Sam Stephenson
Jon Lunman@sstephenson My only reservation about this is that older browsers that don't yet support these additional form methods will default to a GET request, causing the form fields to be sent via the query string. This could leak sensitive information to server/proxy logs, browser history, referrer header, etc.
@sstephenson The safest way I can think of to introduce this capability is by introducing a new element to be used *instead of* the form element, but that can (optionally) wrap a <form> to provide a safe fallback for older browsers.
Something like this:
@sstephenson Admittedly, my (hasty) suggestion may raise more problems than it solves, now that I think of all the form-related attributes and DOM properties, and how those would behave with the introduction of a new element...
Still, the information leakage risk concerns me. There needs to be some way for the form to fallback to POST when the other methods aren't supported.