On 11/17/05, Simon Willison <[EMAIL PROTECTED]> wrote:
> HTTP purity is a nice ideal, but until the HTML form model contains
> better support for calling HTTP verbs that reflect what you are
> actually trying to do it just isn't practical in every case. It's
> those edge cases that make GWA's behaviour a bad idea.

To pile on here, another "if only" bit is that if app-level auth was done through HTTP, then GWA could just not prefetch on any page that would have required auth headers. As it is, GWA can't know what cookie-based auth is doing.

Following that line, I think GWA could be safer by just not prefetching any request that would pass along HTTP auth or -any- cookie. The down-side is obviously less pre-fetching, but it wouldn't be dangerous. And if you build a non-safe operation that general robots will trip over, well, too bad. ;-)

This still leaves open sites which pass auth info in the URL, though.
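
The rule proposed in this reply, as an added sketch that is not part of the original message and not GWA's code: a prefetcher asks the client's own cookie jar and HTTP credential store whether a speculative GET would carry anything, and skips the request if so. The function names, hosts, the sample cookie and credential, and the `SUSPECT_PARAMS` list are constructed for illustration; the query-parameter check is only a heuristic for the URL-borne auth case, which cannot be detected reliably.

```python
from http.cookiejar import Cookie, CookieJar
from urllib.parse import parse_qsl, urlsplit
from urllib.request import HTTPPasswordMgrWithDefaultRealm, Request

# Assumed parameter names; auth carried in the URL can use any name at all.
SUSPECT_PARAMS = {"sid", "sessionid", "session", "token", "auth", "key"}

def prefetch_decision(url, jar, passwords):
    """Return (allowed, reason) for a speculative GET of `url`."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "unsupported scheme"
    if parts.username or parts.password:
        return False, "credentials in URL userinfo"
    # Let the jar apply its own domain/path/secure matching to a probe request.
    probe = Request(url)
    jar.add_cookie_header(probe)
    if probe.has_header("Cookie"):
        return False, "request would carry a cookie"
    # A stored credential covering this URL means auth headers would follow.
    user, _ = passwords.find_user_password(None, url)
    if user is not None:
        return False, "request would carry HTTP auth"
    names = {k.lower() for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
    if names & SUSPECT_PARAMS:
        return False, "query parameter looks like a session token"
    return True, "anonymous request"

def make_cookie(name, value, domain, path="/", secure=False):
    """Build a version-0 session cookie (constructed sample data)."""
    return Cookie(0, name, value, None, False, domain, True, False,
                  path, True, secure, None, True, None, None, {})

def demo_state():
    """Constructed client state: one cookie and one stored HTTP credential."""
    jar = CookieJar()
    jar.set_cookie(make_cookie("session", "abc123", "app.example.test"))
    passwords = HTTPPasswordMgrWithDefaultRealm()
    passwords.add_password(None, "http://intranet.example.test/admin/",
                           "alice", "s3cret")
    return jar, passwords

if __name__ == "__main__":
    jar, passwords = demo_state()
    for url in ("http://app.example.test/inbox",
                "http://static.example.test/logo.png",
                "http://intranet.example.test/admin/users",
                "http://static.example.test/report?SID=9f2c"):
        print(url, prefetch_decision(url, jar, passwords))
```
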