The Cafes: Confirming GETs Considered Harmful

Elliotte Rusty Harold says:

In particular I was using a GET to make something happen: confirm a message. What really shocked me was that Google’s GMail and possibly other clients will prefetch such URLs, maybe even before the user ever reads the e-mail. In other words, the confirmation can be accidental. Oops. As soon as Bill pointed it out, I saw my error. Google is absolutely within its rights to prefetch such a URL. I should not be using a GET to confirm the message. That needs to be done with a POST.

Is this really an issue? What email clients pre-fetch links in the email message? GMail uses such links to confirm an email address you'd like to send mail from, so I can't believe GMail will trip this. Here's how you can test this:

• Get a gmail account, call it foo@gmail.com
• Set some other account foo@example.com to forward mail to that gmail account.
• In Gmail, add foo@example.com to your "accounts" settings. Google will email foo@example.com with a GET link to confirm you actually receive this email.
• You'll receive that email at GMail, and can click the GET link to activate it.

Now, technically it is within a client's right to pre-fetch any URLs they desire. But in an email client that seems irresponsible, when some of those URLs might be:

• Click here to confirm for my spam list that your email address is valid! (Note, this is the same reason email clients don't usually display hotlinked images in-line by default anymore.)
• Click here to give me a fractional penny in some referrer/clickfraud scheme!

In short I find it hard to believe that any email client, even a browser based one, would pre-fetch any link in any email. It's just a bad idea. Does anyone have an example where this actually happens?

Tags: REST, CMS, web development