[whatwg] A thought: <a href="..." method="post">

Henri Sivonen wrote:
> On May 7, 2005, at 01:55, Ian Bicking wrote:
> 
>> I was just thinking about the recent problems introduced by the Google 
>> Web Accelerator following links that have side effects (the typical <a 
>> href="form?delete=10">[delete this]</a> stuff).
> 
> 
> Links like that are objectively wrong according to RFC 2616 (HTTP 1.1). 
> Google is free to follow those links without being responsible for the 
> side effects.

I think it's sufficient to note that this is an *extremely* common 
pattern, regardless of RFC 2616.  I think this might be a constructive 
place to discuss why it is so common, and what could be provided to web 
developers so they can do the right thing, but I don't think much is 
achieved by just saying that the majority of web developers are wrong. 
And it's the majority of web developers that use these kinds of links, 
regardless of spec.  Heck, Google uses these kinds of links.

>> One of the issues is that doing the Right Thing means creating a form, 
>> and that affects the UI,
> 
> 
> There'd be a design bug somewhere if the UI wasn't affected! When 
> something looks like a link, the user has a good reason to expect 
> that following the link causes a safe retrieval operation. When 
> something looks like a button, the user has a reason to understand that 
> pressing the button may cause an unsafe operation.

Without Web Forms and nested forms, it *is* a bug to affect the UI in 
the ways that would be required, because isolated controls cannot be put 
inside the context of a larger form that submits to a different location 
and performs a different action.  The only way to do that now would be 
with JavaScript, which would submit a form that existed elsewhere on the 
page.  It is also made more difficult by the fact that a form is a 
block-level element, and so has even more effect on the layout of the page.

And there are other, much safer operations that also cause side 
effects.  For instance, links that reorder items -- they aren't very 
dangerous, you don't really have to warn users implicitly about their 
effects, but it will cause problems if a UA clicks these links without 
direct user request.  I think there is a continuum, and by forcing safe 
state-modifying actions to look different it has caused many developers 
to do things that are unsafe with regard to HTTP, so that their UIs 
better represent (in those developers' opinions) the functionality they 
are providing.

Developers use many techniques to indicate what a control will do. 
Generally links give them more flexibility in how they indicate this,

I'm just trying to explain why this "incorrect" practice is so common. 
I haven't thought about it a lot before now, so I'm making it up as I go 
along, but empirically there must be reasons.  It then would be helpful 
to give developers tools that address those reasons, but allow them to 
use POST the way they should.

-- 
Ian Bicking  /  ianb at colorstudy.com  / http://blog.ianbicking.org

Received on Saturday, 7 May 2005 12:04:54 UTC
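
The pattern debated in this thread, as an added example that is not part of the original messages: the same `?delete=10` request sent to a handler that acts on GET and to one that reserves side effects for POST, so that an automated GET (a prefetcher or crawler) changes nothing. The `/form` route, the item ids, and the helpers `make_app` and `request` are assumptions made for illustration.

```python
# Added example (not from the thread): side effects only on POST.
from io import BytesIO
from urllib.parse import parse_qs
from wsgiref.util import setup_testing_defaults

SAFE_METHODS = {"GET", "HEAD"}  # RFC 2616 section 9.1.1 "safe" methods


def make_app(items, enforce_safe_methods):
    """Return a WSGI app over `items` (a dict). Hypothetical route: /form."""
    def app(environ, start_response):
        method = environ["REQUEST_METHOD"]
        if method in SAFE_METHODS:
            params = parse_qs(environ.get("QUERY_STRING", ""))
        else:
            size = int(environ.get("CONTENT_LENGTH") or 0)
            params = parse_qs(environ["wsgi.input"].read(size).decode())
        target = params.get("delete", [None])[0]
        if target is not None:
            if enforce_safe_methods and method in SAFE_METHODS:
                # A crawler or prefetcher lands here: refuse, change nothing.
                start_response("405 Method Not Allowed", [("Allow", "POST")])
                return [b"use POST to delete\n"]
            items.pop(target, None)
            start_response("303 See Other", [("Location", "/form")])
            return [b""]
        start_response("200 OK", [("Content-Type", "text/plain")])
        return ["\n".join(sorted(items)).encode()]
    return app


def request(app, method, query="", body=b""):
    """Drive the app in-process; returns the status line."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": "/form",
               "QUERY_STRING": query, "CONTENT_LENGTH": str(len(body)),
               "wsgi.input": BytesIO(body)}
    setup_testing_defaults(environ)
    status = []
    app(environ, lambda s, h: status.append(s))
    return status[0]


def demo():
    # Constructed sample data: two items keyed by id.
    legacy, fixed = {"10": "a", "11": "b"}, {"10": "a", "11": "b"}
    results = [request(make_app(legacy, False), "GET", "delete=10"),
               request(make_app(fixed, True), "GET", "delete=10")]
    survived_prefetch = "10" in fixed
    results.append(request(make_app(fixed, True), "POST", body=b"delete=10"))
    return results, "10" in legacy, survived_prefetch, "10" in fixed
```
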