Re: DOM Level 2 HTML form.submit() safety / security

From: Anne van Kesteren <annevk@opera.com>
Date: Thu, 20 Apr 2006 22:08:21 +0200
To: "Mark Nottingham" <mnot@mnot.net>
Cc: www-dom@w3.org
Message-ID: <op.s8bov70b64w2qv@id-c0020.oslo.opera.com>

On Thu, 20 Apr 2006 17:10:20 +0200, Mark Nottingham <mnot@mnot.net> wrote:
> I would suggest that the remedy is to add a note or security  
> considerations section, to the effect that unsafe requests (e.g., POST)  
> generated from HtmlFormElement.submit() MUST be authorised by the user.

I hope you mean this only for cross-domain stuff, otherwise it doesn't make
much sense. You could do the same with XMLHttpRequest, for example, and you
really wouldn't want such requests to be authorised by the user.

(I also wonder what the value of having it controlled by the user is; it's
just another dialog they will quickly learn to ignore.)

Anne van Kesteren
Received on Thursday, 20 April 2006 20:08:32 UTC