- From: Scott Shattuck <idearat@mindspring.com>
- Date: Mon, 6 Apr 2009 16:21:43 -0600
- To: Webapps WG <public-webapps@w3.org>
> Using a variation on the example in the spec...
>
> var password = ... // global variable holds user's password
>
> function deleteItem(itemURL, updateUI) {
>   var client = new XMLHttpRequest()
>   client.open("DELETE", itemURL)
>   client.onload = updateUI
>   client.onerror = updateUI
>   client.onabort = updateUI
>   client.send("password=" + password)
> }
Well, if a script can rely on someone being as foolish as to store
their username and password as globals then why bother working that
hard...just ping a url with them. I can't see how this is relevant to
the spec in terms of a specific vulnerability.
ss
Received on Monday, 6 April 2009 22:22:26 UTC