Re: [Beacon] Last Call comments re: privacy and editorial suggestions

On Tue, Jul 29, 2014 at 5:04 PM, Nicholas Doty <npdoty@w3.org> wrote:
> A couple follow-up questions as your helpful replies have led me to read
> more mailing list discussions.
>
> On July 29, 2014, at 4:11 PM, Jonas Sicking <jonas@sicking.cc> wrote:
>
> The CORS specification is listed in the References, but doesn't seem to be
> referred to in the text of the specification. Are user agents intended to
> follow the CORS cross-origin request model when making a beacon request to a
> different origin? If so, is preflight required because of the non-simple
> Beacon-Age header?
>
>
> I think CORS is indirectly used by invoking the fetch spec. I guess
> that means that we could remove the reference to the CORS spec
> entirely. I don't feel strongly.
>
>
> This email suggests you settled on "yes, let's always send credentials"
> http://lists.w3.org/Archives/Public/public-web-perf/2014Feb/0025.html
> but the spec suggests that the credentials mode is always "omit". Which was
> intended here?

"omit" sounds wrong indeed.

> Omitting credentials would seem to lessen the concern of using Beacon for
> CSRF attacks. (I admit that the presence of the Origin and Beacon-Age
> headers should also help with that.)

Again, Beacon as well as CORS only sends requests that <form> has done
since before HTML4. So I don't see what the concern is. If you still
have concerns it would help if you could specify them more in detail.

> Also, Doug seems to have asked a similar question to what I had about
> whether preflight is required. As I read it now, it seems like preflight is
> always required (because Beacon-Age is not on the simple headers list). But
> your response suggests that preflight would only be required on certain MIME
> types. Could you clarify?

My understanding is that preflights are only caused by *page* provided
headers. Headers added by implementation never cause preflights.

For example neither "Host" nor "If-modified-since" are simple headers,
but despite being sent very frequently, they don't cause preflight.

/ Jonas

Received on Wednesday, 30 July 2014 00:23:17 UTC
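The preflight rule Jonas describes above (only page-provided headers count; headers the user agent adds itself, such as Beacon-Age, never trigger a preflight), as an added JavaScript model that is not part of this thread or of any browser's code. The safelisted header list follows the CORS simple-header rules; the mapping of a string beacon body to text/plain and the example origin are assumptions.

```javascript
// Added example (not from the thread): a small model of the CORS rule that only
// *page-provided* headers can make a cross-origin request non-simple and so
// require a preflight. Safelisted values follow the CORS simple-header list.

const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// Is a header the page set itself one of the CORS simple headers?
function isSimpleHeader(name, value) {
  switch (name.toLowerCase()) {
    case "accept":
    case "accept-language":
    case "content-language":
      return true;
    case "content-type": {
      // Only the MIME essence matters; parameters such as charset are ignored.
      const essence = value.split(";")[0].trim().toLowerCase();
      return SIMPLE_CONTENT_TYPES.has(essence);
    }
    default:
      return false;
  }
}

// pageHeaders: headers the script set. uaHeaders: headers the user agent adds
// on its own (Host, Origin, Beacon-Age, ...); they are deliberately ignored,
// which is the point Jonas makes.
function needsPreflight(method, pageHeaders, uaHeaders = {}) {
  void uaHeaders; // never consulted
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return true;
  return Object.entries(pageHeaders).some(([n, v]) => !isSimpleHeader(n, v));
}

// Model of navigator.sendBeacon(url, body): the only page-provided header is
// the Content-Type, taken from a Blob-like body's .type (assumption: a string
// body is sent as text/plain;charset=UTF-8). Beacon-Age and Origin come from
// the UA, so they cannot cause a preflight on their own.
function beaconNeedsPreflight(body) {
  const contentType =
    typeof body === "string" ? "text/plain;charset=UTF-8" : body.type;
  return needsPreflight("POST", { "Content-Type": contentType },
                        { "Beacon-Age": "0", "Origin": "https://example.test" });
}
```

A beacon carrying a JSON Blob is the case where a preflight is needed, while a string body or a text/plain Blob stays a simple request even with Beacon-Age attached.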