Hi David,

On 1/15/08, L. David Baron <dbaron@dbaron.org> wrote:
> > 2) He notes that while some particular resources may indeed interpret
> > empty body posts in the intended manner, others may not. If we understand
> > him correctly, Roy is suggesting that a malicious (or negligent) author
> > of Web pages with ping attributes could "trick" a user into causing such
> > a POST to be sent to a resource that would interpret it in ways that were
> > destructive.
>
> Does this introduce anything that form.submit() can't already do?

No, but it makes that bad practice (invoking form.submit() as the
direct result of a link click) more accessible to more developers.
That's not good.

BTW, I'm not against <a ping>, I'm just against the use of POST on the
ping URI - GET would be fine.

Mark.
--
Mark Baker. Ottawa, Ontario, CANADA. http://www.markbaker.ca
Coactus; Web-inspired integration strategies http://www.coactus.com

Received on Wednesday, 16 January 2008 03:37:38 GMT