- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Thu, 08 Nov 2007 11:47:00 -0600
- To: Thomas Broyer <t.broyer@gmail.com>
- CC: public-html@w3.org
Thomas Broyer wrote:
> Take a look at what browsers are
> doing: when you first use a <form method=POST> the browser tells you
> you're about to send information to a server and asks you whether
> you're OK to continue.

Really? Firefox 2 puts up that dialog the first time you perform any form submission, whether GET or POST, to a non-https URI. It's a "sending form data insecurely" dialog, not a "sending POST" dialog. Firefox 3 will default this dialog to off, for what it's worth.

Safari doesn't prompt at all for any of this stuff as far as I can tell. Opera 9 seems to behave like Firefox 2. I don't have IE on hand to test with.

> So, why couldn't it be the same with ping-enabled links? The first
> time the user clicks such a link, the browser tells her she's about to
> tell a tier she's following this link, that this could be used to
> remunerate one or both the parties involved, make statistics, etc. and
> asks her whether she's OK to do the ping; with an option (check-box)
> to configure the browser not to prompt her the next time she clicks a
> ping-enabled link.

Please read http://www.cs.auckland.ac.nz/~pgut001/pubs/phishing.pdf if you haven't yet. It summarizes the situation with security dialogs well.

-Boris
Received on Thursday, 8 November 2007 17:49:55 UTC