- From: Yngve Nysaeter Pettersen <yngve@opera.com>
- Date: Wed, 21 Nov 2007 16:37:59 +0100
- To: "public-wsc-wg@w3.org" <public-wsc-wg@w3.org>
Hello all,
Background:
Javascript and other scripting languages have the capability to trigger
submission of user-entered data to a site through several mechanisms,
primarily forms and XMLHttpRequest (AJAX); other methods also exist.
These actions can be triggered manually by the user, when clicking on a
submit button causes Javascript to process the submitted information (e.g.
to check validity) and use APIs in the DOM to submit the form after
successful processing of the data. The submit action can also be
automatically performed by Javascript, which is often used to
automatically change a page to a selected version.
Problems arise when such actions are performed on sensitive data provided
by the user, such as login credentials or credit card information, in
particular if they are submitted without the informed consent of the user.
Suggestion for authoring best practices:
Websites MUST NOT send sensitive data, like login information and
credit card information, using automatic Javascript actions, unless the
action is triggered by a positive indication from the user that the
transmission of the data for the indicated purpose is acceptable.
--
Sincerely,
Yngve N. Pettersen
********************************************************************
Senior Developer Email: yngve@opera.com
Opera Software ASA http://www.opera.com/
Phone: +47 24 16 42 60 Fax: +47 24 16 40 01
********************************************************************
Received on Wednesday, 21 November 2007 15:39:19 UTC
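As an added illustration (not part of the original post), the guard below encodes the suggested practice: a submission carrying credential or card fields proceeds only when the triggering event is a browser-dispatched submit or click, so script-initiated submit() calls, script-built synthetic events and select-onchange auto-submits are refused. Form fields and events are modelled as plain objects so it runs outside a browser; the login form and the event objects are constructed.

```javascript
// Added example (not from the post): a submit guard implementing the
// suggested practice. DOM forms and events are modelled as plain objects
// so the code runs in Node; every input below is constructed.
// HTML autocomplete tokens that identify credential and payment-card fields.
const SENSITIVE_AUTOCOMPLETE = new Set([
  'current-password', 'new-password', 'one-time-code',
  'cc-name', 'cc-number', 'cc-exp', 'cc-exp-month', 'cc-exp-year', 'cc-csc',
]);

// Names of the fields that carry login credentials or card data.
function sensitiveFields(fields) {
  return fields
    .filter(f => f.type === 'password' || SENSITIVE_AUTOCOMPLETE.has(f.autocomplete))
    .map(f => f.name);
}

// Decide whether a submission may proceed. `event` is the event that led to
// the submit call, or undefined when script called submit() on its own. Only a
// browser-dispatched (isTrusted) submit or click is a positive indication; a
// change event from a select and a script-built synthetic event are not.
function submitDecision(fields, event) {
  const sensitive = sensitiveFields(fields);
  if (sensitive.length === 0) {
    return { allowed: true, reason: 'no sensitive fields', sensitive };
  }
  const userInitiated = event != null && event.isTrusted === true &&
    (event.type === 'submit' || event.type === 'click');
  if (!userInitiated) {
    return { allowed: false, reason: 'sensitive fields need an explicit user action', sensitive };
  }
  return { allowed: true, reason: 'user-initiated', sensitive };
}

// Constructed login form plus four ways a page might trigger its submission.
const LOGIN_FORM = [
  { name: 'user', type: 'text', autocomplete: 'username' },
  { name: 'pass', type: 'password', autocomplete: 'current-password' },
];
const SCENARIOS = {
  scriptSubmit: undefined,                               // form.submit() from onload or a timer
  selectChange: { type: 'change', isTrusted: true },     // <select onchange> auto-submit
  syntheticSubmit: { type: 'submit', isTrusted: false }, // dispatchEvent(new Event('submit'))
  userSubmit: { type: 'submit', isTrusted: true },       // user pressed the submit button
};

// Map each scenario to its decision; only userSubmit should be allowed.
function evaluateScenarios(fields = LOGIN_FORM) {
  const out = {};
  for (const [name, event] of Object.entries(SCENARIOS)) out[name] = submitDecision(fields, event).allowed;
  return out;
}
```

In a real page this check belongs in the form's submit listener, calling preventDefault() when the decision is not allowed. Because HTMLFormElement.submit() bypasses submit listeners altogether, a form holding sensitive fields should never be submitted that way.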