John Doe Doesn't Need to see the HTML Form
•The previous slide shows AirlineInc creating a Response, encrypting it, putting it into an HTML form, and sending it back to John Doe.  John Doe then must click on the Submit button.
•From John Doe's perspective, he clicked on a link and the next thing he sees is an HTML form that is filled with a bunch of encrypted stuff.  And then he is supposed to click on the Submit button.  Not a very attractive scenario, right?
•It is not necessary for John Doe to be exposed to the HTML form.  AirlineInc can embed one line of JavaScript in the HTML, which will cause John Doe's browser to automatically forward the HTML form to CarRentalInc.  Here is the JavaScript:
window.onload = function() { document.forms[0].submit(); }
Note: if John Doe has disabled JavaScript in his browser then indeed he will have to press the Submit button.
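Added example (not from the original slides): a function that builds the whole page AirlineInc would return, with the Response in a hidden field, the one-line auto-submit script, and a Submit button that appears only when JavaScript is disabled. The field name SAMLResponse, the CarRentalInc endpoint URL and the encoded value are assumptions made for illustration.

```javascript
// Added example: builds the page AirlineInc returns to John Doe's browser.
// The URL and the base64 value below are constructed placeholders.

// Escape text placed inside an HTML attribute so a value cannot break out of it.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Return the complete HTML document: hidden field, auto-submit, no-JS fallback.
function buildAutoPostPage(destinationUrl, encodedResponse) {
  const url = new URL(destinationUrl); // throws on malformed input
  if (url.protocol !== "https:") {
    throw new Error("destination must be https");
  }
  return [
    "<!DOCTYPE html>",
    "<html>",
    "<head><title>Forwarding to CarRentalInc</title></head>",
    "<body>",
    `<form method="post" action="${escapeAttr(url.href)}">`,
    `<input type="hidden" name="SAMLResponse" value="${escapeAttr(encodedResponse)}">`,
    "<noscript>",
    "<p>JavaScript is disabled. Press Submit to continue.</p>",
    '<input type="submit" value="Submit">',
    "</noscript>",
    "</form>",
    "<script>",
    "window.onload = function() { document.forms[0].submit(); }",
    "</script>",
    "</body>",
    "</html>",
  ].join("\n");
}

const samplePage = buildAutoPostPage(
  "https://carrental.example/sso/acs", // hypothetical endpoint
  "UGxhY2Vob2xkZXI="                   // constructed placeholder value
);
```

With JavaScript enabled the hidden field is posted as soon as the page loads and John Doe never sees the form; the noscript block covers the case in the Note above.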