note
tinita
<blockquote><i>I'm sure I'm not the first to think of this and I think I even fell for it on someone else's home node long ago.
</i></blockquote>
And this was fixed a while ago, because if you can send a message (to a user or the chatterbox) just by a simple GET request, this is open to [http://en.wikipedia.org/wiki/Cross-site_request_forgery|CSRF]. Actually, before this was fixed, you were able to put an image tag in your home node whose source was a link for sending a message, so it would have been called automatically when you visited the home node.<br>
So it's good that this doesn't work anymore (although it's still not fully CSRF protected).<br>
<br>
<strike>Why the prefilled form requires editing the fields I don't know; it might also be a kind of protection, but it makes the msg link kind of useless.</strike>
<br>
Update: The prefilled form requires editing the text field only (not the recipient, as I first thought when looking at the HTML source), and this is probably meant as a protection, so that people really look at the prefilled text before sending it.
917661
917661
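An added example, not part of the post above and not the site's own code: a minimal message-sending handler that refuses GET (which is what stops the image-tag trick) and also checks a session-bound token, the step that separates "no longer works via GET" from full CSRF protection. The names send_message, csrf_token, SERVER_KEY and OUTBOX are hypothetical, and the session ids in the demo are constructed.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # assumption: per-process server secret
OUTBOX = []                           # stands in for the real message store


def csrf_token(session_id: str) -> str:
    """Token bound to one session; a third-party page cannot read or guess it."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def send_message(method: str, session_id: str, params: dict) -> int:
    """Return an HTTP status code; the message is stored only on 200."""
    # 1. Never change state on GET: an image tag or a plain link can only
    #    issue GET requests, so neither can trigger a send.
    if method != "POST":
        return 405
    # 2. POST alone is not enough: a form on another site that submits itself
    #    still carries the visitor's cookies. Require the token that only
    #    pages served to this session contain.
    supplied = str(params.get("csrf_token", ""))
    expected = csrf_token(session_id)
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 403
    # 3. Only now look at the message itself.
    if not params.get("to") or not params.get("text"):
        return 400
    OUTBOX.append((session_id, params["to"], params["text"]))
    return 200


if __name__ == "__main__":
    sid = "constructed-session-1"  # constructed sample value
    msg = {"to": "someuser", "text": "hello"}
    print(send_message("GET", sid, msg))    # 405: image-tag style request
    print(send_message("POST", sid, msg))   # 403: cross-site form, no token
    print(send_message("POST", sid, {**msg, "csrf_token": csrf_token(sid)}))  # 200
```
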