Re: [Beacon] Last Call comments re: privacy and editorial suggestions

I've made the changes suggested on this thread:

1) Improved language around "MUST honor the HTTP headers". Since Fetch
covers this, I removed this.

2) Removed reference to CORS spec.

Latest draft at

Re. the "credentials mode" parameter in the Fetch request, currently
we have it set to "omit". What should it be instead of that?


On Wed, Jul 30, 2014 at 10:29 AM, Jonas Sicking <> wrote:
> On Wed, Jul 30, 2014 at 7:26 AM, Wendy Seltzer <> wrote:
>>>> Omitting credentials would seem to lessen the concern of using
>>>> Beacon for CSRF attacks. (I admit that the presence of the Origin
>>>> and Beacon-Age headers should also help with that.)
>>> Again, Beacon as well as CORS only sends requests that <form> has
>>> done since before HTML4. So I don't see what the concern is. If you
>>> still have concerns it would help if you could specify them more in
>>> detail.
>> Doesn't form submission require user intervention -- so the end-user can
>> choose not to submit a form or to examine the source if concerned about
>> what or to whom he's submitting?
> That hasn't been the case for well over a decade. There are several
> ways to avoid that.
> * You can call the HTMLFormElement.submit() function from javascript.
> * You can use <input type=image> and create an image which looks like
> a link, but when clicked submits the form.
> * You can use CSS to style a <button type=submit> to look like a link.
> * You can use CSS to position content on top of a <button type=submit>
> while leaving holes which when clicked cause the <button type=submit>
> to be clicked.
> * You can use CSS to position content on top of a <button type=submit>
> and use the CSS property pointer-events to make all clicks go through
> to the underlying <button type=submit>.
> There are probably more ways.
> / Jonas

Received on Monday, 18 August 2014 01:53:48 UTC