- From: Anne van Kesteren <annevk@opera.com>
- Date: Thu, 20 Apr 2006 22:08:21 +0200
- To: "Mark Nottingham" <mnot@mnot.net>
- Cc: www-dom@w3.org

On Thu, 20 Apr 2006 17:10:20 +0200, Mark Nottingham <mnot@mnot.net> wrote:

> I would suggest that the remedy is to add a note or security
> considerations section, to the effect that unsafe requests (e.g., POST)
> generated from HtmlFormElement.submit() MUST be authorised by the user.

I hope you mean this only for cross-domain stuff otherwise it doesn't make much sense. You could do the same with XMLHttpRequest for example and you really wouldn't want such requests to be authorised by the user.

(I also wonder what the value of having it controlled by the user is, it's just another dialog they will quickly learn to ignore.)

--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>

Received on Thursday, 20 April 2006 20:08:32 UTC