Re: Feedback on the ping="" attribute (ISSUE-1)

On Sun, 4 Nov 2007, Mark Baker wrote:
> > >
> > > So it seems it would be good to clarify whether following an audited 
> > > link is safe (in HTTP terminology) or not.
> > >
> > > If it is, it should use a safe method.
> >
> > If the entire HTTP request and response transaction is safe, then it 
> > doesn't matter what method we use, since using an explicitly "safe" 
> > method wouldn't make the transaction any safer (in the HTTP sense).
> 
> You appear to be confusing two different things, Ian.  When we say that 
> an HTTP message is "safe", we're using the word to refer to the meaning 
> of the message.

In that case I don't understand what we are discussing. Could you define 
the terms in more detail?


On Sun, 4 Nov 2007, Julian Reschke wrote:
> > >
> > > Please educate me: how do I silently do a POST without having 
> > > scripting enabled?
> > 
> > Try test.html in this directory:
> > 
> >    http://damowmow.com/playground/demos/http/002/
> 
> For the record; I was expecting something more spectacular :-) I don't 
> think this qualifies as "silently", because you're tricking the user to 
> click on something that looks like a link, but isn't.

It causes a post which the user isn't expecting, and it can post arbitrary 
content. It's far worse than ping="" ever would be, and there's not really 
any chance of us removing support for it.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
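Ian's point that a form submission can post arbitrary content, while an audited link only ever sends a fixed beacon, translates directly into what a receiving endpoint should accept. The following is an added example written for this archive page; it is not code from the thread, from Ian Hickson or from any W3C specification. It models a ping receiver that does nothing but append an audit record: it accepts only the fixed beacon shape, never acts on the body, and rejects anything else. The header names Ping-From and Ping-To, the text/ping content type and the body PING are those of the HTML specification's ping mechanism and are not described on this page; requiring the Ping-From origin to match `allowed_origin` is this example's own policy choice.

```python
"""Receiver for <a ping=""> audit beacons that treats them as side-effect-free.

The only state change is appending an AuditRecord to a log, so the request
behaves like a "safe" request in the HTTP sense even though the method is POST.
Header and body conventions (Ping-From, Ping-To, text/ping, body "PING") are
assumed from the HTML specification's ping mechanism.
"""
from dataclasses import dataclass
from typing import Mapping, Optional, Tuple
from urllib.parse import urlsplit

PING_BODY = b"PING"
PING_CONTENT_TYPE = "text/ping"


@dataclass(frozen=True)
class AuditRecord:
    """One accepted click beacon: where the user clicked, and what they followed."""
    ping_from: Optional[str]
    ping_to: str


def _media_type(content_type: str) -> str:
    """Strip parameters such as charset from a Content-Type value."""
    return content_type.split(";", 1)[0].strip().lower()


def handle_ping(
    method: str,
    headers: Mapping[str, str],
    body: bytes,
    allowed_origin: str = "http://shop.example",  # constructed sample origin
) -> Tuple[int, Optional[AuditRecord]]:
    """Validate a beacon and return (HTTP status, record or None).

    Anything that is not exactly a ping beacon is refused before any logging
    happens, so a form submission with an arbitrary body is never recorded.
    """
    h = {k.lower(): v for k, v in headers.items()}

    # Ping is defined as a POST; a GET here would be cacheable and prefetchable,
    # which would make the audit trail meaningless.
    if method.upper() != "POST":
        return 405, None

    # A browser form cannot produce text/ping, so this check alone excludes
    # the "button styled as a link" trick discussed in the thread.
    if _media_type(h.get("content-type", "")) != PING_CONTENT_TYPE:
        return 415, None

    # The body is compared, never parsed or stored: arbitrary content is dropped.
    if body != PING_BODY:
        return 400, None

    ping_to = h.get("ping-to")
    if not ping_to:
        return 400, None

    # Ping-From may be absent; when present it must name one of our own pages.
    ping_from = h.get("ping-from")
    if ping_from and urlsplit(ping_from).netloc != urlsplit(allowed_origin).netloc:
        return 403, None

    return 204, AuditRecord(ping_from=ping_from, ping_to=ping_to)


if __name__ == "__main__":
    # Constructed sample beacon as a conforming browser would send it.
    status, record = handle_ping(
        "POST",
        {"Content-Type": "text/ping", "Ping-From": "http://shop.example/catalog",
         "Ping-To": "http://partner.example/offer"},
        b"PING",
    )
    print(status, record)
```

The handler returns 204 with no response body because the beacon is fire-and-forget from the browser's point of view; the status codes for rejected requests are useful only to the server's own logs.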

Received on Monday, 5 November 2007 23:12:49 UTC