
GET becoming unsafe?

From: David Orchard <orchard@pacificspirit.com>
Date: Wed, 3 Jun 2009 11:29:34 -0700
Message-ID: <2d509b1b0906031129yb1fc0a8p76b827468b715613@mail.gmail.com>
To: Technical Architecture Group WG <www-tag@w3.org>

I saw some discussion from the TAG minutes about cross-site scripting
and GET's perhaps becoming viewed as unsafe.

While not quite the example of the GET resulting in POST, our mobile
web based apps are never performing POST because of cross-site
scripting restrictions so we use GET for all operations.  As I've
mentioned before, this pains me.

The interesting problem is that our mobile application is a browser
based app using PhoneGap.  PhoneGap allows us to do cross platform
mobile development using web technologies.  The application is a
bundle of PhoneGap + all our code.  We can access all the device
specific information, such as location using an API.  This is no
different from native code.  Thus the browser sandbox, specifically
cross-site, is completely inappropriate for an app that uses an
embedded browser.  Yet we have to deal with it so it's all GET.

There's some irony that doing cross platform web based development
using html, javascript, etc. requires breaking one of the crucial
foundations of Web Arch.

Cheers,
Dave
Received on Wednesday, 3 June 2009 18:30:07 GMT
