UrlHosted Experiment: Host Content Within the URL

New submitter graphicore writes to point out an experimental "unhosted" app that challenges the concept of the URL. By putting the post data after the # mark, the URL is (mis-)used as the data storage. You can store your data within your bookmarks list, host it via a URL-shortener(!) like here: http://goo.gl/DYxr5m or attach it directly to a tweet I also attached the full-url to this slashdot post :-) This raises the question about who is hosting the content and it will probably break the internet. This is a quote from Google's shortener policy: "Please remember that goo.gl directs you to content that is already in existence on the internet. This is not content hosted by Google." It could also become a storage strategy for any other web app. The app is GPL v3, no strings attached. And there's always DNS, too.

It will break the Internet!!?!?!?!?!

[QuietLagoon]

... it will probably break the internet...

Oh no Mr. Bill. The Internet will be broken.

.
Give me a friggin' break. Get real.

Re:It will break the Internet!!?!?!?!?!

[ArmoredDragon]

I think it's more likely they'd just issue DMCA takedown notices to the URL shortener providers.

Re:It will break the Internet!!?!?!?!?!

Add a layer: Instead of posting content, post random strings. Only if XORed with another random string do you get content. At the same time, Alice posts string A, Bob posts string B, Carol posts string C, Dan posts string D, Eve posts string E. None of these strings have discernible content. A XOR B is a cat picture, A XOR C is a Beatles song, C XOR D is a PDF of the bible, D XOR E is a tarball of the Linux kernel. What do you take down?

Re:It will break the Internet!!?!?!?!?!

[davester666]

The website, of course.

Re:It will break the Internet!!?!?!?!?!

[arglebargle_xiv]

Did you even bother to read the rest of the summary? This actually causes real potential issues if someone stores copyrighted information in a URL-shortener's database.

Heck, my movie-warez site has been doing that for years. Sure, you have to click on 800 distinct URLs to get the content of a single frame of Game of Thrones in HD, but it's a small price to pay for thumbing your nose at the man.

Re:It will break the Internet!!?!?!?!?!

[znrt]

Did you even bother to read the rest of the summary? This actually causes real potential issues if someone stores copyrighted information in a URL-shortener's database. Because in that case, it ISN'T just a link to information - it is the information itself.

no, copyright is causing issues.

So, yes, this sort of thing can potentially open ISPs and hosting companies up to all sorts of unexpected liability. If upheld that way, when the courts get involved, it could, in fact, break the internet.

this very same technique has been used for ages in several tools to store and propagate user data.

if abused it could break url shortener services for a short while (*), which aren't essential at all. i actually never liked them, i want to know where i'm clicking to.

(*) i guess i would take any service just minutes to impose size limits.

Re:It will break the Internet!!?!?!?!?!

[ceoyoyo]

Yeah sure, the same issues you'd have if you put some copyrighted material into a Slashdot comment, or on any of the rest of those comment systems that infest websites. It's a problem that's been dealt with.

Besides, I expect that a URL shortener would reject your URL if you tried to put anything substantial (like a song) in the URL. It's not magic: all you're doing is attaching the data to the end of a URL.

Re:It will break the Internet!!?!?!?!?!

[ubrgeek]

I thought only my grandparents could manage that.

Re: It will break the Internet!!?!?!?!?!

[tepples]

Because there are plenty of other PDF Bibles on the Internet lawfully available without charge. There's the Project Gutenberg edition of the KJV, the World English Bible (an update to the ASV), the NET Bible, the New World Translation at JW.org, etc.

Re:It will break the Internet!!?!?!?!?!

[priyasehgalbolt]

UrlHosted Experiment is successful and that will never broken the internet connection. if you used this url = http://www.locksmithsinscottsd... + # By putting the post data after the # mark. and you use google url-shorter then URL will look like this : http://goo.gl/D1n9cG That will redirect to this URL not broken the internet connection.

Re:It will break the Internet!!?!?!?!?!

[morgauxo]

It would suck to lose URL shorteners. I'm not sure I would equate that with 'breaking the internet' though.

Still need a base URL "player"

[SuperKendall]

You still need to point to a base URL that knows how to unwrap the URL hosted content...

So who who host those, knowing that any URL directed there might be mistakenly attributed to content they are hosting? You could make it appear as if such a site is saying ANYTHING... it's like you pre-hacked yourself.

Re:Still need a base URL "player"

[im_thatoneguy]

Yes and no. You could fit a bittorrent tracker into it. Then you're hosting your bit torrent tracker files into a short URL.

It doesn't break the internet but it does dramatically shift the question of who is "Hosting" content and who is "just sharing a link". There is a lot of legal uncertainty about what constitutes for instance copyright infringement. If you post a link to a tweet with a serial number are you committing piracy? If the website has a widget which then embeds the tweet are you worse or better off? If you post a URL which has the serial number in the URL... are you then just sharing a link or are you sharing the content? Does Google's URL shortener bare any legal responsibility under safe harbor for taking down URLs that contain copyrighted material?

Re:Still need a base URL "player"

[lgw]

OK, now it makes sense, thanks. I was wondering what this was for, but "bit torrent tracker" makes it clear. Very nice hack indeed.

It won't break the internet, but it will perplex and confuse MAFIAA lawyers, and that's something.

Re:Still need a base URL "player"

[SuperKendall]

That is true, it still lets you store arbitrary data in a URL, but you could perform the same trick just by putting any ascii encoded data into a query param attached to any valid hostname, which a URL shortener would happily store and feed back.

I'm saying that when you give a link like this to someone else that has something like an article in the example, that site has to know how to parse the whole blob of data after the "#" to display. That opens the site that is willing to parse and display the encoded data to accusations they are saying anything I want to pretend they are saying - Swastikas or whatever.

I don't think it really creates any complication about who is sharing and storing content, because the content is in the link - it's plain someone storing that URL is also storing the content, just as it's pretty clear by sharing that link you are sharing any data inside the link also. Certainly a court would have no issue seeing it that way.

Does Google's URL shortener bare any legal responsibility under safe harbor for taking down URLs that contain copyrighted material?

Yes, if reported to them they absolutely do.

Re:Still need a base URL "player"

[Noah+Haders]

i dont get it.

Re:Still need a base URL "player"

[Fwipp]

And even if they aren't malicious enough to hack you, it's not a hard decision for google to say "Oops, we no longer support URLs longer than 200 characters," or just drop everything after the anchor tag, so they aren't stuck storing some million cat gifs in their database.

Re:Still need a base URL "player"

[phantomfive]

If you post a link to a tweet with a serial number are you committing piracy? If the website has a widget which then embeds the tweet are you worse or better off? If you post a URL which has the serial number in the URL... are you then just sharing a link or are you sharing the content? Does Google's URL shortener bare any legal responsibility under safe harbor for taking down URLs that contain copyrighted material?

Sometimes geeks think they can get around laws with this kind of 'clever' trickery, but the answer is no, if you are purposely sharing copyrighted material in the URLs, then you are still liable.

Re:Still need a base URL "player"

[Intron]

Most sites, /. for example, say anything you post is owned by you. That would include links that you post.

Re:Still need a base URL "player"

[im_thatoneguy]

Simply linking to data though is not copyright infringement. So if the public rightfully believes that simply sharing a link is legal they may not spend the necessary time nor have the technical knowledge to discern the difference from copying a URL and sharing it and copying actual copyrighted works and sharing them.

URLs are already a loop hole in copyright law in many countries. This would widen that hole since the entire copyrighted work could even theoretically be contained within a very long URL. Although a very long URL would obviously be far more noticeable.

So if you posted a URL that contained a torrent tracker to your Facebook your friends could continue to share that "Post" (w/ embedded and even concealed URL) without realizing that they are even committing copyright infringement by directly sharing the tracker not simply a link to the tracker.

Re:Still need a base URL "player"

[phantomfive]

Simply linking to data though is not copyright infringement

This is not "simply linking to data" and you know it.

So if the public rightfully believes ....

"Belief" doesn't enter into copyright law.

URLs are already a loop hole in copyright law in many countries. This would widen that hole since the entire copyrighted work could even theoretically be contained within a very long URL.

This is like a nerd dream that lacks understanding of how the law works.

Re:Still need a base URL "player"

[Rob+Riggs]

That "Anonymous Coward" dude is going to be in a world of hurt.

data://

[LiENUS]

Now he just needs to get the javascript powering this to fit in a data:// uri and it can be entirely hosted in the url.

Re:data://

[Tablizer]

Write Linux in tight Perl, it'll fit.

Re:Question

[bistromath007]

I usually see it used to make you jump down to a particular heading in, e.g., a wiki article. I think it also activates stuff in scripts sometimes?

Data URI Scheme

How is this different from the Data URI Scheme?

https://en.wikipedia.org/wiki/Data_URI_scheme

Re:Question

[Qzukk]

Not sure if serious, but I'll bite. The default action for URLs ending in #~~~~ is for the browser to find a tag named ~~~~ and scroll to that. It's used to link to a specific part of the page. Originally the tag needed to be an <a name="~~~~"> tag, but modern browsers will find any tag with id="~~~~" and use that.

It's used here because the browser does not send the #~~~~ part of the URL to the server, so you're not limited by the URL length limits in certain browsers*cough*IE*cough*. Instead, the webpage includes javascript that reads the window location variable to find the #~~~~ and parse it.

Re:Question

What's a # sign for at the end of some URLs? I've always wondered that since not all have them! Thanks for the answer.

Javashit developers abusing the structure of a URL.

It was supposed to go to an anchor tag - so that if index.html says [A NAME=foo] you could have a URL of the form index.html#foo that would go to the correct part of index.html.

Like everything else, it got ruined by Javashit when someone discovered you could manipulate things with it that had nothing to do with anchor tags.

And since Javashit "programmers" presume that everyone wants to run third-party executables within their browser, if they have nothing to supply their Javashit framework they just include the "#" and leave the rest of the URL blank.

Remember kids, without Javashit, it'd be a lot harder to have pop-ups, pop-unders, and interstitials, so always make sure your web page renders absolutely nothing without it active. The best and most portable web pages are single line obfuscated Javashit functions that load six typefaces and twenty scripts before rendering a single byte of the static HTML content that the user came from.

/even fucking nasa.gov has succumbed. Sigh.

A little disappointed

[Qzukk]

All this stuff about non-hosted content, and the image tag points to a wikimedia picture of a kitten instead of a data: URI?

pretty cool, let's do it local

[Noah+Haders]

i think this is kind of cool. it's clear that there's some sort of server thing that interprets the URL and spits back friendly HTMLs. it would be cool if this could be done locally, so alls you would need is a shortened URL and you would get a page of content. it would work well for wikipedia.

Re:pretty cool, let's do it local

[driblio]

That's what it is. You need a server to download the JavaScript, but that runs locally, and generates the html/content.

Re:pretty cool, let's do it local

[Lennie]

Just run a 100k webserver with an embedded single HTML file running on 127.0.0.1

Re:pretty cool, let's do it local

[Noah+Haders]

huh i thought that it took the URL, read it, and then sent back the plaintext. with the message you suggest there wouldn't be any plaintext transfer over the internet. that's a cool idea! also, the summary said "break the internet", which doesn't refer to KimK but rather to the fact that this method would prevent both search engine bots and hyperlinking. Kind of the fundamental cornerstone of the internet!

Re:pretty cool, let's do it local

[Noah+Haders]

what is 100k webserver. is that an OS like apache?

Malware

[fragMasterFlash]

How many of these URLs already exist and how much malware are they hosting?

Re:Cool

[Noah+Haders]

OO

Because that does not trick shorteners

[SuperKendall]

Something like :

data:text/html,<html><body>Hello</body></html>

Will not be "shortended" by a url shortener like bit.ly, whereas the "#" embedding technique will (but then you need to know how to decode it)

Re:Because that does not trick shorteners

[Lennie]

I like how you can do both too (doesn't work with shortners):

data:text/html,onload=function () { document.write (document.location.hash) }#whatever

Wow

[JustAnotherOldGuy]

My, what an exciting new way to fuck shit up and break all sorts of standards!

I just see an empty screen...

[fatquack]

and that's all. Why should I allow some unknown host to execute javascript?

WebSphere

[Tablizer]

Seems IBM WebSphere did something like that. Their default URL's were often longer than a Giraffe's intestines.

http://stackoverflow.com/quest...

Re: Question

[I'm+New+Around+Here]

Wait a sec. It's gonna let illegals invade your webpage? Who thinks up these stupid policies?

Re:So anyone can just submit their github project

[ThatsMyNick]

It the github/content is interesting, why not. Your question is like asking "So anyone can just write a few words in English, and that gets to the front page now?". Yes, and no. It depends on what those words are, and if they are interesting to the readers.

Re:Question

The smileys don't make your position any less smarmy. If you want the client to render something complex, a web browser is the wrong tool. You should write a client application. Of course this hasn't stopped legions of braindead idiots from including megabytes of javascript in their sites that does fuck knows what...

This is a stupid idea

[ModernGeek]

This is against everything we know about cross site scripting. It is like having ?errormessage=text at the end of a URL. We know the security implications of this, and we know not to do it. The potential for abuse is way too high.

Re:This is a stupid idea

[Lennie]

If you are worried about that, add some CSP (Content Security Policy) headers to the hosted HTML file.

Re:So anyone can just submit their github project

[h33t+l4x0r]

Everyone thinks their own content is interesting. If it really *is* interesting, someone else will submit it.

Re:Question

[hughbar]

It's really scary to see people asking this, apparently seriously, we've drifted so far from simplicity and standards back into a very specific world with lots more potential lock-in. This is the case for 'apps' too, they provide direct connection between the company and consumer, apart from snarfing up any data that they possibly can. Of course, I'm old, I do do apps and a lot of javascript, but I'm a big fan of open standards and KISS.

And there's always nginx rewrite, too — mdoc

[ConstantineM]

I might be subjective as I'm the author of it, but this somewhat remind me of my http://mdoc.su/ project, which is what I call a deterministic URL shortener, or, perhaps, better yet, a semantic URL provider.

The whole source code is an nginc.conf configuration file, and is just a bunch of regular expressions and `rewrite` and `location` rules, available under an BSD/ISC licence, of course -- that's the one that comes with "no strings attached", BTW!

http://mdoc.su/
http://mdoc.su/FreeBSD-10.2/fs
http://mdoc.su/f102/resolvconf
http://nginx.conf.mdoc.su/mdoc...
https://github.com/cnst/mdoc.s...

Re:So anyone can just submit their github project

[ThatsMyNick]

But in this case, the users that browse the firehose and recommend stories, and the editors have found it interesting, so I dont see the problem.

Re:Question

[mrvan]

You know what's scary?

(1) That someone on friggin' slashdot has no clue what the # in a url is, and thinks that asking it is easier than just friggin' googling it

(2) That another poster on slashdot answers in apparent earnest with "I usually see it used to make you jump down to a particular heading in, e.g., a wiki article. I think it also activates stuff in scripts sometimes?"

For crying out loud, where did all the nerds go? Reddit?

Ingenious

[Jo+Inge+Arnes]

I love this idea! Also, I have to add something: If the URL-shortner uses 302 to redirect to the full URL, the content part behind the anchor/hash will not be sent to the server. It will still available to the JavaScript returned from the server that is run in the browser. So the server will not know about the content. (This feature is already used by e.g. OAuth2) In addition, instead of accessing a remote server, the URL could point to localhost, and the user could run the "content unpacking" webserver locally (and maybe automatically prevent any unwanted cross-site requests, since this is the default behaviour of the browser)

Re: Ingenious

[Jo+Inge+Arnes]

The important part is of course the legal questions it raises.

Re:So anyone can just submit their github project

[h33t+l4x0r]

The link goes to a 2 day old undocumented and messy looking repo. So clearly those guys are asleep at the wheel.

Re:So anyone can just submit their github project

[ThatsMyNick]

People using the firehose. click a button to recommend stories. Obviously enough people recommended it. If they are a sleep, the story would like have been buried.

Re:Question

[Hognoxious]

If you want the client to render something complex, a web browser is the wrong tool. You should write a client application.

Wasn't that what Java was supposed to be for (after it was supposed to be for set-top boxes, but before it was supposed to be the new C0807)?

At the very least it's an unethical hack

[mariox19]

A person could use this app to run a blog of sorts, and as popular as it became the blogger would be hosting it on the cheap. You host the app and tweet the shortened URL's. The content is hosted, but not by you. The URL shortener hosts the content. But unlike LiveJournal or Wordpress.com, the URL shortener never agreed to hosting your content. You've essentially repurposed its functionality and subverted its intent.

I'm guessing the various URL shorteners will respond to this very quickly. The hack will end up being as short-lived as it is cool.

Re:At the very least it's an unethical hack

[narcc]

I have a different prediction: This "hack" will continue to function unabated as it won't generate enough interest to warrant action.

Re:Question

[elgatozorbas]

You know what's scary? That someone politely asks a question -which is completely on topic- and gets so much condescending flak about this. Not all nerds are html/scripting/ coding wizards.
And maybe, maybe, sometimes non-nerds stroll here accidentally. Let's quickly chase them away!

Da farq....

[Zanadou]

Jesus fa... what the fuck did I just read???

It reads like it's being said by an eight year old girl who's just been given two double espressos and a new kitten.

Re:Question

[drooling-dog]

Software/web development is the only field I can think of where practitioners delight in ridiculing people outside of their specialty for not knowing everything that they do. I don't see that with medical doctors or lawyers or pharmacists or physicists. Every profession seems to have its own standards for basic maturity.

Re:Question

[Intron]

A browser is a client application.

Re:Question

[Kjella]

Plain HTML/CSS is fine for read-only sites. If you make your navigation dependent on Javascript you should be taken out back and shot. On the other hand if you want a form with even a moderate level of validation, date pickers, chained selects, chosen filters, basic HTML editing (in my case, an email template) or whatever then AJAX is pretty much the only way to go. The whole "put everything in a POST and rerender the whole page on every change" method is just terrible, both from a user and developer perspective. I must admit I haven't looked terribly hard at alternatives since I'm experimenting on an intranet site but even without trying very hard I needed jQuery, jQuery.UI and TinyMCE to fulfill the requirements. And at that point you're really there where you need Javascript anyway, so if another script or library can solve a problem well...

Not that I really want to include every library under the sun, but there's so much basic functionality for a web application I feel is missing. Sort of like being back at plain C++ without the Qt library, sure you could reinvent the wheel but why? Not that I really should expect it to, I mean originally it was just a bit of text mark-up with linking. Unfortunately it's not the 90s anymore, we don't want plain text sites and thick applications. We expect the apps to live in the browser unless they have some really special needs. Mostly it's a good thing, the Javascript sandbox is pretty strong. It's Java, Flash, ActiveX and all the other plug-ins that have been the huge exploit vectors. I guess you could go all RMS on this, but whether the server sends me "x=4" or "x=2+2, you do the math" doesn't really concern me.

Re:WTF

[Intron]

First time I read the summary I was like WTF is this, an advertisement?

Second time, I'm still wondering WTF. Someone needs to go back and read what a URL (ahem, URI, excuse me) actually is. It's a LINK: connecting things... not storing app preferences and shit. That's like, real, old school... before sessions, and cookies!

At one time it was. Then on the second day Tim Berners-Lee said "Let there be forms"

Re:Question

[fisted]

Way to miss the point.

Re: Question

[Will.Woodhull]

Slashdot is always at its worst this time of year. It's a seasonal thing, related to the start of the academic year and the great number of wannabee clever-than-thous who are suddenly thrust into new environments and forced into searching for new sources of ego food. It will get better around the Fall Quarter midterm exams.

Until then, us graybeards must suffer the little children and their antics. Some of them will mature into tomorrow's hope; others will drop out or flunk out.

Re:Question

[Will.Woodhull]

While there are definitely Javashit programmers, Javascript has evolved into a solid programming language with some interesting pieces of elegance.

As to the Javashit programmers, that is a case of the 99% giving the rest of the Javascript programmers a bad name.

Re:Congratulations

[sims+2]

Someone mod parent up.
Hashb.in has been around for several months longer.

Mr fister may have not known about it tho.

Re: Question

[I'm+New+Around+Here]

Oh no! An anonymous coward on a webpage called me names! How will I ever sleep tonight? You are a mean man, mr ac.

T-shirt business?

[CanEHdian]

This will break the T-shirt business! All those whose living depends on selling t-shirts with DeCSS source code, "09 F9" AACS key, etc. as all we need now is a shortened url (white t-shirt + that marker that you have still have from freeing CDs from Sony's key2audio protection).

Mobile Gaming application of concept

[Cruciform]

Since getting at game saves is not something the average user can easily do in most cases on mobile platforms, would this be a useful method for sharing save games?
Just drop a URL to the desktop and now anyone can have full hearts, the champion sword, and the unobtainium underpants.

Re:Question

[Oligonicella]

..the only field I can think of where practitioners delight in ridiculing people outside of their specialty for not knowing everything that they do.

It's a pan-field nerdish thing. Just watch The Big Bang Theory.

medical doctors or lawyers or pharmacists or physicists

Oh yeah they do and with some frequency.

Re: Question

[Oligonicella]

Link or lie, AC.

Re:So anyone can just submit their github project

[Oligonicella]

What they do and what they *tell you* they do can be two entirely different things. This is after all, SlashDot, home of "don't give a shit about the users". You know, Beta, serial posts by favored buddies, etc.

This raises the question about who is hosting

[wisnoskij]

This raises the question about who is hosting the content and it will probably break the internet.

No, absolutely not. No on both those assertions. In fact, it really clears up who is responsible for the content of the link. As the same host contains both the "link" and the data. People have been converting data to text and embedding it directly into HTML pretty much since HTML has existed. It is neat if often the wrong way to go about it, but also very useful for userscript developers.

Not a Broken the Internet issue !

[andy+carrol]

As i felt that is the ISP related issue. if you don't getting internet properly. So try some other internet connection. Host it via a URL-shortener is the some old way technique to saturate the internet connection and redirect according to Google's shortener policy.

It's kind of hard to Google punctuation

[tepples]

That someone on friggin' slashdot has no clue what the # in a url is, and thinks that asking it is easier than just friggin' googling it
# is punctuation, and general-purpose web search engines have historically choked on queries not for letters or digits.

Validate input on both client and server

[tepples]

Client side input validators LOL.

Where do you work?

Presumably somewhere that realizes the value of validating input once quickly on the client and again securely on the server.

Collapsing a subtree

[tepples]

If you're so dead-set against JavaScript, would you rather have to reload all comments to a Slashdot article every time you expand or collapse a subtree?

On which platform?

[tepples]

Three million downloads across how many different platforms' app stores? How do you normally reply when someone asks about wanting to use your client application on a platform for which your client application is not currently available?