http-extensions icon indicating copy to clipboard operation
http-extensions copied to clipboard

Published 20 hours ago verified publisher icon httpwg

QUERY in HTML forms

Open martinthomson opened this issue 3 years ago • 1 comments

I wonder if it is worth exploring whether HTML might add QUERY to GET and POST for form submission. It could use application/x-www-wossname and so might be a drop-in replacement for POST in effect, without the unsafe connotations.

I don't know how extensive the GET/POST assumption is, which would be the main reason not to. But maybe we could at least ask. At which point, close this issue; I don't think that any change is needed in the IETF document in response to this.

martinthomson avatar Aug 05 '22 03:08 martinthomson

Yes, we could ask, but I'm pessimistic.

reschke avatar Aug 05 '22 06:08 reschke

@annevk? Seems like it's something that could be polyfilled...

mnot avatar Oct 13 '22 00:10 mnot

without the unsafe connotations

Could this be explained more, or is there a link to something that would?

(In case it’s useful: where method and formmethod are defined.)

bathos avatar Oct 13 '22 03:10 bathos

It would be a further extension to the same-origin policy, especially if we don't require CORS (and if we do want CORS, that will be a pain since this is a navigation and not an ordinary fetch). As such, it would be either risky or not worth the effort.

https://github.com/whatwg/html/issues/3577 has some past discussion on this regarding DELETE and PUT methods where I'm mostly beating the same drum.

(You also make a good point that navigation and session history make some assumptions around POST being the only other method in existence, but there is an effort underway at getting those concepts better standardized and made interoperable between browsers which would in theory make it easier to make changes there.)

annevk avatar Oct 13 '22 09:10 annevk

Thanks, @annevk. Will close this as indicated.

mnot avatar Oct 13 '22 22:10 mnot

While I understand the risk involved with adding support for unsafe methods like DELETE, PUT and PATCH, I don't understand what risk would be involved with allowing QUERY. It's just GET with a request body.

there is an effort underway at getting those concepts better standardized and made interoperable between browsers which would in theory make it easier to make changes there

Where can I follow or read up on this effort, @annevk?

asbjornu avatar Aug 31 '23 08:08 asbjornu

It has landed in the HTML Standard so you could read about navigation there. I haven't checked myself yet though if all of form submission got refactored as well.

Also, my comment above might seem more hopeful than the reality, which is that changes to form submission will be hard. And almost definitely any new kind of cross-origin method would require some kind of opt-in as the safety we care about is not that of the method definition of safety, but that of end users.

annevk avatar Aug 31 '23 10:08 annevk