Skip to content

The GET mess

Didn’t you heard about 37Signals rants about Google Web Accelerator?

I quoted some posts/comments/interesting points of view (you’ll be the judge):

The problem The accelerator scours a page and prefetches the content behind each link. This gives the illusion of pages loading faster (since they’ve already been pre-loaded behind the scenes). Here’s the problem: Google is essentially clicking every link on the page — including links like “delete this” or “cancel that.” And to make matters worse, Google ignores the Javascript confirmations. So, if you have a “Are you sure you want to delete this?” Javascript confirmation behind that “delete” link, Google ignores it and performs the action anyway.Jason Fried, 37signals.com

Comments of the above post It’s always a bad idea to put critical, data-damaging functions behind a regular old a-tag and http GET. It would be safer to do these operations with a POST. — Andrew

Yea but if you follow web standards you won’t have to worry about this and it’s all upside. GET requests should be safe and idempotent. If you can delete items with a GET request, you mind as well use tables for layout and Active X controls too. Unless google is following links with a POST, then they are following web standards and the issue is on your side. Caching proxies are an important part of the web and the HTTP specification lays out exactly what is respectful and disrespectful. — Ryan Tomayko

Quoting from section 9.1.1 Safe Methods of the HTTP 1.1 RFC (2616):

Implementors should be aware that the software represents the user in their interactions over the Internet, and should be careful to allow the user to be aware of any actions they might take which may have an unexpected significance to themselves or others. In particular, the convention has been established that the GET and HEAD methods SHOULD NOT have the significance of taking an action other than retrieval. These methods ought to be considered “safe”. This allows user agents to represent other methods, such as POST, PUT and DELETE, in a special way, so that the user is made aware of the fact that a possibly unsafe action is being requested. Naturally, it is not possible to ensure that the server does not generate side-effects as a result of performing a GET request; in fact, some dynamic resources consider that a feature. The important distinction here is that the user did not request the side-effects, so therefore cannot be held accountable for them.

Put simply, GET requests should be idempotent and safe. — Mark Rowe

David Heinemeier Hansson (the creator of Rails) replies in the comments So while you may rail on application developers for diverging with reasons you don’t deem to be good enough, it’s hardly news that this is the fact. Just like web developers can’t disregard the browser bugs in IE6, we have to work with and deal with what’s real.

Google is disregarding real and are thus blatantly disrespecting precedence. That’s where the problem is. Moreover, there’s no warning here. Shit will just start breaking left and right leaving users and application developers lost.

Having a standard is not an excuse for not looking out the windows.

DHH on his blog When car companies produce faulty vehicles that cause horrible accidents or aggravated injuries on regular mishaps, they do a recall. Google’s Web Accelerator is causing death and destruction on an admitted much lower level of criticality, but it too is in need of an immediate recall.

Comments of the above post This problem could be turned into a win for Rails. Just modify the link_to helper method to optionally specify whether to use GET or POST. If the developer wants to use a link to destroy a post, they’d enter something like . The result would be a link with a Javascript handler that simply sends the request as POST rather than GET. — Scott Raymond

Google didn’t screw this one up. The blame for this debacle lies with the programmers and designers who used GET-based links to trigger destructive events in ignorance/spite of the standards. — Tom Moertel

Be sure to read:

A Rails “patch”: http://david.backpackit.com/pub/37983

Have a look at mine REST tag in delicious too: http://del.icio.us/rhymes/rest

update: Tim Lucas in comments point at this: http://www.squarefree.com/securitytips/web-developers.html#CSRF.

David Heinemeier Hansson says: Rails will ship its next version with a link_to that looks just like a GET, but uses Javascript, or some other way, to do a POST. Since the HTML isn’t moving forward, we’ll just have to build on top and make it no harder than not to. We’re doing that with Ajax, we can do it with REST.Google: Recall, Developers: Improve

Sam Ruby points at three ways to take the unsafe GETs out of Rails

Share and Enjoy:
  • Print
  • Digg
  • StumbleUpon
  • Facebook
  • Twitter
  • Google Bookmarks
  • FriendFeed
  • Google Buzz
  • HackerNews
  • Posterous
  • Reddit
  • Slashdot
  • Tumblr
This was written by Lawrence. Posted on Saturday, May 7, 2005, at 1:13 am. Filed under Uncategorized. Tagged . Bookmark the permalink. Follow comments here with the RSS feed. Both comments and trackbacks are currently closed.
  • http://www.toolmantim.com Tim Lucas

    Although a good summary of the GET vs POST debacle, it should be noted that using POST over GET only provides you with slightly greater security, and is definately not considered secure by itself.

    A good summary of the security issues can be found here: http://www.squarefree.com/securitytips/web-developers.html#CSRF

  • http://oluyede.org/blog Lawrence Oluyede

    Thanks a lot Tim, you’re definitely right.

  • http://plasmasturm.org/ Aristotle Pagaltzis

    Btw: the log’s called “Franklinmint,” but the person’s called Robert Sayre.

  • Pingback: soulhuntre » core/dump » Google Web Accelerator - so much for not being evil.

  • http://spurton.blogspot.com Scott

    Maybe I am not getting something? Why are non-authenticated persons/bots whatever allowed to do such actions in the first place? Shouldn’t those areas for administration aka delete be protected with authentication? I am talking about the action itself too. Is the Google pre-fetch logging in before it does this? I don’t see the problem. If it is a problem with Google shouldn’t it be a problem for anyone browsing and figuring out “Hey I can put /delete/003 in my app and do it by hand” and deleting other’s items? I make sure the person doing such things is authenticated to do so in the method itself.

  • http://community.moertel.com/ Tom Moertel

    Scott asked, “Why are non-authenticated persons/bots whatever allowed to do such actions in the first place? Shouldn’t those areas for administration aka delete be protected with authentication?”

    Google Web Accelerator (GWA) is not a bot. It is an intermediary agent acting on behalf of an user (i.e., a “proxy” in the terminology of RFC 2616, “HTTP/1.1″). When a user makes an HTTP request via his web browser, the request is passed to GWA, which then fulfills the request on behalf of the user and responds with the result. Thus the agent is authorized to see and do whatever the user is.

  • http://oluyede.org/blog Lawrence Oluyede

    Scott: as tom said, the problem is that GWA impersonate the user and has his rights to do things. Additionally it doesn’t care about Javascript so it’s not safe to wrap /delete behind some scripting code. The solution? (or a part of it) use POST and not GET. Anyway GWA by now is not longer available

  • gabriele

    just a thing: Am I wrong or the “acceleration by prefetching links” always existed in mozilla?