`form`s are allowed by default?

[GrantGryczan]

I was wondering, why are form elements allowed by default? I would think they would be bad since they can send requests to arbitrary locations using arbitrary HTTP methods, possibly without the user's knowledge (and possibly containing sensitive information in an input field). It's not personally a concern for my own use case, but I'm wondering why it's not a concern by default. Should it not be?

<form method="post" action="https://example.com/malicious-endpoint">
    <p>A totally legitimate unknown error occurred.</p>
    <button type="submit">Retry</button>
</form>

[cure53]

As per our Security Goals, we deem forms and anchors and everything alike to be okay.

But, they are easy to deactivate via config if needs be :)

[GrantGryczan]

Hm, then I would think the same applies to autofocus, no? I would think that forms are much more dangerous than autofocus, especially since an element with autofocus wouldn't even be able to do much without a form to submit it through or a script reading the data (which obviously would be sanitized out and not be an issue).

[cure53]

Nope, autofocus is able to redirect key strokes into invisible areas without the user realizing that unless they really pay good attention. Using clever setups of frames, it might not even be necessary to inject both forms and autofocus to do damage. Think for example autofocus being used in editable websites or alike.

Generally, we see autofocus as an attribute that has script-like capabilities and can be used to enable several different attacks. Forms on the own are just a HTTP leak if at all.

[GrantGryczan]

Sorry, I don't understand. I can't think of any case that would allow a malicious user to utilize autofocus without using a form, script, or anything alike to capture the data.

Also, just wanna say thanks for consistently replying so quickly and being very helpful to me in general, both as a developer of this library and as a learning resource on web security :)

[cure53]

Most welcome :)

And yes, ultimately, the attacker needs something to catch the stolen keystrokes and send them somewhere. But, what if that part is already there in some other area of the page - an iframe or alike, which then works together with the sanitized markup?

The point is still, autofocus enables attacks, so we nuke it by default.

Forms however don't enable attacks and - in the worst case - can only be used to exfiltrate data after the attack has been carried out. So, we decide to block what enables the attack rather than what might be part of the attack but is otherwise usually innocent.

[GrantGryczan]

Although I'm not sure that I entirely agree (i.e. that I would make the same decision were I in your position), I now understand your point and see where you're coming from, so I'll go ahead and close this on the basis that you probably are a better judge of this than I am considering your experience.

[GrantGryczan]

(Not that it's a big deal anyway since anyone can easily change the config. I was mostly just curious as to your own reasoning, and that curiosity has been satisfied.)

[cure53]

Oki :) Thanks.