Re: Feedback on the ping="" attribute (ISSUE-1)

2007/11/8, Mark Baker:
>
> Consider that when my Web server receives GET requests, it logs
> (appends) a record of that in a log file.  Does that make the message
> non-idempotent and non-safe?  No, of course not, because GET messages
> are safe by *definition*.  It does make the implementation both those
> things though.

But there's a huge difference here. When your Web server receives a
GET request, I suppose the message intent is to retrieve a resource
(idempotent); the server is free to log the request and/or update
other resources, etc., as long as there is no direct incidence on the
retrieved resource.
With ping="", the "log" is differentiated from the retrieval (it'll
generally belong to a third server). When the user follows the link,
there are two messages sent: one to retrieve the resource (idempotent)
and one to "track the click", whatever the user's intent. This second
message is by definition non-idempotent.

The problem highlighted in this thread is, generally speaking, a UI one:
if a non-safe (non-idempotent) action has to be taken, it should be
somehow "approved" by the end-user. Take a look at what browsers are
doing: when you first use a <form method=POST> the browser tells you
you're about to send information to a server and asks you whether
you're OK to continue. The dialog-box contains a check-box allowing
you to configure the browser to not prompt you next time you use a
<form method=POST>.
So AFAIUI, browsers are correctly implementing the HTTP spec, contrary
to what has been said in this thread.

So, why couldn't it be the same with ping-enabled links? The first
time the user clicks such a link, the browser tells her she's about to
tell a tier she's following this link, that this could be used to
remunerate one or both of the parties involved, make statistics, etc. and
asks her whether she's OK to do the ping; with an option (check-box)
to configure the browser not to prompt her the next time she clicks a
ping-enabled link.


In brief: I'm fine with using POST for pings and I don't think it
violates any HTTP principle (as long as the user first gives her
assent).

-- 
Thomas Broyer

Received on Thursday, 8 November 2007 08:08:39 UTC