[whatwg] [WF2] form submission protocols and methods
ian at hixie.ch
Mon Dec 19 14:40:21 PST 2005
On Mon, 12 Dec 2005, Maciej Stachowiak wrote:
> > > > >
> > > > > http: - "put" and "delete" are little-used methods on the web.
> > > >
> > > > Well, yeah, since there's basically no way to use them. This is
> > > > partly intended to address this.
> > >
> > > In theory you could use them through XMLHttpRequest, if that were
> > > specified as allowed I think it would be more useful than allowing
> > > them as form submission methods.
> > That's specified as allowed already.
> So you think they should be left in? It wouldn't be an unreasonable
> burden to implement these so I'm willing to withdraw my objection if no
> one else thinks it is a problem.
I think it would be useful (especially PUT, and especially in conjunction
with the file-upload thing). As you say, it shouldn't be that hard to
implement -- in fact, for PUT it's exactly the same behaviour as for POST,
just with a different method name, and for DELETE you totally ignore the
form data set.
> > Fair enough for the other protocols, but in the case of data:, it
> > would actually be really useful from a debugging persective to be able
> > to get ahold of the form submission data. Given how easy the
> > definition for data: is to implement, do you still object to it?
> No strong objection, although the usefulness of this behavior seems
> limited and it would have to be a special case in the code.
Yes, and yes. The usefulness is mostly limited to debugging, but the
implementation burden should be small.
> > > "Untrusted content" is unclear. It implies the existence of
> > > something that isn't "untrusted content", i.e. "trusted content".
> > > Where is that defined? I do not believe it is defined anywhere, in
> > > which case specifying its behavior seems non-useful.
> > I have rephrased this sentence.
> I think this section is still somewhat problematic because a reasonable
> behavior is to allow "get" posts to "file:" URLs from a local file
> document that is not marked trusted in any special way, as such a
> document can already do normal "file:" URL loads anyway through other
Um, they shouldn't be able to. Or at least, in many UAs they can't.
> And this is much less risky than allowing execution of prgrams or
> writing/deleting of files.
Depends on what file you allow access to (/dev/mouse?)
> However, ignoring the method in this case would put UAs in conflict with
> this non-normative section, so at minimum it seems they would have to
> change to disallow "post", "put" and "delete" entirely or be in conflict
> with this section. I'm not even sure if considering some content only
> "trusted" enough for one of the four columns would satisfy this section.
> But this does not seem like a very serious problem, now that the section
> is non-normative.
Right -- the entire section is non-normative so you can't be in conflict
> > > Well, submission behavior is also unspecified for "gopher:", "sip:",
> > > "nfs:", and so forth. I do not think it is the spec's job to list
> > > every URI scheme.
> > No, but it's the spec's job to answer questions from implementors as
> > to exactly what they are supposed to do when the user submits a form
> > to a protocol they support. The protocols listed were those most
> > likely to be encountered.
> Agreed, but this is difficult when the URI scheme is not properly
> defined yet.
sms: and smsto: are gone.
> > http://whatwg.org/specs/web-forms/current-work/#methodAndEnctypes
> I like most of the changes. I will review the revised file upload
> behavior and comment on that. I would also like to review the "data:"
> behavior in more detail to see if it seems appropriate. Other than that,
> I feel my concerns have been addressed, and I'll get back to you on the
> two points above.
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
More information about the whatwg