Magic Bean Dip

The HTTP Content-Location header is a standards compliant solution for the 302 web page hijacking problem. Depending on how it’s evaluated, it can be effective as either an HTTP header, or as an HTML meta tag. If two different locations provide conflicting Content-Location data, then priority should be given to the information that was most likely generated by the person that controls the content.

It’s only effective if the Content-Location header from the domain that actually serves the content overrides any Content-Location header served with a redirect.

For example:

Googlebot finds a 302 redirect on hijacker.com that points to a page on v1.magicbeandip.com. Hijacker.com includes a Content-Location header pointing to a url on hijacker.com with the redirect, trying to fool Googlebot into thinking that the content actually does belong to them.

Googlebot follows the redirect to the page on v1.magicbeandip.com. My server actually serves the page content, but also includes a Content-Location header that points to a url on v1.magicbeandip.com. Since my server actually served the content, it’s more likely that my Content-Location header is correct, so my header should be used to determine the canonical url of the content.

Virtually all existing web pages don’t currently have a Content-Location header, so Googlebot can’t allow the canonical url of pages that don’t contain a Content-Location header to be changed by other domains. A Content-Location header should only be able to successfully specify a different canonical url if both urls provide a Content-Location header pointing to the same place. So in order for content from v1.magicbeandip.com to be canonicalized to hijacker.com, both domains have to send Googlebot Content-Location information pointing to the same place.

HTML Content-Location Meta Tag

In order to be effective, the Content-Location data from the person that controls the content must be used. Following this train of thought, it’s logical to recognize Content-Location data from an HTML meta tag as well.

<meta http-equiv="Content-Location" content="http://v1.magicbeandip.com/mycontent.html">

Since it’s very easy for the person controlling the content to create a meta Content-Location tag, this information should be given the higher priority than a Content-Location header served by either the same or different domains. And again, it can’t specify a url on a different domain unless both domains agree. If hijacker.com includes a Content-Location meta tag with a Refresh meta tag, then my domain must provide the same Content-Location information in order for it to be successful.

It Works, But There’s an Easier Way

Specifying the full url with a Content-Location header works, but adds another level of complexity to managing websites. In order to simplify things, I suggest creating a way to specify only the domain the content belongs to, instead of the full url. Determining the correct canonical url would be left up to Googlebot as long as the result is in the specified domain.

For example you could use an “X-Content-Domain” header and meta tag that would be prioritized the same way as I’ve outlined for the Content-Location header. The intent being to give priority to the information that was most likely provided by the person in control of the content.

If I had to choose one or the other I think I would choose X-Content-Domain over Content-Location.

This entry was posted on Monday, May 30th, 2005 at 8:12 pm and is filed under Internet, Search Engines. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.