RFC 2616, Section 9.1.1

Some folks keep pointing to section 9.1 of RFC 2616, the HTTP 1.1 spec, as the reason why they think Google is right and unsafe-GET websites are wrong.

From the mentioned section:

In particular, the convention has been established that the GET and HEAD methods SHOULD NOT have the significance of taking an action other than retrieval. These methods ought to be considered "safe".

In my view, SHOULD NOT is not MUST NOT. Being a web developer is also not a binding promise to obey and defend RFC 2616. As developers, however, we need to protect ourselves from attacks and misuse. Clearly, both sides failed to do that.

Note that the same section also states:

Naturally, it is not possible to ensure that the server does not generate side-effects as a result of performing a GET request; in fact, some dynamic resources consider that a feature.

The important distinction here is that the user did not request the side-effects, so therefore cannot be held accountable for them.

So even the HTTP 1.1 spec states that it is not possible to ensure that all HTTP GET requests are safe. Yet GWA seems to assume otherwise. Are programs like GWA accountable? While others may feel otherwise, I think they are because it is GWA itself initiating the request blindly, not the user. Is the user giving GWA permission to make false assumptions on behalf of the user by installing the software? Even offered as-is, I think not.
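To make the two positions concrete, here is an added example that is not part of the original post. It models, entirely in memory and with no network, a small site that exposes a delete action in two ways: the unsafe variant performs the deletion on GET, and the safe variant follows the section 9.1.1 convention by making GET read-only and requiring POST. A naive prefetcher that issues GET to every hyperlink it sees (the assumed behaviour of a link-prefetching accelerator; the handler and prefetcher functions are constructed for this illustration) then visits both.

```python
"""Constructed illustration of RFC 2616 9.1.1 'safe methods' vs. link prefetching.

Two handler functions stand in for a web application (no sockets, a request
is just a function call).  `prefetch` stands in for a client that blindly
GETs every href on a page, which is what a prefetching accelerator does.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    body: str = ""


@dataclass
class Site:
    """In-memory application state; the record list is constructed sample data."""
    records: list = field(default_factory=lambda: ["alpha", "beta", "gamma"])


DELETE_RE = re.compile(r"/delete\?name=(\w+)")


def unsafe_handler(site: Site, method: str, path: str) -> Response:
    """Unsafe design: a plain hyperlink deletes a record on GET."""
    if path == "/":
        # Every record gets a 'delete' link, so a GET is all it takes.
        items = "".join(
            f'<li>{r} <a href="/delete?name={r}">delete</a></li>'
            for r in site.records
        )
        return Response(200, f"<ul>{items}</ul>")
    m = DELETE_RE.fullmatch(path)
    if m:
        if m.group(1) in site.records:
            site.records.remove(m.group(1))
        return Response(200, "deleted")
    return Response(404)


def safe_handler(site: Site, method: str, path: str) -> Response:
    """Safe design: GET only reads; the delete action is a POST form."""
    if path == "/":
        # No href points at the side-effecting URL; deletion is a POST form.
        items = "".join(
            f'<li>{r} <form method="post" action="/delete">'
            f'<input type="hidden" name="name" value="{r}">'
            f'<button>delete</button></form></li>'
            for r in site.records
        )
        return Response(200, f"<ul>{items}</ul>")
    m = DELETE_RE.fullmatch(path)
    if m:
        if method != "POST":
            # 405 Method Not Allowed: a GET here must not change state.
            return Response(405, "use POST")
        if m.group(1) in site.records:
            site.records.remove(m.group(1))
        return Response(200, "deleted")
    return Response(404)


def prefetch(handler, site: Site, start: str = "/") -> list:
    """GET the start page, then GET every href on it, like a link prefetcher."""
    page = handler(site, "GET", start)
    hrefs = re.findall(r'href="([^"]+)"', page.body)
    return [(h, handler(site, "GET", h).status) for h in hrefs]


def demo():
    """Run the prefetcher against both designs and return what survives."""
    unsafe_site = Site()
    prefetch(unsafe_handler, unsafe_site)   # every record is silently deleted
    safe_site = Site()
    prefetch(safe_handler, safe_site)       # nothing to follow, nothing changes
    return unsafe_site.records, safe_site.records


if __name__ == "__main__":
    print(demo())
```

The prefetcher never reads the link text; it just issues GETs, exactly the "blind" request the post objects to. Under the unsafe design every record is gone after one page load, which is why the spec's SHOULD NOT matters in practice. Under the safe design the prefetcher has no side-effecting URL to follow, and even a hand-crafted GET to the delete URL is refused with 405, so the user's lack of intent (the distinction the RFC draws) is enforced by the server rather than assumed of the client.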
