Sure they can have side effects; the quote you include says as much. What it says is that "the side-effects of N > 0 identical requests is the same as for a single request." In other words, for a GET request it should make no difference if you visit the link 1 time or 200 times: the side effects should be identical. There is allowed to be a difference between visiting the link 1+ times and visiting it 0 times. That's NOT the same as saying there should be no side effects.

An example: voting for a story on Digg. If you vote yes for a certain story once, or 100 times, the result is the same: your vote is registered as a yes.

Another example: adding a certain book to your Amazon wishlist. Whether you do the relevant GET request once or 10 times, the side effect is the same: that book will appear on your wishlist. (Once, not 10 times!)

So no, respecting the difference between GET and POST will do precisely nothing at all to combat this particular vulnerability, though it would have -other- advantages.
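The distinction the comment draws, idempotent versus side-effect-free, is easy to see in code. The following is an added example, not code from the commenter or from any real site: a constructed in-memory vote service (`VoteService`, the session and token handling, and the `story-42`/`story-99` identifiers are all assumptions made for illustration). It shows that an idempotent GET handler leaves the same state after 1 or 200 requests while still differing from 0 requests, and that idempotency does nothing to stop a request the browser sends on a third-party page's behalf; only a per-session token the foreign page cannot read (the usual CSRF mitigation) rejects that request.

```python
"""Idempotent GET handlers still have side effects; idempotency alone is not
a CSRF defence.  Toy model constructed for this example, not a real service."""
import secrets


class VoteService:
    """In-memory stand-in for the story-voting backend discussed above."""

    def __init__(self):
        self.votes = {}      # (user, story) -> "yes"
        self.sessions = {}   # session id -> {"user": ..., "csrf": ...}

    def login(self, user):
        """Create a session (the cookie) and a per-session CSRF token."""
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"user": user, "csrf": secrets.token_hex(16)}
        return sid

    def vote_yes_get(self, sid, story):
        """State-changing GET.  Idempotent: N >= 1 calls leave the same state
        as one call.  Only the session cookie (sid) authenticates it."""
        user = self.sessions[sid]["user"]
        self.votes[(user, story)] = "yes"
        return self.votes[(user, story)]

    def vote_yes_post(self, sid, story, csrf_token):
        """Hardened form: same side effect, but the request must also carry
        the per-session CSRF token, which a cross-site page cannot read."""
        session = self.sessions[sid]
        if not secrets.compare_digest(csrf_token, session["csrf"]):
            raise PermissionError("missing or wrong CSRF token")
        self.votes[(session["user"], story)] = "yes"
        return "yes"


def idempotency_demo(n):
    """Issue the same GET n times and return the resulting vote table."""
    svc = VoteService()
    sid = svc.login("alice")
    for _ in range(n):
        svc.vote_yes_get(sid, "story-42")
    return dict(svc.votes)


def cross_site_demo():
    """Model a request triggered by a third-party page: the browser attaches
    alice's session cookie automatically, but the page holds no CSRF token.
    Returns (GET outcome, POST outcome, final vote table)."""
    svc = VoteService()
    sid = svc.login("alice")
    get_result = svc.vote_yes_get(sid, "story-42")   # honoured: cookie suffices
    try:
        svc.vote_yes_post(sid, "story-99", csrf_token="")
        post_result = "accepted"
    except PermissionError:
        post_result = "rejected"
    return get_result, post_result, dict(svc.votes)


def legit_post_demo():
    """The site's own form knows the token, so the hardened handler accepts it."""
    svc = VoteService()
    sid = svc.login("alice")
    token = svc.sessions[sid]["csrf"]
    svc.vote_yes_post(sid, "story-99", csrf_token=token)
    return dict(svc.votes)


if __name__ == "__main__":
    print("1 GET :", idempotency_demo(1))
    print("200 GET:", idempotency_demo(200))
    print("0 GET :", idempotency_demo(0))
    print("cross-site GET/POST:", cross_site_demo()[:2])
    print("legit POST:", legit_post_demo())
```

The GET handler is perfectly idempotent in the RFC sense and still registers a vote whenever the browser sends the cookie, which is exactly the commenter's point; the token check in `vote_yes_post` is what actually distinguishes a request the user meant to make from one a foreign page induced.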
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds