adamchainz / django-browser-reload

Automatically reload your browser in development.
MIT License

Configuration to disable reloading of POSTs (and maybe other verbs) #243

Open bloodearnest opened 7 months ago

bloodearnest commented 7 months ago

Description

By default, POSTs will be auto reloaded, and can mutate state depending on the url behaviour.

Often, a POST will redirect, so it's not a problem. But sometimes returning content directly from the POST response is valid. If a user leaves the page open, it will then be reloaded as a POST, which I don't think is desirable.

As an example, we had a POST view that generates a one-time password to use. We store the hashed version in the db, but display the plain text version to the user in the POST response body. When django-browser-reload reloads the page, it does a POST (which in our case generates a new one-time password, invalidating the old one). We don't redirect as we don't want to store the plain text version of the password in a URL (or in the session, ideally).

Would you support the idea of a config option to disable reloading of anything except GETs? On by default, for b/w compat?

adamchainz commented 7 months ago

What situations do you consider returning content from a POST as valid? I always try to apply “Post/Redirect/Get”. Users might re-POST accidentally by pressing refresh, restarting their browser, or whatever.

Still, let’s add a check that the page was loaded with GET. No need to make it configurable. I think it should work to only render/inject the template tag for GET requests. Can you give that a try and make a PR?
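The scenario from this thread as an added, framework-free Python simulation (not code from django-browser-reload or from either commenter): a POST view that shows a one-time password once, a reload that repeats the POST, and the proposed check that injects the reload tag only for GET. `RELOAD_TAG`, `OtpStore`, `otp_view`, `render` and `simulate` are hypothetical names, and the markup and token format are constructed.

```python
import hashlib
import secrets

# Hypothetical placeholder markup, not the package's real script tag.
RELOAD_TAG = '<script src="/reload.js" defer></script>'
SAFE_METHODS = {"GET"}  # the check proposed in the thread: inject only on GET

class OtpStore:
    """Keeps only the hash of the current one-time password, as in the issue."""
    def __init__(self):
        self.current_hash = None
        self.issued = 0

    def issue(self):
        otp = secrets.token_hex(8)  # constructed token format
        self.current_hash = hashlib.sha256(otp.encode()).hexdigest()
        self.issued += 1
        return otp

    def is_valid(self, otp):
        digest = hashlib.sha256(otp.encode()).hexdigest()
        return self.current_hash is not None and secrets.compare_digest(digest, self.current_hash)

def otp_view(method, store):
    """POST issues a new OTP and shows it once in the body; GET shows a form."""
    if method == "POST":
        return f"<html><body><p>Your code: {store.issue()}</p></body></html>"
    return "<html><body><form method='post'><button>New code</button></form></body></html>"

def render(method, store, guard):
    """Render the view; with guard=True the reload tag is left out of non-GET pages."""
    html = otp_view(method, store)
    if guard and method not in SAFE_METHODS:
        return html
    return html.replace("</body>", RELOAD_TAG + "</body>")

def simulate(guard, code_changes=3):
    """Leave the POST response open while the code changes `code_changes` times.
    Returns (number of OTPs issued, whether the first OTP still verifies)."""
    store = OtpStore()
    page = render("POST", store, guard)
    first_otp = page.split("Your code: ")[1].split("<")[0]
    for _ in range(code_changes):
        if RELOAD_TAG in page:  # per the issue, the reload repeats the POST
            page = render("POST", store, guard)
    return store.issued, store.is_valid(first_otp)
```

Without the guard, every code change rotates the password behind the user's back; with it, the page shown after a POST is never auto-reloaded and the displayed password stays valid.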