W3C home > Mailing lists > Public > whatwg@whatwg.org > December 2010

[whatwg] element "img" with HTTP POST method

From: Tab Atkins Jr. <jackalmage@gmail.com>
Date: Thu, 9 Dec 2010 18:42:49 -0800
Message-ID: <AANLkTimFhsc1uczWN-=S0mdWNc3oim3VQsz+wsWER+CH@mail.gmail.com>
On Thu, Dec 9, 2010 at 6:26 PM, Adam Barth <w3c at adambarth.com> wrote:
> On Thu, Dec 9, 2010 at 4:46 PM, Tab Atkins Jr. <jackalmage at gmail.com> wrote:
>> On Thu, Dec 9, 2010 at 11:01 AM, Adam Barth <w3c at adambarth.com> wrote:
>>> We've seen use cases for a similar feature for iframes and hyperlinks.
>>> ?For example:
>>>
>>> <a href="/logout" post-data>Logout</a>
>>>
>>> would be more semantically correct that just <a
>>> href="/logout">Logout</a> because it would generate a POST instead of
>>> a GET.
>>
>> Why wouldn't <form method=post
>> action=/logout><button>Logout</button></form> work, with some CSS to
>> make it look like a link if you wanted that?
>
> It's too much work. ?:)

But it's no work on your part.  ^_^


>> On Thu, Dec 9, 2010 at 11:41 AM, Philipp Serafin <phil127 at gmail.com> wrote:
>>> There are quite a number of older web forums that sanitize their HTML using black lists and would not strip new attributes like "post-data". For malicious users, it would be very easy to include e.g. <img src="./do_post.php" post-data="thread_id=42&post_content=Go visit (some spam URL)"> in their signature and have users doing involuntary posts by simply viewing a thread.
>>
>> Indeed. ?You shouldn't be able to trigger POSTs from involuntary
>> actions. ?They should always require some sort of user input, because
>> there is simply *far* too much naive code out there that is vulnerable
>> to CSRF.
>
> Unfortunately, the attacker can already trigger POSTs with involuntary
> actions. ?That code is already vulnerable attack, sadly.

Via scripting, yes, which is usually stripped out by sanitizers (or
just plain doesn't work, like javascript urls in images).  I don't
believe there are any declarative ways to trigger involuntary POSTs,
are there?

~TJ
Received on Thursday, 9 December 2010 18:42:49 UTC

This archive was generated by hypermail 2.3.1 : Monday, 13 April 2015 23:09:02 UTC