-
Notifications
You must be signed in to change notification settings - Fork 204
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use delete button instead of link url #391
Comments
Could you link to where the current implementation is out of compliance with W3C RFC. My understanding is that "Destructive actions shouldn't not be sent through GET requests unless appropriate precautions are taken." |
I opened this issue in consideration of your comment here, and the discussion that was taken in that issue. Below find the highlighted text where the article stipulates that all GET request are intended for retrieval operations, while POST, DELETE, and PUT are related in the sense that these method represent some SIDE effect it is more natural to have the DELETE operation be performed in a POST, because their close relationship. This seems to be the broader accepted convention and we can comply with this pretty easily thru the use of the enhanced WDYT? 9.1.1 Safe MethodsImplementors should be aware that the software represents the user in their interactions over the Internet, and should be careful to allow the user to be aware of any actions they might take which may have an unexpected significance to themselves or others. In particular, the convention has been established that the GET and HEAD methods SHOULD NOT have the significance of taking an action other than retrieval. These methods ought to be considered "safe". This allows user agents to represent other methods, such as POST, PUT and DELETE, in a special way, so that the user is made aware of the fact that a possibly unsafe action is being requested. Naturally, it is not possible to ensure that the server does not generate side-effects as a result of performing a GET request; in fact, some dynamic resources consider that a feature. The important distinction here is that the user did not request the side-effects, so therefore cannot be held accountable for them. |
Technically we are alerting users to the consequences of their actions, sending csrf, and changing method to delete. I prefer this to using a javascript hack like Rails UJS, or a inserting a form for a link. However, the world seems to be completely in the camp of not using GET for delete anymore. So I concede we should change it. I would like to suggest that we change it to some sort of syntax like WDYT? |
@elorest The meme is set and breaking it is an uphill battle. There is no W3C RFC regarding method override, but there is a meme that is hard to break. I concede that its not a battle worth fighting. I do like your approach of using the |
Quite frankly, I don't think we are violating anything. According to what I have read PUT and DELETE are no longer supported in HTML 5 forms and were in fact remove from the specs. However, GET, POST, PUT and DELETE are supported by the implementations of XMLHttpRequest (i.e. AJAX calls) in all the major web browsers (IE, Firefox, Safari, Chrome, Opera). Actually any other method other than GET and POST were not part of the original HTTP specification (HTTP/0.9, or I think HTTP/1.0) specs. So we either implement the UJS library, which I believe we can just copy and/or |
Some update about this 😅 |
@faustinoaq I like button_to to be semantically correct, link_to that generates a form is a little deceiving to me. People can weight in on this. I will go with the majority votes here |
It seems that we can close this issue since this was somehow resolved using an alternative approach here #715 WDYT? |
Agree |
Reference: #356
Currently generated views uses
This should use button tag instead, which generates a submit form and sends CSRF as a POST instead of a get. This will make more closely compliance with W3C RFC.
The text was updated successfully, but these errors were encountered: