- From: Jasper Bryant-Greene <jasper@album.co.nz>
- Date: Wed, 26 Oct 2005 10:12:42 +1300
On Tue, 2005-10-25 at 14:06 -0700, Charles Iliya Krempeaux wrote: > Perhaps the best way of handling this is to use a totally new HTTP > method (other than "GET" or "POST"). Maybe "PING". > > That way you don't have to worry about people screwing things up or > hacking due to POST'ing (of a URL like the flickr URL you gave). That Flickr URL was a GET. It's a non-issue anyway -- using a POST does not offer any additional ability to "screw things up" or "hack". It's already possible to POST to arbitrary URLs just by putting any old URL in the /action/ attribute of a <form> and submitting it with JS or fooling the user into clicking the submit button. A website like Flickr should require authentication of the user before allowing photos to be deleted. I run a photo sharing service that is very similar and would be quite happy for any idiot to POST to any URL they like, as anything that causes a change on the server-side requires authentication. -- Jasper Bryant-Greene General Manager Album Limited e: jasper at album.co.nz w: http://www.album.co.nz/ p: 0800 4 ALBUM (0800 425 286) or +64 21 232 3303 a: PO Box 579, Christchurch 8015, New Zealand
Received on Tuesday, 25 October 2005 14:12:42 UTC