Re: [whatwg] element img with HTTP POST method

2011-04-28 Thread Ian Hickson
On Thu, 9 Dec 2010, Martin Janecke wrote: What is your opinion on enabling the HTTP POST method for the img element? This would unfortunately be somewhat impractical, due to the idempotency-assuming nature of img: it's generally assumed to be safe for images to be fetched an arbitrary

Re: [whatwg] element img with HTTP POST method

2011-04-28 Thread Tab Atkins Jr.
On Thu, Apr 28, 2011 at 2:28 PM, Ian Hickson i...@hixie.ch wrote: On Thu, 9 Dec 2010, Tab Atkins Jr. wrote: I don't believe there are any declarative ways to trigger involuntary POSTs, are there? test.html on this page has no script:   http://damowmow.com/playground/demos/http/002/ That's

Re: [whatwg] element img with HTTP POST method

2010-12-31 Thread Martin Janecke
On 10.12.2010 at 18:06, Julian Reschke wrote: If the URI length is a problem because of browsers, fix the browsers to extend the limits, instead of adding a completely new feature. That's a good idea. Can we define a minimum length in the spec that should/must be supported? As a point

Re: [whatwg] element img with HTTP POST method (2)

2010-12-11 Thread Bjartur Thorlacius
On 12/9/10, Philipp Serafin phil...@gmail.com wrote: ... on second thought, maybe it would be an even better idea to just define a new submit like input type that would submit the form as soon as it's fully loaded and display the POST result as an image. This would work better with the form

Re: [whatwg] element img with HTTP POST method

2010-12-10 Thread Julian Reschke
On 10.12.2010 01:46, Tab Atkins Jr. wrote: ... Indeed. You shouldn't be able to trigger POSTs from involuntary actions. They should always require some sort of user input, because there is simply *far* too much naive code out there that is vulnerable to CSRF. ... Thanks, Tab. It's sad that

Re: [whatwg] element img with HTTP POST method

2010-12-10 Thread Benjamin Hawkes-Lewis
On Thu, Dec 9, 2010 at 6:59 PM, Martin Janecke whatwg@kaor.in wrote: What is your opinion on enabling the HTTP POST method for the img element? The motivation behind this is that there are services which generate images automatically based on parameters given -- nowadays provided as query

Re: [whatwg] element img with HTTP POST method

2010-12-10 Thread Anne van Kesteren
On Fri, 10 Dec 2010 03:26:14 +0100, Adam Barth w...@adambarth.com wrote: On Thu, Dec 9, 2010 at 4:46 PM, Tab Atkins Jr. jackalm...@gmail.com wrote: Why wouldn't <form method=post action=/logout><button>Logout</button></form> work, with some CSS to make it look like a link if you wanted that? It's

Re: [whatwg] element img with HTTP POST method

2010-12-10 Thread Martin Janecke
On 09.12.2010 at 20:04, Ashley Sheridan wrote: [...] If images are called with POST data, then that would prevent them being cached, which can be done with GET as GET isn't meant to change any state on the server, meaning potentially a lot more traffic [...] As I understand

Re: [whatwg] element img with HTTP POST method

2010-12-10 Thread Martin Janecke
On 09.12.2010 at 20:41, Philipp Serafin wrote: [...] though this would also present serious security vulnerabilities, especially in forum pages. There are quite a number of older web forums that sanitize their HTML using black lists and would not strip new attributes like post-data. For

Re: [whatwg] element img with HTTP POST method

2010-12-10 Thread Nils Dagsson Moskopp
Martin Janecke whatwg@kaor.in wrote on Thu, 9 Dec 2010 19:59:02 +0100: What is your opinion on enabling the HTTP POST method for the img element? The motivation behind this is that there are services which generate images automatically based on parameters given -- nowadays provided as

[whatwg] element img with HTTP POST method

2010-12-09 Thread Martin Janecke
Hi all, What is your opinion on enabling the HTTP POST method for the img element? The motivation behind this is that there are services which generate images automatically based on parameters given -- nowadays provided as query string in a GET request -- for inclusion in web pages. I've

Re: [whatwg] element img with HTTP POST method

2010-12-09 Thread Adam Barth
We've seen use cases for a similar feature for iframes and hyperlinks. For example: <a href=/logout post-data>Logout</a> would be more semantically correct than just <a href=/logout>Logout</a> because it would generate a POST instead of a GET. Adam On Thu, Dec 9, 2010 at 10:59 AM, Martin Janecke

Re: [whatwg] element img with HTTP POST method

2010-12-09 Thread Philipp Serafin
I like the general idea (this would also get rid of the problem that, right now, it's unnecessarily hard for authors to show idempotent and non-idempotent actions in a unified visual style), though this would also present serious security vulnerabilities, especially in forum pages. There are

Re: [whatwg] element img with HTTP POST method (2)

2010-12-09 Thread Philipp Serafin
... on second thought, maybe it would be an even better idea to just define a new submit like input type that would submit the form as soon as it's fully loaded and display the POST result as an image. This would work better with the form metaphor and would present less security risks, since only

Re: [whatwg] element img with HTTP POST method

2010-12-09 Thread Tab Atkins Jr.
On Thu, Dec 9, 2010 at 11:01 AM, Adam Barth w...@adambarth.com wrote: We've seen use cases for a similar feature for iframes and hyperlinks. For example: <a href=/logout post-data>Logout</a> would be more semantically correct than just <a href=/logout>Logout</a> because it would generate a POST

Re: [whatwg] element img with HTTP POST method

2010-12-09 Thread Adam Barth
On Thu, Dec 9, 2010 at 4:46 PM, Tab Atkins Jr. jackalm...@gmail.com wrote: On Thu, Dec 9, 2010 at 11:01 AM, Adam Barth w...@adambarth.com wrote: We've seen use cases for a similar feature for iframes and hyperlinks. For example: <a href=/logout post-data>Logout</a> would be more semantically

Re: [whatwg] element img with HTTP POST method

2010-12-09 Thread Tab Atkins Jr.
On Thu, Dec 9, 2010 at 6:26 PM, Adam Barth w...@adambarth.com wrote: On Thu, Dec 9, 2010 at 4:46 PM, Tab Atkins Jr. jackalm...@gmail.com wrote: On Thu, Dec 9, 2010 at 11:01 AM, Adam Barth w...@adambarth.com wrote: We've seen use cases for a similar feature for iframes and hyperlinks.  For

Re: [whatwg] element img with HTTP POST method

2010-12-09 Thread Adam Barth
On Thu, Dec 9, 2010 at 11:41 AM, Philipp Serafin phil...@gmail.com wrote: There are quite a number of older web forums that sanitize their HTML using black lists and would not strip new attributes like post-data. For malicious users, it would be very easy to include e.g. img

Re: [whatwg] element img with HTTP POST method

2010-12-09 Thread Tab Atkins Jr.
On Thu, Dec 9, 2010 at 7:15 PM, Adam Barth w...@adambarth.com wrote: On Thu, Dec 9, 2010 at 11:41 AM, Philipp Serafin phil...@gmail.com wrote: There are quite a number of older web forums that sanitize their HTML using black lists and would not strip new attributes like post-data. For