a bit heavy-handed
Redirect to a "clean" version of the URL w/o the bogus strings. Again, perhaps this is unnecessary

The practice I have always followed while developing web applications is performing only the validation of expected parameters. You should not, IMHO, even read/parse any parameter which you do not expect, because the possibilities are practically infinite. Imagine that it is possible to perform a query like:
https://github.com/airbnb?foo=bar
and also:
https://github.com/airbnb?fooo=bar
and also:
https://github.com/airbnb?foooo=bar

So, if one is to refuse every single parameter not accepted, it would certainly be a little overwhelming. Just ignoring and not even reading them should be safe enough.

Refusing requests containing unexpected parameters will also bring additional challenges, for example: Google Analytics (and other tracking solutions as well) might reach your site using additional parameters.

Side note: if your app supports redirection, I recommend reading the following tip, just in case: http://guides.rubyonrails.org/security.html#redirection

The handling of extra parameters, including things like query strings on post requests, is entirely application-dependent. Different frameworks behave differently, and you'd be ill-advised to rely on any particular behavior.

If you're implementing, I would recommend being absolutely strict about parameter validation. That way, you won't have to rely on any of the above-referenced behavior, and as an added bonus, it makes it easy to write rules for webapp firewalls like mod_security.

"Be liberal in what you accept" is a recipe for security holes and interoperability problems.