
[whatwg] <a href="" ping="">

From: Jasper Bryant-Greene <jasper@album.co.nz>
Date: Wed, 26 Oct 2005 10:12:42 +1300
Message-ID: <1130274762.3807.15.camel@jasper.local>
On Tue, 2005-10-25 at 14:06 -0700, Charles Iliya Krempeaux wrote:
> Perhaps the best way of handling this is to use a totally new HTTP
> method (other than "GET" or "POST").  Maybe "PING".
> 
> That way you don't have to worry about people screwing things up or
> hacking due to POST'ing (of a URL like the flickr URL you gave).

That Flickr URL was a GET. It's a non-issue anyway -- using a POST does
not offer any additional ability to "screw things up" or "hack".

It's already possible to POST to arbitrary URLs just by putting any old
URL in the /action/ attribute of a <form> and submitting it with JS or
fooling the user into clicking the submit button.

A website like Flickr should require authentication of the user before
allowing photos to be deleted. I run a photo sharing service that is
very similar and would be quite happy for any idiot to POST to any URL
they like, as anything that causes a change on the server-side requires
authentication.

-- 
Jasper Bryant-Greene
General Manager
Album Limited

e: jasper at album.co.nz
w: http://www.album.co.nz/
p: 0800 4 ALBUM (0800 425 286) or +64 21 232 3303
a: PO Box 579, Christchurch 8015, New Zealand
Received on Tuesday, 25 October 2005 14:12:42 UTC
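The check Jasper describes, as an added example that is not code from the thread or from Album or Flickr: a minimal server-side dispatcher in which every state-changing route demands an authenticated session before the HTTP method is even looked at, so GET, POST or a hypothetical PING aimed at the delete URL all get the same refusal. Session ids, user names and photo ids are constructed sample data.

```python
# Added example (not from the mailing-list thread): a server-side dispatcher
# where state-changing routes require a logged-in owner regardless of method.
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    body: str = ""


class PhotoService:
    # Routes that modify server state; these always require a logged-in user.
    STATE_CHANGING = {"/photo/delete"}

    def __init__(self):
        # Constructed session store: session cookie value -> user.
        self.sessions = {"sess-abc123": "alice", "sess-def456": "bob"}
        # Constructed photo store: photo id -> owner.
        self.photos = {"p1": "alice", "p2": "bob"}

    def handle(self, method, path, params, cookies):
        """Dispatch one request. Authentication is decided first, so whether a
        third-party page used GET, POST or a hypothetical PING to reach a
        state-changing URL makes no difference to the outcome."""
        user = self.sessions.get(cookies.get("session", ""))
        if path in self.STATE_CHANGING and user is None:
            return Response(401, "login required")
        if path == "/photo/delete":
            if method != "POST":
                return Response(405, "use POST")
            photo_id = params.get("id")
            if self.photos.get(photo_id) != user:
                return Response(403, "not your photo")  # ownership, not just login
            del self.photos[photo_id]
            return Response(200, f"deleted {photo_id}")
        if path == "/photo/view":
            photo_id = params.get("id")
            if photo_id in self.photos:
                return Response(200, f"photo {photo_id}")  # public read, no login
            return Response(404, "no such photo")
        return Response(404, "not found")


def anonymous_attempts(svc):
    """Status codes an unauthenticated client receives when it aims each
    method at the delete URL (the scenario debated in the thread)."""
    return {m: svc.handle(m, "/photo/delete", {"id": "p1"}, {}).status
            for m in ("GET", "POST", "PING")}
```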
