- From: Wendy Seltzer <wseltzer@w3.org>
- Date: Wed, 30 Jul 2014 10:26:14 -0400
- To: public-web-perf@w3.org
Jonas Sicking wrote:
>> Omitting credentials would seem to lessen the concern of using
>> Beacon for CSRF attacks. (I admit that the presence of the Origin
>> and Beacon-Age headers should also help with that.)
>
> Again, Beacon as well as CORS only sends requests that <form> has
> done since before HTML4. So I don't see what the concern is. If you
> still have concerns it would help if you could specify them more in
> detail.

Doesn't form submission require user intervention -- so the end-user can choose not to submit a form or to examine the source if concerned about what or to whom he's submitting?

I share Nick's concerns that the spec should have a mention of privacy considerations. Are we really at the point where a user browsing the Web should assume that any information about his environment is up for grabs by the origin he visits or any other site to which that site points? If so, we need to do a much better job advertising the non-expectation of privacy.

--Wendy

--
Wendy Seltzer -- wseltzer@w3.org  +1.617.715.4883 (office)
Policy Counsel and Domain Lead, World Wide Web Consortium (W3C)
http://wendy.seltzer.org/  +1.617.863.0613 (mobile)
Received on Wednesday, 30 July 2014 14:26:15 UTC
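As an added defender-side example (not from this thread, the Beacon spec, or any W3C code): the Origin-header check a beacon endpoint can apply, since a beacon and a cross-site form POST both arrive with the user's cookies. The allowlisted origin and the sample request headers are constructed for the example.

```javascript
// Added example: server-side Origin check for a beacon/analytics endpoint.
// Both navigator.sendBeacon() and a cross-site <form> POST carry the
// user's cookies, so the endpoint must not trust the session cookie
// alone; it checks the browser-supplied Origin header instead.
// ALLOWED_ORIGINS is an assumed deployment value.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// headers: object with lower-cased header names (the shape of Node's
// req.headers). Returns { accept, reason } so rejections can be logged.
function checkBeaconOrigin(headers, allowed = ALLOWED_ORIGINS) {
  const origin = headers["origin"];
  if (origin === undefined) {
    return { accept: false, reason: "missing Origin header" };
  }
  // Browsers send the literal string "null" for opaque origins
  // (sandboxed iframes, data: URLs); never allowlist it.
  if (origin === "null") {
    return { accept: false, reason: "opaque (null) origin" };
  }
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return { accept: false, reason: "malformed Origin header" };
  }
  // Compare the serialized origin (scheme://host[:port]) exactly, so a
  // lookalike such as "https://app.example.com.other.test" cannot match
  // by prefix; URL normalizes case and drops the default port.
  if (!allowed.has(parsed.origin)) {
    return { accept: false, reason: `origin ${parsed.origin} not allowlisted` };
  }
  return { accept: true, reason: "ok" };
}

// Constructed sample requests: a first-party beacon and a cross-site POST
// that both carry the same session cookie.
const sampleBeacon = {
  origin: "https://app.example.com",
  cookie: "sid=abc",
  "content-type": "text/plain",
};
const sampleCrossSite = {
  origin: "https://third-party.test",
  cookie: "sid=abc",
  "content-type": "application/x-www-form-urlencoded",
};
```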