Some folks keep pointing to section 9.1 of RFC 2616, the HTTP 1.1 spec, as the reason
why they think Google is right and unsafe-GET websites are wrong.
From the mentioned section:
In particular, the convention has been established that the GET and HEAD methods SHOULD
NOT have the significance of taking an action other than retrieval. These methods
ought to be considered “safe”.
In my view, SHOULD NOT is not MUST NOT. Being a web developer is also not a binding
promise to obey and defend RFC 2616. As developer, however, we need to protect ourselves
from attacks and misdoings. Clearly, both sides failed to do that.
Note that the same section also states:
Naturally, it is not possible to ensure that the server does not generate side-effects
as a result of performing a GET request; in fact, some dynamic resources consider
that a feature.
The important distinction here is that the user did not request the side-effects,
so therefore cannot be held accountable for them.
So even the HTTP 1.1 spec states that it is not possible to ensure that all HTTP GET
requests are safe. Yet GWA seems to assume otherwise. Are programs like GWA accountable?
While others may feel otherwise, I think they are because it is GWA itself initiating
the request blindly, not the user. Is the user giving GWA permission to make false
assumptions on behalf of the user by installing the software? Even offered as-is,
I think not. [Don Park's Daily Habit]