W3C home > Mailing lists > Public > www-dom@w3.org > April to June 2006

Re: DOM Level 2 HTML form.submit() safety / security

From: Mark Nottingham <mnot@mnot.net>
Date: Thu, 20 Apr 2006 13:42:31 -0700
Message-Id: <704BC795-B4A6-421E-A7AA-52EB095EA88C@mnot.net>
Cc: www-dom@w3.org
To: Joseph Kesselman <keshlam@us.ibm.com>

Well, the spec references HTML forms, which are themselves limited to  
two HTTP methods; GET and POST. So, it is very in-scope.

In theory the requirements are inherited and therefore no further  
specification is required, but in practice people didn't realise the  
implications of form.submit() until it was too late.

A note in errata would do the trick, I imagine; reminding  
implementers of the impact of referenced spec's requirements is a  
common pattern.


On 2006/04/20, at 1:24 PM, Joseph Kesselman wrote:

> The definition of submit() in the DOM HTML 2.0 spec says only  
> "Submits the
> form. It performs the same action as a submit button."
> Seems to me that this means the DOM implementation is free to  
> implement
> security checks on form submission, and have them applied here. The  
> only
> question seems to be whether there should be *additional*  
> constraints. I
> would submit that since the nature of those constraints is out of  
> the DOM's
> control, their existance is out of the scope of the DOM spec; take  
> it up
> with whoever's standardizing browser behaviors.
> ______________________________________
> "... Three things are most perilous: Connectors that corrode,
>   Unproven algorithms, and self-modifying code! ..."
>   -- "Threes" Rev 1.1 - Duane Elms / Leslie Fish
> (http://www.ovff.org/pegasus/songs/threes-rev-11.html)

Mark Nottingham     http://www.mnot.net/
Received on Thursday, 20 April 2006 20:42:55 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 20 October 2015 10:46:13 UTC