[whatwg] <a href="" ping="">

On Tue, 2005-10-25 at 14:06 -0700, Charles Iliya Krempeaux wrote:
> Perhaps the best way of handling this is to use a totally new HTTP
> method (other than "GET" or "POST").  Maybe "PING".
> 
> That way you don't have to worry about people screwing things up or
> hacking due to POST'ing (of a URL like the flickr URL you gave).

That Flickr URL was a GET. It's a non-issue anyway -- using a POST does
not offer any additional ability to "screw things up" or "hack".

It's already possible to POST to arbitrary URLs just by putting any old
URL in the /action/ attribute of a <form> and submitting it with JS or
fooling the user into clicking the submit button.

A website like Flickr should require authentication of the user before
allowing photos to be deleted. I run a photo sharing service that is
very similar and would be quite happy for any idiot to POST to any URL
they like, as anything that causes a change on the server-side requires
authentication.

-- 
Jasper Bryant-Greene
General Manager
Album Limited

e: jasper at album.co.nz
w: http://www.album.co.nz/
p: 0800 4 ALBUM (0800 425 286) or +64 21 232 3303
a: PO Box 579, Christchurch 8015, New Zealand

Received on Tuesday, 25 October 2005 14:12:42 UTC