[whatwg] <a href="" ping="">
Ian Hickson
ian at hixie.ch
Wed Oct 26 11:40:47 PDT 2005
On Tue, 25 Oct 2005, Charles Iliya Krempeaux wrote:
>
> With web browsers, there are only 2 ways of doing a POST. (At least
> only 2 ways I can think up right now :-) )
>
> #1 is through an HTML form. When a user submits an HTML form, they are
> fully aware of it. And the browser has a chance to tell the user they
> are POST'ing to another domain. (Which could be a social hack attempt.)
>
> #2 is with XmlHttpRequest. But XmlHttpRequest isn't able to access
> other sites AFAIK... so this kind of thing isn't an issue with it.
#3 -- combine #1 with script, so the user isn't aware of it.
> Conceptually (at least from my point-of-view) POST'ing is supposed to
> require a user's approval. (XmlHttpRequest kind of gets around that
> requirement, but you are NOT allowed cross-domain access via
> XmlHttpRequest, so it is actually not a problem.) Developers should
> feel safe in the assumption that mutable operations on their site will
> not happen without the user knowing about it (due to their browser
> telling them).
That might be a good ideal, but in practice it is not the case.
Also, bear in mind that the POST done from a ping="" is content-free.
There are no POST arguments or anything, so you can't send arbitrary data
to have something happen (unless the server side has a bug and treats the
GET arguments as POST arguments, I guess).
> To get around this whole issue we could just use a totally new HTTP
> method (other than "GET" or "POST"). Maybe "PING".
I think we'll draw the line at extending HTTP. We're in hot enough water
extending HTML and the DOM...
--
Ian Hickson                                      U+1047E
http://ln.hixie.ch/                              U+263A
Things that are impossible just take longer.