W3C home > Mailing lists > Public > public-wsc-wg@w3.org > November 2007

ACTION-339 Proposal for authoring best practice for ISSUE-110

From: Yngve Nysaeter Pettersen <yngve@opera.com>
Date: Wed, 21 Nov 2007 16:37:59 +0100
To: "public-wsc-wg@w3.org" <public-wsc-wg@w3.org>
Message-ID: <op.t15e1locvqd7e2@killashandra-ii.oslo.opera.com>

Hello all,


Javascript and other scripting languages have the capability to trigger  
submission of user-entered data to a site through several mechanisms,  
primarily forms and XMLHttpRequest (AJAX), others methods also exist.

These actions can be triggered manually by the user, when clicking on a  
submit button cause Javascript to process the submitted information (e.g  
to check validity) and use APIs in the DOM to submit the form after  
sucessful processing of the data. The submit action can also be  
automatically performed by Javascript, which is often used to  
automatically change a page to a selected version.

Problems arise when such actions are performed on sensitive data provided  
by the user, such as login credentials or credit card information, in  
particular if they are submitted without the informed consent of the user.

Suggestion for authoring best practices:

    Websites MUST NOT send sensitive data, like login information and  
credit card information,
    using automatic Javascript actions, unless the action is triggered by a  
positive indication
    from the user that the transmission of the data for the indicated  
purpose is acceptable.

Yngve N. Pettersen
Senior Developer		                 Email: yngve@opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 24 16 42 60              Fax:    +47 24 16 40 01
Received on Wednesday, 21 November 2007 15:39:19 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:14:19 UTC