[whatwg] element "img" with HTTP POST method

Julian Reschke julian.reschke at gmx.de
Fri Dec 10 00:23:57 PST 2010


On 10.12.2010 01:46, Tab Atkins Jr. wrote:
> ...
> Indeed.  You shouldn't be able to trigger POSTs from involuntary
> actions.  They should always require some sort of user input, because
> there is simply *far* too much naive code out there that is vulnerable
> to CSRF.
> ...

Thanks, Tab.

It's sad that the discussion even got that far.

If the URI length is a problem because of browsers, fix the browsers to 
extend the limits, instead of adding a completely new feature.

Best regards, Julian


