Re: Automatic Entry and Forms

Joe English (jenglish@crl.com)
Mon, 26 Feb 1996 09:11:29 -0800


Message-Id: <199602261711.AA22300@mail.crl.com>
To: www-html@w3.org
Subject: Re: Automatic Entry and Forms
Date: Mon, 26 Feb 1996 09:11:29 -0800
From: Joe English <jenglish@crl.com>



Here's a scenario to consider:

Company A, a trustworthy and respectable publisher,
presents a subscription form prompting for personal
demographic information.  Since A is trustworthy and
promises not to use this information for evil, you
fill it out and send it.  For convenience, Company A's
form points to a template on their site, so your browser
records the values (unbeknownst to you until the next
time you visit their site).

Company B, a disreputable direct-marketing firm that you
would not trust with your e-mail address, puts up a form on
their own site that hijacks Company A's template.  The
fields containing the sensitive information are way down at
the bottom of the page in a cleverly-formatted table so
you don't even notice that your browser has automatically
filled them in.  You press the Submit button and a week
later you're getting junk mail from all over the planet.


--Joe English

  jenglish@crl.com
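
The scenario above, modeled as an added example that is not part of the original message: a toy store of saved form values, keyed first by template URL alone (the behaviour the scenario describes) and then by the form page's origin plus the template. The `AutofillStore` class, the URLs and the field names are hypothetical, and binding to the origin is one possible safeguard assumed here, not something the message proposes.

```javascript
// Toy model of a browser's saved-form-value store (hypothetical names throughout).
class AutofillStore {
  // bindToOrigin=false models the scenario: values are keyed by template URL only.
  constructor(bindToOrigin) {
    this.bindToOrigin = bindToOrigin;
    this.saved = new Map();
  }

  // Storage key: the template alone, or the form page's origin plus the template.
  key(formPageUrl, templateUrl) {
    const origin = new URL(formPageUrl).origin;
    return this.bindToOrigin ? `${origin} ${templateUrl}` : templateUrl;
  }

  // Called when the user submits a form that names a template.
  remember(formPageUrl, templateUrl, values) {
    const k = this.key(formPageUrl, templateUrl);
    this.saved.set(k, new Map(Object.entries(values)));
  }

  // Called when a page is rendered: returns what the browser would pre-fill.
  prefill(formPageUrl, templateUrl, fieldNames) {
    const values = this.saved.get(this.key(formPageUrl, templateUrl)) || new Map();
    const filled = {};
    for (const name of fieldNames) {
      if (values.has(name)) filled[name] = values.get(name);
    }
    return filled;
  }
}

// Constructed sample data: Company A collects the values, Company B's page
// then names Company A's template for its own form.
const TEMPLATE = "https://company-a.example/templates/subscriber";

function runScenario(bindToOrigin) {
  const store = new AutofillStore(bindToOrigin);
  store.remember("https://company-a.example/subscribe", TEMPLATE,
    { name: "Pat Example", email: "pat@example.org", income: "50-75k" });
  return store.prefill("https://company-b.example/contest", TEMPLATE,
    ["email", "income"]);
}

console.log("template-keyed:", runScenario(false)); // Company B's form is pre-filled
console.log("origin-bound:  ", runScenario(true));  // nothing is pre-filled
```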