- From: Gerald Oskoboiny <gerald@impressive.net>
- Date: Tue, 30 Mar 2004 17:10:13 -0500
- To: alerts-feedback@google.com
- Cc: public message archive <www-archive@w3.org>
Hi,

I just signed up for a Google Web Alert, and when I accessed the "verify" URI in the verification email, it immediately approved my request.

This violates the HTTP protocol; retrieving a URI (i.e., an HTTP GET) should not have side effects like confirming a registration; you should use HTTP POST for that.

Further reading on GET vs POST:

    Forms: GET and POST
    http://www.w3.org/Provider/Style/Input

    Axioms of Web architecture: Identity, State and GET
    http://www.w3.org/DesignIssues/Axioms#state

    HTTP 1.1 section 9.1: Safe and Idempotent Methods
    http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.1

    HTML 4.01 section 17.13: Form submission
    http://www.w3.org/TR/html4/interact/forms.html#h-17.13

I understand that you probably implemented it this way to try to make it more usable, but this actually has the opposite result: instead of users becoming trained that following hypertext links is safe and submitting forms requires careful thought, they learn that sometimes links have side effects, and sometimes they don't, which is bad.

Also, I might want to have an agent running on my computer that prefetches any URIs it sees in incoming email into my cache, so I can read them with no latency later, or read them offline while travelling. I should be able to run such a prefetcher without worrying about side effects from noncompliant sites.

Please change the verification process to display a simple web form that says "confirm my request" which is then posted to confirm.

Thanks!

----- Forwarded message from webalerts-noreply@google.com -----

Date: Tue, 30 Mar 2004 09:11:25 -0800 (PST)
From: webalerts-noreply@google.com
Subject: Web Alerts (BETA) Verification Email
To: gerald@impressive.net

Google received a request to start sending Web Alerts for the search [ ... ] to gerald@impressive.net.

Verify this Web Alert request:
http://www.google.com/webalerts/verify?s=b1e4a49cf20b36db&f=1

Cancel this Web Alert request:
http://www.google.com/webalerts/remove?s=b1e4a49cf20b36db

Thanks,
The Google Web Alerts Team
http://www.google.com/webalerts

----- End forwarded message -----

--
Gerald Oskoboiny <gerald@impressive.net>
http://impressive.net/people/gerald/
Received on Tuesday, 30 March 2004 17:29:59 UTC
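
The change requested in the message above, sketched as an added example (it is not code from the message or from Google): a WSGI handler where GET on the verification link only renders a "confirm my request" form and the confirmation is recorded only on POST. The `/verify` path and `s` parameter mirror the forwarded email; the token value, the `PENDING` store and the `request` helper are assumptions made for illustration.

```python
import html
from io import BytesIO
from urllib.parse import parse_qs

# Constructed state: pending token -> confirmed? (the token value is made up)
PENDING = {"tok-example-0001": False}

FORM = ('<form method="post" action="/verify">'
        '<input type="hidden" name="s" value="{tok}">'
        '<button type="submit">Confirm my request</button></form>')

def app(environ, start_response):
    """WSGI app: GET /verify is safe, only POST /verify changes state."""
    def reply(status, body=b"", extra=()):
        start_response(status, [("Content-Type", "text/html; charset=utf-8"), *extra])
        return [body]

    if environ.get("PATH_INFO") != "/verify":
        return reply("404 Not Found")
    method = environ["REQUEST_METHOD"]
    if method in ("GET", "HEAD"):
        # Safe methods: read the token, render the form, write nothing.
        tok = parse_qs(environ.get("QUERY_STRING", "")).get("s", [""])[0]
        if tok not in PENDING:
            return reply("404 Not Found")
        page = FORM.format(tok=html.escape(tok, quote=True)).encode()
        return reply("200 OK", b"" if method == "HEAD" else page)
    if method == "POST":
        # The only state change: an explicit form submission.
        size = int(environ.get("CONTENT_LENGTH") or 0)
        fields = parse_qs(environ["wsgi.input"].read(size).decode("utf-8", "replace"))
        tok = fields.get("s", [""])[0]
        if tok not in PENDING:
            return reply("404 Not Found")
        PENDING[tok] = True
        return reply("200 OK", b"Request confirmed.")
    return reply("405 Method Not Allowed", extra=[("Allow", "GET, HEAD, POST")])

def request(method, query="", body=b""):
    """Drive the app in-process, as a prefetcher (GET) or a form submit (POST) would."""
    seen = {}
    environ = {"REQUEST_METHOD": method, "PATH_INFO": "/verify", "QUERY_STRING": query,
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": BytesIO(body)}
    chunks = app(environ, lambda status, headers: seen.update(status=status))
    return seen["status"], b"".join(chunks)
```

Fetching the link any number of times, as a mail prefetcher would, leaves `PENDING` unchanged; only the submitted form flips the entry to confirmed.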