On Tue November 25 2008, Toshio Kuratomi wrote:
> Till Maas wrote:
> > It is recommended to not use GET requests to change state on the server,
> > therefore it would probably be better to change these GET requests to
> > POST requests.
>
> The proposal doesn't specifically mention POST there as well but it
> should to make things clearer:
>
> "Every time we submit a form or make a GET request that can change state
> on the server"
>
> s/submit/POST/
> /me changes that now.
>
> The reasons the proposal is explicit about GET are:
>
> 1) We'd have to constantly audit code for places where GET is being used
> to alter state and change that. This is doable if the app authors are
> aware of this but not so scalable if it's me going through and making
> those changes.

Now I am confused. Do you want to require the token for every request of an
authenticated user then, regardless of whether or not they can change state
on the server?

Regards,
Till
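The two policies being weighed in the exchange above can be stated precisely as a request filter: either the token is demanded only on requests that can change state (non-GET methods plus the GET handlers an audit has flagged), or it is demanded on every request from an authenticated user. The following is an added example written for this page, not code from the proposal or from Fedora Infrastructure; the `Request` model, the `STATE_CHANGING_GET_PATHS` list, the `_csrf_token` parameter name and the session-bound HMAC token scheme are all assumptions made for illustration.

```python
"""Request-level CSRF token enforcement, illustrating the two policies
discussed in the thread: a token on every state-changing request (POST plus
any GET handler known to mutate state) versus a token on every request made
by an authenticated user.  The request model, the path list and the token
scheme are assumptions for this example, not the proposal's own design."""

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Server-side key used to derive per-session tokens (generated fresh here;
# a real deployment would load it from configuration).
SECRET_KEY = secrets.token_bytes(32)

# Methods that are expected to change state and therefore always need a token.
STATE_CHANGING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

# Legacy GET handlers known to alter state; the audit the thread mentions
# would produce a list like this.  Hypothetical paths, constructed here.
STATE_CHANGING_GET_PATHS = {"/admin/delete_user", "/package/retire"}


@dataclass
class Request:
    """Minimal stand-in for a framework request object (constructed here)."""
    method: str
    path: str
    session_id: Optional[str] = None        # None means an unauthenticated client
    form: Dict[str, str] = field(default_factory=dict)
    query: Dict[str, str] = field(default_factory=dict)


def token_for_session(session_id: str) -> str:
    """Derive the CSRF token bound to a session: HMAC-SHA256(key, session id).
    Binding the token to the session means a token harvested from one
    victim's page is useless against another session."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def requires_token(req: Request, every_request: bool = False) -> bool:
    """Decide whether this request must carry a CSRF token.

    every_request=False: the proposal's policy, a token on anything that can
    change state (non-GET methods plus audited GET handlers).
    every_request=True:  the stricter alternative raised in the reply, a token
    on every request from an authenticated user regardless of its effect."""
    if req.session_id is None:
        # No ambient credential to ride on, so there is nothing to forge.
        return False
    if every_request:
        return True
    if req.method.upper() in STATE_CHANGING_METHODS:
        return True
    return req.method.upper() == "GET" and req.path in STATE_CHANGING_GET_PATHS


def check_csrf(req: Request, every_request: bool = False) -> bool:
    """Return True if the request may proceed, False if it must be rejected."""
    if not requires_token(req, every_request):
        return True
    supplied = req.form.get("_csrf_token") or req.query.get("_csrf_token")
    if not supplied:
        return False
    expected = token_for_session(req.session_id)
    # Constant-time comparison so the check does not leak the token byte by byte.
    return hmac.compare_digest(supplied, expected)


if __name__ == "__main__":
    sid = "session-abc123"
    good = token_for_session(sid)
    print(check_csrf(Request("GET", "/profile", sid)))                              # True: plain read
    print(check_csrf(Request("POST", "/profile", sid)))                             # False: no token
    print(check_csrf(Request("POST", "/profile", sid, form={"_csrf_token": good})))  # True
    print(check_csrf(Request("GET", "/admin/delete_user", sid)))                   # False: audited GET
    print(check_csrf(Request("GET", "/profile", sid), every_request=True))          # False: strict policy
```

The `every_request=False` branch is the one that needs the ongoing audit described in the quoted text: any GET handler that mutates state but is missing from `STATE_CHANGING_GET_PATHS` is unprotected. The `every_request=True` branch removes that dependency at the cost of forcing a token onto every link and read-only page an authenticated user visits.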