AJAX Considered Harmful
Please pardon the provocative title, but this post is intended to surface one point I buried in yesterday’s presentation in the hopes that by making it a separate post it will attract a wider audience.
I intend for this post to be constructive, so I will focus on two specific suggestions which hopefully will serve as the seed for the development of a set of best practices for AJAX. Here are the two humble suggestions on things that people should standardize on:
- the data should first be encoded as octets according to the UTF-8 character encoding
- GET should never be used to initiate another operation which will change state
Rationale for these two suggestions follows.
Encoding
For the former, I proposed a simple test:
The first thing I want you to do is to copy the string “Iñtërnâtiônàlizætiøn” into your tool and observe what comes out the other side.
When expressed as a part of the query component of a URI, it should look like I%C3%B1t%C3%ABrn%C3%A2ti%C3%B4n%C3%A0liz%C3%A6ti%C3%B8n.
Standardizing improves interoperability, and the reason why I am suggesting UTF-8 is that it is backwards compatible with ASCII, can express the full range of the Unicode character set, and is widely implemented.
Idempotency
Looking into the current PHP implementation of SAJAX, you will see the following:
```php
// Bust cache in the head
header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");               // Date in the past
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");  // always modified
header("Cache-Control: no-cache, must-revalidate");             // HTTP/1.1
header("Pragma: no-cache");                                     // HTTP/1.0
```
This code should be a rather large clue that you are probably doing something wrong. Apparently the author recognized that these headers are somewhat sporadically and inconsistently implemented, and hoped that by combining them the chances of success would be improved.
The danger that the responses may be cached is actually the smaller of several concerns. A much bigger concern is that unsuspecting grandmothers and bots everywhere can be tricked into modifying online databases simply by following a link.
Judicious use of HTTP GET can be a very good thing.
Perhaps toolkits can adopt a convention that procedure names that start with the characters “Get” use GET, everything else uses POST.
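Both suggestions carried into client-side code, as an added example that is not from the original post or from SAJAX: UTF-8 octets first, then percent-encoding, and the method chosen from the procedure name. The function names, the `proc` parameter and the `/rpc.php` endpoint are assumptions.

```javascript
// Added example (not the post's or SAJAX's own code). Runs in a browser or
// in Node 11+ (TextEncoder is a global in both).

const UNRESERVED = /[A-Za-z0-9\-._~]/; // RFC 3986 unreserved characters

// Encoding suggestion: turn the string into UTF-8 octets first, then
// percent-encode every octet that is not unreserved as uppercase %XX.
function percentEncodeUtf8(str) {
  const octets = new TextEncoder().encode(str); // TextEncoder is always UTF-8
  let out = "";
  for (const b of octets) {
    const ch = String.fromCharCode(b);
    out += b < 0x80 && UNRESERVED.test(ch)
      ? ch
      : "%" + b.toString(16).toUpperCase().padStart(2, "0");
  }
  return out;
}

// Serialize named arguments as key=value pairs joined by "&".
function formEncode(args) {
  return Object.entries(args)
    .map(([k, v]) => percentEncodeUtf8(k) + "=" + percentEncodeUtf8(String(v)))
    .join("&");
}

// Idempotency suggestion: only procedures whose name starts with "Get" travel
// as GET with their arguments in the query; everything else is a POST with
// the arguments in the body, so merely following a link cannot trigger it.
// "proc" and "/rpc.php" are assumed names, not SAJAX's.
function buildRequest(procName, args, endpoint = "/rpc.php") {
  const encoded = formEncode({ proc: procName, ...args });
  if (procName.startsWith("Get")) {
    return { method: "GET", url: endpoint + "?" + encoded, body: null, headers: {} };
  }
  return {
    method: "POST",
    url: endpoint,
    body: encoded,
    headers: { "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8" },
  };
}

// The post's test string, written with escapes so editor normalization cannot alter it.
const TEST_STRING = "I\u00F1t\u00EBrn\u00E2ti\u00F4n\u00E0liz\u00E6ti\u00F8n";
console.log(percentEncodeUtf8(TEST_STRING)); // I%C3%B1t%C3%ABrn%C3%A2ti%C3%B4n%C3%A0liz%C3%A6ti%C3%B8n
console.log(buildRequest("DeleteUser", { id: 7 }).method); // POST
```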