[whatwg] [WF2] form submission protocols and methods

Ian Hickson ian at hixie.ch
Mon Dec 19 14:40:21 PST 2005

On Mon, 12 Dec 2005, Maciej Stachowiak wrote:
> > > > > 
> > > > > http: - "put" and "delete" are little-used methods on the web.
> > > > 
> > > > Well, yeah, since there's basically no way to use them. This is 
> > > > partly intended to address this.
> > > 
> > > In theory you could use them through XMLHttpRequest, if that were 
> > > specified as allowed I think it would be more useful than allowing 
> > > them as form submission methods.
> > 
> > That's specified as allowed already.
> So you think they should be left in? It wouldn't be an unreasonable 
> burden to implement these so I'm willing to withdraw my objection if no 
> one else thinks it is a problem.

I think it would be useful (especially PUT, and especially in conjunction 
with the file-upload thing). As you say, it shouldn't be that hard to 
implement -- in fact, for PUT it's exactly the same behaviour as for POST, 
just with a different method name, and for DELETE you totally ignore the 
form data set.

> > Fair enough for the other protocols, but in the case of data:, it 
> > would actually be really useful from a debugging persective to be able 
> > to get ahold of the form submission data. Given how easy the 
> > definition for data: is to implement, do you still object to it?
> No strong objection, although the usefulness of this behavior seems 
> limited and it would have to be a special case in the code.

Yes, and yes. The usefulness is mostly limited to debugging, but the 
implementation burden should be small.

> > > "Untrusted content" is unclear. It implies the existence of 
> > > something that isn't "untrusted content", i.e. "trusted content". 
> > > Where is that defined? I do not believe it is defined anywhere, in 
> > > which case specifying its behavior seems non-useful.
> > 
> > I have rephrased this sentence.
> I think this section is still somewhat problematic because a reasonable 
> behavior is to allow "get" posts to "file:" URLs from a local file 
> document that is not marked trusted in any special way, as such a 
> document can already do normal "file:" URL loads anyway through other 
> mechanisms.

Um, they shouldn't be able to. Or at least, in many UAs they can't.

> And this is much less risky than allowing execution of prgrams or 
> writing/deleting of files.

Depends on what file you allow access to (/dev/mouse?)

> However, ignoring the method in this case would put UAs in conflict with 
> this non-normative section, so at minimum it seems they would have to 
> change to disallow "post", "put" and "delete" entirely or be in conflict 
> with this section. I'm not even sure if considering some content only 
> "trusted" enough for one of the four columns would satisfy this section.
> But this does not seem like a very serious problem, now that the section 
> is non-normative.

Right -- the entire section is non-normative so you can't be in conflict 
with it.

> > > Well, submission behavior is also unspecified for "gopher:", "sip:", 
> > > "nfs:", and so forth. I do not think it is the spec's job to list 
> > > every URI scheme.
> > 
> > No, but it's the spec's job to answer questions from implementors as 
> > to exactly what they are supposed to do when the user submits a form 
> > to a protocol they support. The protocols listed were those most 
> > likely to be encountered.
> Agreed, but this is difficult when the URI scheme is not properly 
> defined yet.

sms: and smsto: are gone.

> >    http://whatwg.org/specs/web-forms/current-work/#methodAndEnctypes
> I like most of the changes. I will review the revised file upload 
> behavior and comment on that. I would also like to review the "data:" 
> behavior in more detail to see if it seems appropriate. Other than that, 
> I feel my concerns have been addressed, and I'll get back to you on the 
> two points above.

Great, thanks.

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

More information about the whatwg mailing list