Re: XHR security risks

Boris Zbarsky wrote:
> 
> Charles McCathieNevile wrote:
>>> ... it exposes users to a potential security risk, and there's 
>>> nothing the user can do about it except disabling scripting. I think 
>>> that is a problem.
>>
>> SURE. That doesn't make it a bug per se. It also exposes the user to a 
>> bunch of functionality that they might appreciate. I think it's a 
>> decision to implement or not that way, and to use a user agent that 
>> does that or not. I would be surprised if desktop browsers for general 
>> release were so permissive.
> 
> All major desktop browsers allow form.submit() to happen with no user 
> confirmation.  And form.submit() is _very_ commonly used.

Well, what I'm concerned with is form.submit() and XHR/PUT/DELETE in 
things like onload events. Just because this works today doesn't mean 
it's ok from a systematic point of view.


Best regards, Julian

Received on Thursday, 8 June 2006 15:18:20 UTC