Comments on: The GET mess

By: gabriele

gabriele — Sat, 14 May 2005 11:40:00 +0000

just a thing: Am I wrong or the “acceleration by prefetching links” always existed in mozilla?

By: Lawrence Oluyede

Lawrence Oluyede — Tue, 10 May 2005 15:12:47 +0000

Scott: as tom said, the problem is that GWA impersonate the user and has his rights to do things. Additionally it doesn’t care about Javascript so it’s not safe to wrap /delete behind some scripting code. The solution? (or a part of it) use POST and not GET. Anyway GWA by now is not longer available

By: Tom Moertel

Tom Moertel — Mon, 09 May 2005 20:50:14 +0000

Scott asked, "Why are non-authenticated persons/bots whatever allowed to do such actions in the first place? Shouldn't those areas for administration aka delete be protected with authentication?"

Google Web Accelerator (GWA) is not a bot. It is an intermediary agent acting on behalf of an user (i.e., a "proxy" in the terminology of RFC 2616, "HTTP/1.1"). When a user makes an HTTP request via his web browser, the request is passed to GWA, which then fulfills the request on behalf of the user and responds with the result. Thus the agent is authorized to see and do whatever the user is.

By: Scott

Scott — Mon, 09 May 2005 17:49:00 +0000

Maybe I am not getting something? Why are non-authenticated persons/bots whatever allowed to do such actions in the first place? Shouldn’t those areas for administration aka delete be protected with authentication? I am talking about the action itself too. Is the Google pre-fetch logging in before it does this? I don’t see the problem. If it is a problem with Google shouldn’t it be a problem for anyone browsing and figuring out “Hey I can put /delete/003 in my app and do it by hand” and deleting other’s items? I make sure the person doing such things is authenticated to do so in the method itself.

By: soulhuntre » core/dump » Google Web Accelerator - so much for not being evil.

Mon, 09 May 2005 01:06:29 +0000

[...] “http://blog.ianbicking.org/breaking-the-web-we-have.html”>Breaking the Web We Have A song for the lovers � Blog Archive � The GET mess [...]

By: Aristotle Pagaltzis

Aristotle Pagaltzis — Sun, 08 May 2005 15:08:29 +0000

Btw: the log’s called “Franklinmint,” but the person’s called Robert Sayre.

By: Lawrence Oluyede

Lawrence Oluyede — Sat, 07 May 2005 08:46:27 +0000

Thanks a lot Tim, you’re definitely right.

By: Tim Lucas

Tim Lucas — Sat, 07 May 2005 06:06:42 +0000

Although a good summary of the GET vs POST debacle, it should be noted that using POST over GET only provides you with slightly greater security, and is definately not considered secure by itself.

A good summary of the security issues can be found here: http://www.squarefree.com/securitytips/web-developers.html#CSRF