
privacy and security considerations #2

Closed
plehegar opened this issue Oct 8, 2014 · 3 comments

plehegar (Member) commented Oct 8, 2014

Following the thread at
http://lists.w3.org/Archives/Public/public-web-perf/2014Jul/0109.html

It seems to me that the security and privacy considerations should say that Beacon doesn't add extra security and privacy considerations in addition to the ones associated with form submissions in HTML. It should point to http://www.w3.org/TR/html5/introduction.html#fingerprint .

igrigorik (Member) commented

/cc @mikewest for a sanity check

What are the security considerations of this document? Is there an origin-restriction on the POST URL? Should one be recommended?

No, as that would break the primary analytics use case. That said, you can limit this behavior via CSP connect-src.

Does making background POST requests to other origins including sending credentials provide an increased risk of CSRF attacks? (Maybe this risk is identical to the existing risk of submitting POST forms to other origins.) Are cross-origin POST requests with credentials necessary to satisfy the purpose of the Beacon specification?

Yes, many analytics use cases rely on cookies.

The CORS specification is listed in the References, but doesn't seem to be referred to in the text of the specification. Are user agents intended to follow the CORS cross-origin request model when making a beacon request to a different origin? If so, is preflight required because of the non-simple Beacon-Age header?

CSP connect-src covers sendBeacon: https://w3c.github.io/webappsec/specs/content-security-policy/#directive-connect-src

The preflight due to Beacon-Age is a good catch. It'd be great to exempt it, if possible.

jainarvind added a commit that referenced this issue Oct 9, 2014

Added privacy section as requested. Please take a look.

plehegar (Member, Author) commented Oct 9, 2014

e554e94
