GET the problem
So there’s been a lot of blogosphere reverberation over the Google Web Accelerator, which follows every link on every page you visit in order to speed up your browsing experience, including links such as “delete this post,” and now everyone is talking about how web applications should be written not to allow unsafe operations from anything but POST requests. The GET mess has a good roundup of all the handwringing that has been posted, and I won’t duplicate it all here.
David Heinemeier Hansson has a plan for patching things up for now that involves a facility which masks non-idempotent links behind
It is really only a small step from his good approach to what I consider the really proper solution: the same link which leads to a page with a button should also have an onclick handler attached which shows an “Are you sure?” prompt and converts the request to POST on confirmation – and that request would then be executed immediately, without the intermediary page with the button. This means fewer roundtrips and a more reactive interface where scripting is supported, and no trouble, yet all of the functionality, where it is not.
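The link-plus-handler approach described above, as an added example (not code from this post or from the patch it mentions). The data-confirm attribute, the URL and the function names are assumptions, and the server is assumed to act only on POST and to answer a GET of the same URL with the confirmation page.

```javascript
// Assumed markup (hypothetical names):
//   <a href="/posts/42/delete" data-confirm="Delete this post?">delete</a>
// A plain GET of that href only renders a confirmation page with a POST
// button, so a prefetcher following the link changes nothing.

// Decide what a click should do. Kept free of DOM globals so it can be
// checked outside a browser; `ask` is window.confirm on a real page.
function planClick(link, ask) {
  const message = link.getAttribute('data-confirm');
  if (!message) return { action: 'follow' };        // ordinary link
  if (!ask(message)) return { action: 'cancel' };   // user declined
  return { action: 'post', url: link.getAttribute('href') };
}

// Build and submit an empty POST form aimed at the link's URL.
function submitPost(doc, url) {
  const form = doc.createElement('form');
  form.method = 'post';
  form.action = url;
  doc.body.appendChild(form);
  form.submit();
  return form;
}

// Attach the handler to every marked link; returns how many were found.
function enhance(doc, ask) {
  const links = doc.querySelectorAll('a[data-confirm]');
  links.forEach((link) => {
    link.addEventListener('click', (event) => {
      const plan = planClick(link, ask);
      if (plan.action === 'follow') return;   // let the browser navigate
      event.preventDefault();                 // no GET is sent from here
      if (plan.action === 'post') submitPost(doc, plan.url);
    });
  });
  return links.length;
}

// Runs only in a browser. Without script the link degrades to the GET
// that shows the confirmation page.
if (typeof document !== 'undefined') {
  enhance(document, (msg) => window.confirm(msg));
}
```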
This isn’t any news. It’s much like the right way to do chromeless popups (put the link into a plain <a href="" target="_blank"> and attach an onclick handler for opening the chromeless popup and inhibiting the default link behaviour). It’s much like the right way to use XMLHttpRequest.
It’s called graceful degradation.