GET requests and “wings fall off” buttons
October 24th, 2005Bill de hÓra is outraged that people are blaming Google Web Accelerator (GWA) for following HTTP GET links, rather than blaming the morons^H^H^H^H^H^Hweb developers who built web sites that use innocent-looking GET requests for actions with side effects, like (say) delete or launch missile attack.
I don’t know if GWA itself is useless hype, an evil conspiracy, or a good thing (I suspect some combination of the first two), but Bill’s right that the assumption that it’s always safe to follow a GET link is one of the basic pillars of the web. Initiating a potentially dangerous action in response to a GET request is on the same level as putting a “wings fall off” button on the arm of an airliner seat — sure, we’d prefer that the passenger not hit the button, but why is the button there in the first place?
October 25th, 2005 at 04:58:13
Actually, a single GET request can cause you to be fined and loose your job under idiotic UK law:
http://www.theregister.co.uk/2005/10/11/tsunami_hacker_followup/
No, following that link won’t cause you to wind up in court, at least as far as I know, but it will tell you of a case were it happened. Not actually following an embedded link but using a made up URL (just appending “/../../..” to an existing one for quite plausible reasons) but the principle’s the same.
October 25th, 2005 at 06:03:22
Good point. A GET request can also keep you out of business school:
http://blogs.law.harvard.edu/philg/2005/03/08