
Sirsha Development Resources Blog

because everyone always wants more documentation...

REST Doesn't Mean Lazy

When Dare explained how some web apps were misunderstanding REST, I wondered how long it would be before something terrible happened via some company's so-called REST API that allowed a user to delete something (or order something) via GET. I think we all know that time came last week when Google unleashed the first public beta of the Google Web Accelerator. There were several problems with GWA: caching one user's page and then showing that page to a different user, the expected browser/installation issues, and GWA's habit of prefetching things like "delete this post" links, "delete my account" links, and "log out" links. Some of these problems are squarely GWA's fault, but I think most of them stemmed from lazy web devs (including myself).

I do most of my web work in ASP.NET, so if anything I abuse POST more than I should, and I wasn't too worried about my ASP.NET apps. I had an internal-only time tracking app I wrote a few years ago that had destructive GET links, but that app is now retired and I haven't done anything like that in years. EXCEPT...

Most of the apps I use that have a "log out" link can fall prey to this. When a user with GWA running visits a site of mine and logs in, GWA could (would? should?) prefetch the log out page and end the user's session. How annoying would that be?

But I don't see this as Google's problem; it is mine. I know what the specs have to say about things like this: though they don't require it, they recommend against using GET for anything that changes state unless there is a real need. And there really is no reason why that "log out" link isn't a button that POSTs, except that a link is easier for me to write.

But since when does "it is easier for me" excuse me from doing something correctly?
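To make the failure mode concrete, here is an added example (not code from the original post, and not ASP.NET): a tiny request dispatcher in Python with two versions of the "log out" route, plus a constructed stand-in for an accelerator that loads a page and then GETs every link on it. The session store, the routes, the page bodies and the prefetcher model are all assumptions made for this example.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Session:
    # Constructed in-memory session: the only thing the prefetcher can damage.
    user: str
    alive: bool = True


@dataclass
class Response:
    status: int
    body: str = ""
    headers: dict = field(default_factory=dict)


LOGOUT_FORM = ('<form method="post" action="/logout">'
               '<button type="submit">log out</button></form>')


def lazy_logout(method, path, session):
    # The pattern the post warns about: "log out" is a plain link, and the
    # route acts on whatever request reaches it, prefetch GETs included.
    if path == "/logout":
        session.alive = False
        return Response(302, headers={"Location": "/"})
    return Response(200, '<a href="/profile">profile</a> <a href="/logout">log out</a>')


def safe_logout(method, path, session):
    # Only a POST changes state. A GET to /logout just shows the button again,
    # so an accelerator or crawler walking the links cannot end the session.
    if path == "/logout":
        if method == "POST":
            session.alive = False
            # no-store keeps the post-logout response out of any shared cache
            return Response(302, headers={"Location": "/", "Cache-Control": "no-store"})
        if method == "GET":
            return Response(200, LOGOUT_FORM)
        return Response(405, headers={"Allow": "GET, POST"})
    return Response(200, '<a href="/profile">profile</a> ' + LOGOUT_FORM)


def simulate_prefetcher(handler):
    # Constructed model of GWA-style prefetching: load the page the user is on,
    # then GET every href found on it. Returns whether the session survived.
    session = Session(user="example-user")
    page = handler("GET", "/", session).body
    for href in re.findall(r'href="([^"]+)"', page):
        handler("GET", href, session)
    return session.alive


if __name__ == "__main__":
    print("GET-link logout survives prefetch:", simulate_prefetcher(lazy_logout))    # False
    print("POST-button logout survives prefetch:", simulate_prefetcher(safe_logout))  # True
```

The prefetcher never submits forms, so the POST-only route is untouched by it; the same rule (GET is for reading, POST for anything destructive) is what keeps "delete this post" and "delete my account" safe as well. Note that a POST requirement only stops accidental or automated GETs; a request deliberately forged from another site still needs its own protection, such as a per-session token in the form.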

Dare isn't the only one who warned us, but apparently not everyone listened or believed. The "log out" link was my biggest flaw, but others were caught in much worse situations. Google is releasing a new version that corrects some of the problems, but as long as my app is flawed, there is no reason this won't happen again next week with another app.

Here are a few related links that raise some good points on the subject:
Joe Gregorio says "I told you so".
Backpack gets bit
Nik Cubrilovic: Poor Web Applications and Pre-fetch Security Issues

Published Sunday, May 08, 2005 4:41 PM by sjh


Comments

Jeff Atwood said:

> GWA's habit of prefetching things like "delete this post" links, "delete my account" links, and "log out" links

LOL, I never considered this. You're talking about that Firefox-specific prefetch feature, right?
May 9, 2005 12:30 AM
Shannon J Hager said:

Not sure if Google Web Accelerator only does (did?) that for Firefox or not. I never got a chance to test it, I downloaded GWA the second it came out, then realized that I probably didn't want to install it until the second or third huge hole was fixed (judging from the last couple Google tools). Sure enough, the bugs started showing up within hours, so I just deleted the installation program and decided to skip it completely.

The last time I dealt with a caching proxy like this was the few weeks I was on AOL a couple years ago and I *really* disliked it whenever I noticed it was working, because the only time I ever noticed was when it screwed something up.
May 9, 2005 7:14 PM
