Installing Safari 4 had a pretty strange effect for me: Lights in the house switched on and off at random.
It turns out that Safari likes to visit your favourite pages periodically to update its Top Sites browser. Which is fine unless some of the lights in your house are controlled by a web interface which uses GET for the light switch buttons.
Since it's private to the house network I hadn't bothered to password protect it. I assume Safari would have left it alone if I had. On a hunch I fixed the problem by switching the lighting control page to https - and it seems to have worked.
I can't help wondering 1) how many intranets it's attacked already and 2) does it know to refrain from clicking on sites that use cookie-based auth (RT?) and if so, how?
The HTTP spec states that GET should be safe and should never assume that the client is asking for any side-effects. Use PUT or POST for those.
Re:Safari is not doing anything wrong
AndyArmstrong on 2009-07-03T00:50:21
If I thought Safari was doing anything wrong I'd have been nastier about it. The point was that it's doing something that browsers haven't done in the past and that's going to cause a bit of head scratching until people realise that Safari goes off on little jaunts through your favourites when it feels like it. It's pretty common IME for people to assume that if they're on a private network they don't need to worry about using GET with side effects.
Years ago I had a client who couldn't understand how pages from their wiki-style public consultation site kept getting deleted. Turned out that GoogleBot was visiting their hidden "delete page" links...
Re:Safari is not doing anything wrong
Aristotle on 2009-07-03T04:09:36
Look for ["web accelerator" rails] for the last big brouhaha. I don’t know what to think about this… it’s not uncommon, but that doesn’t make it any less misguided, so I don’t know whether to fault the agents that do this sort of thing. More importantly, short of abstaining from such requests altogether (which means withholding a nice feature), I don’t see what they could do, so I wouldn’t know how to fault them.
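Added example, not part of the original post or its comments: a minimal light-control endpoint in which GET only renders state and the switch is reachable only by POST, so a prefetcher, Top Sites refresh or crawler that fetches every link cannot flip anything. The light name `hall`, the `/toggle/<name>` path and the helper names are assumptions made for this sketch.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

LIGHTS = {"hall": False}  # constructed sample state; "hall" is a hypothetical light
PAGE = ('<p>hall is {state}</p>'
        '<form method="post" action="/toggle/hall"><button>Toggle</button></form>')

class LightHandler(BaseHTTPRequestHandler):
    def _reply(self, status, body="", headers=()):
        data = body.encode()
        self.send_response(status)
        for key, value in headers:
            self.send_header(key, value)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        # GET is read-only: it reports state and refuses the switch URL.
        if self.path.startswith("/toggle/"):
            self._reply(405, "use POST\n", [("Allow", "POST")])
        else:
            state = "on" if LIGHTS["hall"] else "off"
            self._reply(200, PAGE.format(state=state), [("Content-Type", "text/html")])

    def do_POST(self):
        # Only POST may change state; unknown paths and lights get 404.
        name = self.path[len("/toggle/"):] if self.path.startswith("/toggle/") else None
        if name not in LIGHTS:
            return self._reply(404, "no such light\n")
        LIGHTS[name] = not LIGHTS[name]
        self._reply(303, "", [("Location", "/")])  # redirect so a reload does not re-POST

def start_server():
    server = HTTPServer(("127.0.0.1", 0), LightHandler)  # port 0: pick a free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def send(server, method, path):
    conn = http.client.HTTPConnection("127.0.0.1", server.server_address[1])
    conn.request(method, path)
    status = conn.getresponse().status
    conn.close()
    return status

if __name__ == "__main__":
    srv = start_server()
    for method in ("GET", "POST"):
        print(method, send(srv, method, "/toggle/hall"), LIGHTS)
```

Moving the action to POST stops link-following agents from triggering it; it does not authenticate the caller, so any client on the network that sends the POST can still switch the light.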