[Catalyst] Catalyst + Ajax

Brandon Black blblack at gmail.com
Wed Dec 7 11:45:52 CET 2005


On 12/5/05, Alex Pavlovic <alex at taskforce-1.com> wrote:
> You should take a look at Google Adwords, GETs are
> used almost everywhere for destructive purposes, deleting
> an adgroup or campaign for example. Do you think
> they care?
>

It arguably matters less if the URL is only valid/reachable within an
authenticated session by a user.  The big problem with non-read-only
operations happening on a GET request is that a spider could index
your page and pull up all those URLs via GET if it happens to see
them, thus triggering real operations on your database when it
shouldn't.  If automated spiders and such cannot reach the pages in
question that part is kinda moot.

There are implications for human browsing too.  If I start on
index.html and click a GET link "increment_important_counter.cgi"
which displays me some new output with a no-cache header, and then
move on from there to another page, and then use the back button to
return to the no-cache output, the browser will re-issue the request
and the server-side counter gets incremented a second time against my
will (whereas if the operation had been via POST, the browser would at
least stop and warn you about re-sending POST data first).  I suppose
as long as the writing operation that occurs for a given GET request
(arguments included) is invariant (can be repeated without causing
further real changes) and is only accessible from a logged-in session,
it's not as bad.  But the safe thing is just to only do read-only
actions from within GET URLs.
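The two failure modes described in the message above (a spider following a mutating GET link, and the back button re-issuing a no-cache GET) can be simulated without a real server. The following is an added example, not code from the thread or from Catalyst itself: the route names `index.html` and `increment_important_counter.cgi` are taken from the message, while the tiny `App` dispatcher, the `report.cgi` route, the spider and back-button simulations, and the constructed `INDEX_HTML` page are assumptions made purely for illustration. It contrasts a naive app that performs the write on GET with a hardened one that only performs it on POST and answers GET with 405.

```python
"""Naive vs. method-gated handling of a mutating action (added example).

Not code from the original thread or from Catalyst. The App class, its
dispatch rules, the report.cgi route, INDEX_HTML and the spider/back-button
simulations are assumptions for illustration only.
"""
import re
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, str]  # (HTTP status code, body)
Handler = Callable[[], Response]

# Constructed sample page: an index linking to a mutating and a read-only URL.
INDEX_HTML = (
    '<html><body>'
    '<a href="/increment_important_counter.cgi">bump</a>'
    '<a href="/report.cgi">report</a>'
    '</body></html>'
)


class App:
    """In-memory stand-in for a web app: handlers keyed by (method, path)."""

    def __init__(self, gate_mutations: bool) -> None:
        self.counter = 0
        self.routes: Dict[Tuple[str, str], Handler] = {
            ("GET", "/index.html"): lambda: (200, INDEX_HTML),
            ("GET", "/report.cgi"): lambda: (200, f"counter={self.counter}"),
        }
        if gate_mutations:
            # Hardened: the write is reachable only through POST.
            self.routes[("POST", "/increment_important_counter.cgi")] = self._bump
        else:
            # Naive: the write fires on a plain GET link, as in the message.
            self.routes[("GET", "/increment_important_counter.cgi")] = self._bump

    def _bump(self) -> Response:
        """The non-read-only operation: every call changes server state."""
        self.counter += 1
        return (200, f"counter={self.counter}")

    def request(self, method: str, path: str) -> Response:
        handler = self.routes.get((method, path))
        if handler is not None:
            return handler()
        # Known path but wrong method -> 405; unknown path -> 404.
        if any(p == path for _, p in self.routes):
            return (405, "Method Not Allowed")
        return (404, "Not Found")


def crawl(app: App, start: str = "/index.html") -> List[Tuple[str, int]]:
    """Simulate a spider: GET the start page, then GET every href it finds."""
    visited = []
    status, body = app.request("GET", start)
    visited.append((start, status))
    for href in re.findall(r'href="([^"]+)"', body):
        status, _ = app.request("GET", href)
        visited.append((href, status))
    return visited


def back_button_replay(app: App, path: str, times: int = 2) -> int:
    """A no-cache page revisited via Back is re-fetched with GET each time."""
    for _ in range(times):
        app.request("GET", path)
    return app.counter


def demo() -> Dict[str, int]:
    """Run both apps through the spider and back-button scenarios."""
    naive, hardened = App(gate_mutations=False), App(gate_mutations=True)
    crawl(naive)
    crawl(hardened)
    results = {
        "naive_after_crawl": naive.counter,        # spider bumped it
        "hardened_after_crawl": hardened.counter,  # spider got a 405
    }
    bump = "/increment_important_counter.cgi"
    results["naive_after_back"] = back_button_replay(naive, bump)
    results["hardened_after_back"] = back_button_replay(hardened, bump)
    # A deliberate user action (a POSTed form) still works on the hardened app.
    hardened.request("POST", bump)
    results["hardened_after_post"] = hardened.counter
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Gating writes on POST addresses the spider and back-button problems the message describes, and is the part of this thread's advice that generalizes to Ajax calls as well (issue mutating XMLHttpRequests as POST). It is not, on its own, a defence against cross-site request forgery: a POST can still be triggered from another origin, so a per-session token or equivalent check is needed on top of the method gate.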



More information about the Catalyst mailing list