[Rd] CRAN form submission confirmation link

Jeroen Ooms jeroen.ooms at stat.ucla.edu
Wed Sep 10 15:40:53 CEST 2014


There is a small problem in the CRAN submission form, which is not super
urgent but probably good to be aware of.

So I noticed that after I submitted a package, the submission was confirmed
without me actually clicking the link in the confirmation email (which
could be a potential security risk). I suspect that this happens because
many modern browsers use pre-rendering, which retrieves hyperlinks on a
page before the user actually clicks on it. This is perfectly legal because
the HTTP GET method [1] is defined to be "safe" and "idempotent", and
therefore a GET request should never change server state. And this is where
the current implementation of the confirmation page might violate HTTP.

I think the proper way to implement this would be if the link in the
confirmation email would lead to a page where the user has to click a
button which results in a POST request to confirm the submission.

[1] http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html
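
The fix proposed in the message above, as an added example that is not part of the original post and is not CRAN's code: the emailed link is handled with a safe GET that only renders a button, and the state change happens on POST. The `/confirm/<token>` path, the `PENDING` store and the helper names are assumptions made for illustration.

```python
import html
import secrets
from wsgiref.util import setup_testing_defaults

# Hypothetical in-memory store: token -> has the submission been confirmed?
PENDING = {}

def new_submission():
    """Register a submission and return the token mailed to the maintainer."""
    token = secrets.token_urlsafe(32)
    PENDING[token] = False
    return token

def app(environ, start_response):
    method = environ["REQUEST_METHOD"]
    prefix, _, token = environ.get("PATH_INFO", "").rpartition("/")
    if prefix != "/confirm" or token not in PENDING:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"unknown confirmation link\n"]
    if method in ("GET", "HEAD"):
        # Safe method: render the button only. A prefetcher, link scanner or
        # mail preview that fetches this URL leaves the submission pending.
        body = ('<form method="post" action="/confirm/%s">'
                '<button type="submit">Confirm submission</button></form>'
                % html.escape(token, quote=True)).encode()
        start_response("200 OK", [("Content-Type", "text/html"),
                                  ("Cache-Control", "no-store")])
        return [body]
    if method == "POST":
        PENDING[token] = True  # the only place state changes
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"submission confirmed\n"]
    start_response("405 Method Not Allowed", [("Allow", "GET, HEAD, POST")])
    return [b""]

def request(method, path):
    """Call the WSGI app in-process; returns (status line, body bytes)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path}
    setup_testing_defaults(environ)
    seen = {}
    def start_response(status, headers):
        seen["status"] = status
    body = b"".join(app(environ, start_response))
    return seen["status"], body

if __name__ == "__main__":
    t = new_submission()
    print(request("GET", "/confirm/" + t)[0], PENDING[t])
    print(request("POST", "/confirm/" + t)[0], PENDING[t])
```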
