Re: Feedback on the ping="" attribute (ISSUE-1)

Boris Zbarsky wrote:
> Julian Reschke wrote:
>> I don't see anything in Amazon, for instance, being a link but unsafe.
> 
> As I always tell my students, a single example does not a proof make.

That's a widely known site that almost everybody knows.

Can you point to a widely used site that violates that principle?

> ...
>> How can it be not on purpose? It's not trivial to hide a POST behind a 
>> text link.
> 
> Sure it is.  <a onclick="form.submit()">.

Should have said "with scripting turned off".

> ...
> I think you're trying to get the door closed after the horse escaped and 
> the barn burned down....

Well. I think that when we design new protocols or languages, saying 
"it's already broken, let's continue to add more stuff like that" is the 
wrong approach. But maybe it's just me.

Best regards, Julian

Received on Friday, 9 November 2007 09:41:17 UTC