- From: Mark Baker <distobj@acm.org>
- Date: Sun, 25 Nov 2001 21:16:44 -0500 (EST)
- To: moore@cs.utk.edu (Keith Moore)
- Cc: dcrocker@brandenburg.com (Dave Crocker), dee3@torque.pothole.com (Donald E. Eastlake 3rd), discuss@apps.ietf.org

> > The resolution of some URI aren't safe. I saw an "aim:" URI scheme
> > recently that allowed resolution of a URI to send an AIM message. That
> > is a Bad Thing.
>
> I don't think it's inherently bad, any more than
> mailto:discuss-request@apps.ietf.org?Subject=subscribe
> is bad. What's bad is for client implementors to make it possible
> for "clicking" on such a URI (or having it appear in a script or
> image tag on a web page) to result in a message being sent
> without explicit user verification.

Absolutely, but that's exactly what I mean by safe; no side effects
upon resolution. mailto: is safe because 1) RFC 2368 defines semantics
that don't send the email, and 2) no implementation that I know about
automatically sends the email either.

MB
--
Mark Baker, Chief Science Officer, Planetfred, Inc.
Ottawa, Ontario, CANADA. mbaker@planetfred.com
http://www.markbaker.ca http://www.planetfred.com

Received on Sunday, 25 November 2001 21:19:11 UTC
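
The "no side effects upon resolution" rule discussed in this message, sketched as a client-side link dispatcher. This is an added example, not part of the original message or of any client named in the thread. The function names, the action labels, the list of retrieval-only schemes and the sample `aim:` value are assumptions made for illustration; the header allowlist follows the headers RFC 2368's security considerations describe as safe to prefill.

```python
from urllib.parse import urlsplit, unquote

# Assumption for this sketch: resolving these schemes only retrieves data.
RETRIEVAL_SCHEMES = {"http", "https", "ftp"}
# Headers a link is allowed to prefill in a draft.
DRAFT_HEADERS = {"subject", "keywords", "body"}


def mailto_draft(parts):
    """Turn a parsed mailto URI into an unsent draft. Nothing is transmitted."""
    draft = {"to": [unquote(parts.path)] if parts.path else [], "dropped": []}
    for field in filter(None, parts.query.split("&")):
        name, _, value = field.partition("=")
        name = unquote(name).lower()
        if name == "to":
            draft["to"].append(unquote(value))
        elif name in DRAFT_HEADERS:
            draft[name] = unquote(value)
        else:
            # Any other header (bcc, from, ...) is recorded, never prefilled.
            draft["dropped"].append(name)
    return draft


def activate(uri, user_confirmed=False):
    """Decide what activating a link does. Returns (action, detail).

    "fetch"    : plain retrieval
    "compose"  : open an unsent draft for the user to review and send
    "ask_user" : scheme may act on the user's behalf; prompt first
    "handoff"  : pass to the scheme's handler after explicit confirmation
    """
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme in RETRIEVAL_SCHEMES:
        return ("fetch", uri)
    if scheme == "mailto":
        return ("compose", mailto_draft(parts))
    if user_confirmed:
        return ("handoff", uri)
    return ("ask_user", uri)


if __name__ == "__main__":
    # The mailto URI is the one quoted in the message; the aim: value is constructed.
    print(activate("mailto:discuss-request@apps.ietf.org?Subject=subscribe"))
    print(activate("aim:constructed-example"))
```

The same default applies to a URI that arrives through a script or image tag: the dispatcher's result for an unconfirmed, non-retrieval scheme is a prompt, never an action.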