Hacker News new | ask | show | jobs
by iCarrot 2413 days ago
It depends on how you interpret correctness. RFC 2616 9.1.1 also used "SHOULD NOT" and not "MUST NOT", indicating that there are valid use cases. The issue is about whether your users are aware of (and are responsible for) the side-effect or not. In this case they are.
1 comments
oefrha 2413 days ago
Except when GET has side effects, one can embed the URL in an img tag and visitors would be triggering that side effect unknowingly. One can do this on most public forums. So no, users may not be aware.
link
iCarrot 2413 days ago
What you just described is actually a web beacon [1], in which case the one that embed the URL is the user (and not the one who load the <img>). Web beacon can be used to implement useful thing like visitor counter service [2].

[1]: https://en.wikipedia.org/wiki/Web_beacon

[2]: https://www.hitwebcounter.com/

link
oefrha 2413 days ago
It's also "useful" for cross-site request forgery.
link
iCarrot 2413 days ago
Cross-site request forgery is only "useful" in auth context. There is no auth in Volatile, nor in the hit counter.
link