whatwg@whatwg.org mailing list archive, October 2005

[whatwg] <a href="" ping="">

From: Jasper Bryant-Greene <jasper@album.co.nz>
Date: Wed, 26 Oct 2005 10:36:15 +1300
Message-ID: <1130276175.3807.21.camel@jasper.local>
On Tue, 2005-10-25 at 14:24 -0700, Charles Iliya Krempeaux wrote:
> With web browsers, there are only 2 ways of doing a POST.  (At least
> only 2 ways I can think up right now :-)  )
> 
> #1 is through an HTML form.  When a user submits an HTML form, they are
> fully aware of it.  And the browser has a chance to tell the user they
> are POST'ing to another domain.  (Which could be a social hack
> attempt.)

Yes, but look:

<form action="http://example.com/delete" method="post" id="deleteForm">
	<input type="hidden" name="photoID" value="93872">
	<input type="hidden" name="sid" value="oihsd8f9u238f3feswfsdf">
</form>

<script type="text/javascript">
	window.onload = function() {
		document.getElementById('deleteForm').submit();
	}
</script>

No current browser I tested displays a warning. Most display it once,
the first time a POST is actioned after the browser is installed, but
default to never displaying it again.

It would only be an issue if the website sending the above code could
somehow find out the user's session ID (sid) on example.com. Which, if
everything works as it should, it can't.

-- 
Jasper Bryant-Greene
General Manager
Album Limited

e: jasper at album.co.nz
w: http://www.album.co.nz/
p: 0800 4 ALBUM (0800 425 286) or +64 21 232 3303
a: PO Box 579, Christchurch 8015, New Zealand
Received on Tuesday, 25 October 2005 14:36:15 UTC