[whatwg] <a href="" ping="">

Jasper Bryant-Greene jasper at album.co.nz
Fri Oct 21 23:39:30 PDT 2005 

On Fri, 2005-10-21 at 23:34 -0700, S. Mike Dierken wrote:
> > 
> > It definitely should be a POST, because the action performed by it is not
> idempotent. See [1].
> I agree is seems logical to use POST - the actual URI being visited by the
> user likely would be in the content body (although a request header similar
> to Referer could be used) and no state from the server is being retrieved,
> but it still bugs me. Maybe I'm just reacting to the (lack of) privacy
> issue.

See below.

> > [1] http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.1.2
> 
> Section 9.1.1 - "...allow the user to be aware of any actions they might
> take which may have an unexpected significance..."
> "...This allows user agents to represent other methods, such as POST, PUT
> and DELETE, in a special way, so that the user is made aware of the fact
> that a possibly unsafe action is being requested."
> 
> Will the user-agent represent these links in a special way, so the user is
> made aware of the fact that a possibly unsafe action is being requested?

I think the issue is how this action can possibly be unsafe.

> > I would say it's OK to send a POST as a side effect because 
> > it's going to an URL where the developer expects a POST. 
> But that's not what the user clicking the link expects.

It has no effect on them. It merely allows the website owner to track
their clicks in the same way they already do with redirects.

> > If you can come up with a reason why it's not safe, I'd like to hear it.
> My initial reaction was to be concerned about a malicious link that
> triggered a POST for a resource that becomes modified or deleted - like
> href="http://www.flickr.com/photos/dierken/?delete=39177102&magic_cookie=528
> 479cac210fc6z837c0ac708334fe6"

I would certainly hope that Flickr requires authentication before an URL
like that had any effect, in which case the developer of the website
would only be able to delete their own photos, or photos of those whom
they had stolen the authentication details for. This is not exactly a
new problem.

> (Those freaking blockheads at Flickr just
> deleted my picture when I pasted that URI into the browser window. Losers -
> when will they realize that an anchor is not a UI widget. Thank goodness
> that I don't have a pre-fetch utility running or I'd lose all my vacation
> photos.)
> 
> But of course anybody that can cause that extra attribute to appear on an
> anchor, likely has enough control to do some damage anyway.

Exactly. If Flickr wanted to delete your photos, I don't think they'd
bother to try to fool you into clicking on a link. They'd just delete
them.

-- 
Jasper Bryant-Greene
General Manager
Album Limited

e: jasper at album.co.nz
w: http://www.album.co.nz/
p: 0800 4 ALBUM (0800 425 286) or +64 21 232 3303
a: PO Box 579, Christchurch 8015, New Zealand

More information about the whatwg mailing list