Susam Pal removes a via= referral query parameter from Wander Console after realizing appending query strings to third-party URLs breaks pages and bypasses browser Referer controls.
Key Takeaways
Wander Console is a decentralized, self-hosted web discovery tool (50+ sites, 1500+ pages) that loads random recommended pages client-side with no server logic.
Adding ?via= to destination URLs caused a 404 on int10h.org/oldschool-pc-fonts/fontlist/ because that site uses query strings as font collection identifiers.
Appending referral params to URLs you do not own creates a new URL, potentially pointing to a different or missing resource.
The HTTP Referer header and Referrer-Policy already handle attribution with deliberate privacy controls; query string injection bypasses those standards.
Pal shipped the feature as opt-out instead of opt-in, compounding the mistake; version 0.6.0 removes it entirely (commit b26d77c).
Hacker News Comment Review
Commenters broadly agree that injecting arbitrary query strings into third-party URLs is the real problem, regardless of whether destination sites handle unexpected params gracefully.
Discussion split on whether Wander Console is novel: one commenter frames it as web rings reborn, citing value in human-curated discovery as an antidote to algorithmic feeds.
There is mild debate about proportionality: one commenter notes short, readable via= params are far less offensive than opaque tracking blobs like Facebook’s fbm= strings, suggesting the real issue is abuse of scale and opacity.
Notable Comments
@ergonaught: “Adding your own garbage to someone else’s URLs is in fact the problem” – concisely frames this as a consent and ownership issue, not just a technical edge case.
