[whatwg] A thought: <a href="..." method="post">

On May 7, 2005, at 01:55, Ian Bicking wrote:

> I was just thinking about the recent problems introduced by the Google 
> Web Accelerator following links that have side effects (the typical <a 
> href="form?delete=10">[delete this]</a> stuff).

Links like that are objectively wrong according to RFC 2616 (HTTP 1.1). 
Google is free to follow those links without being responsible for the 
side effects.

> One of the issues is that doing the Right Thing means creating a form, 
> and that effects the UI,

There'd be a design bug somewhere if the UI wasn't affected! When 
something looks like a link to, the user has a good reason to expect 
that following the link causes a safe retrieval operation. When 
something looks like a button, the user has a reason to understand that 
pressing the button may cause an unsafe operation.

> One might expect <a href="form?delete=10" method="POST">[delete 
> this]</a> to do a post request to "form" with a request body of 
> "delete=10".

-1. Makes the safety of links non-obvious to users.

> can be implemented in Javascript fairly easy.

But shouldn't.

> The Google Web Accelerator will still be broken

It is not broken! The server-side apps that use GET for non-safe, 
non-idempotent operation are broken.

-- 
Henri Sivonen
hsivonen at iki.fi
http://hsivonen.iki.fi/

Received on Saturday, 7 May 2005 01:43:54 UTC