From: Scott Sauyet on
On Mar 1, 7:31 am, Richard Cornford <Rich...(a)litotes.demon.co.uk>
wrote:
> On Feb 26, 7:37 pm, Scott Sauyet wrote:
>> On Feb 26, 1:15 pm, Richard Cornford wrote:

>>> Alright, what if the request is actually idempotent?
>
>> I meant to qualify your statement further.  I mean that making
>> the request or not is not that important so long as both (1)
>> access to the result is denied and (2) the request is actually
>> idempotent.  A GET request is supposed to be idempotent, but
>> if it's not, then having that request made on redirect could
>> cause problems.
>
> You mean that if people create systems that depend on HTTP without any
> regard for how HTTP is supposed to work the results may cause someone
> "problems"? Well, yes, but who is responsible for that? Is it
> reasonable/realistic to expect a User Agent to anticipate and/or
> mitigate all possible manifestations of incompetence in web
> developers? [ ... ]

No, it is not reasonable to expect that. But in the aftermath of the
web accelerator debacle, I think it would be reasonable for UA-
developers to avoid making HTTP calls that might seem to be breaking
security and which cannot return results to the calling code.
Obviously they can't anticipate everything, but they do know that
there are many possible non-idempotent GET calls. I would hope that
they take that into account and don't make the request.

-- Scott