- From: S. Mike Dierken <mike@dierken.com>
- Date: Tue, 25 Oct 2005 20:55:59 -0700

> It's already possible to POST to arbitrary URLs just by
> putting any old URL in the /action/ attribute of a <form> and
> submitting it with JS or fooling the user into clicking the
> submit button.

True. One interesting aspect of keeping the number of methods small is that utilities can be built that operate on any number of sites and understand how to avoid 'unsafe' operations. In the case of Flickr, if I used a pre-fetching tool or client side spider/indexer, those images would be toast without my knowing about it. Traversing a URI should be 'safe' - this opens up new application possibilities.

> A website like Flickr should require authentication of the
> user before allowing photos to be deleted.

Yes, and they shouldn't use GET to modify data.

Received on Tuesday, 25 October 2005 20:55:59 UTC
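
The two points made in the message above (authenticate before deleting, and never modify data on GET), as an added example that is not part of the original message: a generic prefetcher that only issues GET walks every link as the logged-in owner, and the photos survive because the delete route answers safe methods with 405. The `PhotoSite` class, the `/photos/<id>/delete` paths and the user names are hypothetical and constructed for this sketch.

```python
class PhotoSite:
    """Constructed in-memory photo store; all names are hypothetical."""

    def __init__(self, photos):
        self.photos = dict(photos)  # {photo_id: owner}

    def handle(self, method, path, user=None):
        """Return the HTTP status code and response headers for a request."""
        parts = path.strip("/").split("/")
        if len(parts) == 2 and parts[0] == "photos":
            return self._view(method, parts[1])
        if len(parts) == 3 and parts[0] == "photos" and parts[2] == "delete":
            return self._delete(method, parts[1], user)
        return 404, {}

    def _view(self, method, photo_id):
        if method not in ("GET", "HEAD"):
            return 405, {"Allow": "GET, HEAD"}
        return (200, {}) if photo_id in self.photos else (404, {})

    def _delete(self, method, photo_id, user):
        # State change: refuse safe methods so link traversal cannot trigger it.
        if method != "POST":
            return 405, {"Allow": "POST"}
        if user is None:
            return 401, {}
        if photo_id not in self.photos:
            return 404, {}
        if self.photos[photo_id] != user:
            return 403, {}
        del self.photos[photo_id]
        return 204, {}


def prefetch(site, links, user=None):
    """Generic prefetcher/indexer: traverses every link it sees with GET."""
    return {link: site.handle("GET", link, user)[0] for link in links}


def demo():
    site = PhotoSite({"1": "alice", "2": "alice"})  # constructed sample data
    links = ["/photos/1", "/photos/1/delete", "/photos/2", "/photos/2/delete"]
    statuses = prefetch(site, links, user="alice")  # runs as the logged-in owner
    after_prefetch = sorted(site.photos)
    deleted = site.handle("POST", "/photos/1/delete", user="alice")[0]
    return statuses, after_prefetch, deleted, sorted(site.photos)
```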