google news verification email misuses HTTP GET from Gerald Oskoboiny on 2003-10-24 (www-archive@w3.org from October 2003)

From: Gerald Oskoboiny <gerald@impressive.net>
Date: Fri, 24 Oct 2003 04:17:05 -0400
To: news-feedback@google.com
Cc: public message archive <www-archive@w3.org>
Message-ID: <20031024081705.GA25611@impressive.net>

Hi,

I just signed up for a Google News Alert, and when I accessed the
"verify" URI in the verification email, it immediately approved
my request.

This violates the HTTP protocol; retrieving a URI (i.e., an HTTP GET)
should not have side effects like confirming a registration; you
should use HTTP POST for that.

Further reading on GET vs POST:

    Forms: GET and POST
    http://www.w3.org/Provider/Style/Input

    Axioms of Web architecture: Identity, State and GET
    http://www.w3.org/DesignIssues/Axioms#state

    HTTP 1.1 section 9.1: Safe and Idempotent Methods
    http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.1

    HTML 4.01 section 17.13: Form submission
    http://www.w3.org/TR/html4/interact/forms.html#h-17.13

I understand that you probably implemented it this way to try to
make it more usable, but this actually has the opposite result:
instead of users becoming trained that following hypertext links
is safe and submitting forms requires careful thought, they learn
that sometimes links have side effects, and sometimes they don't,
which is bad.

Also, I might want to have an agent running on my computer that
prefetches any URIs it sees in incoming email into my cache, so I
can read then with no latency later, or read them offline while
travelling. I should be able to run such a prefetcher without
worrying about side effects from noncompliant sites.

Please change the verification process to display a simple web form
that says "confirm my request" which is then posted to confirm.

Thanks!

----- Forwarded message from newsalerts-noreply@google.com -----

Date: Fri, 24 Oct 2003 01:02:33 -0700
From: newsalerts-noreply@google.com
Subject: News Alerts (BETA) Verification Email
To: gerald@impressive.net

Google received a request to start sending News Alerts for the search
[ spf spam ] to gerald@impressive.net.

Verify this News Alert request:
http://www.google.com/newsalerts/verify?s=1234b693c705c542&f=1

Cancel this News Alert request:
http://www.google.com/newsalerts/remove?s=1234b693c705c542

Thanks,
The Google News Team
http://www.google.com/newsalerts

----- End forwarded message -----

-- 
Gerald Oskoboiny <gerald@impressive.net>
http://impressive.net/people/gerald/

Received on Friday, 24 October 2003 04:18:42 UTC