Page 282

Brad Ediger

"Advanced Rails"


A common mistake is to use GET for an action that updates a resource. GET is defined as a safe method (see the upcoming sidebar, "Safe and Idempotent Methods"); it should be used for retrieval, not updates. Using GET for updates causes many problems because it breaks the assumptions that the client and any proxies may have about the nature of GET requests.

This problem came into the Rails public eye in 2005, when the Google Web Accelerator was released. The Web Accelerator is a proxy that uses the time the user is viewing a page to prefetch the outgoing links from that page, reducing the latency between clicking on a link and seeing the resulting page. Because following a link that updates the server could have catastrophic results (consider prefetching every "Delete" link on a page full of users), the Accelerator only followed standard web links (which use GET). However, many popular web applications (including 37signals' Backpack) were vulnerable. Many Rails applications were affected, as the Rails "pretty URL" convention dictated URLs like /people/delete/123, rather than the conventions of other web frameworks, which led to URLs like /people.php?action=delete&id=123. The end result was a scramble among web developers to convert all GET links with side effects into POSTs. Later, the Google team added a feature to the Web Accelerator so that it would not prefetch links with query strings, but there was a scramble nevertheless.
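The two routing styles and the prefetching proxy described above, as an added example in plain Ruby (not code from the book or from Rails itself): a constructed in-memory hash stands in for the users table, the prefetcher follows every link on the page with GET exactly as the text describes, and the `_method` form field mirrors the Rack::MethodOverride convention Rails uses to express DELETE from a browser form.

```ruby
SAFE_METHODS = %w[GET HEAD].freeze

# Legacy "pretty URL" dispatch: /people/delete/123. The action comes from the
# path and the request method is never consulted, so a plain GET destroys data.
def legacy_dispatch(store, _method, path)
  _, ctrl, action, id = path.split('/')
  return :not_found unless ctrl == 'people' && action
  if action == 'delete'
    store.delete(id.to_i) ? :destroyed : :not_found
  else
    :show
  end
end

# Resourceful dispatch: the HTTP method decides what happens to /people/123.
# A POST carrying _method=delete is honoured the way Rack::MethodOverride does;
# GET and HEAD can only read, so a prefetcher cannot cause a write.
def rest_dispatch(store, method, path, params = {})
  method = params['_method'].to_s.upcase if method == 'POST' && params['_method']
  _, ctrl, id = path.split('/')
  return :not_found unless ctrl == 'people' && id
  return :not_found unless store.key?(id.to_i)
  case method
  when *SAFE_METHODS then :show
  when 'DELETE'       then store.delete(id.to_i); :destroyed
  else :method_not_allowed
  end
end

# The prefetching proxy as described above: it follows every <a href> on the
# page with a plain GET and ignores forms. Returns the ids still in the store.
def prefetch(html, store, dispatcher)
  html.scan(/<a href="([^"]+)"/).flatten.each { |href| dispatcher.call(store, 'GET', href) }
  store.keys
end

# Constructed user list. The legacy page renders a GET link per "Delete"; the
# fixed page renders a form that submits POST with _method=delete instead.
def people_page(ids, legacy:)
  ids.map do |i|
    if legacy
      %(<a href="/people/delete/#{i}">Delete</a>)
    else
      %(<form method="post" action="/people/#{i}"><input type="hidden" name="_method" value="delete"><button>Delete</button></form>)
    end
  end.join("\n")
end

# Simulates the Accelerator visiting the list page; returns the surviving ids.
def survivors_after_prefetch(legacy:)
  store = { 1 => 'alice', 2 => 'bob', 3 => 'carol' }  # constructed sample data
  page = people_page(store.keys, legacy: legacy)
  prefetch(page, store, legacy ? method(:legacy_dispatch) : method(:rest_dispatch))
end
```

With the legacy routes every user is gone after one prefetch pass; with resourceful routes the store is untouched, and deletion still works when the form is actually submitted.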

