- From: Mark Nottingham <mnot@mnot.net>
- Date: Thu, 20 Apr 2006 13:15:21 -0700
- To: "Anne van Kesteren" <annevk@opera.com>
- Cc: www-dom@w3.org
As I said, one way the user could give permission is to configure the browser to allow same-site POSTs to be automatically submitted -- but that should be the user's decision.

XmlHttpRequest isn't (yet) a W3C Recommendation; it's just an interface that a lot of people like. Part of the process of standardising it is to rationalise it with the Web architecture as well as good security practice -- as the Web API WG's charter requires.

Cheers,

On 2006/04/20, at 1:08 PM, Anne van Kesteren wrote:

> On Thu, 20 Apr 2006 17:10:20 +0200, Mark Nottingham <mnot@mnot.net> wrote:
>> I would suggest that the remedy is to add a note or security considerations section, to the effect that unsafe requests (e.g., POST) generated from HtmlFormElement.submit() MUST be authorised by the user.
>
> I hope you mean this only for cross-domain stuff, otherwise it doesn't make much sense. You could do the same with XMLHttpRequest, for example, and you really wouldn't want such requests to be authorised by the user.
>
> (I also wonder what the value of having it controlled by the user is; it's just another dialog they will quickly learn to ignore.)
>
> --
> Anne van Kesteren
> <http://annevankesteren.nl/>
> <http://www.opera.com/>

--
Mark Nottingham
http://www.mnot.net/
Received on Thursday, 20 April 2006 20:15:29 UTC