A hidden form that automatically sends POST requests to some other site without user
intervention? Do you have an example? I'm just surprised that this is allowed by
Of course I agree strongly with the grandparent; don't use GET requests for stateful
operations. That is just asking for trouble. I once worked in a web development shop where
the policy was that clickable links were somehow cooler than form submit buttons, so the user
management page had a 'delete' link for each user. A customer was using a web accelerator
program that prefetches links (a perfectly allowable thing to do, provided it just GETs) and
deleted all users from the site.