[whatwg] <a href="" ping="">

> It's already possible to POST to arbitrary URLs just by 
> putting any old URL in the /action/ attribute of a <form> and 
> submitting it with JS or fooling the user into clicking the 
> submit button.
True. One interesting aspect of keeping the number of methods small is that
utilities can be built that operate on any number of sites and understand
how to avoid 'unsafe' operations. In the case of Flickr, if I used a
pre-fetching tool or client side spider/indexer, those images would be toast
without my knowing about it. Traversing a URI should be 'safe' - this opens
up new application possibilities.

> 
> A website like Flickr should require authentication of the 
> user before allowing photos to be deleted.
Yes, and they shouldn't use GET to modify data.

Received on Tuesday, 25 October 2005 20:55:59 UTC