[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Mailing form

Olaf Walkowiak wrote:

> Hi,
> anx.scan wrote:
> > 
> > huh? what security risks? so, what other ways are there to do this
> > then?  i dont have unix, cgi stuff, nor do i care to.
> The same with me!
> > it makes no sense to me... what can a hacker do to a form thats
> > emailed to me that he cant do to me through regular email?
> He could set up a page which automatically "Mailbombs" someone. But
> there must be another way to fix the Problem. Maybe the Browser
> should send a copy of the mailed form to himself, with the URL of
> the related page in it, or something like that. The URL of the
> "form-page" could also be added to every form-post, so a Mailbombed
> User would see where it cames from.
> I think, there are lots of other ways to handle it, each of it
> better than disabling e-mailing a form.
> Once again: I would REALLY miss it.

So would I. My entire error reporting page uses mailto:. Are they
talking about removing the feature entirely or just non-user initiated

It seems to me that they have overlooked a viable alternative to
removing features like mailto, and the ability to harvest various user
info. Why don't they just treat it like unsecure transmissions?
Display a dialog box on the screen whenever such data is accessed and
give the user the choice of accepting or rejecting it. This would allow them 
to retain what many feel are valuable features. Let the user decide 
on an instance by instance basis whether they want to allow access to
THEIR data.

For help about the list, please send a message to 'majordomo@obscure.org'
with the message body 'help'. To unsubscribe, send a message to
'majordomo@obscure.org' with the message body 'unsubscribe javascript'.
List archives and pointer to FAQ: http://www.obscure.org/javascript/