An oddiment with Web clients

Paul Hoffman (ietf-lists@proper.com)
Sun, 19 Mar 1995 16:39:20 -0700

A bit of a security issue just popped up. I'm not sure whether or not this
can be addressed in HTML 3, or if it's strictly up to Web client writers.

When you select a TYPE=SUBMIT button in a form, you have no idea *where*
your data is being sent to. In all the browsers I tried (even Lynx), waving
my cursor over any parts of the form or getting information about a form
element never showed the destination specified in the ACTION= field. A user
who is carefully watching the information bar of his/her browser to avoid
"bad" sites has no idea when submitting a form published from a "good" site
whether or not the data from the form will go to a "bad" site. Without
looking at the source HTML of the form, there's no way to know.

I'm not proposing a solution here. Of course, client software can just pay
attention to this and put the contents of the ACTION= field in the status
bar when the user is waving over any part of the form instead of only
displaying this information for links. On the other hand, if we add greater
security protections in HTML 3, we should keep this area in mind.
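
The check the message says requires reading the form's source HTML can be scripted. This is an added example, not part of the original message: `audit_forms`, the URLs and the sample page are constructed for illustration, and it goes slightly beyond the message by also honoring `<base href>` when resolving relative ACTION values.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def origin(url):
    """Return (scheme, host, port) so two destinations can be compared."""
    parts = urlsplit(url)
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
    return (parts.scheme, parts.hostname, port)


class FormActionAuditor(HTMLParser):
    """Collect the resolved destination of every <form> on a page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.base_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lowercases names, so ACTION= matches
        if tag == "base" and attrs.get("href"):
            # <base href> changes how relative ACTION values resolve.
            self.base_url = urljoin(self.page_url, attrs["href"])
        elif tag == "form":
            action = attrs.get("action")
            # A missing or empty ACTION submits back to the page itself.
            target = urljoin(self.base_url, action) if action else self.page_url
            self.findings.append({
                "action": target,
                "method": (attrs.get("method") or "get").lower(),
                "off_site": origin(target) != origin(self.page_url),
            })


def audit_forms(html, page_url):
    auditor = FormActionAuditor(page_url)
    auditor.feed(html)
    return auditor.findings


# Constructed sample: a page from a "good" site whose second form posts elsewhere.
SAMPLE_PAGE = """
<form action="/cgi-bin/search"><input type="submit"></form>
<form METHOD="POST" ACTION="http://collector.example.net/cgi-bin/save">
  <input name="card"><input type="submit">
</form>
"""
```

Calling `audit_forms(SAMPLE_PAGE, "http://good.example.com/order.html")` returns one record per form, with `off_site` set for the form whose data would leave the site that published the page.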