MajesticHobo2 7 days ago

Not sure I agree with this part:

> Allow all GET, HEAD, or OPTIONS requests.

> These are safe methods, and are assumed not to change state at various layers of the stack already.

Plenty of apps violate this assumption and do allow GET requests to alter state.

chrisfosterelli 7 days ago | parent | next [-]

IMO apps that do this have a bug, and possibly a security one. This causes issues with prefetching, bot traffic, caching, CSRF, and just plain violates HTTP standards.

pinoy420 6 days ago | parent | next [-]

Not really. If I have a service where I need one click to perform an action and store data. It has to be a GET. You can’t post from a url… purist dogma for the sake of purist dogma

FireInsight 6 days ago | parent [-]

One click to perform an action and store data? Have you heard of HTML forms with method="post"?

pstuart 7 days ago | parent | prev [-]

Agreed. Those methods should be treated as idempotent.

almog 7 days ago | parent [-]

> Those methods should be treated as idempotent

Idempotency still implies it can change state on the initial call, which to me feels wrong in the context of GET/HEAD/OPTIONS.

Mavvie 7 days ago | parent [-]

Indeed, the correct term here is nullipotent.

simonw 7 days ago | parent | prev | next [-]

Those apps are beyond helping already. They need to fix themselves.

cryptonector 6 days ago | parent | prev | next [-]

This is on the server side, on the app. If your supposedly-safe methods aren't safe, then CSRF may not be your biggest problem.

paulhodge 6 days ago | parent | prev | next [-]

That’s bad because visiting an evil site can easily trick your browser into performing one of those requests using your own credentials. CORS doesn’t stop the backend state effect from happening.
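
A worked illustration of the point above, added here as an example and not code from Remix or from any commenter: a CSRF gate that, like the quoted policy, waves through GET, HEAD and OPTIONS and checks Sec-Fetch-Site / Origin on everything else, driven by a simulated cross-site page. The route names, the origins app.example and evil.example, the session stand-in, and the csrfCheck / makeApp helpers are all constructed for this example. It shows that the gate correctly rejects an auto-submitted cross-site POST, but a delete endpoint that (wrongly) acts on GET is reached by a plain <img src> with the victim's cookies, because the safe-method exemption never inspects it.

```javascript
// Added example (not Remix's code): a CSRF gate that exempts safe methods
// and checks browser-set headers on everything else, plus a simulated
// cross-site attack against an endpoint that mutates state on GET.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Decide whether `req` ({method, headers}) may proceed. `allowedOrigins`
// lists the site's own origin(s). Returns {ok, reason}.
function csrfCheck(req, allowedOrigins) {
  const method = req.method.toUpperCase();
  if (SAFE_METHODS.has(method)) return { ok: true, reason: 'safe method, not checked' };

  const h = Object.fromEntries(
    Object.entries(req.headers).map(([k, v]) => [k.toLowerCase(), v]),
  );
  // Modern browsers set Sec-Fetch-Site themselves; page script cannot forge it.
  // 'same-site' (a sibling subdomain) is treated as untrusted here on purpose.
  const site = h['sec-fetch-site'];
  if (site === 'same-origin' || site === 'none') return { ok: true, reason: `sec-fetch-site=${site}` };
  if (site === 'cross-site' || site === 'same-site') return { ok: false, reason: `sec-fetch-site=${site}` };

  // Older browsers: fall back to Origin, which browsers attach to non-safe methods.
  const origin = h['origin'];
  if (origin && allowedOrigins.includes(origin)) return { ok: true, reason: 'origin allowed' };
  return { ok: false, reason: origin ? `origin ${origin} not allowed` : 'no origin header' };
}

// Hypothetical app: one account, two routes that delete it (constructed data).
function makeApp() {
  const state = { accounts: { alice: { deleted: false } } };
  const allowed = ['https://app.example'];
  const routes = {
    // Buggy: a "safe" method that changes state. The gate never looks at it.
    'GET /delete-account': (user) => { state.accounts[user].deleted = true; return 200; },
    'POST /delete-account': (user) => { state.accounts[user].deleted = true; return 200; },
    'GET /profile': () => 200,
  };

  // `cookieUser` stands in for the session cookie the browser sends automatically.
  function handle(req, cookieUser) {
    const key = `${req.method.toUpperCase()} ${req.path}`;
    if (!routes[key]) return 404;
    if (!csrfCheck(req, allowed).ok) return 403;
    return routes[key](cookieUser);
  }
  return { state, handle };
}

// Requests an attacker page can make the victim's browser send. The headers
// are the ones the browser sets on cross-site traffic; the attacker cannot alter them.
function crossSiteGet(path) {
  // e.g. <img src="https://app.example/delete-account">
  return { method: 'GET', path, headers: { 'Sec-Fetch-Site': 'cross-site' } };
}
function crossSitePost(path) {
  // e.g. an auto-submitted <form method="post" action="https://app.example/delete-account">
  return { method: 'POST', path, headers: { 'Sec-Fetch-Site': 'cross-site', Origin: 'https://evil.example' } };
}

// Run the attack both ways and report what happened to alice's account.
function demo() {
  const app = makeApp();
  const results = {};
  results.postStatus = app.handle(crossSitePost('/delete-account'), 'alice');
  results.deletedAfterPost = app.state.accounts.alice.deleted;
  results.getStatus = app.handle(crossSiteGet('/delete-account'), 'alice');
  results.deletedAfterGet = app.state.accounts.alice.deleted;
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The gate is doing its job: it needs no token because Sec-Fetch-Site and Origin are browser-controlled. What it cannot do is protect a route that does work on a method the policy promised would be read-only, which is why the exemption is only as safe as the app's own discipline about GET.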

MajesticHobo2 6 days ago | parent [-]

That's exactly why I don't agree that GETs should be broadly exempted from CSRF protections. I'm not talking about CORS at all.

motorest 6 days ago | parent | prev | next [-]

> Plenty of apps violate this assumption and do allow GET requests to alter state.

Yeah, that's not a justification. From a RESTful API design perspective, this just means plenty of apps are buggy/have critical design problems. A bug in a random app does not mean HTTP verbs lose their semantics.

nchmy 6 days ago | parent | prev [-]

The entire WordPress ecosystem says hello