- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Sun, 28 Oct 2007 11:21:26 +0100
- To: Henri Sivonen <hsivonen@iki.fi>
- CC: Geoffrey Sneddon <foolistbar@googlemail.com>, HTML WG <public-html@w3.org>
Henri Sivonen wrote:
> On Oct 27, 2007, at 19:12, Julian Reschke wrote:
>
>> Geoffrey Sneddon wrote:
>>> Having read this entire thread, I don't see why anything is actually
>>> wrong. In this context the difference between GET and POST is
>>> negligible — both can technically be used to do what is desired,
>>> though using GET would be breaking RFC 2616 (or rather, breaking a
>>> SHOULD NOT). If we
>>
>> No, sorry, that's incorrect.
>>
>> If you want to do something silently (without the user's consent), you
>> simply have to use a safe method.
>
> So would you ban XHR POST and script-initiated form submissions?

I would want the XHR spec to clarify that it's not OK to initiate unsafe methods without the user's consent. I would also deprecate script-initiated form submissions from something like onload().

> The ping attribute does have the same security risks that cross-domain
> XHR POST with empty entity body would have if the access-control
> Method-Check weren't there. That is, if a POST handler has been
> programmed to trigger stuff on mere POST without a body, a malicious
> ping attribute could be used to trigger that action.
>
>> And if you consider the desired effect non-safe (which I don't), then
>> the consequence is that you just can't do it.
>
> It is about idempotent vs. non-idempotent and side effects.
>
> If you are counting ad impressions, clearly you don't want to
> a) count Google Web Accelerator (or similar) prefetches
> b) leave impressions uncounted due to an intermediate cache satisfying
> the request.

Yes. But the same problem can (and is) already used without "ping", and even if you use "ping", you still could do it with a safe method (HEAD/Cache-Control:no-cache).

Best regards, Julian
Received on Sunday, 28 October 2007 10:21:46 UTC
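Added example, not part of the original message or of any specification: a Python WSGI handler showing the two server-side points discussed in the thread, namely an unsafe action that does not fire on a bare POST without a body, and a counting endpoint served over a safe method with `Cache-Control: no-cache`. The paths `/count` and `/delete`, the token value, the status codes and the choice to set the header on the response are assumptions made for illustration.

```python
# Added example: standard library only; all names and values are constructed.
import hmac
from io import BytesIO
from urllib.parse import parse_qs

EXPECTED_TOKEN = "constructed-token-123"  # assumption: stands in for a per-session token
state = {"impressions": 0, "deleted": False}

def app(environ, start_response):
    method = environ["REQUEST_METHOD"]
    path = environ.get("PATH_INFO", "")
    if path == "/count" and method in ("GET", "HEAD"):
        # Counting through a safe method; no-cache tells caches not to
        # reuse the stored response without revalidating at the origin.
        state["impressions"] += 1
        start_response("204 No Content", [("Cache-Control", "no-cache")])
        return [b""]
    if path == "/delete" and method == "POST":
        # Unsafe action: a POST with no entity body (the case raised in
        # the thread for ping) carries no token and is refused.
        length = int(environ.get("CONTENT_LENGTH") or 0)
        raw = environ["wsgi.input"].read(length)
        form = parse_qs(raw.decode("ascii", "replace"))
        token = form.get("token", [""])[0]
        if not hmac.compare_digest(token.encode(), EXPECTED_TOKEN.encode()):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"missing or bad token\n"]
        state["deleted"] = True
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"deleted\n"]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found\n"]

def call(method, path, body=b""):
    """Drive the app with a constructed request; return (status, headers)."""
    captured = {}
    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path,
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": BytesIO(body)}
    b"".join(app(environ, start_response))
    return captured["status"], captured["headers"]

if __name__ == "__main__":
    print(call("POST", "/delete"))                       # body-less POST
    print(call("POST", "/delete", b"token=" + EXPECTED_TOKEN.encode()))
    print(call("GET", "/count"))
```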