Blocked!


Why?
You have reached this page because you are using Acorn Phoenix, an experimental version of the !Browse web browser that was developed by Acorn but never publicly released. We refuse to support this browser and actively block it for the following reasons:

  • Broken referer handling - We use referers sent by your web browser to verify that you are viewing drobe.co.uk appropriately. Too many people are externally inlining our images in their own webpages and forums, without asking for permission, and unfairly increasing our bandwidth usage.
  • Security vulnerabilities - Phoenix leaks information about previously visited sites and has leaked usernames, passwords and URLs. This is unacceptable and you should be made aware of this.

What about !Browse?
!Browse users are not blocked because a significant proportion of our readerbase uses !Browse. However, we've found that !Browse is broken in the same way as Phoenix and we are contemplating blocking !Browse before the end of 2003 if the security and referer flaws are not addressed. This is not a decision we've taken lightly. A suitable patch for !Browse and Phoenix may be developed to fix these flaws.

What else can I use?
There are other RISC OS browsers available that you may wish to upgrade to.

I'm not convinced!
OK, here's what we mean when we say referers are broken:

  1. Go to some website, maybe iconbar.com
  2. Browse around there for a bit.
  3. Type into the URL bar the address of a webserver whose referer information or logfiles you can read (http://localhost/ for example)
  4. Be amazed as the bug manifests itself by putting an iconbar.com referer in your webserver's logs (for localhost) when really it should not.
  5. Imagine what this means on sites that store session IDs, login details, etc, in the URL, as well as the tracking implications.

Particular Phoenix users have been visiting sites of dubious content and we'd rather not have anything to do with those sites in our logs. Our stance is subject to change but this is how we stand at the moment.
In the meantime, section 14.36 of the HTTP RFC might amuse you, basically the bit that says "The Referer field MUST NOT be sent if the Request-URI was obtained from a source that does not have its own URI, such as input from the user keyboard."
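
The leak described in the steps above can be audited from the server side. The following Python is an added example, not part of the original page and not Drobe's own code: it reads Apache-style combined log lines, picks out Referer values from hosts other than your own, reports which URL secrets they expose and returns a redacted copy suitable for storing. The SENSITIVE parameter names, the own_hosts set and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Apache/NCSA combined log format; only the Referer field is captured.
LINE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "([^"]*)" "[^"]*"$')

# Assumed names of query parameters that commonly carry secrets in URLs.
SENSITIVE = {"sid", "sessionid", "phpsessid", "token", "password", "passwd", "user"}

# Constructed sample log lines (not taken from any real server).
SAMPLE = [
    '192.0.2.10 - - [09/Sep/2003:10:00:00 +0000] "GET / HTTP/1.0" 200 512 "http://forum.example/view?thread=7&sid=abc123" "ExampleBrowser/1.0"',
    '192.0.2.10 - - [09/Sep/2003:10:00:05 +0000] "GET /news HTTP/1.0" 200 900 "http://localhost/" "ExampleBrowser/1.0"',
    '192.0.2.11 - - [09/Sep/2003:10:01:00 +0000] "GET / HTTP/1.0" 200 512 "-" "ExampleBrowser/1.0"',
    '192.0.2.12 - - [09/Sep/2003:10:02:00 +0000] "GET / HTTP/1.0" 200 512 "http://bob:hunter2@intranet.example/admin" "ExampleBrowser/1.0"',
]

def audit_referer(line, own_hosts):
    """Return (referer_host, leaked_fields, redacted_referer) for a Referer
    from a foreign host, or None if there is no Referer or it is same-site."""
    m = LINE.match(line)
    if not m:
        return None
    referer = m.group(1)
    if referer in ("", "-"):
        return None
    parts = urlsplit(referer)
    host = (parts.hostname or "").lower()
    if not host or host in own_hosts:
        return None
    leaked = []
    if parts.username or parts.password:
        leaked.append("userinfo")          # user:password@ embedded in the URL
    query = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE:
            leaked.append(key)
            value = "REDACTED"
        query.append((key, value))
    netloc = host + (f":{parts.port}" if parts.port else "")   # drops userinfo
    redacted = parts._replace(netloc=netloc, query=urlencode(query)).geturl()
    return host, leaked, redacted

if __name__ == "__main__":
    for line in SAMPLE:
        print(audit_referer(line, {"localhost"}))
```

A log line alone cannot show whether the visitor typed the address or followed a link, so this reports what any foreign Referer exposes rather than detecting the browser bug itself.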

What else can I do?
If you have a patch that fixes the referer issue with Browse 2.07/2.08 then we would be more than happy to host it /providing/ it does not contain any of the original Browse code. Something like how !CDFix worked maybe?


Drobe Team, 9 Sep 2003