Re: Automatic Entry and Forms

Mike Wexler (mwexler@frame.com)
Fri, 23 Feb 1996 10:37:58 -0800


Message-Id: <9602231837.AA09950@orion>
To: Dan Delaney <dgdela01@homer.louisville.edu>
Cc: www-html@w3.org
Subject: Re: Automatic Entry and Forms 
In-Reply-To: Your message of "Fri, 23 Feb 1996 12:39:42 EST."
             <Pine.OSF.3.91.960223121018.3649C-100000@homer.louisville.edu> 
Date: Fri, 23 Feb 1996 10:37:58 -0800
From: Mike Wexler <mwexler@frame.com>

I'm all for having the ability to auto enter these common fields, but if you
think "the bad guys" are going to limit their ploys to get information 
that you don't want to give to using type="hidden", you're missing
a lot of other possibilities. What if somebody sets the background color
of their page to black and sets the foreground color of the type-in field
to black? You'll never see it. What if the form looks like it has only a 
few entries on it, but there are 10,000 blank lines followed by some
extra fields? I can think of several other ways to accomplish this.

This is probably beyond the scope of such a spec, but a browser could
do something like say 
	I'm about to fill in your name, address, city, state, zip,
	credit card number, expiration date, and social security number.
	If you press a submit button this information will be submitted
	to http://crime.org/cgi-bin/gotcha.pl. By the way, this 
	information will be sent over an unsecure link.
                
	       ---
               |X| Warn me again next time.
               ---

		<OK>  <CANCEL>  <HELP>  

> On Fri, 23 Feb 1996, Mary Holstege wrote:
> > those of us on the more paranoid side are instead imagining forms such as this
> >     <form action="/cgi-bin/laughing-all-the-way-to-bank">
> >         <input type="hidden" name="social-security-number">
> >         <input type="hidden" name="date-of-birth">
> >         <input type="hidden" name="visa-number">
> >         <input type="hidden" name="visa-expiration">
>
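
The disclosure dialog proposed in the message above, sketched as an added example (not code from either poster): before auto-filling, list every sensitive field, flag the ones the user cannot see, and report the destination and whether the link is unsecured. The field model, the `SENSITIVE` name list, the `FOLD_PX` threshold and the sample form are all constructed assumptions.

```javascript
// Added example: plain objects stand in for parsed form fields (no DOM needed).
// Field names, the threshold and the sample form are constructed.
const SENSITIVE = new Set(["name", "address", "visa-number", "visa-expiration",
                           "social-security-number", "date-of-birth"]);
const FOLD_PX = 2000; // assumed cut-off for "far below what the user sees"

// Return the reason a field is not visible to the user, or null if it is.
function hiddenReason(field, page) {
  if (field.type === "hidden") return "type=hidden";
  if (field.color.toLowerCase() === page.background.toLowerCase())
    return "text color equals background";
  if (field.offsetTop > FOLD_PX) return "far below the visible form";
  return null;
}

// Build the disclosure a browser would show before auto-filling the form.
function autofillDisclosure(form, page) {
  const target = new URL(form.action, page.url); // resolve relative action
  const fields = form.fields
    .filter((f) => SENSITIVE.has(f.name))
    .map((f) => ({ name: f.name, hidden: hiddenReason(f, page) }));
  return {
    destination: target.href,
    insecureLink: target.protocol !== "https:",
    fields,
    concealed: fields.filter((f) => f.hidden !== null).map((f) => f.name),
  };
}

// Constructed sample: the quoted hidden inputs plus the tricks from the message.
const samplePage = { url: "http://crime.org/order.html", background: "#000000" };
const sampleForm = {
  action: "/cgi-bin/gotcha.pl",
  fields: [
    { name: "name", type: "text", color: "#FFFFFF", offsetTop: 120 },
    { name: "social-security-number", type: "hidden", color: "#FFFFFF", offsetTop: 0 },
    { name: "visa-number", type: "text", color: "#000000", offsetTop: 160 },
    { name: "date-of-birth", type: "text", color: "#FFFFFF", offsetTop: 180000 },
    { name: "comment", type: "text", color: "#FFFFFF", offsetTop: 200 },
  ],
};

const report = autofillDisclosure(sampleForm, samplePage);
console.log(`Will submit to ${report.destination}` +
            (report.insecureLink ? " over an unsecured link" : ""));
for (const f of report.fields)
  console.log(`  ${f.name}${f.hidden ? "  [not visible: " + f.hidden + "]" : ""}`);
```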