We are migrating a web application from ASP.NET webforms to MVC. We understand when and why we should be using HttpGet vs HttpPost. However, old habits die hard and we’re finding places where we forgot to do the right thing.
Although we should fix all of the incorrect usages, because of various CSS/layout issues that’s actually not totally trivial. In a web application, where 100% of the pages are hidden behind login, what are the dangers of having a delete button that does a GET?
What kinds of things, if any, are out there that will follow links without the user having to click/confirm the action?
One risk is with tools such as Fasterfox that may prefetch link targets so that they can be displayed immediately if a user clicks them at a later time. If configured in a certain way, Fasterfox could possibly visit this ‘delete’ URL even though the user never clicked the link.
That being said, I’ve had no problems with using GET for an “Empty trash” button in a webmail app that’s had ~10,000 daily users for several years. It’s possible that this type of prefetching will never be a problem for your users either.
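For finding the actions that were missed during the migration, here is an added example (not part of the original question or answer): a reflection-based audit that lists ASP.NET MVC actions which still accept GET and whose names suggest a state change. The class name `GetReachableActionAudit` and the name prefixes are assumptions made for illustration.

```csharp
// Added example: lists MVC actions that anything following a link without a click
// (for instance a prefetcher) can trigger, because they still answer to GET.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Web.Mvc;

public static class GetReachableActionAudit
{
    // Assumed naming convention for state-changing actions; extend for your code base.
    private static readonly string[] RiskyPrefixes =
        { "Delete", "Remove", "Empty", "Purge", "Update", "Save", "Create" };

    public static IEnumerable<string> Find(Assembly webAssembly)
    {
        var controllers = webAssembly.GetTypes()
            .Where(t => t.IsClass && !t.IsAbstract && typeof(Controller).IsAssignableFrom(t));

        foreach (var controller in controllers)
        {
            // DeclaredOnly: actions inherited from a shared base controller are
            // reported when that base type itself is concrete, not here.
            var actions = controller
                .GetMethods(BindingFlags.Public | BindingFlags.Instance | BindingFlags.DeclaredOnly)
                .Where(m => !m.IsSpecialName && !m.IsDefined(typeof(NonActionAttribute), true))
                .Where(m => RiskyPrefixes.Any(
                    p => m.Name.StartsWith(p, StringComparison.OrdinalIgnoreCase)));

            foreach (var action in actions.Where(AllowsGet))
                yield return controller.FullName + "." + action.Name;
        }
    }

    private static bool AllowsGet(MethodInfo action)
    {
        if (action.IsDefined(typeof(HttpGetAttribute), true)) return true;

        var acceptVerbs = action.GetCustomAttributes(typeof(AcceptVerbsAttribute), true)
            .Cast<AcceptVerbsAttribute>().ToList();
        if (acceptVerbs.Count > 0)
            return acceptVerbs.Any(a => a.Verbs.Contains("GET", StringComparer.OrdinalIgnoreCase));

        // No verb attribute at all means MVC accepts every verb, GET included.
        return !(action.IsDefined(typeof(HttpPostAttribute), true)
              || action.IsDefined(typeof(HttpPutAttribute), true)
              || action.IsDefined(typeof(HttpDeleteAttribute), true));
    }
}
```

Run `Find` against the web project's assembly from a unit test or a small console tool, and treat each reported action as a candidate for `[HttpPost]` once its view submits a form instead of a link.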