- From: Ian Bicking <ianb@colorstudy.com>
- Date: Sat, 07 May 2005 14:04:54 -0500
Henri Sivonen wrote:
> On May 7, 2005, at 01:55, Ian Bicking wrote:
>
>> I was just thinking about the recent problems introduced by the Google
>> Web Accelerator following links that have side effects (the typical <a
>> href="form?delete=10">[delete this]</a> stuff).
>
> Links like that are objectively wrong according to RFC 2616 (HTTP 1.1).
> Google is free to follow those links without being responsible for the
> side effects.

I think it's sufficient to note that this is an *extremely* common pattern, regardless of RFC 2616. I think this might be a constructive place to discuss why it is so common, and what could be provided to web developers so they can do the right thing, but I don't think much is achieved by just saying that the majority of web developers are wrong. And it's the majority of web developers that use these kinds of links, regardless of spec. Heck, Google uses these kinds of links.

>> One of the issues is that doing the Right Thing means creating a form,
>> and that affects the UI,
>
> There'd be a design bug somewhere if the UI wasn't affected! When
> something looks like a link to, the user has a good reason to expect
> that following the link causes a safe retrieval operation. When
> something looks like a button, the user has a reason to understand that
> pressing the button may cause an unsafe operation.

Without Web Forms and nested forms, it *is* a bug to affect the UI in the ways that would be required, because isolated controls cannot be put inside the context of a larger form that submits to a different location and performs a different action. The only way to do that now would be with JavaScript, which would submit a form that existed elsewhere on the page. It is also made more difficult by the fact that a form is a block-level element, and so has even more effect on the layout of the page.

And there are other, much safer operations that also cause side effects. For instance, links that reorder items -- they aren't very dangerous, you don't really have to warn users implicitly about their effects, but it will cause problems if a UA clicks these links without direct user request. I think there is a continuum, and by forcing safe state-modifying actions to look different it has caused many developers to do things that are unsafe with regard to HTTP, so that their UIs better represent (in those developers' opinions) the functionality they are providing.

Developers use many techniques to indicate what a control will do. Generally links give them more flexibility in how they indicate this; I'm just trying to explain why this "incorrect" practice is so common. I haven't thought about it a lot before now, so I'm making it up as I go along, but empirically there must be reasons. It then would be helpful to give developers tools that address those reasons, but allow them to use POST the way they should.

--
Ian Bicking / ianb at colorstudy.com / http://blog.ianbicking.org
Received on Saturday, 7 May 2005 12:04:54 UTC
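
An added example, not part of the original message or of any code discussed in the thread: a small in-memory model of the form?delete=10 pattern, showing what a link-following user agent does to a handler that deletes on GET, beside a handler that changes state only on POST. The function names, the store and the example.invalid base URL are assumptions made for illustration.

```javascript
// Constructed in-memory app; every name here is hypothetical.
const BASE = 'http://example.invalid/';
const makeStore = () => ({ items: [10, 11, 12] }); // constructed sample ids

// The pattern from the thread: any request to form?delete=N deletes item N,
// whatever the method, so merely following the link has a side effect.
function unsafeApp(store, method, target) {
  const url = new URL(target, BASE);
  if (url.pathname === '/form' && url.searchParams.has('delete')) {
    const id = Number(url.searchParams.get('delete'));
    store.items = store.items.filter((i) => i !== id);
    return 302;
  }
  return 200;
}

// GET/HEAD stay safe retrievals; the delete is accepted only in a POST body.
function safeApp(store, method, target, body = '') {
  const url = new URL(target, BASE);
  if (url.pathname !== '/form') return 404;
  if (method === 'GET' || method === 'HEAD') return 200; // query is ignored
  if (method !== 'POST') return 405;
  const params = new URLSearchParams(body);
  if (!params.has('delete')) return 400;
  const id = Number(params.get('delete'));
  store.items = store.items.filter((i) => i !== id);
  return 303; // redirect to a result page that is itself safe to GET
}

// Stand-in for a prefetching user agent: it extracts every href on the page
// and issues a GET for each one without any user request.
function prefetch(app, store, html) {
  const hrefs = [...html.matchAll(/<a\s+href="([^"]+)"/g)].map((m) => m[1]);
  return hrefs.map((href) => app(store, 'GET', href));
}

// Constructed page using the link markup quoted in the thread.
const page =
  '<a href="form?delete=10">[delete this]</a> ' +
  '<a href="form?delete=11">[delete this]</a>';

const before = makeStore();
prefetch(unsafeApp, before, page);
console.log('GET-deletes handler after prefetch:', before.items);

const after = makeStore();
prefetch(safeApp, after, page);
console.log('POST-only handler after prefetch:', after.items);
```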