Charles McCathieNevile wrote:
... it exposes users to a potential security risk, and there's nothing
the user can do about it except disabling scripting. I think that is a
problem.
SURE. That doesn't make it a bug per se. It also exposes the user to a
bunch of functionality that they might appreciate. I think it's a
decision to implement or not that way, and to use a user agent that does
that or not. I would be surprised if desktop browsers for general
release were so permissive.
All major desktop browsers allow form.submit() to happen with no user
confirmation. And form.submit() is _very_ commonly used.
-Boris