https://issues.apache.org/bugzilla/show_bug.cgi?id=51147
--- Comment #6 from Konstantin Kolinko <knst.koli...@gmail.com> 2011-05-04 12:29:17 UTC --- (In reply to comment #5) > The problem is that when a form is use with GET and the action URL contains > request parameters user agents may (FF4 does) overwrite the parameters already > in the URL with those in the form rather than combine them. Switching to POST > avoids this issue. That is how form submission is defined in HTML5. 4.10.22 Form submission [1] -> 4.10.22.3 Form submission algorithm -> Table in Step 17 -> "http" + GET method gives "Mutate action URL" -> Mutate action URL is "Let destination be a new URL that is equal to the action except that its <query> component is replaced by query (adding a U+003F QUESTION MARK character (?) if appropriate)." [1] http://www.whatwg.org/specs/web-apps/current-work/multipage/association-of-controls-and-forms.html#form-submission So it is a natural limitation on the use of CsrfPreventionFilter in such forms. But I am OK with the change to the form, because I do not see a reason to use GET method here. The action is not repeatable, nor it is bookmarkable, because of the nonce. -- Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
