- From: Ian Hickson <ian@hixie.ch>
- Date: Mon, 19 Dec 2005 22:40:21 +0000 (UTC)
On Mon, 12 Dec 2005, Maciej Stachowiak wrote: > > > > > > > > > > http: - "put" and "delete" are little-used methods on the web. > > > > > > > > Well, yeah, since there's basically no way to use them. This is > > > > partly intended to address this. > > > > > > In theory you could use them through XMLHttpRequest, if that were > > > specified as allowed I think it would be more useful than allowing > > > them as form submission methods. > > > > That's specified as allowed already. > > So you think they should be left in? It wouldn't be an unreasonable > burden to implement these so I'm willing to withdraw my objection if no > one else thinks it is a problem. I think it would be useful (especially PUT, and especially in conjunction with the file-upload thing). As you say, it shouldn't be that hard to implement -- in fact, for PUT it's exactly the same behaviour as for POST, just with a different method name, and for DELETE you totally ignore the form data set. > > Fair enough for the other protocols, but in the case of data:, it > > would actually be really useful from a debugging persective to be able > > to get ahold of the form submission data. Given how easy the > > definition for data: is to implement, do you still object to it? > > No strong objection, although the usefulness of this behavior seems > limited and it would have to be a special case in the code. Yes, and yes. The usefulness is mostly limited to debugging, but the implementation burden should be small. > > > "Untrusted content" is unclear. It implies the existence of > > > something that isn't "untrusted content", i.e. "trusted content". > > > Where is that defined? I do not believe it is defined anywhere, in > > > which case specifying its behavior seems non-useful. > > > > I have rephrased this sentence. > > I think this section is still somewhat problematic because a reasonable > behavior is to allow "get" posts to "file:" URLs from a local file > document that is not marked trusted in any special way, as such a > document can already do normal "file:" URL loads anyway through other > mechanisms. Um, they shouldn't be able to. Or at least, in many UAs they can't. > And this is much less risky than allowing execution of prgrams or > writing/deleting of files. Depends on what file you allow access to (/dev/mouse?) > However, ignoring the method in this case would put UAs in conflict with > this non-normative section, so at minimum it seems they would have to > change to disallow "post", "put" and "delete" entirely or be in conflict > with this section. I'm not even sure if considering some content only > "trusted" enough for one of the four columns would satisfy this section. > > But this does not seem like a very serious problem, now that the section > is non-normative. Right -- the entire section is non-normative so you can't be in conflict with it. > > > Well, submission behavior is also unspecified for "gopher:", "sip:", > > > "nfs:", and so forth. I do not think it is the spec's job to list > > > every URI scheme. > > > > No, but it's the spec's job to answer questions from implementors as > > to exactly what they are supposed to do when the user submits a form > > to a protocol they support. The protocols listed were those most > > likely to be encountered. > > Agreed, but this is difficult when the URI scheme is not properly > defined yet. sms: and smsto: are gone. > > http://whatwg.org/specs/web-forms/current-work/#methodAndEnctypes > > I like most of the changes. I will review the revised file upload > behavior and comment on that. I would also like to review the "data:" > behavior in more detail to see if it seems appropriate. Other than that, > I feel my concerns have been addressed, and I'll get back to you on the > two points above. Great, thanks. -- Ian Hickson U+1047E )\._.,--....,'``. fL http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,. Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
Received on Monday, 19 December 2005 14:40:21 UTC