
Re: DOM Level 2 HTML form.submit() safety / security

From: Mark Nottingham <mnot@mnot.net>
Date: Thu, 20 Apr 2006 13:15:21 -0700
Message-Id: <BC26EEA3-6301-4179-B673-E262A3B41D9D@mnot.net>
Cc: www-dom@w3.org
To: "Anne van Kesteren" <annevk@opera.com>

As I said, one way the user could give permission is to configure the
browser to allow same-site POSTs to be automatically submitted -- but
that should be the user's decision.

XmlHttpRequest isn't (yet) a W3C Recommendation; it's just an  
interface that a lot of people like. Part of the process of  
standardising it is to rationalise it with the Web architecture as  
well as good security practice -- as the Web API WG's charter requires.


On 2006/04/20, at 1:08 PM, Anne van Kesteren wrote:

> On Thu, 20 Apr 2006 17:10:20 +0200, Mark Nottingham <mnot@mnot.net>  
> wrote:
>> I would suggest that the remedy is to add a note or security  
>> considerations section, to the effect that unsafe requests (e.g.,  
>> POST) generated from HtmlFormElement.submit() MUST be authorised  
>> by the user.
> I hope you mean this only for cross-domain stuff otherwise it  
> doesn't make much sense. You could do the same with XMLHttpRequest  
> for example and you really wouldn't want such requests to be  
> authorised by the user.
> (I also wonder what the value of having it controlled by the user  
> is, it's just another dialog they will quickly learn to ignore.)
> -- 
> Anne van Kesteren
> <http://annevankesteren.nl/>
> <http://www.opera.com/>

Mark Nottingham     http://www.mnot.net/
Received on Thursday, 20 April 2006 20:15:29 UTC
