OK, so if I just do a GET to a page, and this page does a POST to my
REST server, it will be HATEOAS compliant??
I am ready to do that, but I see this just as a proxy ... the GET done
to the first server (the web page) has a side effect anyway :)
But OK, if anyone else has constraints against that... I will do that :)
On Sun, Sep 27, 2009 at 5:09 PM, John Panzer <jpanzer_at_acm.org> wrote:
> Actually, something like a separate form step is needed to help prevent
> XSRF anyway.
>
> On Sunday, September 27, 2009, Subbu Allamaraju <subbu_at_subbu.org> wrote:
>>>> So, what is the alternative ?
>>>
>>> Send a URL to an HTML page that includes a POST form with a button the
>>> user clicks on to confirm.
>>>
>>> (or send an HTML email with a form (not sure if the email client
>>> supports the form submission though)).
>>
>> It is a matter of a tradeoff between usability and safety. Confirming
>> by just clicking on the link is a well-established usage pattern on
>> the web. Most users will miss the flow if there is another HTML form
>> or some other user interaction on that page.
>>
>> When implementing this, just make sure not to fail the request if the
>> user clicks on the link again (i.e. implement it as idempotent).
>>
>> Subbu
>>
>
--
Looking for a client application for this service:
http://fgaucho.dyndns.org:8080/arena-http/wadl
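The flow the thread converges on (the emailed link is a GET that only renders a page; that page carries a POST form the user submits; the POST is the sole state change and tolerates repeats) as an added example. This is not code from the rest-discuss thread or from the arena-http service; the URL base, the in-memory stores, the form-token scheme (an HMAC of the confirmation id under a server key) and the sample address are assumptions made for illustration. Note that the random id in the link is itself the secret that makes the confirmation unguessable; the form token only stops a POST crafted for one id from being replayed against another.

```python
"""Email confirmation as a two-step flow: GET renders a form, POST confirms."""
import hashlib
import hmac
import html
import secrets


class ConfirmationService:
    """Holds pending and completed confirmations (in memory, for illustration)."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret                   # assumed server-side key for form tokens
        self._pending: dict[str, str] = {}      # confirmation id -> email address
        self._confirmed: dict[str, str] = {}    # confirmation id -> email address

    def issue(self, email: str) -> str:
        """Create a pending confirmation and return the link to put in the email."""
        cid = secrets.token_urlsafe(16)         # unguessable id; this is the real secret
        self._pending[cid] = email
        return f"https://example.invalid/confirm/{cid}"   # assumed URL base

    def is_confirmed(self, cid: str) -> bool:
        return cid in self._confirmed

    def _form_token(self, cid: str) -> str:
        # Bound to this confirmation id and not computable without the server key,
        # so a token lifted from one confirmation page is rejected on any other id.
        return hmac.new(self._secret, cid.encode(), hashlib.sha256).hexdigest()

    def handle_get(self, cid: str) -> tuple[int, str]:
        """GET /confirm/{cid}: safe method, renders the confirm form and changes nothing.

        A mail client, link scanner or prefetcher that follows the link does not
        confirm anything, and visiting again after confirming is not an error."""
        if cid in self._confirmed:
            return 200, "<p>Already confirmed.</p>"
        if cid not in self._pending:
            return 404, "<p>Unknown confirmation.</p>"
        action = html.escape(f"/confirm/{cid}")
        token = self._form_token(cid)
        return 200, (
            f'<form method="POST" action="{action}">'
            f'<input type="hidden" name="token" value="{token}">'
            '<button type="submit">Confirm</button></form>'
        )

    def handle_post(self, cid: str, form: dict[str, str]) -> tuple[int, str]:
        """POST /confirm/{cid}: the only request that changes state; idempotent."""
        if cid not in self._pending and cid not in self._confirmed:
            return 404, "<p>Unknown confirmation.</p>"
        sent = form.get("token", "")
        if not hmac.compare_digest(sent, self._form_token(cid)):
            return 403, "<p>Invalid form token.</p>"
        if cid in self._confirmed:
            # Repeat submission (double click, browser retry): same answer, no failure.
            return 200, "<p>Already confirmed.</p>"
        self._confirmed[cid] = self._pending.pop(cid)
        return 200, "<p>Confirmed.</p>"


def demo() -> dict[str, object]:
    """Walk through the flow once and return the observed statuses."""
    svc = ConfirmationService(secret=b"constructed-demo-key")
    link = svc.issue("alice@example.invalid")          # constructed sample address
    cid = link.rsplit("/", 1)[1]
    get_status, page = svc.handle_get(cid)             # scanner or user follows the link
    confirmed_after_get = svc.is_confirmed(cid)        # GET alone must not confirm
    forged = svc.handle_post(cid, {"token": "not-the-real-token"})[0]
    token = page.split('value="')[1].split('"')[0]     # what the browser would submit
    first = svc.handle_post(cid, {"token": token})[0]
    second = svc.handle_post(cid, {"token": token})[0] # user clicks again
    return {
        "get_status": get_status,
        "confirmed_after_get": confirmed_after_get,
        "forged_post": forged,
        "first_post": first,
        "second_post": second,
        "confirmed": svc.is_confirmed(cid),
        "get_after_confirm": svc.handle_get(cid)[0],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The usability cost Subbu raises is real and is not something this code removes: the user still has to press the button. What it buys is that nothing with side effects is reachable through a GET, so automated fetches of the link are harmless, and a repeated POST returns the same success rather than an error.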