* Pedro Melo <[EMAIL PROTECTED]> [2007-08-09 00:05]:
> On Aug 8, 2007, at 1:38 PM, A. Pagaltzis wrote:
> >If you do in fact modify state on the server based on
> >information in the URI, I hope that you at least require POST
> >for these requests?
> 
> We always redirect after POST.

That wasn’t what I was talking about at all.

The question is whether your URIs include commands, and if so,
whether retrieving them with GET will trigger changes to records
just the way POST does. In that case you have a problem.

> >Otherwise things like Google Web Accelerator or Firefox’s
> >prefetching will badly break your app, proxy caches may cause
> >heisenbugs, and all sorts of other mayhem.
> 
> I understand the dangers of not redirecting after POST :)

Again it has nothing to do with redirecting after POST.

It’s about whether you allow GET, which is supposed to be safe,
i.e. if a client causes data loss by using GET to inspect a
resource, it’s not the client’s fault, it’s the server’s.

Regards,
-- 
Aristotle Pagaltzis // <http://plasmasturm.org/>

_______________________________________________
List: [email protected]
Listinfo: http://lists.rawmode.org/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/[email protected]/
Dev site: http://dev.catalyst.perl.org/
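
The distinction drawn in the message above, as an added example that is not part of the original thread: a state-changing URI is refused for GET before its handler runs, and redirecting after POST is a separate step that happens only once the POST has been accepted. It is plain Perl in the PSGI style (a sub that takes a request environment and returns status, headers and body); the routes, the record store and the sample requests are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed in-memory records standing in for the application's data.
my %records = (1 => 'first post', 2 => 'second post');

# Hypothetical routes: [ URI pattern, is_safe, handler ].
# A handler that changes records is marked unsafe and is reachable only via POST.
my @routes = (
    [ qr{^/record/(\d+)$}, 1, sub {
        my ($id) = @_;
        return exists $records{$id} ? [200, [], [$records{$id}]] : [404, [], []];
    } ],
    [ qr{^/record/(\d+)/delete$}, 0, sub {
        my ($id) = @_;
        delete $records{$id};
        # Redirect after POST: a separate concern from the method check in app().
        return [303, [Location => '/records'], []];
    } ],
);

# PSGI-style application: request environment in, [status, headers, body] out.
sub app {
    my ($env) = @_;
    my ($method, $path) = @{$env}{qw(REQUEST_METHOD PATH_INFO)};
    for my $route (@routes) {
        my ($pattern, $is_safe, $handler) = @$route;
        my @args = $path =~ $pattern or next;
        if ($is_safe) {
            return [405, [Allow => 'GET, HEAD'], []] unless $method =~ /^(?:GET|HEAD)$/;
        }
        else {
            # Prefetchers, accelerators and caches issue GET, so they stop here
            # and the handler never runs.
            return [405, [Allow => 'POST'], []] unless $method eq 'POST';
        }
        return $handler->(@args);
    }
    return [404, [], []];
}

# Constructed requests: a client GETs the delete link, reads the record,
# then a form POSTs the delete, and the record is read again.
for my $req (['GET', '/record/1/delete'], ['GET', '/record/1'],
             ['POST', '/record/1/delete'], ['GET', '/record/1']) {
    my $res = app({ REQUEST_METHOD => $req->[0], PATH_INFO => $req->[1] });
    printf "%-4s %-18s -> %d %s\n", @$req, $res->[0], join(' ', @{ $res->[1] });
}
```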
