[guran]

Fick följande meddelande igår, som handlar om att aldrig använda länkar för utförande av kritiska åtgärder, då länkar kan klickas automatisk. Automatiskt klickad länk kan ske på en länk som t.ex. raderar något i din databas. Använd knappar i stället.

"Everyone makes mistakes, even Google. Mistakes are what beta
programs are for. One mistake in the beta release of Google Web
Accelerator [1] (GWA) last week is proving to be a valuable
reminder for Web developers.

Among other things [2], Google Web Accelerator speeds up your
browsing experience by scouring pages you visit for links and
quietly preloading them in the background in case you decide to
click one of them. Can you spot the problem?

A misguided design trend of avoiding buttons in favour of
hyperlinks in Web applications is the problem. Web applications
increasingly include links that delete records, confirm actions,
and take all manner of sensitive and potentially irreversible
actions. And here comes GWA, ready to click them all for you
automatically!

So whose fault is this? If you believe 37signals [3], whose
just-launched Backpack [4] application fell prey to link-happy
GWA last week, it's Google's fault [5] for not anticipating the
side-effects of its link prefetching. If you believe Google,
it's developers' fault [6] for not complying with Web standards.

According to the W3C [7], hyperlinks and forms that use the HTTP
GET method of submission should only be requests for content or
information (such as a search). Actions--and especially actions
for which the user will be held accountable--should always be
performed using HTTP POST requests, which in most cases means
clicking a submit button, not a hyperlink.

Developers who use ASP.NET, for example, need to think twice
before using the deceptively simple LinkButton control, which
simulates a form button using a hyperlink. Who knew the innocent
hyperlink could cause so much trouble?

The trend away from buttons and towards hyperlinks in Web design
is therefore a dangerous one. Before using a hyperlink, designers
should ask themselves: what if this link gets clicked
automatically?

Interestingly, some of the conversations that have sprung out of
the GWA prefetching mess have started to look at Web application
security issues like cross-site scripting (XSS) with fresh eyes.
Read on for the low-down on these issues."