- From: Maciej Stachowiak <mjs@apple.com>
- Date: Tue, 08 Dec 2009 08:10:53 -0800
- To: sird@rckc.at
- Cc: gaz Heyes <gazheyes@gmail.com>, Adam Barth <w3c@adambarth.com>, Daniel Glazman <daniel@glazman.org>, Thomas Roessler <tlr@w3.org>, public-web-security@w3.org
On Dec 8, 2009, at 8:05 AM, sird@rckc.at wrote: > passwords ARE setted some times by some apps (CUPS used it, as well > as Motorola's SURFBoard).. I think we loose nothing by forbidding > them (wont break existing apps) and we provide security for the ones > that do use it.. > > Anyway, if we block all inputs for me it's fine :) > > Regarding the why links: > <a href="?action=deleteAccount&sesc=1i19471gdh17">Delete this > account</a> > > I dont propose forbiding all links, just instruct the devs to start > using rel=nofollow on sensitive ones or something like that. I can potentially think of some use cases for styling links based on the contents of the href value: 1) Distinctive style to links with specific schemes (https: or ftp: for example). 2) Distinctive style for links to a particular server (onsite vs offsite). 3) Distinctive style for links to a particular content type, guessed based on file extension (put PDF icon next to likely PDFs for instance). Limiting the restriction to <a rel=nofollow> links would probably not overly interfere with these use cases. But do sites do that currently for action links containing a secret token of some kind in the URL? Regards, Maciej
Received on Tuesday, 8 December 2009 16:11:34 UTC