Why does JobScheduler not execute all commands via HTTP GET?

JobScheduler version 1.7 and newer restricts the JobScheduler Engine commands that can be carried out via HTTP GET: only read access is allowed.

This means that all <show_... /> commands are allowed. Other commands such as <start_job …/>, <add_order …/>, <terminate …/> etc. are prohibited.

We have made this change in order to be compatible with existing HTTP standards to prevent cross-site scripting (see https://www.owasp.org/index.php/CSRF).
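The rule above, sketched as a default-deny gate (an added example, not JobScheduler's own code): the command is parsed and its root element name is checked, rather than searching the text for `show_`. The function names, the treatment of POST as unrestricted, and the sample commands are assumptions made for illustration.

```python
# Added example: method-aware, default-deny check for XML commands.
# Hypothetical helper names; not part of JobScheduler.
import xml.etree.ElementTree as ET

READ_ONLY_PREFIX = "show_"  # per the page: all <show_... /> commands are read access


def command_name(xml_text):
    """Return the root element name of exactly one XML command, else None."""
    # Refuse DTDs outright so entity tricks never reach the parser.
    if "<!DOCTYPE" in xml_text.upper():
        return None
    try:
        # fromstring() fails on malformed input and on a second root
        # element, so "<show_state/><terminate/>" cannot slip through.
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    return root.tag


def is_allowed(method, xml_text):
    """GET may carry read-only commands only; anything unparseable is denied."""
    name = command_name(xml_text)
    if name is None:
        return False
    method = method.upper()
    if method == "GET":
        return name.startswith(READ_ONLY_PREFIX)
    # Assumption: state-changing commands remain available via POST.
    return method == "POST"


# Constructed sample requests (method, command).
SAMPLES = [
    ("GET", "<show_state/>"),
    ("GET", '<start_job job="show_report"/>'),  # "show_" only in an attribute
    ("GET", "<show_state/><terminate/>"),       # second command appended
    ("GET", "<terminate/>"),
    ("POST", "<terminate/>"),
]


def audit(samples=SAMPLES):
    """Return the allow/deny decision for each sample, in order."""
    return [is_allowed(method, cmd) for method, cmd in samples]


if __name__ == "__main__":
    for (method, cmd), ok in zip(SAMPLES, audit()):
        print(("ALLOW" if ok else "DENY "), method, cmd)
```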

We will make a plugin available for users of HTTP GET, to enable commands to be sent from their own applications to the JobScheduler engine. This will require a modified URL but will enable all commands to be executed via HTTP GET.

Details about the changes to the use of HTTP GET can be found in our Trouble Ticket JS-1154.

Information about use of the plugin can be found in our Trouble Ticket JS-1155.
