- From: Ian Hickson <ian@hixie.ch>
- Date: Mon, 5 Nov 2007 23:12:38 +0000 (UTC)
- To: Mark Baker <distobj@acm.org>, Julian Reschke <julian.reschke@gmx.de>
- Cc: HTML WG List <public-html@w3.org>

On Sun, 4 Nov 2007, Mark Baker wrote:
> > >
> > > So it seems it would be good to clarify whether following an audited
> > > link is safe (in HTTP terminology) or not.
> > >
> > > If it is, it should use a safe method.
> >
> > If the entire HTTP request and response transaction is safe, then it
> > doesn't matter what method we use, since using an explicitly "safe"
> > method wouldn't make the transaction any safer (in the HTTP sense).
>
> You appear to be confusing two different things, Ian. When we say that
> an HTTP message is "safe", we're using the word to refer to the meaning
> of the message.

In that case I don't understand what we are discussing. Could you define the terms in more detail?

On Sun, 4 Nov 2007, Julian Reschke wrote:
> > >
> > > Please educate me: how do I silently do a POST without having
> > > scripting enabled?
> >
> > Try test.html in this directory:
> >
> > http://damowmow.com/playground/demos/http/002/
>
> For the record; I was expecting something more spectacular :-) I don't
> think this qualifies as "silently", because you're tricking the user to
> click on something that looks like a link, but isn't.

It causes a post which the user isn't expecting, and it can post arbitrary content. It's far worse than ping="" ever would be, and there's not really any chance of us removing support for it.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Monday, 5 November 2007 23:12:49 UTC