[Rd] CRAN form submission confirmation link
Jeroen Ooms
jeroen.ooms at stat.ucla.edu
Wed Sep 10 15:40:53 CEST 2014
There is a small problem in the CRAN submission form, which is not super
urgent but probably good to be aware of.

So I noticed that after I submitted a package, the submission was confirmed
without me actually clicking the link in the confirmation email (which
could be a potential security risk). I suspect that this happens because
many modern browsers use pre-rendering, which retrieves hyperlinks on a
page before the user actually clicks on it. This is perfectly legal because
the HTTP GET method [1] is defined to be "safe" and "idempotent", and
therefore a GET request should never change server state. And this is where
the current implementation of the confirmation page might violate HTTP.

I think the proper way to implement this would be if the link in the
confirmation email would lead to a page where the user has to click a
button which results in a POST request to confirm the submission.

[1] http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html
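
The pattern proposed in the message, as an added example (not CRAN's code and not part of the original e-mail): the emailed link is served by a GET that only renders a button, and the state change happens on the POST. The `/confirm` path, the in-memory `PENDING` store and all function names are assumptions made for illustration.

```python
import io
import secrets
from html import escape
from urllib.parse import parse_qs, urlencode

PENDING = {}  # constructed in-memory store: token -> submission record

def new_submission(package):
    """Register a pending submission; returns the token sent in the e-mail link."""
    token = secrets.token_urlsafe(32)
    PENDING[token] = {"package": package, "confirmed": False}
    return token

def reply(start_response, status, body, extra=()):
    headers = [("Content-Type", "text/html; charset=utf-8"), ("Cache-Control", "no-store")]
    start_response(status, headers + list(extra))
    return [body.encode()]

def app(environ, start_response):
    """WSGI app for the hypothetical /confirm endpoint."""
    method = environ["REQUEST_METHOD"]
    if method in ("GET", "HEAD"):
        # Safe methods: only render the button. A pre-render or prefetch that
        # retrieves the emailed URL leaves the submission unconfirmed.
        token = parse_qs(environ.get("QUERY_STRING", "")).get("token", [""])[0]
        if token not in PENDING:
            return reply(start_response, "404 Not Found", "Unknown token")
        form = ('<form method="post" action="/confirm">'
                '<input type="hidden" name="token" value="%s">'
                '<button>Confirm submission of %s</button></form>'
                % (escape(token, quote=True), escape(PENDING[token]["package"])))
        return reply(start_response, "200 OK", form)
    if method == "POST":
        # The state change happens only here, after an explicit click.
        size = int(environ.get("CONTENT_LENGTH") or 0)
        fields = parse_qs(environ["wsgi.input"].read(size).decode())
        record = PENDING.get(fields.get("token", [""])[0])
        if record is None:
            return reply(start_response, "404 Not Found", "Unknown token")
        record["confirmed"] = True
        return reply(start_response, "200 OK", "Submission confirmed")
    return reply(start_response, "405 Method Not Allowed", "", [("Allow", "GET, POST")])

def request(method, token):
    """Drive the app in-process with a constructed request; returns the status line."""
    body = urlencode({"token": token}).encode() if method == "POST" else b""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": "/confirm",
               "QUERY_STRING": urlencode({"token": token}) if method == "GET" else "",
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    seen = []
    app(environ, lambda status, headers: seen.append(status))
    return seen[0]
```

Calling `request("GET", token)` any number of times leaves the record unconfirmed; only `request("POST", token)` flips it.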