early notes on Beacon API Last Call

Hi public-privacy,

I mentioned on the last teleconference that I had started to read over the Beacon document, which is currently at Last Call status in the Web Performance Working Group, and might have relevant privacy/security questions for us to comment on. The notes below are very rough and early notes, so please forgive my ignorance and brevity. Nonetheless, I would certainly welcome your thoughts; expertise with CSRF attacks or the CORS specifications would be most useful in analyzing the security implications.

Thanks,
Nick


In brief, I believe Beacon is a tool to enable sites to request that the browser asynchronously POST some analytics data collected while on the site after the page has unloaded. (Alternatively, sites now sometimes delay unloading the page in order to send back click information and the like.)

## must honor headers?

> User agents MUST honor the HTTP headers (including, in particular, redirects and HTTP cookie headers),

This seems to be new in this version of the spec and I don't understand the reasoning behind it. Why MUST user agents honor all response headers? If (as I believe most user agents do) a user agent typically ignores Set-Cookie headers from different origins, is that user agent non-conformant with Beacon?

## security considerations and CORS

What are the security considerations of this document? Does making background POST requests to other origins including sending credentials provide an increased risk of CSRF attacks? (Maybe this risk is identical to the existing risk of submitting POST forms to other origins.) Are cross-origin POST requests with credentials necessary to satisfy the purpose of the Beacon specification? If not, why add the attack surface?

The CORS specification is listed in the References, but doesn't seem to be referred to in the text of the specification. Are user agents intended to follow the CORS cross-origin request model when making a beacon request to a different origin? If so, is preflight required because of the non-simple Beacon-Age header?
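As an added illustration (this is not code from the Beacon draft or from this message), the following JavaScript applies the CORS "simple request" rule to the cases asked about above, showing that a POST with a text/plain body needs no preflight while the same POST carrying a Beacon-Age header does, and sketches the Origin allow-list check a receiving endpoint can apply so that a credentialed cross-origin beacon is not accepted any more readily than a cross-origin form POST would be. The header names, origins and allow-list are constructed for the example.

```javascript
// CORS "simple request" classification (the 2014 CORS spec's simple methods
// and simple headers). A request that is not simple triggers a preflight OPTIONS.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// Strip parameters such as "; charset=utf-8" and normalise case.
function mimeOf(contentType) {
  return (contentType || "").split(";")[0].trim().toLowerCase();
}

// Returns true when a cross-origin request with this method and these
// author-set headers can be sent without a preflight.
function isSimpleRequest(method, headers) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return false;
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SIMPLE_HEADERS.has(lower)) return false; // e.g. Beacon-Age is not on the list
    if (lower === "content-type" && !SIMPLE_CONTENT_TYPES.has(mimeOf(value))) {
      return false; // e.g. application/json also forces a preflight
    }
  }
  return true;
}

// Server-side check for a beacon endpoint: a credentialed cross-origin POST
// looks exactly like a form-based CSRF, so the endpoint should only accept
// beacons whose Origin header names a site it expects data from.
// `allowedOrigins` is a constructed allow-list, not anything from the spec.
function acceptBeacon(requestHeaders, allowedOrigins) {
  const origin = requestHeaders["origin"];
  if (!origin || !allowedOrigins.has(origin)) return false; // missing or foreign Origin
  return SIMPLE_CONTENT_TYPES.has(mimeOf(requestHeaders["content-type"]));
}
```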

## editorial comments

Some requirements are placed on "the User Agent" and others on "user agents"; consistency would be better.

Sections 1 and 4.1 (both Introductions) seem duplicative. In both cases, this sentence is first:
> The Beacon specification defines an interface that web developers can use to asynchronously transfer small HTTP data from the User Agent to a web server.

Nothing in the specification limits the size of the data sent. In fact, analytics data aggregated over an entire session (since unloading seems like the primary use case) might be quite large.

I think it would be more correct to refer to transferring data via HTTP rather than "HTTP data".

Web developers already have interfaces for asynchronously transferring data via HTTP. For example, XMLHttpRequest, as you note. Perhaps a better summary would be: "This specification defines an interface that web developers can use to asynchronously transfer data from the user agent to a web server during or after the unloading of a page."

Received on Sunday, 13 July 2014 05:01:55 UTC