[whatwg] [WF2] form submission protocols and methods

Ian Hickson ian at hixie.ch
Mon Dec 19 18:19:23 PST 2005


On Mon, 19 Dec 2005, Maciej Stachowiak wrote:
> > >
> > > I think this section is still somewhat problematic because a 
> > > reasonable behavior is to allow "get" posts to "file:" URLs from a 
> > > local file document that is not marked trusted in any special way, 
> > > as such a document can already do normal "file:" URL loads anyway 
> > > through other mechanisms.
> > 
> > Um, they shouldn't be able to. Or at least, in many UAs they can't.
> 
> Do you know of UAs that will prevent a file: URL document from loading another
> file: URL in a frame or iframe?

Sorry, I misunderstood. I thought you meant http->file, not file->file.


> Or apply any restrictions to scripting access to the resulting document. 
> I don't know of any that will.

Windows IE by default will disable script altogether in file: files. I 
haven't tested, but my understanding is that Windows IE will prevent 
"cross-domain" things on local file:s too, using a "magic comment" in the 
head to determine the "domain".


> Form submission to a file: URL with the get method doesn't afford any 
> new avenues of attack that this capability doesn't.

I understand what you mean.


> > > And this is much less risky than allowing execution of programs or 
> > > writing/deleting of files.
> > 
> > Depends on what file you allow access to (/dev/mouse?)
> 
> I don't think reading /dev/mouse will specifically do anything bad, but 
> I see your point.

There are definitely /dev/ resources that will cause all kinds of bad 
things if you attempt to read them, at least on some systems.


Anyway, this is all mostly out of scope, the spec's section now is 
non-normative and merely suggests something which (IMHO at least) could be 
useful for developers without requiring that it be enabled by default.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'


