- From: Jonas Sicking <jonas@sicking.cc>
- Date: Sun, 23 Nov 2008 20:07:18 -0800
- To: Gavin Sharp <gavin@mozilla.com>
- CC: Julian Reschke <julian.reschke@gmx.de>, "Roy T. Fielding" <fielding@gbiv.com>, HTML WG <public-html@w3.org>
Gavin Sharp wrote: > ----- "Julian Reschke" <julian.reschke@gmx.de> wrote: >>> Ok, then use <form>. ping="" is as easy to trigger as a form >>> submission. >> Not with scripting disabled, right? (yes, I use the FF noscript >> extension). > > You recognize that that makes you part of a small minority of web users, right? That it is currently possible to disable JavaScript in most shipping browsers doesn't change the fact that a significant portion of the Web requires it, and that all major browsers have it enabled by default. There's no reason to believe that <a ping> will be any harder to disable for users than JavaScript currently is, so I'm not sure I see how this point is relevant. > >>> We already have a way to create POST requests by simply navigating >>> a Web site. This isn't adding anything new as far as that goes. >> That is incorrect, unless you count "pressing buttons" as web site >> navigation. > > Again, you're discounting the presence of scripting. I think it's fair to say that arguments that ignore the fact that scripting is an important and nearly universal part of the Web aren't going to be very effective. Additionally, it is extremely easy to trick a user into clicking a button. All you need to do is make the button 0.1% opaque and cover the whole page area. <a ping> has exactly the same properties as <form> when it comes to generating POST. If you have scripts enabled they can cause POST to happen automatically. If scripts is disabled, they require that the user clicks on the page. The only difference that I can think of is that the default rendering is different, something that is very easily changed, and that most likely UIs are going to have a pref to turn off <a ping>. / Jonas
Received on Monday, 24 November 2008 04:09:22 UTC