- From: Adam Barth <w3c@adambarth.com>
- Date: Thu, 9 Dec 2010 18:26:14 -0800
On Thu, Dec 9, 2010 at 4:46 PM, Tab Atkins Jr. <jackalmage at gmail.com> wrote: > On Thu, Dec 9, 2010 at 11:01 AM, Adam Barth <w3c at adambarth.com> wrote: >> We've seen use cases for a similar feature for iframes and hyperlinks. >> ?For example: >> >> <a href="/logout" post-data>Logout</a> >> >> would be more semantically correct that just <a >> href="/logout">Logout</a> because it would generate a POST instead of >> a GET. > > Why wouldn't <form method=post > action=/logout><button>Logout</button></form> work, with some CSS to > make it look like a link if you wanted that? It's too much work. :) > On Thu, Dec 9, 2010 at 11:41 AM, Philipp Serafin <phil127 at gmail.com> wrote: >> There are quite a number of older web forums that sanitize their HTML using black lists and would not strip new attributes like "post-data". For malicious users, it would be very easy to include e.g. <img src="./do_post.php" post-data="thread_id=42&post_content=Go visit (some spam URL)"> in their signature and have users doing involuntary posts by simply viewing a thread. > > Indeed. ?You shouldn't be able to trigger POSTs from involuntary > actions. ?They should always require some sort of user input, because > there is simply *far* too much naive code out there that is vulnerable > to CSRF. Unfortunately, the attacker can already trigger POSTs with involuntary actions. That code is already vulnerable attack, sadly. Adam
Received on Thursday, 9 December 2010 18:26:14 UTC