[whatwg] A thought: <a href="..." method="post">
ianb at colorstudy.com
Sat May 7 12:04:54 PDT 2005
Henri Sivonen wrote:
> On May 7, 2005, at 01:55, Ian Bicking wrote:
>> I was just thinking about the recent problems introduced by the Google
>> Web Accelerator following links that have side effects (the typical <a
>> href="form?delete=10">[delete this]</a> stuff).
> Links like that are objectively wrong according to RFC 2616 (HTTP 1.1).
> Google is free to follow those links without being responsible for the
> side effects.
I think it's sufficient to note that this is an *extremely* common
pattern, regardless of RFC 2616. I think this might be a constructive
place to discuss why it is so common, and what could be provided to web
developers so they can do the right thing, but I don't think much is
achieved by just saying that the majority of web developers are wrong.
And it's the majority of web developers that use these kinds of links,
regardless of spec. Heck, Google uses these kinds of links.
>> One of the issues is that doing the Right Thing means creating a form,
>> and that effects the UI,
> There'd be a design bug somewhere if the UI wasn't affected! When
> something looks like a link to, the user has a good reason to expect
> that following the link causes a safe retrieval operation. When
> something looks like a button, the user has a reason to understand that
> pressing the button may cause an unsafe operation.
Without Web Forms and nested forms, it *is* a bug to effect the UI in
the ways that would be required, because isolated controls cannot be put
inside the context of a larger form that submits to a different location
and performs a different action. The only way to do that now would be
page. It is also made more difficult by the fact that a form is a
block-level element, and so has even more effect on the layout of the page.
And there's other much more safe operations that also cause side
effects. For instance, links that reorder items -- they aren't very
dangerous, you don't really have to warn users implicitly about their
effects, but it will cause problems if a UA clicks these links without
direct user request. I think there is a continuum, and by forcing safe
state-modifying actions to look different it has caused many developers
to do things that are unsafe with regard to HTTP, so that their UIs
better represent (in those developers' opinions) the functionality they
Developers use many techniques to indicate what a control will do.
Generally links give them more flexibility in how they indicate this,
I'm just trying to explain why this "incorrect" practice is so common.
I haven't thought about it a lot before now, so I'm making it up as I go
along, but emperically there must be reasons. It then would be helpful
to give developers tools that address those reasons, but allow them to
use POST the way they should.
Ian Bicking / ianb at colorstudy.com / http://blog.ianbicking.org
More information about the whatwg