Re: [Beacon] Last Call comments re: privacy and editorial suggestions

 Jonas Sicking wrote:

>> Omitting credentials would seem to lessen the concern of using
>> Beacon for CSRF attacks. (I admit that the presence of the Origin
>> and Beacon-Age headers should also help with that.)
> Again, Beacon as well as CORS only sends requests that <form> has
> done since before HTML4. So I don't see what the concern is. If you
> still have concerns it would help if you could specify them more in
> detail.

Doesn't form submission require user intervention -- so the end-user can
choose not to submit a form or to examine the source if concerned about
what or to whom he's submitting?

I share Nick's concerns that the spec should have a mention of privacy
considerations. Are we really at the point where a user browsing the Web
should assume that any information about his environment is up for grabs
by the origin he visits or any other site to which that site points? If
so, we need to do a much better job advertising the non-expectation of


Wendy Seltzer -- +1.617.715.4883 (office)
Policy Counsel and Domain Lead, World Wide Web Consortium (W3C)        +1.617.863.0613 (mobile)

Received on Wednesday, 30 July 2014 14:26:15 UTC