ISSUE-110

POST triggered via JavaScript

State: CLOSED
Product: wsc-xit
Raised by: Thomas Roessler
Opened on: 2007-10-02
Description:
JavaScript can trigger unsafe HTTP methods (POST, ...). This practice has legitimate usage (e.g., SAML).

Should there be any recommendations on that?
Related Action Items:
Related emails:
  1. Re: Agenda: WSC WG distributed meeting, Wednesday, 2008-04-30 (from tlr@w3.org on 2008-04-29)
  2. Re: Agenda: WSC WG distributed meeting, Wednesday, 2008-04-30 (from egelman@cs.cmu.edu on 2008-04-29)
  3. Re: Agenda: WSC WG distributed meeting, Wednesday, 2008-04-30 (from maritzaj@cs.columbia.edu on 2008-04-29)
  4. Agenda: WSC WG distributed meeting, Wednesday, 2008-04-30 (from Mary_Ellen_Zurko@notesdev.ibm.com on 2008-04-29)
  5. RE: Agenda: WSC WG distributed meeting, Wednesday, 2008-04-02 (from dan.schutzer@fstc.org on 2008-04-01)
  6. Agenda: WSC WG distributed meeting, Wednesday, 2008-04-02 (from Mary_Ellen_Zurko@notesdev.ibm.com on 2008-04-01)
  7. ISSUE-110 POST triggered via JavaScript (from Mary_Ellen_Zurko@notesdev.ibm.com on 2008-03-28)
  8. Fwd: Agenda: WSC WG distributed meeting, Wednesday, 2007-11-28 (from johnath@mozilla.com on 2007-11-27)
  9. Agenda: WSC WG distributed meeting, Wednesday, 2007-11-28 (from Mary_Ellen_Zurko@notesdev.ibm.com on 2007-11-27)
  10. Meeting record: WSC WG f2f 2007-11-06 (from tlr@w3.org on 2007-11-21)
  11. ACTION-339 Proposal for authoring best practice for ISSUE-110 (from yngve@opera.com on 2007-11-21)
  12. Draft minutes: WSC WG 2007-11-06 (from tlr@w3.org on 2007-11-17)
  13. WSC Open Action Items (from Mary_Ellen_Zurko@notesdev.ibm.com on 2007-11-16)
  14. WSC Open Action Items (from Mary_Ellen_Zurko@notesdev.ibm.com on 2007-11-09)
  15. Meeting record: WSC WG f2f 2007-10-02 (from tlr@w3.org on 2007-10-25)
  16. Re: Draft Minutes: WSC WG face-to-face 2007-10-02 (from Mary_Ellen_Zurko@notesdev.ibm.com on 2007-10-10)
  17. Draft Minutes: WSC WG face-to-face 2007-10-02 (from tlr@w3.org on 2007-10-10)
  18. Re: ISSUE-110: POST triggered via JavaScript [Techniques] (from yngve@opera.com on 2007-10-02)
  19. ISSUE-110: POST triggered via JavaScript [Techniques] (from sysbot+tracker@w3.org on 2007-10-02)

Related notes:

Related issue: XHR used to "leak" data that is entered by the user before the user actually hits "submit" on a form. Note this is same-origin, whereas form submission can be cross-domain.

Thomas Roessler, 3 Oct 2007, 00:00:00

Added to Section 9: Authoring Best Practices as open issue.

Anil Saldhana, 21 Jan 2008, 21:10:25



Mary Ellen Zurko <mzurko@us.ibm.com>, Chair, Thomas Roessler <tlr@w3.org>, Staff Contact
$Id: 110.html,v 1.1 2010/10/11 09:35:04 dom Exp $