Re: Feedback on the ping="" attribute (ISSUE-1)

On Sat, 3 Nov 2007, Julian Reschke wrote:
> > >
> > > But then, why don't you use a safe method in the first place?
> > 
> > Because the "safe" methods are idempotent, and the semantic we are 
> > trying to convey here has one goal and one goal only, and that goal is 
> > specifically _not_ idempotent.
> 
> Safe methods are idempotent. I'm saying, that the action of following a 
> link MUST be safe from the user's point of view (unless, well, it gets 
> a different UI).

We don't have to use an explicitly "safe" method because a ping="" is 
intrinsically safe in the HTTP sense.

We do have to use a non-idempotent method because a ping="" is 
non-idempotent by definition.

The two concepts are orthogonal.

I don't know how to make this any clearer, and I don't see anything in 
what you are saying that contradicts this other than your assertions that 
it isn't true.


> That concern could be addressed by making sure that accessing the same 
> ping URI again could be detected, for example by adding a sequence or 
> random number to it.

The whole point here is to make things simpler, and not require such 
hacks and complications.


> > one of "idempotent" vs "non-idempotent". The problems with using a 
> > non-idempotent request are that idempotent methods aren't supposed to 
> > have side-effects, whereas the whole _point_ of this request is a 
> > side-effect;
> 
> ...a side effect the user shouldn't be made accountable for...

POST doesn't mean the user is accountable.


> > POST doesn't mean the user is accountable.
> 
> Oh yes, it does in general.
> 
> "Implementors should be aware that the software represents the user in 
> their interactions over the Internet, and should be careful to allow the 
> user to be aware of any actions they might take which may have an 
> unexpected significance to themselves or others." -- 
> <http://tools.ietf.org/html/rfc2616#section-9.1.1>

This quote doesn't say that POST means the user is accountable.


> A server that receives a POST request has no way to decide how that 
> method invocation was initiated; the fact that a/@ping caused it is not 
> visible in the request.

We could add an HTTP header to make it obvious, if that would help. 
However, it's rather moot, since you can already cause a Web page to 
POST to a site without ping="" and without the user's knowledge.


> Whether a specific invocation of POST is safe or not does not depend on 
> the HTML5 spec, but on the server that implements that resource.
> 
> If a commercial site exposes a resource that, when being POSTed to (with 
> an empty body), finishes a shopping transaction that will certainly not 
> be "safe".

There is no security risk because this is only exposing a subset of 
already-available capabilities (even with scripting disabled!).


> Side note: I'm not sure what the point is to post to two mailing lists, 
> but to only want responses on one of them.

I cross-post when I reply to multiple e-mails sent to multiple mailing 
lists (since otherwise I'd be replying to a different list than the mail 
was sent to). Please only reply to one, so as to prevent issues with 
people who are not subscribed to both.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Saturday, 3 November 2007 10:16:37 UTC
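The thread's point that whether a POST is "safe" is decided by the server that implements the resource, not by the HTML spec, can be shown from the server's side. The following is an added example, not code from the thread or from any HTML5 implementation: a toy POST router where a ping endpoint accepts empty-bodied requests from anywhere (its only side effect is a log entry), while a state-changing checkout endpoint refuses an empty cross-site POST unless it carries a same-origin Origin header and a per-session anti-CSRF token. The paths, the token header name and the constant names are assumptions.

```python
import hmac
import secrets
from typing import Dict, Tuple

# Constructed example (not from the thread). SITE_ORIGIN, SESSION_TOKEN,
# the X-CSRF-Token header and the /ping and /checkout paths are assumptions.
SITE_ORIGIN = "https://shop.example"
SESSION_TOKEN = secrets.token_hex(16)   # per-session anti-CSRF token
PING_LOG = []                            # where ping notifications are recorded


def handle_post(path: str, headers: Dict[str, str], body: bytes) -> Tuple[int, str]:
    """Route a POST and return (status, message).

    /ping     : the only side effect is a log entry, so an empty-bodied POST
                from any origin is accepted (the ping="" case in the thread).
    /checkout : state-changing, so it must carry a same-origin Origin header
                and a valid anti-CSRF token; otherwise the "empty POST finishes
                a shopping transaction" scenario from the thread would be real.
    """
    if path == "/ping":
        if body:                         # a ping carries no user-supplied data
            return 400, "ping must have an empty body"
        PING_LOG.append(headers.get("Referer", "<none>"))
        return 204, "ping recorded"

    if path == "/checkout":
        if headers.get("Origin") != SITE_ORIGIN:
            return 403, "cross-origin POST refused"
        token = headers.get("X-CSRF-Token", "")
        # constant-time comparison so the token check leaks no timing signal
        if not hmac.compare_digest(token, SESSION_TOKEN):
            return 403, "missing or invalid anti-CSRF token"
        return 200, "order placed"

    return 404, "no such resource"


if __name__ == "__main__":
    print(handle_post("/ping", {"Referer": "https://other.example/page"}, b""))
    print(handle_post("/checkout", {}, b""))
    print(handle_post("/checkout",
                      {"Origin": SITE_ORIGIN, "X-CSRF-Token": SESSION_TOKEN}, b""))
```

The ping endpoint is the resource the thread argues is "intrinsically safe"; the checkout endpoint shows that a resource with real side effects has to defend itself against any cross-site POST, with or without ping="".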