W3C home > Mailing lists > Public > www-dom@w3.org > April to June 2006

Re: DOM Level 2 HTML form.submit() safety / security

From: Joseph Kesselman <keshlam@us.ibm.com>
Date: Thu, 20 Apr 2006 16:24:34 -0400
To: Mark Nottingham <mnot@mnot.net>
Cc: "Anne van Kesteren" <annevk@opera.com>, www-dom@w3.org, www-dom-request@w3.org
Message-ID: <OF4B29D0BF.F1D83A2F-ON85257156.006FCBE3-85257156.00701CDE@us.ibm.com>

The definition of submit() in the DOM HTML 2.0 spec says only "Submits the
form. It performs the same action as a submit button."

Seems to me that this means the DOM implementation is free to implement
security checks on form submission, and have them applied here. The only
question seems to be whether there should be *additional* constraints. I
would submit that since the nature of those constraints is out of the DOM's
control, their existance is out of the scope of the DOM spec; take it up
with whoever's standardizing browser behaviors.

"... Three things are most perilous: Connectors that corrode,
  Unproven algorithms, and self-modifying code! ..."
  -- "Threes" Rev 1.1 - Duane Elms / Leslie Fish
Received on Thursday, 20 April 2006 20:36:10 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 20 October 2015 10:46:13 UTC