- From: Jon Barnett <jonbarnett@gmail.com>
- Date: Mon, 12 Nov 2007 21:43:17 -0600
- To: "Daniel Glazman" <daniel.glazman@disruptive-innovations.com>
- Cc: "Boris Zbarsky" <bzbarsky@mit.edu>, "Mark Baker" <distobj@acm.org>, "public-html@w3.org" <public-html@w3.org>
On Nov 12, 2007 11:57 AM, Daniel Glazman <daniel.glazman@disruptive-innovations.com> wrote:

> Jon Barnett wrote:
>
> > Users do indeed know the difference between a GET and a POST after the
> > fact - when they press the refresh button or the back button.
>
> BWAHAHAHAHA !!!!! That must be a joke. Not only they don't know the
> difference, but they don't even know what's a GET.
> Normal people don't even make the difference between the Web and the
> Internet, come on !
> ...
> </Daniel>
>

Thanks for the rude response.

The point I made was that the browser prompts the user before letting them repeat an unsafe request. That's the difference between GET and POST that's explicitly shown to a user - how they understand it is up to the browser to communicate.

How that warning is worded is irrelevant: "The page you are trying to view contains POSTDATA" or "Refreshing this page may perform such actions as double-charging a credit card." or "This page has expired" - the wording is irrelevant, but the point is that after the fact, when attempting to refresh the page or clicking the back button, the user sees a difference between a POST and a GET in the warning that lets them know that repeating a POST request may do something unwanted. Again, the technicality of the warning is irrelevant as long as the repercussions are clear (and if they're not, that's the browser's fault.)

And the only reason for making that point is to show why POST is appropriate for @ping - it performs an action that shouldn't be repeated by accident. In the case of @ping, the user doesn't need to see a warning because the final destination was a GET request, but the browser knows not to repeat the POST request without explicit action from the user (actually clicking the link that causes the ping).

This is the only distinction between "safe" and "unsafe" that matters here - not whether the user understands the difference between POST and GET before clicking something, but whether the action should be repeated without the user doing something.

I hope this clarifies the point in a way you won't need to quote out of context and rudely respond to.

--
Jon Barnett
Received on Tuesday, 13 November 2007 03:43:29 UTC