> A bit of a security issue just popped up. I'm not sure whether or not
> this can be addressed in HTML 3, or if it's strictly up to Web client
> writers.
This issue seems more a web-client-author thing, but we should probably
say something in the documentation that its recommended behaviour.
> When you select a TYPE=SUBMIT button in a form, you have no idea *where*
> your data is being sent to. In all the browsers I tried (even Lynx),
> waving my cursor over any parts of the form or getting information about
> a form element never showed the destination specfied in the ACTION=
> field. A user who is carefully watching the information bar of his/her
> browser to avoid "bad" sites has no idea when submitting a form published
> from a "good" site whether or not the data from the form will go to a
> "bad" site. Without looking at the source HTML of the form, there's no
> way to know.
Secure NCSA-Mosaic from Terisa already does this (and I believe the
upcoming SHTTP version of AIR Mosaic does as well, if not I'll try to make
it before we ship). I also just updated Emacs-w3 to do this.
-Bill P.