Boris Zbarsky wrote:
Charles McCathieNevile wrote:
... it exposes users to a potential security risk, and there's
nothing the user can do about it except disabling scripting. I think
that is a problem.
SURE. That doesn't make it a bug per se. It also exposes the user to a
bunch of functionality that they might appreciate. I think it's a
decision to implement or not that way, and to use a user agent that
does that or not. I would be surprised if desktop browsers for general
release were so permissive.
All major desktop browsers allow form.submit() to happen with no user
confirmation. And form.submit() is _very_ commonly used.
Well, what I'm concerned with is form.submit() and XHR/PUT/DELETE in
things like onload events. Just because this works today doesn't mean
it's ok from a systematic point of view.
Best regards, Julian