W3C home > Mailing lists > Public > public-webapi@w3.org > June 2006

Re: XHR security risks

From: Boris Zbarsky <bzbarsky@mit.edu>
Date: Thu, 08 Jun 2006 10:10:12 -0500
Message-ID: <44883DD4.5050606@mit.edu>
To: Charles McCathieNevile <chaals@opera.com>
CC: Julian Reschke <julian.reschke@gmx.de>, Public Web API <public-webapi@w3.org>

Charles McCathieNevile wrote:
>> ... it exposes users to a potential security risk, and there's nothing 
>> the user can do about it except disabling scripting. I think that is a 
>> problem.
> 
> SURE. That doesn't make it a bug per se. It also exposes the user to a 
> bunch of functionality that they might appreciate. I think it's a 
> decision to implement or not that way, and to use a user agent that does 
> that or not. I would be surprised if desktop browsers for general 
> release were so permissive.

All major desktop browsers allow form.submit() to happen with no user 
confirmation.  And form.submit() is _very_ commonly used.

-Boris
Received on Thursday, 8 June 2006 15:10:25 GMT
