Re: Proposed HTML ping attribute

From: Mark Baker <distobj@acm.org>
Date: Tue, 15 Jan 2008 22:37:33 -0500
Message-ID: <e9dffd640801151937q212f9b2ev7f6966e45d45b1fd@mail.gmail.com>
To: www-tag@w3.org

Hi David,

On 1/15/08, L. David Baron <dbaron@dbaron.org> wrote:
> > 2) He notes that while some particular resources may indeed interpret
> > empty body posts in the intended manner, others may not.  If we understand
> > him correctly, Roy is suggesting that a malicious (or negligent) author
> > of Web pages with ping attributes could "trick" a user into causing such
> > a POST to be sent to a resource that would interpret it in ways that were
> > destructive.
> Does this introduce anything that form.submit() can't already do?

No, but it makes that bad practice (invoking form.submit() as the
direct result of a link click) more accessible to more developers.
That's not good.

BTW, I'm not against <a ping>, I'm just against the use of POST on the
ping URI - GET would be fine.

Mark Baker.  Ottawa, Ontario, CANADA.         http://www.markbaker.ca
Coactus; Web-inspired integration strategies  http://www.coactus.com
Received on Wednesday, 16 January 2008 03:37:38 UTC
