[whatwg] <a href="" ping="">

Jasper Bryant-Greene jasper at album.co.nz
Tue Oct 25 14:36:15 PDT 2005

On Tue, 2005-10-25 at 14:24 -0700, Charles Iliya Krempeaux wrote:
> With web browsers, there are only 2 ways of doing a POST.  (At least
> only 2 ways I can think up right now :-)  )
> #1 is though an HTML form.  When a user submits an HTML form, they are
> fully aware of it.  And the browser has a chance to tell the user they
> are POST'ing to another domain.  (Which could be a social hack
> attempt.)

Yes, but look:

<form action="http://example.com/delete" method="post" id="deleteForm">
	<input type="hidden" name="photoID" id="93872">
	<input type="hidden" name="sid" id="oihsd8f9u238f3feswfsdf">

<script type="text/javascript">
	window.onload = function() {

No current browser I tested displays a warning. Most display it once,
the first time a POST is actioned after the browser is installed, but
default to never displaying it again.

It would only be an issue if the website sending the above code could
somehow find out the user's session ID (sid) on example.com. Which, if
everything works as it should, it can't.

Jasper Bryant-Greene
General Manager
Album Limited

e: jasper at album.co.nz
w: http://www.album.co.nz/
p: 0800 4 ALBUM (0800 425 286) or +64 21 232 3303
a: PO Box 579, Christchurch 8015, New Zealand

More information about the whatwg mailing list