Re: Feedback on the ping="" attribute (ISSUE-1)

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Thu, 08 Nov 2007 11:47:00 -0600
Message-ID: <47334B94.6080401@mit.edu>
To: Thomas Broyer <t.broyer@gmail.com>
CC: public-html@w3.org

Thomas Broyer wrote:
> Take a look at what browsers are
> doing: when you first use a <form method=POST> the browser tells you
> you're about to send information to a server and asks you whether
> you're OK to continue.

Really?

Firefox 2 puts up that dialog the first time you perform any form 
submission, whether GET or POST, to a non-https URI.  It's a "sending 
form data insecurely" dialog, not a "sending POST" dialog.

Firefox 3 will default this dialog to off, for what it's worth.

Safari doesn't prompt at all for any of this stuff as far as I can tell.

Opera 9 seems to behave like Firefox 2.

I don't have IE on hand to test with.

> So, why couldn't it be the same with ping-enabled links? The first
> time the user clicks such a link, the browser tells her she's about to
> tell a tier she's following this link, that this could be used to
> remunerate one or both the parties involved, make statistics, etc. and
> asks her whether she's OK to do the ping; with an option (check-box)
> to configure the browser not to prompt her the next time she clicks a
> ping-enabled link.

Please read http://www.cs.auckland.ac.nz/~pgut001/pubs/phishing.pdf if 
you haven't yet.  It summarizes the situation with security dialogs well.

-Boris
Received on Thursday, 8 November 2007 17:49:55 UTC
