- From: Charles Iliya Krempeaux <supercanadian@gmail.com>
- Date: Tue, 25 Oct 2005 14:24:25 -0700
Hello,

On 10/21/05, Jasper Bryant-Greene <jasper at album.co.nz> wrote:
[...]
> > > If you can come up with a reason why it's not safe, I'd like to hear it.
> > My initial reaction was to be concerned about a malicious link that
> > triggered a POST for a resource that becomes modified or deleted - like
> > href="http://www.flickr.com/photos/dierken/?delete=39177102&magic_cookie=528
> > 479cac210fc6z837c0ac708334fe6"
>
> I would certainly hope that Flickr requires authentication before an URL
> like that had any effect, in which case the developer of the website
> would only be able to delete their own photos, or photos of those whom
> they had stolen the authentication details for. This is not exactly a
> new problem.

Even with that, this kind of social hacking can become at the least "annoying"... or in some cases could be a critical problem!

It could be used to send SPAM (when POST'ing somehow causes e-mail to be sent).

With web browsers, there are only 2 ways of doing a POST. (At least only 2 ways I can think up right now :-) )

#1 is through an HTML form. When a user submits an HTML form, they are fully aware of it. And the browser has a chance to tell the user they are POST'ing to another domain. (Which could be a social hack attempt.)

#2 is with XmlHttpRequest. But XmlHttpRequest isn't able to access other sites AFAIK... so this kind of thing isn't an issue with it.

> > (Those freaking blockheads at Flickr just
> > deleted my picture when I pasted that URI into the browser window. Losers -
> > when will they realize that an anchor is not a UI widget. Thank goodness
> > that I don't have a pre-fetch utility running or I'd lose all my vacation
> > photos.)
> >
> > But of course anybody that can cause that extra attribute to appear on an
> > anchor, likely has enough control to do some damage anyway.
>
> Exactly. If Flickr wanted to delete your photos, I don't think they'd
> bother to try to fool you into clicking on a link. They'd just delete
> them.

It's not about Flickr doing it. But others causing you to do stuff (like deleting your own photos, or sending e-mail, or making a splog post, etc) when you don't actually want to.

Conceptually (at least from my point-of-view) POST'ing is supposed to require a user's approval. (XmlHttpRequest kind of gets around that requirement, but you are NOT allowed cross-domain access via XmlHttpRequest, so it is actually not a problem.)

Developers should feel safe in the assumption that mutable operations on their site will not happen without the user knowing about it (due to their browser telling them).

To get around this whole issue we could just use a totally new HTTP method (other than "GET" or "POST"). Maybe "PING".

See ya

--
Charles Iliya Krempeaux, B.Sc.

charles @ reptile.ca
supercanadian @ gmail.com

developer weblog: http://ChangeLog.ca/
___________________________________________________________________________
Never forget where you came from
Received on Tuesday, 25 October 2005 14:24:25 UTC
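A server-side guard for the concern discussed in this message, as an added example that is not part of the original post and is not Flickr's code: it refuses state changes on safe methods and accepts an unsafe request only with a same-origin `Origin` header (when the browser sends one) and a per-session token. The `delete` and `magic_cookie` parameter names come from the quoted URL; `SITE_ORIGIN`, `issue_token`, `check_request`, the hostnames and the key are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

SITE_ORIGIN = "https://photos.example"  # assumption: the site's own origin
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_token(server_key: bytes, session_id: str) -> str:
    """Per-session token the site embeds in its own forms (the magic_cookie role)."""
    return hmac.new(server_key, session_id.encode(), hashlib.sha256).hexdigest()


def check_request(method, url, headers, form, session_id, server_key):
    """Return (allowed, reason) for a request that carries the user's session."""
    query = parse_qs(urlsplit(url).query)
    if method in SAFE_METHODS:
        # Anchors, prefetchers and pasted URLs all issue GET: never mutate on it.
        if "delete" in query:
            return False, "state change requested via safe method"
        return True, "safe method"
    # Unsafe method: compare the submitting page's origin with our own.
    origin = headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return False, "cross-origin submission"
    # The token is bound to the session, so a third-party page cannot supply it.
    expected = issue_token(server_key, session_id)
    supplied = form.get("magic_cookie", "")
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return False, "missing or wrong token"
    return True, "same-site form with valid token"


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample value
    token = issue_token(key, "session-A")
    samples = [  # constructed requests, not captured traffic
        ("GET", SITE_ORIGIN + "/photos/u/?delete=1", {}, {}),
        ("POST", SITE_ORIGIN + "/photos/u/delete",
         {"Origin": "https://other.example"}, {"magic_cookie": token}),
        ("POST", SITE_ORIGIN + "/photos/u/delete",
         {"Origin": SITE_ORIGIN}, {"magic_cookie": token}),
    ]
    for method, url, headers, form in samples:
        print(method, url, check_request(method, url, headers, form, "session-A", key))
```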