Tuesday, March 21, 2006

The Cafes: Confirming GETs Considered Harmful

Elliotte Rusty Harold says:
In particular I was using a GET to make something happen: confirm a message. What really shocked me was that Google’s GMail and possibly other clients will prefetch such URLs, maybe even before the user ever reads the e-mail. In other words, the confirmation can be accidental. Oops. As soon as Bill pointed it out, I saw my error. Google is absolutely within its rights to prefetch such a URL. I should not be using a GET to confirm the message. That needs to be done with a POST.
Is this really an issue? What email clients pre-fetch links in the email message? GMail uses such links to confirm an email address you'd like to send mail from, so I can't believe GMail will trip this. Here's how you can test this:
  • Get a gmail account, call it foo@gmail.com
  • Set some other account foo@example.com to forward mail to that gmail account.
  • In Gmail, add foo@example.com to your "accounts" settings. Google will email foo@example.com with a GET link to confirm you actually receive this email.
  • You'll receive that email at GMail, and can click the GET link to activate it.
Now, technically it is within a client's right to pre-fetch any URLs they desire. But in an email client that seems irresponsible, when some of those URLs might be:
  • Click here to confirm for my spam list that your email address is valid! (Note, this is the same reason email clients don't usually display hotlinked images in-line by default anymore.)
  • Click here to give me a fractional penny in some referrer/clickfraud scheme!
In short I find it hard to believe that any email client, even a browser based one, would pre-fetch any link in any email. It's just a bad idea. Does anyone have an example where this actually happens?

Tags: , ,


Post a Comment

<< Home