Comments (3)
/cc @mikewest for a sanity check
What are the security considerations of this document? Is there an origin-restriction on the POST URL? Should one be recommended?
No, as that would break the primary analytics use case. That said, you can limit this behavior via CSP connect-src.
Does making background POST requests to other origins including sending credentials provide an increased risk of CSRF attacks? (Maybe this risk is identical to the existing risk of submitting POST forms to other origins.) Are cross-origin POST requests with credentials necessary to satisfy the purpose of the Beacon specification?
Yes, many analytics use cases rely on cookies.
The CORS specification is listed in the References, but doesn't seem to be referred to in the text of the specification. Are user agents intended to follow the CORS cross-origin request model when making a beacon request to a different origin? If so, is preflight required because of the non-simple Beacon-Age header?
CSP connect-src
covers sendBeacon: https://w3c.github.io/webappsec/specs/content-security-policy/#directive-connect-src
The preflight due to Beacon-Age is a good catch. I'd be great to exempt it, if possible.
from beacon.
Added privacy section as requested. Please take a look.
from beacon.
from beacon.
Related Issues (20)
- How important is it for sendBeacon() to follow redirects? HOT 12
- Remove referrer source definition + HTML5.2 dep HOT 2
- corsMode calculation in the "Processing Model" section is broken HOT 1
- Typo in Introduction note
- Typo in Processing Model - fetch step HOT 1
- Typo in Privacy and Security HOT 1
- Resource Timing + beacon test HOT 2
- beacon-navigate is broken HOT 1
- Firefox, Chrome and Edge all fail http referrer test HOT 5
- Typo in Example 1 code HOT 5
- navegator.sendBeacon cookie visibility question. HOT 4
- When can Beacon support the GET method? HOT 2
- Drop dependencies section HOT 1
- Integrate with Resource Timing
- Option to request beacon be compressed HOT 9
- Account for fetch algorithm rename
- Setup auto publishing HOT 9
- References terms from Page Visibility, which is a discontinued draft HOT 2
- Is "entry setings object" correct? HOT 1
- Duplicate, vague, and monkeypatching normative requirements
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from beacon.