Re: [Zope-dev] [RFClet]: What about the request method and the client side trojan?
Brian Lloyd wrote:
> > [proposal of disallowing GETs for management methods] The win would be that disabling JavaScript would make a client safe from this form of attack, AFAIK; OTOH I can't think of anything which would break ATM.
>
> While I don't necessarily disagree about making GETs idempotent, this still doesn't make you "safe", even with JS turned off.

Ahh, idempotent, that word escaped me ;-).

> A quick example: images can be used as form submit buttons. If I can get you to visit a page and click on my innocent-looking image... you're done :)

Ok, I wasn't clear enough. What I proposed would at least give the browser implementors a chance to remedy the problem (e.g. ask before form submission etc.). Compare your scenario to that where one just needs to write <img href="http://victimserver/evilmethod">

> This is a hard, hard problem. While some good ideas have been proposed, there is not really a quick fix that doesn't have some downside that some group somewhere considers a showstopper :(

I consider what I wrote really not the most sophisticated idea around, more something in the line of disabling unneeded servers on a unix machine. But I also don't see how it could be a showstopper for any scenario. No pain (barring modification of methods, which could be done step by step), some gain ... sounds good to me.

cheers,
oliver
Oliver Bleutgen
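As an added illustration of the point argued in this message (it is not code from the thread's authors or from the Zope project), the following Python model implements the proposal of refusing state-changing management methods over GET, then replays the two cross-site cases discussed: a page carrying an `<img>` tag, which the browser fetches with GET while rendering, and a page whose innocent-looking image is really an `<input type="image">` submit button, which the browser sends as a POST when clicked. The `Folder` class, its simplified `manage_delObjects`, the `victimserver` URL and the request objects are all hypothetical stand-ins constructed for the example.

```python
# Added example, not code from the Zope project or from the thread's authors.
# It models the proposal under discussion: a management method that refuses
# GET, so a cross-site <img src="..."> does nothing, while a POSTed form
# (an <input type="image"> submit button) still reaches it without any
# JavaScript. Folder, method and request details below are hypothetical.

from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit


@dataclass
class Request:
    method: str                                 # HTTP method the browser used
    url: str                                    # absolute URL it requested
    form: dict = field(default_factory=dict)    # fields from a POST body

    @property
    def path(self):
        return urlsplit(self.url).path

    def params(self):
        """Merge query-string and body fields, like a request's form dict."""
        merged = {k: v[0] for k, v in parse_qs(urlsplit(self.url).query).items()}
        merged.update(self.form)
        return merged


class Folder:
    """Toy container with one (simplified, hypothetical) management method."""

    def __init__(self, objects):
        self.objects = set(objects)

    def manage_delObjects(self, ids):
        for obj in ids.split(","):
            self.objects.discard(obj)
        return "ok"


# Management methods that change state; the proposal refuses them over GET.
STATE_CHANGING = {"manage_delObjects"}


def dispatch(folder, req):
    """Route a request to a folder method, applying the POST-only rule."""
    name = req.path.rsplit("/", 1)[-1]
    if name in STATE_CHANGING and req.method != "POST":
        return ("refused", f"{name} is not allowed over {req.method}")
    handler = getattr(folder, name)
    return ("executed", handler(**req.params()))


# Constructed attacker pages and the request each makes the victim's browser
# send. Neither needs JavaScript.
IMG_ATTACK_HTML = (
    '<img src="http://victimserver/site/manage_delObjects?ids=index_html">'
)
IMG_ATTACK = Request("GET", "http://victimserver/site/manage_delObjects?ids=index_html")

FORM_ATTACK_HTML = (
    '<form method="post" action="http://victimserver/site/manage_delObjects">'
    '<input type="hidden" name="ids" value="index_html">'
    '<input type="image" src="cute_kitten.gif"></form>'
)
FORM_ATTACK = Request("POST", "http://victimserver/site/manage_delObjects",
                      form={"ids": "index_html"})


def run_attacks():
    """Replay both pages against a fresh folder; return outcome and survivors."""
    results = {}
    for label, req in (("img", IMG_ATTACK), ("form", FORM_ATTACK)):
        folder = Folder(["index_html", "standard_html_header"])
        outcome, _detail = dispatch(folder, req)
        results[label] = (outcome, sorted(folder.objects))
    return results


if __name__ == "__main__":
    for label, (outcome, remaining) in run_attacks().items():
        print(f"{label:4} -> {outcome:8} remaining objects: {remaining}")
```

Running it shows the `img` page refused and the folder intact, while the `form` page is executed and `index_html` is gone: the method check removes the zero-interaction `<img>` case but, as the reply above says, a single click on an image that is really a submit button still gets through.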