- From: Ian Hickson <ian@hixie.ch>
- Date: Wed, 26 Oct 2005 18:40:47 +0000 (UTC)
On Tue, 25 Oct 2005, Charles Iliya Krempeaux wrote:
>
> With web browsers, there are only 2 ways of doing a POST. (At least
> only 2 ways I can think up right now :-) )
>
> #1 is through an HTML form. When a user submits an HTML form, they are
> fully aware of it. And the browser has a chance to tell the user they
> are POST'ing to another domain. (Which could be a social hack attempt.)
>
> #2 is with XmlHttpRequest. But XmlHttpRequest isn't able to access
> other sites AFAIK... so this kind of thing isn't an issue with it.

#3 -- combine #1 with script, so the user isn't aware of it.

> Conceptually (at least from my point-of-view) POST'ing is supposed to
> require a user's approval. (XmlHttpRequest kind of gets around that
> requirement, but you are NOT allowed cross-domain access via
> XmlHttpRequest, so it is actually not a problem.) Developers should
> feel safe in the assumption that mutable operations on their site will
> not happen without the user knowing about it (due to their browser
> telling them).

That might be a good ideal, but in practice it is not the case.

Also, bear in mind that the POST done from a ping="" is content-free.
There are no POST arguments or anything, so you can't send arbitrary data
to have something happen (unless the server side has a bug and treats the
GET arguments as POST arguments, I guess).

> To get around this whole issue we could just use a totally new HTTP
> method (other than "GET" or "POST"). Maybe "PING".

I think we'll draw the line at extending HTTP. We're in hot enough water
extending HTML and the DOM...

-- 
Ian Hickson                                      U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/                              U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Wednesday, 26 October 2005 11:40:47 UTC
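The two points in the reply above, as an added example (this is illustration code, not code from the thread, from any browser, or from the WHATWG/W3C specs): first, Hixie's "#3", an ordinary HTML form that page script submits on load so the POST happens without the user's involvement; second, the server-side bug he mentions, a request handler that folds GET (query-string) arguments into the POST arguments, which is what would turn a content-free ping="" POST into a state-changing request. The host example.test, the /account/delete path, the confirm parameter, the request objects and all function names are assumptions constructed for the illustration; the requests are constructed, not captured traffic.

```javascript
'use strict';
// Added example, not from the original thread. URL and URLSearchParams are
// Node.js globals; no modules are required.

// Escape text for safe embedding in HTML attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// (1) Hixie's "#3": an HTML form (his #1) that script submits as soon as the
// page loads, so the browser sends the POST with no click from the user.
// targetUrl and fields are whatever the page author chooses (assumed values).
function buildAutoSubmitPage(targetUrl, fields) {
  const inputs = Object.entries(fields)
    .map(([k, v]) => `<input type="hidden" name="${escapeHtml(k)}" value="${escapeHtml(v)}">`)
    .join('\n');
  return [
    '<!DOCTYPE html>',
    `<form id="f" method="POST" action="${escapeHtml(targetUrl)}">`,
    inputs,
    '</form>',
    "<script>document.getElementById('f').submit();</script>",
  ].join('\n');
}

// Constructed requests, shaped as a server handler would see them.
// What the auto-submitted form above produces: a form-encoded body.
const formRequest = {
  method: 'POST',
  url: 'http://example.test/account/delete',
  headers: { 'content-type': 'application/x-www-form-urlencoded' },
  body: 'confirm=yes',
};
// What a ping="" POST looks like per the reply: no body at all. The only
// place data can ride along is the query string of the pinged URL.
const pingRequest = {
  method: 'POST',
  url: 'http://example.test/account/delete?confirm=yes',
  headers: {},
  body: '',
};

// (2a) The server-side bug Hixie mentions: GET arguments are merged into the
// "POST arguments", so a POST with an empty body still appears to carry data.
function postParamsBuggy(req) {
  const params = new URLSearchParams(req.body);
  for (const [k, v] of new URL(req.url).searchParams) {
    if (!params.has(k)) params.set(k, v);
  }
  return params;
}

// (2b) Strict extraction: parameters for a state-changing POST come only from
// a form-encoded entity body. The query string is never consulted.
function postParamsStrict(req) {
  const ct = (req.headers['content-type'] || '').split(';')[0].trim().toLowerCase();
  if (req.method !== 'POST' || ct !== 'application/x-www-form-urlencoded') {
    return new URLSearchParams();
  }
  return new URLSearchParams(req.body);
}

// A mutable operation gated on a POST parameter; `extract` selects the policy.
function handleDelete(req, extract) {
  return extract(req).get('confirm') === 'yes' ? 'deleted' : 'ignored';
}

console.log('ping, buggy server :', handleDelete(pingRequest, postParamsBuggy));
console.log('ping, strict server:', handleDelete(pingRequest, postParamsStrict));
console.log('auto-submitted form, strict server:', handleDelete(formRequest, postParamsStrict));
```

The strict extractor closes the gap Hixie describes for ping="": with no body there are no POST arguments, whatever the URL says. It does nothing against the auto-submitted form, which arrives with a perfectly ordinary form-encoded body, and that is exactly why the reply calls "POST requires user approval" an ideal rather than something a developer can rely on.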