I wanted to follow up on the credentials mode question. Jonas, Nicholas, could you help me with it?
Arvind

On Sun, Aug 17, 2014 at 6:53 PM, Arvind Jain <[email protected]> wrote:
> I've made the changes suggested on this thread:
>
> 1) Improved language around "MUST honor the HTTP headers". Since Fetch
> covers this, I removed this.
>
> 2) Removed reference to CORS spec.
>
> Latest draft at
> https://w3c.github.io/web-performance/specs/Beacon/Overview.html
>
> Re. the "credentials mode" parameter in the Fetch request, currently
> we have it set to "omit". What should it be instead of that?
>
> Arvind
>
> On Wed, Jul 30, 2014 at 10:29 AM, Jonas Sicking <[email protected]> wrote:
>> On Wed, Jul 30, 2014 at 7:26 AM, Wendy Seltzer <[email protected]> wrote:
>>>>> Omitting credentials would seem to lessen the concern of using
>>>>> Beacon for CSRF attacks. (I admit that the presence of the Origin
>>>>> and Beacon-Age headers should also help with that.)
>>>>
>>>> Again, Beacon as well as CORS only sends requests that <form> has
>>>> done since before HTML4. So I don't see what the concern is. If you
>>>> still have concerns it would help if you could specify them more in
>>>> detail.
>>>
>>> Doesn't form submission require user intervention -- so the end-user can
>>> choose not to submit a form or to examine the source if concerned about
>>> what or to whom he's submitting?
>>
>> That hasn't been the case for well over a decade. There are several
>> ways to avoid that.
>>
>> * You can call the HTMLFormElement.submit() function from javascript.
>> * You can use <input type=image> and create an image which looks like
>> a link, but when clicked submits the form.
>> * You can use CSS to style a <button type=submit> to look like a link.
>> * You can use CSS to position content on top of a <button type=submit>
>> while leaving holes which when clicked cause the <button type=submit>
>> to be clicked.
>> * You can use CSS to position content on top of a <button type=submit>
>> and use the CSS property pointer-events to make all clicks go through
>> to the underlying <button type=submit>.
>>
>> There are probably more ways.
>>
>> / Jonas
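The thread above notes that omitting credentials and checking the Origin header are what keep a beacon endpoint from being a CSRF sink. As an added illustration (not code from the thread or from the Beacon spec), here is a server-side acceptance check for a beacon endpoint that validates the browser-supplied Origin against a hypothetical allowlist and never treats beacon data as an authenticated, state-changing action:

```javascript
// Added example, not from the thread. Server-side acceptance check for a
// beacon endpoint. It relies on two properties discussed above: the Origin
// header a browser attaches to cross-origin POSTs, and the fact that a
// beacon sent with credentials mode "omit" carries no cookies, so the
// endpoint should never treat beacon data as coming from a logged-in session.

// Hypothetical allowlist of origins permitted to post beacons here.
const ALLOWED_ORIGINS = new Set([
  'https://example.org',
  'https://app.example.org',
]);

// Canonicalise an Origin value so 'https://EXAMPLE.org:443/' and
// 'https://example.org' compare equal. Returns null for anything that is
// not a bare origin (including the literal string "null").
function canonicalOrigin(value) {
  if (typeof value !== 'string') return null;
  try {
    const u = new URL(value);
    // A real Origin header has no path, query or fragment.
    if (u.pathname !== '/' || u.search || u.hash) return null;
    return u.origin; // lowercases the host and drops default ports
  } catch {
    return null;
  }
}

// Decide whether to accept a beacon. `headers` is a plain object keyed by
// lower-case header name, as Node's http module delivers them (constructed
// inline in the tests below).
function checkBeaconRequest(method, headers) {
  if (method !== 'POST') return { accept: false, reason: 'method' };
  const origin = canonicalOrigin(headers['origin']);
  if (origin === null) return { accept: false, reason: 'missing-or-invalid-origin' };
  if (!ALLOWED_ORIGINS.has(origin)) return { accept: false, reason: 'origin-not-allowed' };
  // Beacons are fire-and-forget telemetry. Even if a Cookie header arrives,
  // it must not elevate the request into an authenticated action.
  return { accept: true, reason: 'ok', authenticated: false, origin };
}
```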
