- From: Jonas Sicking <jonas@sicking.cc>
- Date: Wed, 30 Jul 2014 10:29:44 -0700
- To: Wendy Seltzer <wseltzer@w3.org>
- Cc: "public-web-perf@w3.org" <public-web-perf@w3.org>
On Wed, Jul 30, 2014 at 7:26 AM, Wendy Seltzer <wseltzer@w3.org> wrote:
>>> Omitting credentials would seem to lessen the concern of using
>>> Beacon for CSRF attacks. (I admit that the presence of the Origin
>>> and Beacon-Age headers should also help with that.)
>>
>> Again, Beacon as well as CORS only sends requests that <form> has
>> done since before HTML4. So I don't see what the concern is. If you
>> still have concerns it would help if you could specify them more in
>> detail.
>
> Doesn't form submission require user intervention -- so the end-user can
> choose not to submit a form or to examine the source if concerned about
> what or to whom he's submitting?

That hasn't been the case for well over a decade. There are several ways
to avoid that.

* You can call the HTMLFormElement.submit() function from JavaScript.
* You can use <input type=image> and create an image which looks like a
  link, but when clicked submits the form.
* You can use CSS to style a <button type=submit> to look like a link.
* You can use CSS to position content on top of a <button type=submit>
  while leaving holes which when clicked cause the <button type=submit>
  to be clicked.
* You can use CSS to position content on top of a <button type=submit>
  and use the CSS property pointer-events to make all clicks go through
  to the underlying <button type=submit>.

There are probably more ways.

/ Jonas
Received on Wednesday, 30 July 2014 17:30:41 UTC