- From: Mark Baker <distobj@acm.org>
- Date: Tue, 15 Jan 2008 22:37:33 -0500
- To: www-tag@w3.org
Hi David,

On 1/15/08, L. David Baron <dbaron@dbaron.org> wrote:
> > 2) He notes that while some particular resources may indeed interpret
> > empty body posts in the intended manner, others may not. If we understand
> > him correctly, Roy is suggesting that a malicious (or negligent) author
> > of Web pages with ping attributes could "trick" a user into causing such
> > a POST to be sent to a resource that would interpret it in ways that were
> > destructive.
>
> Does this introduce anything that form.submit() can't already do?

No, but it makes that bad practice (invoking form.submit() as the direct result of a link click) more accessible to more developers. That's not good.

BTW, I'm not against <a ping>, I'm just against the use of POST on the ping URI - GET would be fine.

Mark.
--
Mark Baker. Ottawa, Ontario, CANADA. http://www.markbaker.ca
Coactus; Web-inspired integration strategies http://www.coactus.com
Received on Wednesday, 16 January 2008 03:37:38 UTC