On Wed, Jul 30, 2014 at 7:26 AM, Wendy Seltzer <[email protected]> wrote:
>>> Omitting credentials would seem to lessen the concern of using
>>> Beacon for CSRF attacks. (I admit that the presence of the Origin
>>> and Beacon-Age headers should also help with that.)
>>
>> Again, Beacon as well as CORS only sends requests that <form> has
>> done since before HTML4. So I don't see what the concern is. If you
>> still have concerns it would help if you could specify them more in
>> detail.
>
> Doesn't form submission require user intervention -- so the end-user can
> choose not to submit a form or to examine the source if concerned about
> what or to whom he's submitting?
That hasn't been the case for well over a decade. There are several ways
to avoid that.

* You can call the HTMLFormElement.submit() function from javascript.
* You can use <input type=image> and create an image which looks like a
  link, but when clicked submits the form.
* You can use CSS to style a <button type=submit> to look like a link.
* You can use CSS to position content on top of a <button type=submit>
  while leaving holes which when clicked cause the <button type=submit> to
  be clicked.
* You can use CSS to position content on top of a <button type=submit> and
  use the CSS property pointer-events to make all clicks go through to the
  underlying <button type=submit>.

There are probably more ways.

/ Jonas
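The thread's conclusion is that a beacon is no more able to trigger a state change than a script-submitted <form>, and that the Origin header the browser attaches to such requests is what a server should rely on. The following is an added example, not code from this thread or from any of its participants: a server-side acceptance check in Node-style JavaScript that treats GET/HEAD/OPTIONS as safe, requires a trusted Origin on every other request (rejecting a missing or `null` Origin, since neither proves the request came from our own pages), and then compares a session-bound CSRF token in constant time. The origin allowlist, the `csrf_token` field name and the request shape `{ method, headers, body, sessionToken }` are assumptions made for this example.

```javascript
// Added example (not from the mailing-list thread): defender-side CSRF checks
// for state-changing requests, whether they arrive from a <form>, a CORS
// fetch or navigator.sendBeacon(). Request shape and names are assumptions.

// Constructed allowlist for this example; a real deployment loads it from config.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);

// Methods that must not change server state and therefore need no CSRF check.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// The browser sets Origin on cross-site POSTs, CORS requests and beacons, and
// page script cannot forge or strip it, so an allowlist match is meaningful.
function isTrustedOrigin(headers, allowed = ALLOWED_ORIGINS) {
  const origin = headers.origin;            // Node lower-cases header names
  if (typeof origin !== 'string') return false; // absent: cannot prove it is ours
  if (origin === 'null') return false;      // opaque origin (sandboxed frame, data: URL)
  return allowed.has(origin);
}

// Constant-time comparison of the session's CSRF token with the submitted one.
// (In production Node code, crypto.timingSafeEqual does the same job.)
function csrfTokenValid(expected, submitted) {
  if (typeof expected !== 'string' || typeof submitted !== 'string') return false;
  if (expected.length !== submitted.length) return false;
  let diff = 0;
  for (let i = 0; i < expected.length; i++) {
    diff |= expected.charCodeAt(i) ^ submitted.charCodeAt(i);
  }
  return diff === 0;
}

// Verdict for one request: { method, headers, body, sessionToken }.
// Returns the decision together with the reason, so rejections can be logged.
function evaluateRequest(req) {
  const method = String(req.method || 'GET').toUpperCase();
  if (SAFE_METHODS.has(method)) {
    return { accept: true, reason: 'safe-method' };
  }
  if (!isTrustedOrigin(req.headers || {})) {
    return { accept: false, reason: 'origin' };
  }
  const submitted = req.body ? req.body.csrf_token : undefined;
  if (!csrfTokenValid(req.sessionToken, submitted)) {
    return { accept: false, reason: 'token' };
  }
  return { accept: true, reason: 'ok' };
}

// Constructed sample traffic: a cross-site POST (what a hidden auto-submitted
// form or a beacon from another site would look like) and a legitimate one.
function runSamples() {
  const samples = [
    { method: 'POST', headers: { origin: 'https://attacker.example' },
      body: { csrf_token: 'tok123' }, sessionToken: 'tok123' },
    { method: 'POST', headers: {},
      body: { csrf_token: 'tok123' }, sessionToken: 'tok123' },
    { method: 'POST', headers: { origin: 'https://app.example.com' },
      body: { csrf_token: 'tok123' }, sessionToken: 'tok123' },
  ];
  return samples.map((r) => evaluateRequest(r).reason);
}

console.log(runSamples()); // [ 'origin', 'origin', 'ok' ]
```

Note that the Origin check alone is not a substitute for the token: a request from a trusted origin can still be issued by injected script, so both checks apply to every non-safe method, and the token comparison is constant-time so that a rejected request leaks nothing about how many bytes matched.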
