[wp-hackers] Any other way to do it? (or, do we really need Nonces?)

Robert Deaton false.hopes at gmail.com
Fri Mar 2 05:53:20 GMT 2007


On 3/1/07, Jeremy Visser <jeremy.visser at gmail.com> wrote:
> Mark Jaquith wrote:
> > On Feb 27, 2007, at 11:47 AM, howard chen wrote:
> >> can WP allow delete/update action thru HTTP GET?
> >
> > We protect HTTP GET deletes with nonces
>
> I've always disliked doing any dangerous action with GET, regardless of
> whether the links are protected with nonces.
>
> Can't we have some sort of JavaScript action that will load the
> comment/post ID into a POST form and submit it automagically?

No, it doesn't peacefully degrade for user agents without JS or with
JS disabled.

-- 
--Robert Deaton
http://lushlab.com

