Re: [Beacon] Last Call comments re: privacy and editorial suggestions

I wanted to follow up on the credentials mode question. Jonas,
Nicholas, could you help me with it?

Arvind

On Sun, Aug 17, 2014 at 6:53 PM, Arvind Jain <arvind@google.com> wrote:
> I've made the changes suggested on this thread:
>
> 1) Improved language around "MUST honor the HTTP headers". Since Fetch
> covers this, I removed this.
>
> 2) Removed reference to CORS spec.
>
> Latest draft at https://w3c.github.io/web-performance/specs/Beacon/Overview.html
>
> Re. the "credentials mode" parameter in the Fetch request, currently
> we have it set to "omit". What should it be instead of that?
>
> Arvind
>
> On Wed, Jul 30, 2014 at 10:29 AM, Jonas Sicking <jonas@sicking.cc> wrote:
>> On Wed, Jul 30, 2014 at 7:26 AM, Wendy Seltzer <wseltzer@w3.org> wrote:
>>>>> Omitting credentials would seem to lessen the concern of using
>>>>> Beacon for CSRF attacks. (I admit that the presence of the Origin
>>>>> and Beacon-Age headers should also help with that.)
>>>>
>>>> Again, Beacon as well as CORS only sends requests that <form> has
>>>> done since before HTML4. So I don't see what the concern is. If you
>>>> still have concerns it would help if you could specify them more in
>>>> detail.
>>>
>>> Doesn't form submission require user intervention -- so the end-user can
>>> choose not to submit a form or to examine the source if concerned about
>>> what or to whom he's submitting?
>>
>> That hasn't been the case for well over a decade. There are several
>> ways to avoid that.
>>
>> * You can call the HTMLFormElement.submit() function from javascript.
>> * You can use <input type=image> and create an image which looks like
>> a link, but when clicked submits the form.
>> * You can use CSS to style a <button type=submit> to look like a link.
>> * You can use CSS to position content on top of a <button type=submit>
>> while leaving holes which when clicked cause the <button type=submit>
>> to be clicked.
>> * You can use CSS to position content on top of a <button type=submit>
>> and use the CSS property pointer-events to make all clicks go through
>> to the underlying <button type=submit>.
>>
>> There are probably more ways.
>>
>> / Jonas
>>

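The discussion above turns on two mitigations for the CSRF concern: the Fetch request's credentials mode being "omit" (so no cookies ride along) and the Origin and Beacon-Age headers a beacon carries. The following is an added example, not code from the Beacon draft, from Fetch, or from anyone on this thread, showing the receiving side of that arrangement: a beacon collection endpoint that only records POSTs whose Origin is on a configured allowlist, ignores any ambient credentials rather than acting on them, and rejects a malformed Beacon-Age. The allowlist, the request objects and the assumption that Beacon-Age is a non-negative integer of seconds are constructed for this example.

```javascript
// Added example (not from the Beacon spec or this thread): server-side triage of
// beacon POSTs. Requests are modelled as plain objects with lower-cased header
// names so the logic runs offline; a real endpoint would adapt its framework's
// request object to this shape.

// Constructed allowlist of page origins permitted to send beacons to this endpoint.
const ALLOWED_ORIGINS = new Set(['https://app.example', 'https://www.app.example']);

// Assumption for this example: Beacon-Age is a decimal count of whole seconds,
// i.e. a non-negative integer. Absent header -> null; malformed -> NaN.
function parseBeaconAge(value) {
  if (value === undefined) return null;
  if (!/^\d{1,10}$/.test(value)) return NaN;
  return Number(value);
}

// Decide whether a request may be recorded as telemetry. `req` is
// { method, headers: { lowerCasedName: value }, body }. A decision object is
// returned instead of throwing so an ingest worker can log rejections.
function classifyBeaconRequest(req, allowedOrigins = ALLOWED_ORIGINS) {
  if (req.method !== 'POST') {
    return { accept: false, reason: 'method-not-post' };
  }
  const origin = req.headers['origin'];
  if (origin === undefined) {
    // Beacon and CORS requests carry an Origin header; a POST without one cannot
    // be attributed to a page, so it is refused.
    return { accept: false, reason: 'missing-origin' };
  }
  if (!allowedOrigins.has(origin)) {
    return { accept: false, reason: 'origin-not-allowed', origin };
  }
  const age = parseBeaconAge(req.headers['beacon-age']);
  if (Number.isNaN(age)) {
    return { accept: false, reason: 'malformed-beacon-age' };
  }
  // With credentials mode "omit" the browser attaches no cookies. Should any
  // credential header arrive anyway, it is listed for the log and otherwise
  // ignored: telemetry is attributed to the Origin, never to a session, so a
  // forged beacon cannot perform an authenticated action.
  const ignoredCredentialHeaders = ['cookie', 'authorization'].filter((h) => h in req.headers);
  return { accept: true, reason: 'ok', origin, beaconAgeSeconds: age, ignoredCredentialHeaders };
}

// Constructed sample traffic: a legitimate beacon, a POST from an origin that is
// not allowed, a beacon that carries a cookie, one with a bad Beacon-Age, and a GET.
const SAMPLE_REQUESTS = [
  { method: 'POST', headers: { origin: 'https://app.example', 'beacon-age': '3', 'content-type': 'text/plain' }, body: 'pageview' },
  { method: 'POST', headers: { origin: 'https://other.example', 'content-type': 'text/plain' }, body: 'action=delete' },
  { method: 'POST', headers: { origin: 'https://app.example', cookie: 'sid=abc' }, body: 'pageview' },
  { method: 'POST', headers: { origin: 'https://app.example', 'beacon-age': '-1' }, body: 'pageview' },
  { method: 'GET', headers: { origin: 'https://app.example' }, body: '' },
];

// Summarise decisions over a batch, the way an ingest worker might report them.
function triageBeacons(requests = SAMPLE_REQUESTS) {
  const summary = { accepted: 0, rejected: {} };
  for (const req of requests) {
    const decision = classifyBeaconRequest(req);
    if (decision.accept) summary.accepted += 1;
    else summary.rejected[decision.reason] = (summary.rejected[decision.reason] || 0) + 1;
  }
  return summary;
}

console.log(JSON.stringify(triageBeacons(), null, 2));
```

The Origin check is what stands in for the "user intervention" Wendy asked about: whether the POST came from a form, `submit()`, or `sendBeacon`, the endpoint records it only if the page that sent it is one this deployment trusts, and even then the record is keyed to that origin rather than to any session the browser might have.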
Received on Saturday, 23 August 2014 14:06:12 UTC