> Just because a crawler won't submit a form doesn't mean that a user (or a
> non-compliant crawler) won't. It's also not complicated for a user to modify
> the headers to issue a post instead of a get or vice versa. The point being,
> if you have something that can trigger a data change, you have to assume
> someone can execute it regardless of whether it is a POST or a GET and
> regardless of whether it was initiated by a crawler or something else.

Often, when a rule seems pointless, you may simply be missing the point.

In this case, the point has nothing to do with security. It's about following a 
simple convention. If you follow this convention, you don't have to worry about 
other programs that conform to those conventions. That's the whole point of 
having conventions.

And, I can guarantee from my personal experience as a Google Search Appliance 
consultant, this is a regular and ongoing problem. Typically, when implementing 
enterprise search, you configure your GSA to crawl content that requires 
credentials; users can then, when searching, enter their own credentials to 
view private search results if those credentials allow. The GSA may be 
configured to crawl millions of documents across many servers, public and 
private, which may correspond to hundreds of separate applications. If one 
developer of one application doesn't understand this basic "web development 
101" concept, hilarity often ensues.

And, frankly, this is a basic concept of web development, just like conformance 
to standards like HTML and CSS.

Dave Watts, CTO, Fig Leaf Software 
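
The convention discussed in this message, as an added example that is not part of the original post: a constructed in-memory app (the `App` class, `crawl` function and `/delete/<id>` route are hypothetical) is crawled by a link follower that issues only GET requests. With deletion exposed as a link the crawl empties the store; with deletion behind a POST form, and GET refused with 405, nothing is lost.

```python
from html.parser import HTMLParser

class LinkParser(HTMLParser):
    """Collects <a href> targets; like a compliant crawler, it ignores forms."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.append(href)

class App:
    """Constructed sample app; delete_via_get selects the unsafe or safe variant."""
    def __init__(self, delete_via_get):
        self.delete_via_get = delete_via_get
        self.docs = {1: "budget", 2: "roadmap", 3: "contacts"}  # constructed data

    def request(self, method, path):
        if path == "/":
            rows = []
            for doc_id, name in self.docs.items():
                if self.delete_via_get:   # state change reachable by following a link
                    rows.append(f'<a href="/delete/{doc_id}">delete {name}</a>')
                else:                     # state change only reachable by form POST
                    rows.append(f'<form method="post" action="/delete/{doc_id}">'
                                f'<button>delete {name}</button></form>')
            return 200, "".join(rows)
        if path.startswith("/delete/"):
            if method == "GET" and not self.delete_via_get:
                return 405, ""            # refuse a data change on a safe method
            self.docs.pop(int(path.rsplit("/", 1)[1]), None)
            return 200, ""
        return 404, ""

def crawl(app):
    """Follow every link reachable from "/" with GET only; return documents left."""
    seen, queue = set(), ["/"]
    while queue:
        path = queue.pop()
        if path in seen:
            continue
        seen.add(path)
        _status, body = app.request("GET", path)
        parser = LinkParser()
        parser.feed(body)
        queue.extend(parser.links)
    return len(app.docs)
```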



Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:291133