If you use the “new” Blogspot interface, try saving a draft post and then previewing it. You’ll see you’re previewing it using a link that looks something like:
One would assume that Blogspot knows you are “you” because you are signed in to Blogspot and it identifies you using a cookie. So it shouldn’t be possible for anyone else on the Net to view your unpublished blog post, right? Wrong.
If anyone else sees that link with the token, they simply paste it into their browser and they can view your unpublished blog entry.
I thought that this would present a problem if you’re previewing a blog entry and you click an external link you included in your blog post. That click would send your “preview” URL to the external site as the referrer, which means the external site could access your unpublished blog entry. Google seems to have anticipated this and prevents you from clicking anything on the page by placing a DOM overlay over the preview page.
I thought perhaps if I logged out of Blogspot, that security token would expire and no one would be able to access my unpublished blog entry. Nope. It’s still accessible.
Providing security through the hope that no one will discover a hidden URL, in a world where URL sharing has become a deep part of everything we do, is not a good design. Blogspot team, please fix this. Thanks.
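The contrast the post describes, as an added example that is not Blogspot's code and makes no claim about how Blogspot is actually implemented: a preview token treated as a bearer credential (anyone holding the URL can read the draft, and logging out changes nothing) beside a hardened check that requires the token, a matching post, an unexpired lifetime, and a live login session belonging to the draft's owner. The in-memory stores, the 600-second lifetime and the `preview_response_headers` function (the `Referrer-Policy: no-referrer` header keeps the preview URL out of outbound referrers, an alternative to the overlay trick) are assumptions chosen for the example.

```python
import secrets
import time

# Constructed in-memory stores standing in for a real backend (assumption).
SESSIONS = {}          # session_id -> owner username
PREVIEW_TOKENS = {}    # token -> {"owner", "post", "expires"}
PREVIEW_TTL = 600      # seconds a preview link stays valid (assumed value)


def login(owner):
    """Create a login session and return its id (the cookie value)."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = owner
    return sid


def logout(sid):
    """End a session. Deliberately leaves PREVIEW_TOKENS alone so the two
    authorization models below can be compared after logout."""
    SESSIONS.pop(sid, None)


def mint_preview_token(sid, post_id, now=None):
    """Issue a preview token for a draft; only a logged-in user may do so."""
    owner = SESSIONS[sid]  # KeyError if the session is not live
    if now is None:
        now = time.time()
    tok = secrets.token_urlsafe(24)
    PREVIEW_TOKENS[tok] = {"owner": owner, "post": post_id,
                           "expires": now + PREVIEW_TTL}
    return tok


def weak_can_view(token, post_id):
    """Bearer model: whoever holds the URL gets the draft, session or not."""
    rec = PREVIEW_TOKENS.get(token)
    return rec is not None and rec["post"] == post_id


def can_view(token, post_id, sid, now=None):
    """Hardened model: the token must exist, name this post and be unexpired,
    AND the request must carry a live session for the draft's owner."""
    if now is None:
        now = time.time()
    rec = PREVIEW_TOKENS.get(token)
    if rec is None or rec["post"] != post_id:
        return False
    if now > rec["expires"]:
        return False
    owner = SESSIONS.get(sid)
    return owner is not None and owner == rec["owner"]


def preview_response_headers():
    """Headers a preview page should send so the tokenised URL is not leaked
    via Referer or kept in shared caches (assumed hardening, not Blogspot's)."""
    return {"Referrer-Policy": "no-referrer", "Cache-Control": "no-store"}


if __name__ == "__main__":
    sid = login("alice")
    tok = mint_preview_token(sid, "post-1")
    print("owner, weak:", weak_can_view(tok, "post-1"))        # True
    print("stranger, weak:", weak_can_view(tok, "post-1"))     # True
    print("stranger, hardened:", can_view(tok, "post-1", None))  # False
    logout(sid)
    print("after logout, weak:", weak_can_view(tok, "post-1"))     # True
    print("after logout, hardened:", can_view(tok, "post-1", sid))  # False
```

The hardened check still allows sharing a preview with a co-author who is logged in as the draft's owner account, but a copied link on its own, a link seen by another logged-in user, or a link used after the owner has signed out is refused; the time limit caps how long a leaked link matters even if the session is never closed.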