[wp-hackers] Any other way to do it? (or, do we really need Nonces?)

Elliotte Harold elharo at metalab.unc.edu
Fri Mar 2 15:33:46 GMT 2007

Peter Westwood wrote:

> Yes but if I can convince you to click on a link that takes you to your
> blog's admin then I can just as likely convince you to click on a form
> post button that does the same.

The difference is you don't need to convince me to click on a link. You
can force my browser to follow a link in several ways without any human
intervention. That isn't the case with POST. I brought up the JavaScript
because it had been suggested that could be used to force a POST without
human intervention. I'm not sure that's true but it's worth investigating.

