On Thu, Dec 9, 2010 at 11:01 AM, Adam Barth <[email protected]> wrote:
> We've seen use cases for a similar feature for iframes and hyperlinks.
> For example:
>
> <a href="/logout" post-data>Logout</a>
>
> would be more semantically correct than just <a
> href="/logout">Logout</a> because it would generate a POST instead of
> a GET.

Why wouldn't <form method=post action=/logout><button>Logout</button></form> work, with some CSS to make it look like a link if you wanted that?

On Thu, Dec 9, 2010 at 11:41 AM, Philipp Serafin <[email protected]> wrote:
> There are quite a number of older web forums that sanitize their HTML using
> black lists and would not strip new attributes like "post-data". For
> malicious users, it would be very easy to include e.g. <img
> src="./do_post.php" post-data="thread_id=42&post_content=Go visit (some spam
> URL)"> in their signature and have users doing involuntary posts by simply
> viewing a thread.

Indeed. You shouldn't be able to trigger POSTs from involuntary actions. They should always require some sort of user input, because there is simply *far* too much naive code out there that is vulnerable to CSRF.

~TJ
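The sanitizer concern raised in the thread, as an added example that is not part of the original messages: a denylist filter lets the proposed `post-data` attribute through because it only removes what it already knows, while an allowlist filter drops it. The tag and attribute lists and the function names are assumptions chosen for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Illustrative lists (assumptions, not taken from any real forum package).
DENY_TAGS = {"script", "iframe", "object", "embed"}
DENY_ATTR_PREFIXES = ("on",)  # onclick, onerror, ...
ALLOW = {"a": {"href", "title"}, "img": {"src", "alt"},
         "b": set(), "i": set(), "p": set(), "br": set()}
VOID = {"img", "br"}  # elements that take no end tag

class _Filter(HTMLParser):
    def __init__(self, keep_tag, keep_attr):
        super().__init__(convert_charrefs=True)
        self.keep_tag, self.keep_attr, self.out = keep_tag, keep_attr, []

    def handle_starttag(self, tag, attrs):
        # Re-serialise the tag with only the attributes the predicate accepts.
        if self.keep_tag(tag):
            kept = "".join(f' {k}="{escape(v or "", quote=True)}"'
                           for k, v in attrs if self.keep_attr(tag, k))
            self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if self.keep_tag(tag) and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))

def _run(markup, keep_tag, keep_attr):
    f = _Filter(keep_tag, keep_attr)
    f.feed(markup)
    f.close()
    return "".join(f.out)

def sanitize_denylist(markup):
    # Removes what it knows to be bad; anything unknown passes through.
    return _run(markup, lambda t: t not in DENY_TAGS,
                lambda t, k: not k.startswith(DENY_ATTR_PREFIXES))

def sanitize_allowlist(markup):
    # Keeps only known-good tags and attributes. URL scheme checks on
    # href/src are a separate step and are not shown here.
    return _run(markup, lambda t: t in ALLOW, lambda t, k: k in ALLOW[t])

# Constructed sample modelled on the signature markup quoted in the thread.
SIGNATURE = '<img src="./do_post.php" post-data="thread_id=42&post_content=x">'
```

Run over `SIGNATURE`, `sanitize_denylist` returns the tag with `post-data` intact and `sanitize_allowlist` returns only `<img src="./do_post.php">`.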
