The Cafes: Confirming GETs Considered Harmful
Elliotte Rusty Harold says:

In particular I was using a GET to make something happen: confirm a message. What really shocked me was that Google's GMail and possibly other clients will prefetch such URLs, maybe even before the user ever reads the e-mail. In other words, the confirmation can be accidental. Oops. As soon as Bill pointed it out, I saw my error. Google is absolutely within its rights to prefetch such a URL. I should not be using a GET to confirm the message. That needs to be done with a POST.

Is this really an issue? What email clients prefetch links in the email message? GMail uses such links to confirm an email address you'd like to send mail from, so I can't believe GMail will trip this. Here's how you can test this:
- Get a gmail account, call it email@example.com
- Set some other account firstname.lastname@example.org to forward mail to that gmail account.
- In Gmail, add email@example.com to your "accounts" settings. Google will email firstname.lastname@example.org with a GET link to confirm you actually receive this email.
- You'll receive that email at GMail, and can click the GET link to activate it.

- Click here to confirm for my spam list that your email address is valid! (This is the same reason email clients no longer display hotlinked images inline by default.)
- Click here to give me a fractional penny in some referrer/clickfraud scheme!
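The before and after of the mistake Harold describes, as an added example that is not part of the original post: a small WSGI app whose GET endpoint performs the confirmation (so any link prefetcher confirms on the user's behalf), beside one where GET only renders a form and the state change happens on POST. The token store, the sample address and the /confirm path are hypothetical, and the "prefetcher" is simulated in-process.

```python
"""Confirmation links: a GET that acts (prefetch-unsafe) vs. a POST that acts.

Added example; not code from the original post. The token store, the
sample address and the /confirm path are hypothetical.
"""
import html
import io
import secrets
from urllib.parse import parse_qs
from wsgiref.util import setup_testing_defaults

# Hypothetical in-memory state: token -> address awaiting confirmation,
# plus the set of confirmed addresses. A real service would persist these.
pending = {}
confirmed = set()

def issue_token(address):
    """Record an address as awaiting confirmation; return its one-time token."""
    token = secrets.token_urlsafe(16)
    pending[token] = address
    return token

def _text(start_response, status, body):
    start_response(status, [("Content-Type", "text/plain")])
    return [body.encode()]

def unsafe_app(environ, start_response):
    """'Before': GET /confirm?token=... performs the confirmation, so anything
    that fetches the link (a mail client prefetching URLs, a proxy, a link
    scanner) confirms the address without the user ever clicking."""
    if environ["PATH_INFO"] == "/confirm":
        token = parse_qs(environ["QUERY_STRING"]).get("token", [None])[0]
        address = pending.pop(token, None)
        if address is not None:
            confirmed.add(address)  # state changed by a plain GET
            return _text(start_response, "200 OK", f"confirmed {address}")
    return _text(start_response, "404 Not Found", "unknown confirmation")

def safe_app(environ, start_response):
    """'After': GET/HEAD only render a form naming the address; the state
    change happens on POST, i.e. only on a deliberate submission."""
    if environ["PATH_INFO"] != "/confirm":
        return _text(start_response, "404 Not Found", "not found")
    method = environ["REQUEST_METHOD"]
    if method in ("GET", "HEAD"):
        token = parse_qs(environ["QUERY_STRING"]).get("token", [None])[0]
        if token not in pending:
            return _text(start_response, "404 Not Found", "unknown confirmation")
        page = ('<form method="post" action="/confirm">'
                f'<input type="hidden" name="token" value="{html.escape(token)}">'
                f'<button>Confirm {html.escape(pending[token])}</button></form>')
        start_response("200 OK", [("Content-Type", "text/html")])
        return [page.encode()]
    if method == "POST":
        length = int(environ.get("CONTENT_LENGTH") or 0)
        form = parse_qs(environ["wsgi.input"].read(length).decode())
        address = pending.pop(form.get("token", [None])[0], None)
        if address is None:
            return _text(start_response, "404 Not Found", "unknown confirmation")
        confirmed.add(address)  # the unguessable token ties the POST to the recipient
        return _text(start_response, "200 OK", f"confirmed {address}")
    start_response("405 Method Not Allowed", [("Allow", "GET, HEAD, POST")])
    return [b""]

def request(app, method, url, body=b""):
    """Drive a WSGI app in-process; returns (status line, body bytes)."""
    path, _, query = url.partition("?")
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "QUERY_STRING": query,
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    setup_testing_defaults(environ)
    status = []
    output = app(environ, lambda s, h, exc_info=None: status.append(s))
    return status[0], b"".join(output)

def simulate(app):
    """Issue a link for a constructed address, let a link prefetcher GET it,
    then have the user submit the form. Returns (confirmed by the prefetch
    alone, confirmed after the user's POST)."""
    pending.clear()
    confirmed.clear()
    address = "someone@example.org"  # constructed sample address
    token = issue_token(address)
    request(app, "GET", f"/confirm?token={token}")  # what a prefetching client does
    by_prefetch = address in confirmed
    request(app, "POST", "/confirm", body=f"token={token}".encode())  # user clicks Confirm
    return by_prefetch, address in confirmed

if __name__ == "__main__":
    print("GET confirms (prefetch, then user):", simulate(unsafe_app))
    print("POST confirms (prefetch, then user):", simulate(safe_app))
```

Either app can be served for real with `wsgiref.simple_server.make_server("", 8000, safe_app).serve_forever()`. Two caveats worth keeping in mind: GET and HEAD are defined as safe methods, so prefetchers, proxies and scanners are entitled to issue them, which is why the state change must live behind POST; and switching to POST is not by itself a cross-site request forgery defence, since any page can submit a form. Here the unguessable token that only the mail recipient has is what binds the submission to the intended user.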
Tags: REST, CMS, web development