[Catalyst] Re: Converting a GET request to a POST request

Aristotle Pagaltzis pagaltzis at gmx.de
Mon Nov 22 20:12:26 GMT 2010


* Ronald J Kimball <rkimball at pangeamedia.com> [2010-11-22 18:50]:
> I want to convert a GET request to a POST request, inside my
> Catalyst app, before dispatching happens. For example, I want
> to take a request like:
>
> GET /foo?method=POST&body={"foo":1}&content-type=text/javascript
>
> and convert it into a request like this:
>
> POST /foo
> Content-Type: text/javascript
>
> {"foo":1}

This is really, really, really bad. It’s roughly like modifying
a file system to allow file deletion as a side effect of
opening a file. GET is supposed to be safe, that is, it should be
free of side effects that the user cannot be held responsible
for. It is very, very easy to get a browser to send GET requests
incidentally, e.g. by putting the link in an `<img src>` or
a stylesheet `<link>` and getting a user to visit. Things like
Google Web Accelerator and other automated user agents (like
search engines of course) also generally assume that GET is safe.
Much web infrastructure also assumes that GET requests are
cacheable, so if there are any proxies between the app and the
user, sending multiple pseudo-POST requests may not actually do
anything.

> Background: I'm implementing a REST API using
> Catalyst::Controller::REST. The API will be accessed via Ajax
> running on third party websites, using JSONP to get around the
> same-origin policy. Unfortunately, JSONP can only make GET
> requests. So, I want to take that GET request and turn it into
> a POST before Catalyst::Action::Deserialize does its magic.

The same-origin policy is not there by mistake, but to keep your
users safe from malicious 3rd party sites they may visit.

Regards,
-- 
Aristotle Pagaltzis // <http://plasmasturm.org/>
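
The point made in the reply above can be enforced in front of the application. The following is an added example, not part of the original message and not Catalyst's or any module's own code: a plain PSGI wrapper that refuses a `method=` override on safe requests instead of rewriting them. The function names, the 400 response and the use of the X-HTTP-Method-Override header on POST are assumptions of this example, and the sample requests are constructed.

```perl
use strict;
use warnings;

# Safe methods must never be promoted; only POST may tunnel to these.
my %SAFE     = map { $_ => 1 } qw(GET HEAD OPTIONS);
my %TUNNELED = map { $_ => 1 } qw(PUT PATCH DELETE);

# First value of a query-string parameter, URL-decoded; undef if absent.
sub query_param {
    my ($query, $name) = @_;
    for my $pair (split /[&;]/, $query // '') {
        my ($k, $v) = split /=/, $pair, 2;
        for (grep { defined } $k, $v) { tr/+/ /; s/%([0-9A-Fa-f]{2})/chr hex $1/ge }
        return $v // '' if defined $k && $k eq $name;
    }
    return;
}

# Wrap a PSGI app and return a new PSGI app that enforces the policy.
sub guard_method_override {
    my ($app) = @_;
    return sub {
        my ($env) = @_;
        my $method = uc($env->{REQUEST_METHOD} // '');
        if ($SAFE{$method}) {
            # Images, prefetchers and crawlers all issue GETs: refuse, never rewrite.
            my $want = query_param($env->{QUERY_STRING}, 'method');
            return [400, ['Content-Type' => 'text/plain'],
                    ["method override is not accepted on $method\n"]]
                if defined $want && !$SAFE{ uc($want) };
        }
        elsif ($method eq 'POST') {
            my $want = uc($env->{HTTP_X_HTTP_METHOD_OVERRIDE} // '');
            $env = { %$env, REQUEST_METHOD => $want } if $TUNNELED{$want};
        }
        return $app->($env);
    };
}

# Constructed demo: the inner app reports the method it was dispatched with.
my $app = guard_method_override(sub {
    return [200, ['Content-Type' => 'text/plain'], ["handled as $_[0]{REQUEST_METHOD}\n"]];
});
for my $env (
    { REQUEST_METHOD => 'GET',  QUERY_STRING => 'method=POST&body=%7B%22foo%22%3A1%7D' },
    { REQUEST_METHOD => 'GET',  QUERY_STRING => 'page=2' },
    { REQUEST_METHOD => 'POST', QUERY_STRING => '', HTTP_X_HTTP_METHOD_OVERRIDE => 'DELETE' },
) {
    my $res = $app->($env);
    printf "%-4s ?%-40s -> %d %s", $env->{REQUEST_METHOD}, $env->{QUERY_STRING}, $res->[0], $res->[2][0];
}
```

The POST branch still needs the application's usual authentication and CSRF checks; the wrapper only guarantees that a GET never reaches a state-changing handler.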


