- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Thu, 08 Jun 2006 17:18:12 +0200
- To: Boris Zbarsky <bzbarsky@mit.edu>
- CC: Charles McCathieNevile <chaals@opera.com>, Public Web API <public-webapi@w3.org>
Boris Zbarsky wrote:
>
> Charles McCathieNevile wrote:
>>> ... it exposes users to a potential security risk, and there's
>>> nothing the user can do about it except disabling scripting. I think
>>> that is a problem.
>>
>> SURE. That doesn't make it a bug per se. It also exposes the user to a
>> bunch of functionality that they might appreciate. I think it's a
>> decision to implement or not that way, and to use a user agent that
>> does that or not. I would be surprised if desktop browsers for general
>> release were so permissive.
>
> All major desktop browsers allow form.submit() to happen with no user
> confirmation. And form.submit() is _very_ commonly used.

Well, what I'm concerned with is form.submit() and XHR/PUT/DELETE in things like onload events. Just because this works today doesn't mean it's ok from a systematic point of view.

Best regards, Julian
Received on Thursday, 8 June 2006 15:18:20 UTC