Actually something like a separate form step is needed to help prevent
xsrf anyway.
On Sunday, September 27, 2009, Subbu Allamaraju <subbu_at_subbu.org> wrote:
>>> So, what is the alternative ?
>>
>> Send a URL to an HTML page that includes a POST form with a button the
>> user clicks on to confirm.
>>
>> (or send an HTML email with a form (not sure if the email client
>> supports the form submission though)).
>
> It is a matter of a tradeoff between usability and safety. Confirming
> by just clicking on the link is a well-established usage pattern on
> the web. Most users will miss the flow if there is another HTML form
> or some other user interaction on that page.
>
> When implementing this, just make sure to not fail the request if the
> user clicks on the link again (i.e. implement as idempotent).
>
> Subbu
>
>
> ------------------------------------
>
> Yahoo! Groups Links
>
> <*> To visit your group on the web, go to:
> http://groups.yahoo.com/group/rest-discuss/
>
> <*> Your email settings:
> Individual Email | Traditional
>
> <*> To change settings online go to:
> http://groups.yahoo.com/group/rest-discuss/join
> (Yahoo! ID required)
>
> <*> To change settings via email:
> mailto:rest-discuss-digest_at_yahoogroups.com
> mailto:rest-discuss-fullfeatured_at_yahoogroups.com
>
> <*> To unsubscribe from this group, send an email to:
> rest-discuss-unsubscribe_at_yahoogroups.com
>
> <*> Your use of Yahoo! Groups is subject to:
> http://docs.yahoo.com/info/terms/
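As an added illustration of the two-step pattern argued for above (not code from this thread or from either participant): the emailed link is a GET that only renders a POST form carrying a server-minted anti-XSRF token, so a forged or prefetched GET changes nothing; the POST is the only request that confirms; and both handlers treat a repeat click or repeat submit as success rather than failure, which is the idempotency Subbu asks for. The in-memory stores, the `SECRET_KEY` generated at startup and the handler names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from html import escape

# Constructed in-memory state (assumption: a real service would persist this).
LINKS = {}          # emailed link token -> account id it confirms
CONFIRMED = set()   # account ids whose confirmation has completed
SECRET_KEY = secrets.token_bytes(32)   # server-side secret used to mint form tokens


def issue_link_token(account_id):
    """Mint the unguessable token that is embedded in the emailed link."""
    token = secrets.token_urlsafe(32)
    LINKS[token] = account_id
    return token


def form_token(link_token):
    """Anti-XSRF token tied to one link. Only a holder of SECRET_KEY can compute
    it, so a page on another origin cannot forge a valid confirmation POST."""
    return hmac.new(SECRET_KEY, link_token.encode(), hashlib.sha256).hexdigest()


def handle_get(link_token):
    """GET /confirm?t=<link_token>: a safe request. It changes no state and only
    renders the POST form, so a forged or prefetched GET is harmless.
    Returns (status, body)."""
    account_id = LINKS.get(link_token)
    if account_id is None:
        return 404, "unknown confirmation link"
    if account_id in CONFIRMED:
        # Re-clicking the link after confirming is not an error (idempotent).
        return 200, "already confirmed"
    body = (
        '<form method="post" action="/confirm">'
        f'<input type="hidden" name="link" value="{escape(link_token)}">'
        f'<input type="hidden" name="csrf" value="{form_token(link_token)}">'
        '<button type="submit">Confirm</button>'
        '</form>'
    )
    return 200, body


def handle_post(form):
    """POST /confirm: the only request that performs the confirmation.
    `form` is the parsed request body (a dict). Returns (status, body)."""
    link_token = form.get("link", "")
    account_id = LINKS.get(link_token)
    if account_id is None:
        return 404, "unknown confirmation link"
    # Constant-time compare of the submitted token against the expected one.
    if not hmac.compare_digest(form.get("csrf", ""), form_token(link_token)):
        return 403, "missing or invalid form token"
    if account_id in CONFIRMED:
        # Double submit (back button, retry) yields the same outcome, no failure.
        return 200, "already confirmed"
    CONFIRMED.add(account_id)
    return 200, "confirmed"
```

The usability cost Subbu raises is real: the user sees one extra button. What it buys is that a third-party page cannot complete the confirmation by merely causing the browser to fetch the link, because the state change happens only on a POST that carries a token the third party cannot compute, and a user who clicks twice sees "already confirmed" rather than an error.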