Ian Bicking: the old part of his blog

Google at it again

Apparently Google is at it again with the Google Web Accelerator. If you don't remember the GWA, it's the tool that prefetches requests on your behalf. Including links like "delete this", or "read this message", or "logout". Instead of resolving the problems in this version, it has made those problems even worse. All I can think is what the fuck? I know they don't want to be evil, but I just assumed that they also didn't want to be stupid...?

To all you who think that it's okay to vaguely obey some W3C spec, in the face of prevailing practice: you are wrong. Just absurdly and completely wrong. It's like being some obnoxious adult who stares in bafflement when a kid says "It ain't here", then responds "I don't understand you, did you mean 'it isn't here'?" Yeah, right; ain't is a word and we all know it. And GET isn't always safe, and we all know it. Pretending bafflement, as though you spend all your time reading the HTTP specs and no time using the web and noticing how the web works.

Quoting the W3C is doubly obnoxious, because they also produce the HTML spec, which they've sat on for years without providing conscientious developers the tools in HTML to do the Right Thing -- no nested forms, nothing that produces POST requests with anchor-like behavior, and generally no alternatives for generating POST requests except full-fledged forms and JavaScript hacks. Nor have they provided the detail in HTTP to do the Right Thing in any case -- I still haven't seen any reasonable solution to the issue of tracking read mail: an operation that absolutely should be GET (and be accessed through link-like behavior), and yet also should have side effects (that the mail is marked as read). X-Moz: prefetch isn't in the HTTP standard (and apparently they've even stopped using that!).

I stand by my previous comments. You can tell Google what you think here.

Created 25 Oct '05
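One server-side guard for the link types named above, as an added example that is not part of the original post: it refuses requests labelled X-Moz: prefetch and serves state-changing paths to POST only. The path prefixes, class name and helper functions are hypothetical, and the first check assumes the prefetching client actually sends the header.

```python
# Added example (not from the original post); paths below are hypothetical.
UNSAFE_PREFIXES = ("/delete", "/logout")

class PrefetchGuard:
    """Refuse labelled prefetches; require POST for state-changing paths."""

    def __init__(self, app, unsafe_prefixes=UNSAFE_PREFIXES):
        self.app = app
        self.unsafe_prefixes = tuple(unsafe_prefixes)

    def __call__(self, environ, start_response):
        # WSGI exposes the X-Moz request header as HTTP_X_MOZ.
        hint = environ.get("HTTP_X_MOZ", "").strip().lower()
        if hint == "prefetch":
            # Assumption: the client labels its prefetches. The post notes
            # the accelerator may have stopped doing so, hence the next check.
            return self._refuse(start_response, "403 Forbidden", [])
        method = environ.get("REQUEST_METHOD", "GET").upper()
        path = environ.get("PATH_INFO", "")
        if method in ("GET", "HEAD") and path.startswith(self.unsafe_prefixes):
            # An unlabelled prefetch is still only a GET, so it cannot
            # trigger an action that is served to POST alone.
            return self._refuse(start_response, "405 Method Not Allowed",
                                [("Allow", "POST")])
        return self.app(environ, start_response)

    @staticmethod
    def _refuse(start_response, status, extra_headers):
        body = (status + "\n").encode("ascii")
        headers = [("Content-Type", "text/plain"),
                   ("Content-Length", str(len(body))),
                   ("Cache-Control", "no-store")] + extra_headers
        start_response(status, headers)
        return [body]

def demo_app(environ, start_response):
    """Stand-in application (constructed for this example)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]

def status_for(method, path, headers=None):
    """Run one constructed request through the guard and return the status."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path}
    environ.update(headers or {})
    seen = []
    PrefetchGuard(demo_app)(environ, lambda status, hdrs: seen.append(status))
    return seen[0]
```

A read-mail link stays a plain GET under this guard, so its side effect is protected only while the client labels its prefetches.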

Comments:

Oh yes, the thing which made the obnoxious "Web 2.0" crowd throw all the toys out of their pram, wasn't it? It's interesting that you previously mentioned the WHAT-WG and their supposedly superior work on standardising the Web, which mostly seems to involve the main participants implementing fancy gadgets in their browsers and then writing them up in the WHAT-WG specifications as some kind of exercise in legitimacy. Here's an example of the WHAT-WG relevance factor these days:

http://www.whatwg.org/specs/web-apps/current-work/#broadcasting0

Quite where broadcasting to Bluetooth devices fits into the Web and why there's a rush to standardise this (and presumably deal with the security implications later) remains as much a mystery as why there are special sms and smsto protocol schemes in the Web Forms 2.0 specification, and yet no-one seems to be interested in getting basic stuff like character encodings done in a sane way:

http://www.whatwg.org/specs/web-forms/current-work/#the-charset

Anyway, I'd like to see a decent response to Jim's last comment on the "GWA and RFC 2616" article. It seems to me that the form toolkits used by the "Web 2.0" crowd really must be toys if they fail to support the relatively simple use case he puts forward.

# The Badger

You mean his suggestion to use <input type="submit" name="delete-id-1" value="Delete this address"> ? There are a couple problems with this: (a) no nested forms, so it can be difficult to put a submit button in an arbitrary location, and (b) there remain links that are not "safe", but are truly link-ish, and (c) there's less control available over buttons, which can be a problem in some circumstances (buttons tend to be visually weighty, and CSS controls are limited).

Unsafe GET links did not start with Web 2.0 apps; they are as old as the web itself, and old and largely unmaintained web applications have these bugs. The idea that we should "fix" these applications because GWA exposed a "bug" is incredibly unrealistic. Though in a practical sense, it does seem that this incarnation of the GWA is somewhat improved, as it doesn't prefetch links with variables (i.e., ?). Maybe that will be enough, I'm not sure.

# Ian Bicking

Web Forms 2 supports nested forms in XHTML. It also supports a form attribute on form controls so you can associate them with any form even when they are not a descendant of any. Quite cool and there are some experimental implementations out there.

# Anne van Kesteren

Google does unsafe GET links themselves.

Including Google AdWords links.

Let's start prefetching all those links and see what Google has to say ;)

# Rene Dudfield

Ads are indeed another intriguing example of how hard prefetching is to do with the web we have.

# Ian Bicking