[whatwg] element "img" with HTTP POST method

Tab Atkins Jr. jackalmage at gmail.com
Thu Dec 9 16:46:47 PST 2010


On Thu, Dec 9, 2010 at 11:01 AM, Adam Barth <w3c at adambarth.com> wrote:
> We've seen use cases for a similar feature for iframes and hyperlinks.
>  For example:
>
> <a href="/logout" post-data>Logout</a>
>
> would be more semantically correct than just <a
> href="/logout">Logout</a> because it would generate a POST instead of
> a GET.

Why wouldn't <form method=post
action=/logout><button>Logout</button></form> work, with some CSS to
make it look like a link if you wanted that?


On Thu, Dec 9, 2010 at 11:41 AM, Philipp Serafin <phil127 at gmail.com> wrote:
> There are quite a number of older web forums that sanitize their HTML using black lists and would not strip new attributes like "post-data". For malicious users, it would be very easy to include e.g. <img src="./do_post.php" post-data="thread_id=42&post_content=Go visit (some spam URL)"> in their signature and have users doing involuntary posts by simply viewing a thread.

Indeed.  You shouldn't be able to trigger POSTs from involuntary
actions.  They should always require some sort of user input, because
there is simply *far* too much naive code out there that is vulnerable
to CSRF.

~TJ
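
The sanitizer gap raised in the quoted reply above, as an added example that is not part of the original message: a blacklist attribute filter passes an attribute it has never heard of, while an allowlist filter drops it. The policy tables, function names and the extra `onerror` attribute in the sample are assumptions constructed for this illustration.

```python
from html import escape
from html.parser import HTMLParser

# Assumed signature policy (constructed for this example, not from any real forum).
ALLOWED = {"a": {"href"}, "img": {"src", "alt"}, "b": set(), "i": set()}
BLOCKED_ATTRS = {"onclick", "onerror", "onload", "style"}  # a typical blacklist
VOID = {"img"}  # elements that take no end tag

class _Sanitizer(HTMLParser):
    """Re-emits permitted tags; keep_attr(tag, name) decides each attribute."""
    def __init__(self, keep_attr):
        super().__init__(convert_charrefs=True)
        self.keep_attr = keep_attr
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # unknown elements are dropped, their text is kept
        kept = [(k, v or "") for k, v in attrs if self.keep_attr(tag, k)]
        rendered = "".join(f' {k}="{escape(v, quote=True)}"' for k, v in kept)
        self.out.append(f"<{tag}{rendered}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def _run(markup, keep_attr):
    parser = _Sanitizer(keep_attr)
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)

def sanitize_blacklist(markup):
    # Removes only attributes known to be dangerous when the list was written.
    return _run(markup, lambda tag, attr: attr not in BLOCKED_ATTRS)

def sanitize_allowlist(markup):
    # Keeps only attributes named in the policy; new ones never get through.
    # URL scheme checks on href/src are out of scope for this sketch.
    return _run(markup, lambda tag, attr: attr in ALLOWED[tag])

# The signature from the thread, plus a constructed onerror attribute.
SIGNATURE = ('<img src="./do_post.php" onerror="f()" '
             'post-data="thread_id=42&post_content=Go visit (some spam URL)">')

if __name__ == "__main__":
    print("blacklist:", sanitize_blacklist(SIGNATURE))
    print("allowlist:", sanitize_allowlist(SIGNATURE))
```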


