- From: Boris Zbarsky <bzbarsky@mit.edu>
- Date: Thu, 08 Jun 2006 10:10:12 -0500
- To: Charles McCathieNevile <chaals@opera.com>
- CC: Julian Reschke <julian.reschke@gmx.de>, Public Web API <public-webapi@w3.org>
Charles McCathieNevile wrote: >> ... it exposes users to a potential security risk, and there's nothing >> the user can do about it except disabling scripting. I think that is a >> problem. > > SURE. That doesn't make it a bug per se. It also exposes the user to a > bunch of functionality that they might appreciate. I thnk it's a > decision to implement or not that way, and to use a user agent that does > that or not. I would be surprised if desktop browsers for general > release were so permissive. All major desktop browsers allow form.submit() to happen with no user confirmation. And form.submit() is _very_ commonly used. -Boris
Received on Thursday, 8 June 2006 15:10:25 UTC