[whatwg] <a href="" ping="">
ian at hixie.ch
Wed Oct 26 11:40:47 PDT 2005
On Tue, 25 Oct 2005, Charles Iliya Krempeaux wrote:
> With web browsers, there are only 2 ways of doing a POST. (At least
> only 2 ways I can think up right now :-) )
> #1 is though an HTML form. When a user submits an HTML form, they are
> fully aware of it. And the browser has a chance to tell the user they
> are POST'ing to another domain. (Which could be a social hack attempt.)
> #2 is with XmlHttpRequest. But XmlHttpRequest isn't able to access
> other sites AFAIK... so this kind of thing isn't an issue with it.
#3 -- combine #1 with script, so the user isn't aware of it.
> Conceptually (at least from my point-of-view) POST'ing is suppose to
> require a user's approval. (XmlHttpRequest kind of gets around that
> requirement, but you are NOT allowed cross-domain access via
> XmlHttpRequest, so it is actually not a problem.) Developers should
> feel safe in the assumption that mutable operations on their site will
> not happen without the user knowing about it (due to their browser
> telling them).
That might be a good ideal, but in practice it is not the case.
Also, bear in mind that the POST done from a ping="" is content-free.
There are no POST arguments or anything, so you can't send arbitrary data
to have something happen (unless the server side has a bug and treats the
GET arguments as POST arguments, I guess).
> To get around this whole issue we could just use a totally new HTTP
> method (other than "GET" or "POST"). Maybe "PING".
I think we'll draw the line at extending HTTP. We're in hot enough water
extending HTML and the DOM...
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
More information about the whatwg