View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0005632 | mantisbt | bugtracker | public | 2005-05-22 23:17 | 2005-05-31 11:23 |
Reporter | astax | Assigned To | ryandesign | ||
Priority | normal | Severity | tweak | Reproducibility | always |
Status | closed | Resolution | no change required | ||
Summary | 0005632: Why "Edit", "Delete" and "Make private" links are replaced with buttons? | ||||
Description | Why are those nice tiny links to "Edit", "Delete" and "Make private" for bugnotes replaced with ugly large buttons? (Actually not only these links, but some others too.) I see in the history that it was a fix for 0005606, but the links in that issue exactly specify another, much better way of fixing the problem with Google Web Accelerator. Moreover, that Accelerator is now fixed, as I understood, and won't repeat this problem. | ||||
Tags | No tags attached. | ||||
Collective security wisdom and Internet RFC recommendations state that a form using the GET method, or links with GET parameters, must only be used for things that have no side-effects: viewing a bug report, for example, or searching for one. But if the action is to delete something or to edit it in any way, then the action should only be reachable via a form using the POST method. The Google Web Accelerator brought this issue to the forefront recently, but the recommendation is sound in all contexts. (Read up on "CSRF" (Cross-Site Request Forgery) attacks for more on this.) While clicking a bugnote's "Edit" link did not immediately edit data, it was probably changed to a button to match visually with the "Delete" and "Make Private" buttons, which, since they do change data, must be buttons. |
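
The rule described in the note above, as an added example that is not MantisBT code or part of the original thread: a minimal Python request dispatcher in which the hypothetical actions `bugnote_delete` and `bugnote_set_private` are reachable only by POST, so a GET issued by a link prefetcher changes nothing. It goes one step beyond the note by also requiring a per-session token, since POST alone does not stop a forged cross-site form; all names and the in-memory note store are assumptions.

```python
import hmac
import secrets

# Hypothetical action names modelled on the bugnote controls discussed above.
SAFE_ACTIONS = {"view_bug", "search"}                       # no side effects: GET is fine
UNSAFE_ACTIONS = {"bugnote_delete", "bugnote_set_private"}  # change data: POST only


def new_session():
    """Create a session holding a random anti-CSRF token (constructed sample state)."""
    return {"csrf_token": secrets.token_hex(16)}


def dispatch(method, action, params, session, store):
    """Return (status, headers, body) for one request against an in-memory note store."""
    if action in SAFE_ACTIONS:
        if method not in ("GET", "HEAD"):
            return 405, {"Allow": "GET, HEAD"}, "method not allowed"
        return 200, {}, sorted(store)

    if action not in UNSAFE_ACTIONS:
        return 404, {}, "unknown action"

    # A link prefetcher or crawler only issues GET, so it stops here.
    if method != "POST":
        return 405, {"Allow": "POST"}, "method not allowed"

    # POST alone does not stop a forged cross-site form: require the session token,
    # compared in constant time.
    sent = params.get("csrf_token", "")
    if not hmac.compare_digest(sent.encode(), session["csrf_token"].encode()):
        return 403, {}, "bad or missing token"

    note_id = params.get("bugnote_id")
    if note_id not in store:
        return 404, {}, "no such bugnote"
    if action == "bugnote_delete":
        del store[note_id]
    else:
        store[note_id]["private"] = True
    # Redirect after a successful change so a page reload does not repeat the POST.
    return 303, {"Location": "/view_bug"}, "done"
```
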