Google Web Accelerator

Recently the Google Web Accelerator (GWA) has received a lot of attention from web application developers. Rightly so. When installed in your browser, GWA speeds up surfing by prefetching pages. This can be very useful, but it is also extremely dangerous, because it has very bad side effects on many (badly designed) web applications. Why? When you open a web page, GWA scans it for all the links and prefetches every page they point to. This is where things can go really wrong…

The reason is that many web developers don’t know the difference between the HTTP methods GET and POST. Some know approximately the technical difference, but not why one should use one method over the other. According to the RFC, the GET method should never “alter the world”: it is meant to be safe and free of side effects. In other words, POST should be used whenever there is a need to alter data, and GET should only ever be used to fetch data.

So what does this have to do with the Google Web Accelerator? It is very common in web applications to present, for example, lists of data such as users or articles, with links to either display or delete each item.

Consider what happens if the application user has GWA installed and all the links are prefetched: every link is invisibly followed and all the data is deleted. Many applications protect links like this with onclick handlers that ask the user to confirm the deletion. As GWA has no concept of JavaScript, it simply ignores the handler and prefetches the links anyway, with potentially disastrous results.

It is not Google that has done anything wrong. They follow the guidelines in the RFC on the correct usage of GET and POST.

Personally I think my applications are safe. I usually follow the guidelines on GET and POST but not always. But as I use only javascript calls to fetch or do things in my applications I am safe.

Safe

<a href="#" onclick="deleteUser(372);">Delete user</a>

Very dangerous (and wrong)

<a href="deleteUser.php?id=372">Delete user</a>
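The following is an added example, not code from the original post: a small WSGI handler for the delete action that puts the GET/POST rule into practice. A GET to /deleteUser only renders a confirmation form (so a prefetcher following the link changes nothing), the actual deletion happens only on POST, and any request carrying the “X-moz: prefetch” header that GWA and Firefox send, the same header the Apache rule below keys on, is refused with 403. The in-memory USERS table and the simulate() harness are constructed for the example.

```python
import io
from urllib.parse import parse_qs
from wsgiref.util import setup_testing_defaults

# Constructed in-memory "database" of users, keyed by id.
USERS = {372: "alice", 373: "bob"}

# The confirmation page: the only way to delete is to submit this POST form.
CONFIRM_FORM = (
    '<form method="post" action="/deleteUser">'
    '<input type="hidden" name="id" value="{id}">'
    '<button type="submit">Really delete user {id}?</button>'
    "</form>"
)


def _user_id(environ):
    """Read the id parameter: from the body on POST, from the query string otherwise."""
    if environ["REQUEST_METHOD"].upper() == "POST":
        length = int(environ.get("CONTENT_LENGTH") or 0)
        raw = environ["wsgi.input"].read(length).decode()
    else:
        raw = environ.get("QUERY_STRING", "")
    values = parse_qs(raw).get("id", [])
    try:
        return int(values[0]) if values else None
    except ValueError:
        return None


def delete_user_app(environ, start_response):
    """WSGI handler for /deleteUser: GET is side-effect free, POST deletes."""
    method = environ.get("REQUEST_METHOD", "GET").upper()

    # Prefetchers mark speculative requests with "X-moz: prefetch";
    # WSGI exposes that header as HTTP_X_MOZ. Never serve them here.
    if environ.get("HTTP_X_MOZ", "").lower().startswith("prefetch"):
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"prefetch requests are refused"]

    user_id = _user_id(environ)
    if user_id is None or user_id not in USERS:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"no such user"]

    if method == "GET":
        # Safe method: show the confirmation form, alter nothing.
        start_response("200 OK", [("Content-Type", "text/html")])
        return [CONFIRM_FORM.format(id=user_id).encode()]

    if method == "POST":
        # Only an explicit POST (a submitted form) changes state.
        del USERS[user_id]
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [f"deleted user {user_id}".encode()]

    start_response(
        "405 Method Not Allowed",
        [("Content-Type", "text/plain"), ("Allow", "GET, POST")],
    )
    return [b"method not allowed"]


def simulate(method, query="", body="", prefetch=False):
    """Constructed harness: run one request through the app, return (status, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["REQUEST_METHOD"] = method
    environ["QUERY_STRING"] = query
    data = body.encode()
    environ["wsgi.input"] = io.BytesIO(data)
    environ["CONTENT_LENGTH"] = str(len(data))
    if prefetch:
        environ["HTTP_X_MOZ"] = "prefetch"
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    result = delete_user_app(environ, start_response)
    return captured["status"], b"".join(result).decode()


if __name__ == "__main__":
    print(simulate("GET", query="id=372", prefetch=True))  # refused
    print(simulate("GET", query="id=372"))                 # confirmation form
    print(simulate("POST", body="id=372"))                 # deleted user 372
```

The point of the layout is that the prefetch check is a belt-and-braces measure; the real protection is that no GET handler ever deletes anything, so a crawler, a prefetcher or a browser history lookup can follow every link on the page without harm.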

A safeguard for Apache

RewriteCond %{HTTP:x-moz} ^prefetch
RewriteRule ^/*admin/.* - [F,L]

I found the Apache solution on the blog of Christian Stocker, who got it from the Syntax CMS blog through Planet OSCOM. (The blogging world of today…) Anyway, it is most likely a good idea to review your applications before their users start using GWA and this becomes a serious issue.
