
Re: XHR security risks

From: Julian Reschke <julian.reschke@gmx.de>
Date: Thu, 08 Jun 2006 17:18:12 +0200
Message-ID: <44883FB4.4050504@gmx.de>
To: Boris Zbarsky <bzbarsky@mit.edu>
CC: Charles McCathieNevile <chaals@opera.com>, Public Web API <public-webapi@w3.org>

Boris Zbarsky wrote:
> 
> Charles McCathieNevile wrote:
>>> ... it exposes users to a potential security risk, and there's 
>>> nothing the user can do about it except disabling scripting. I think 
>>> that is a problem.
>>
>> SURE. That doesn't make it a bug per se. It also exposes the user to a 
>> bunch of functionality that they might appreciate. I think it's a 
>> decision to implement or not that way, and to use a user agent that 
>> does that or not. I would be surprised if desktop browsers for general 
>> release were so permissive.
> 
> All major desktop browsers allow form.submit() to happen with no user 
> confirmation.  And form.submit() is _very_ commonly used.

Well, what I'm concerned with is form.submit() and XHR/PUT/DELETE in 
things like onload events. Just because this works today doesn't mean 
it's ok from a systematic point of view.


Best regards, Julian
Received on Thursday, 8 June 2006 15:18:20 GMT
