--- (in the Yahoo!Prox-list forum) Michael B?rschgens wrote:
> I've found the following line in a webpage:
>
> <link rel=stylesheet type="text/css"
> href="http://www.house27.ch/counter/trans.php?ID=9322">
>
> Since I've never seen this before I think it is a new idea to slip
> through filters.
--- my reply:
Yep, it's definitely a web beacon ~~ calling that URL returned
a zero-length text/html content-typed document.
Here's the counteracting webfilter I propose:
Name = "strip web beacons posing as stylesheets"
Active = TRUE
Bounds = "<link\s*>"
Limit = 512
Match = "*rel=$AV(stylesheet)*&"
        "*href=$AV(*([?=]|.pl|.php|.cgi)*)"
        "|(^*href=$AV(*(.css|.txt)*))"
Here's my rationale:
~~ 512byte limit because the LINK tag may be padded with several
attributes
~~ path to a valid CSS should never have a questionMark or equalSign
(I've seen valid stylesheets returned with commas in the path, FWIW)
~~ the file extension patterns might seem "obvious" but if they're
not explicitly stated, "href=pathname/MuckUp.css.cgi" could slip by
~~ Although dot-css is the convention, I continually encounter a lot
of dot-txt -named stylesheets
Discussion invited:
Should the filter also include (look for) .asp and other executables?
I think accounting for the common script extensions is enough ~~
because, eventually... some dastardly weenie will just
serve all his stylesheets from a www2.domain.com webserver which has
been configured so that ".css" files are associated with (handled by)
perl and are executable. The script will transparently count ya & will
return the (a) valid stylesheet.
-xartica
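
An added example, not part of the original post and not Proxomitron code: the filter's Match logic mirrored in Python so it can be run over saved HTML to see which LINK tags it would strip. The function and class names are hypothetical, and every sample tag except the house27.ch one quoted above is constructed.

```python
from html.parser import HTMLParser

SCRIPT_EXTS = (".pl", ".php", ".cgi")  # script extensions named in the filter
STYLE_EXTS = (".css", ".txt")          # extensions the filter accepts as stylesheets
LIMIT = 512                            # same bound as the filter's Limit

# Constructed sample page; only the first tag comes from the post.
SAMPLE = """
<link rel=stylesheet type="text/css" href="http://www.house27.ch/counter/trans.php?ID=9322">
<link rel="stylesheet" href="/styles/main.css">
<link rel="stylesheet" href="pathname/MuckUp.css.cgi">
<link rel="stylesheet" href="/styles/site.txt">
<link rel="stylesheet" href="http://www2.domain.com/counted.css">
<link rel="icon" href="/favicon.ico">
"""

def is_suspect_href(href):
    """Substring tests, as in the filter: '?', '=' or a script extension
    anywhere in the href, or no .css/.txt anywhere in it."""
    h = href.lower()
    if "?" in h or "=" in h or any(ext in h for ext in SCRIPT_EXTS):
        return True
    return not any(ext in h for ext in STYLE_EXTS)

class LinkAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.suspect, self.kept = [], []

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        raw = self.get_starttag_text() or ""
        a = {k: (v or "") for k, v in attrs}
        if len(raw) > LIMIT or a.get("rel", "").lower() != "stylesheet":
            return  # outside the filter's Bounds/Limit, or not a stylesheet link
        href = a.get("href", "")
        (self.suspect if is_suspect_href(href) else self.kept).append(href)

def audit(html):
    p = LinkAudit()
    p.feed(html)
    p.close()
    return p.suspect, p.kept

if __name__ == "__main__":
    suspect, kept = audit(SAMPLE)
    print("would strip:", suspect)
    print("would keep: ", kept)
```

The www2.domain.com entry lands in the kept list, which is the limitation raised at the end of the post: a counter served under a plain .css name looks identical to a real stylesheet from the client side.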