XHR redirects


Richard Cornford

I meant to qualify your statement further. I mean that making
the request or not is not that important so long as both (1)
access to the result is denied and (2) the request is actually
idempotent. A GET request is supposed to be idempotent, but
if it's not, then having that request made on redirect could
cause problems.

You mean that if people create systems that depend on HTTP without any
regard for how HTTP is supposed to work the results may cause someone
"problems"? Well, yes, but who is responsible for that? Is it
reasonable/realistic to expect a User Agent to anticipate and/or
mitigate all possible manifestations of incompetence in web
developers?
I have absolutely no idea what you are talking about.

At some point a few years back a browser plug-in was released;
I think it might have been Google Web Accelerator. [1] This
tool was supposed to speed up browsing by pre-fetching and
caching links it thought you might visit off the current page.
It makes perfect sense, except that a number of web
applications out there had non-idempotent GET requests,
especially hyperlinked "delete row" actions. People
started unintentionally altering all sorts of data using
this tool. Granted, it was the fault of people not smart
enough to develop properly with HTTP, but it was pretty easy
to blame Google. The plug-in is long gone now.

While web site/application developers should be held responsible for
their own mistakes, the developers of such an "accelerator" should
have been able to anticipate the consequences of their actions from
the simple observation that most web developers are more or less
technically ignorant and/or incompetent (and so will be acting in
ignorance of applicable standards, or disregarding them as unimportant
in the 'real world').

Of course Google have a problem in making that judgment for themselves
as presumably they believe their own web developers to be 'above
average', 'cutting edge', etc. and that would have to modify their
perception of the general quality of web developers upwards.

Richard.
 

Scott Sauyet

On Feb 26, 1:15 pm, Richard Cornford wrote:
I meant to qualify your statement further.  I mean that making
the request or not is not that important so long as both (1)
access to the result is denied and (2) the request is actually
idempotent.  A GET request is supposed to be idempotent, but
if it's not, then having that request made on redirect could
cause problems.

You mean that if people create systems that depend on HTTP without any
regard for how HTTP is supposed to work the results may cause someone
"problems"? Well, yes, but who is responsible for that? Is it
reasonable/realistic to expect a User Agent to anticipate and/or
mitigate all possible manifestations of incompetence in web
developers? [ ... ]

No, it is not reasonable to expect that. But in the aftermath of the
web accelerator debacle, I think it would be reasonable for UA-
developers to avoid making HTTP calls that might seem to be breaking
security and which cannot return results to the calling code.
Obviously they can't anticipate everything, but they do know that
there are many possible non-idempotent GET calls. I would hope that
they take that into account and don't make the request.

-- Scott
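
The failure mode discussed in this thread, as an added example that is not part of any poster's message: a "delete row" action reachable by GET is emptied by a link-following prefetcher, while the same action restricted to POST is not. The routes, function names and sample rows are hypothetical and constructed for illustration.

```javascript
// Constructed sample data: three rows, each with a "delete row" action.
function makeStore() {
  return new Map([[1, "alice"], [2, "bob"], [3, "carol"]]);
}
const DELETE_ROUTE = /^\/rows\/(\d+)\/delete$/;

// 'Before': the state change is reachable with GET, via a plain hyperlink.
function vulnerableApp(store, method, url) {
  const m = DELETE_ROUTE.exec(url);
  if (m && method === "GET") {
    store.delete(Number(m[1]));
    return { status: 200, links: [] };
  }
  if (url === "/rows" && method === "GET") {
    const links = [...store.keys()].map((id) => `/rows/${id}/delete`);
    return { status: 200, links };
  }
  return { status: 404, links: [] };
}

// 'After': GET only reads; deleting requires POST (rendered as a form, not a link).
function hardenedApp(store, method, url) {
  const m = DELETE_ROUTE.exec(url);
  if (m) {
    if (method !== "POST") return { status: 405, allow: "POST", links: [] };
    store.delete(Number(m[1]));
    return { status: 303, location: "/rows", links: [] };
  }
  if (url === "/rows" && method === "GET") return { status: 200, links: [] };
  return { status: 404, links: [] };
}

// A prefetcher as described in the thread: GET a page, then GET every link on it.
function prefetch(app, store, startUrl) {
  const page = app(store, "GET", startUrl);
  return page.links.map((url) => app(store, "GET", url).status);
}

function demo() {
  const a = makeStore();
  const b = makeStore();
  const prefetched = prefetch(vulnerableApp, a, "/rows");
  prefetch(hardenedApp, b, "/rows");
  // A stale or redirected GET to the delete URL is refused and changes nothing.
  const directGet = hardenedApp(b, "GET", "/rows/2/delete").status;
  return { prefetched, vulnerableRowsLeft: a.size, hardenedRowsLeft: b.size, directGet };
}
```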
 
