Re: [Beacon] Last Call comments re: privacy and editorial suggestions

On Wed, Jul 30, 2014 at 7:26 AM, Wendy Seltzer <> wrote:
>>> Omitting credentials would seem to lessen the concern of using
>>> Beacon for CSRF attacks. (I admit that the presence of the Origin
>>> and Beacon-Age headers should also help with that.)
>> Again, Beacon as well as CORS only sends requests that <form> has
>> done since before HTML4. So I don't see what the concern is. If you
>> still have concerns it would help if you could specify them more in
>> detail.
> Doesn't form submission require user intervention -- so the end-user can
> choose not to submit a form or to examine the source if concerned about
> what or to whom he's submitting?

That hasn't been the case for well over a decade. There are several
ways to avoid that.

* You can call the HTMLFormElement.submit() function from javascript.
* You can use <input type=image> and create an image which looks like
a link, but when clicked submits the form.
* You can use CSS to style a <button type=submit> to look like a link.
* You can use CSS to position content on top of a <button type=submit>
while leaving holes which when clicked cause the <button type=submit>
to be clicked.
* You can use CSS to position content on top of a <button type=submit>
and use the CSS property pointer-events to make all clicks go through
to the underlying <button type=submit>.

There are probably more ways.

/ Jonas

Received on Wednesday, 30 July 2014 17:30:41 UTC