
CHANGE PROPOSAL: Remove ping and hyperlink auditing (ISSUE-1 and ISSUE-2)

From: Roy T. Fielding <fielding@gbiv.com>
Date: Sat, 5 Dec 2009 17:47:22 -0800
Message-Id: <A6134B77-8F1E-459E-B9A5-76F9D2EDD89A@gbiv.com>
To: "public-html@w3.org WG" <public-html@w3.org>

SUMMARY

Regarding ISSUE-1 (PINGPOST) and ISSUE-2 (PINGUI), this is a
formal change proposal to remove the ping attribute and all
mention of hyperlink auditing from the HTML5 specification.
The feature is half-baked, insufficiently implemented, and
therefore not yet suitable for standardization.

RATIONALE

Hyperlink auditing is important because advertising and
referral-based user tracking are two of the primary means of
generating revenue via Web sites.  However, by its very nature,
such tracking must be comprehensive, accurate, and unavoidable
by a typical user or it simply won't be relied upon by site
owners and advertisers.  The ping feature is incapable of
providing such accuracy.

The ping feature was added to HTML based on speculation that
an optional mechanism would be usable instead of the typical
redirect, javascript, or gateway-based tracking mechanisms.
However, it cannot be used reliably until all browsers have
implemented ping, are deployed, and do not configure it "off"
by default.  Sites would therefore either ignore the ping
feature until all of the browsers turn it on or use it only
for secondary counts, thus duplicating the traffic that already
handles this functionality.

Ping would never be capable of proving undercounts [the sole
apparent reason for this new feature] because there is no
guarantee that the two DNS requests will deliver equally
reachable servers for the ping and href, nor that the href
request will succeed before the ping succeeds, nor that the
href URL corresponds to the ping-per-referral URL.  It is for
all of those reasons that people use redirects, referer, 
javascript, and cookies today to do tracking and those will
never be solved by ping.

Also, as described in ISSUE-1, ping's use of POST causes an
unsafe method to be used in response to a safe activation request,
in violation of the method constraints that have been part of
Web architecture since 1992.

The actions generated by a user agent should be consistent
with the actions selected by the user.  That is why TimBL had an axiom
about GET being safe -- clicking on a link (or a spider wandering
around) must be translated into a safe network action because to do
otherwise would require every user to know the purpose of every
resource before the GET.  It follows, therefore, that the UI for a
user action that is safe (a link) must be rendered differently from
all other actions that might be unsafe.

In short, if the UI is being presented as a normal link, then the
HTTP methods resulting from the user's selection must all be safe
(GET/HEAD/OPTIONS/etc.).  While some user agents may already fail
to protect the user in that regard, that is not an excuse to add
another broken feature to the standard. Implementors are responsible
for their own implementations.  We are only responsible for the
standards by which those implementations are judged broken.

The discussion on ping assumes that the ping target is expecting
to receive a POST request with the content "PING" (i.e., that the
target has not been deliberately supplied to fool an unsuspecting
user into triggering an unsafe action when they select the link).
That is an invalid assumption -- the target of the ping could be
any URL, including those that do fun things like delete wiki pages
or print documents or send mail ... we've been through this all
before, and not all unsafe resources even read the body before
taking an action on behalf of the user.  That's why HTTP and HTML
both have requirements on use of safe methods.

If a decent solution to hyperlink auditing is ever found, then
it can be specified separately from HTML5 and implemented in
practice before it is standardized for the whole world.  That
would also solve ISSUE-2 (PINGUI), for which the past two years have
demonstrated that implementing a preferences UI should at least
be figured out before it is demanded of all implementations.


DETAILS

Apply the patch enclosed, based on r13140 of webapps/source.
If the patch file gets eaten by the mail system, then try

http://gbiv.com/protocols/html/patch/diff-vs-13140-rm-ping.txt


IMPACT

None.  This feature was never defined sufficiently to be
implemented in practice.


Cheers,

Roy T. Fielding
Chief Scientist, Day Software (http://www.day.com/)


--- source	2009-12-04 21:43:25.000000000 -0800
+++ source-without-ping.txt	2009-12-05 13:47:38.000000000 -0800
@@ -4422,14 +4422,6 @@
     title="selector-visited">:visited</code> pseudo-classes might have
     been affected.</p>
 
-    <p>If the hyperlink has a <code
-    title="attr-hyperlink-ping">ping</code> attribute and its <span
-    title="absolute URL">absolute URL(s)</span> are being shown to the
-    user, then the <code title="attr-hyperlink-ping">ping</code>
-    attribute's tokens should be <span title="resolve a
-    url">re-resolved</span> relative to the element and the UI updated
-    appropriately.</p>
-
    </dd>
 
    <dt>If the element is a <code>q</code>, <code>blockquote</code>,
@@ -16536,7 +16528,6 @@
    <dd><span>Global attributes</span></dd>
    <dd><code title="attr-hyperlink-href">href</code></dd>
    <dd><code title="attr-hyperlink-target">target</code></dd>
-   <dd><code title="attr-hyperlink-ping">ping</code></dd>
    <dd><code title="attr-hyperlink-rel">rel</code></dd>
    <dd><code title="attr-hyperlink-media">media</code></dd>
    <dd><code title="attr-hyperlink-hreflang">hreflang</code></dd>
@@ -16546,7 +16537,6 @@
 <pre class="idl">interface <dfn>HTMLAnchorElement</dfn> : <span>HTMLElement</span> {
   stringifier attribute DOMString <span title="dom-a-href">href</span>;
            attribute DOMString <span title="dom-a-target">target</span>;
-           attribute DOMString <span title="dom-a-ping">ping</span>;
            attribute DOMString <span title="dom-a-rel">rel</span>;
   readonly attribute DOMTokenList <span title="dom-a-relList">relList</span>;
            attribute DOMString <span title="dom-a-media">media</span>;
@@ -16582,7 +16572,6 @@
   otherwise have been placed, if it had been relevant.</p>
 
   <p>The <code title="attr-hyperlink-target">target</code>, <code
-  title="attr-hyperlink-ping">ping</code>, <code
   title="attr-hyperlink-rel">rel</code>, <code
   title="attr-hyperlink-media">media</code>, <code
   title="attr-hyperlink-hreflang">hreflang</code>, and <code
@@ -16606,9 +16595,8 @@
 
   <div class="impl">
 
-  <p>The <code title="attr-hyperlink-href">href</code>, <code
-  title="attr-hyperlink-target">target</code> and <code
-  title="attr-hyperlink-ping">ping</code> attributes affect what
+  <p>The <code title="attr-hyperlink-href">href</code> and <code
+  title="attr-hyperlink-target">target</code> attributes affect what
   happens when users <span title="following hyperlinks">follow
   hyperlinks</span> created using the <code>a</code> element.  The
   <code title="attr-hyperlink-rel">rel</code>, <code
@@ -16680,7 +16668,6 @@
 
   <p>The IDL attributes <dfn
   title="dom-a-href"><code>href</code></dfn>, <dfn
-  title="dom-a-ping"><code>ping</code></dfn>, <dfn
   title="dom-a-target"><code>target</code></dfn>, <dfn
   title="dom-a-rel"><code>rel</code></dfn>, <dfn
   title="dom-a-media"><code>media</code></dfn>, <dfn
@@ -30312,7 +30299,6 @@
    <dd><code title="attr-area-shape">shape</code></dd>
    <dd><code title="attr-hyperlink-href">href</code></dd>
    <dd><code title="attr-hyperlink-target">target</code></dd>
-   <dd><code title="attr-hyperlink-ping">ping</code></dd>
    <dd><code title="attr-hyperlink-rel">rel</code></dd>
    <dd><code title="attr-hyperlink-media">media</code></dd>
    <dd><code title="attr-hyperlink-hreflang">hreflang</code></dd>
@@ -30325,7 +30311,6 @@
            attribute DOMString <span title="dom-area-shape">shape</span>;
   stringifier attribute DOMString <span title="dom-area-href">href</span>;
            attribute DOMString <span title="dom-area-target">target</span>;
-           attribute DOMString <span title="dom-area-ping">ping</span>;
            attribute DOMString <span title="dom-area-rel">rel</span>;
   readonly attribute DOMTokenList <span title="dom-area-relList">relList</span>;
            attribute DOMString <span title="dom-area-media">media</span>;
@@ -30469,9 +30454,8 @@
   <p>When user agents allow users to <span title="following
   hyperlinks">follow hyperlinks</span> created using the
   <code>area</code> element, as described in the next section, the
-  <code title="attr-hyperlink-href">href</code>,
-  <code title="attr-hyperlink-target">target</code> and <code
-  title="attr-hyperlink-ping">ping</code> attributes decide how the
+  <code title="attr-hyperlink-href">href</code> and
+  <code title="attr-hyperlink-target">target</code> attributes decide how the
   link is followed. The <code title="attr-hyperlink-rel">rel</code>,
   <code title="attr-hyperlink-media">media</code>, <code
   title="attr-hyperlink-hreflang">hreflang</code>, and <code
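Review bot: The second added line, the one starting `<code title="attr-hyperlink-target">target</code> attributes decide`, runs well past the column where the neighbouring lines wrap. Break it after `<code`, the way the equivalent added lines in the `a` element hunk are wrapped, so the source keeps one wrap width.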
@@ -30482,7 +30466,6 @@
   </div>
 
   <p>The <code title="attr-hyperlink-target">target</code>, <code
-  title="attr-hyperlink-ping">ping</code>, <code
   title="attr-hyperlink-rel">rel</code>, <code
   title="attr-hyperlink-media">media</code>, <code
   title="attr-hyperlink-hreflang">hreflang</code>, and <code
@@ -30521,7 +30504,6 @@
   title="dom-area-coords"><code>coords</code></dfn>, <dfn
   title="dom-area-href"><code>href</code></dfn>, <dfn
   title="dom-area-target"><code>target</code></dfn>, <dfn
-  title="dom-area-ping"><code>ping</code></dfn>, <dfn
   title="dom-area-rel"><code>rel</code></dfn>, <dfn
   title="dom-area-media"><code>media</code></dfn>, <dfn
   title="dom-area-hreflang"><code>hreflang</code></dfn>, and <dfn
@@ -63907,15 +63889,6 @@
   context</span> that will be used. <span class="impl">User agents use
   this name when <span>following hyperlinks</span>.</span></p>
 
-  <p>The <dfn id="ping"
-  title="attr-hyperlink-ping"><code>ping</code></dfn> attribute, if
-  present, gives the URLs of the resources that are interested in
-  being notified if the user follows the hyperlink. The value must be
-  a <span>set of space-separated tokens</span>, each of which must be a
-  <span title="valid URL">valid URL</span>. <span class="impl">The
-  value is used by the user agent for <span>hyperlink
-  auditing</span>.</span></p>
-
   <p>For <code>a</code> and <code>area</code> elements that represent
   hyperlinks, the relationship between the document containing the
   hyperlink and the destination resource indicated by the hyperlink is
@@ -64023,147 +63996,6 @@
   <span>source browsing context</span>.</p>
 
 
-  <h5><dfn>Hyperlink auditing</dfn></h5>
-
-  <p>If an <code>a</code> or <code>area</code> hyperlink element has a
-  <code title="attr-hyperlink-ping">ping</code> attribute, and the
-  user follows the hyperlink, and the hyperlink's <span>URL</span> can
-  be <span title="resolve a url">resolved</span>, relative to the
-  hyperlink element, without failure, then the user agent must take
-  the <code title="attr-hyperlink-ping">ping</code> attribute's value,
-  <span title="split a string on spaces">split that string on
-  spaces</span>, <span title="resolve a url">resolve</span> each
-  resulting token relative to the hyperlink element, and then should
-  send a request (as described below) to each of the resulting <span
-  title="absolute URL">absolute URLs</span>. (Tokens that fail to
-  resolve are ignored.) This may be done in parallel with the primary
-  request, and is independent of the result of that request.</p>
-
-  <p>User agents should allow the user to adjust this behavior, for
-  example in conjunction with a setting that disables the sending of
-  HTTP <code title="http-referer">Referer</code> (sic) headers. Based
-  on the user's preferences, UAs may either <span>ignore</span> the
-  <code title="attr-hyperlink-ping">ping</code> attribute altogether,
-  or selectively ignore URLs in the list (e.g. ignoring any
-  third-party URLs).</p>
-
-  <p>For URLs that are HTTP URLs, the requests must be performed by
-  <span title="fetch">fetching</span> the specified URLs using the
-  POST method, with an entity body with the <span>MIME type</span>
-  <code>text/ping</code> consisting of the four-character string
-  "<code title="">PING</code>", from the <span>origin</span> of the
-  <code>Document</code> containing the <span>hyperlink</span>. <!--
-  not http-origin privacy sensitive --> All relevant cookie and HTTP
-  authentication headers must be included in the request. Which other
-  headers are required depends on the URLs involved.</p>
-
-  <dl class="switch">
-
-   <dt>If both the <span title="the document's address">address</span>
-   of the <code>Document</code> object containing the hyperlink being
-   audited and the ping URL have the <span>same origin</span></dt>
-
-   <dd>The request must include a <code
-   title="http-ping-from">Ping-From</code> HTTP header with, as its
-   value, the <span title="the document's address">address</span> of
-   the document containing the hyperlink, and a <code
-   title="http-ping-to">Ping-To</code> HTTP header with, as its value,
-   the address of the <span>absolute URL</span> of the target of the
-   hyperlink. The request must not include a <code
-   title="http-referer">Referer</code> (sic) HTTP header. <!-- because
-   otherwise it would look like a trustable same-origin POST --></dd>
-
-   <dt>Otherwise, if the origins are different, but the document
-   containing the hyperlink being audited was not retrieved over an
-   encrypted connection</dt>
-
-   <dd>The request must include a <code title="">Referer</code> (sic)
-   HTTP header [sic] with, as its value, the <span title="the
-   document's current address">current address</span> of the document
-   containing the hyperlink, a <code
-   title="http-ping-from">Ping-From</code> HTTP header with the same
-   value, and a <code title="http-ping-to">Ping-To</code> HTTP header
-   with, as its value, the address of the target of the
-   hyperlink.</dd>
-
-   <dt>Otherwise, the origins are different and the document
-   containing the hyperlink being audited was retrieved over an
-   encrypted connection</dt>
-
-   <dd>The request must include a <code
-   title="http-ping-to">Ping-To</code> HTTP header with, as its value,
-   the address of the target of the hyperlink. The request must
-   neither include a <code title="">Referer</code> (sic) HTTP header
-   nor include a <code title="http-ping-from">Ping-From</code> HTTP
-   header.</dd>
-
-  </dl>
-
-  <p class="note">To save bandwidth, implementors might also wish to
-  consider omitting optional headers such as <code>Accept</code> from
-  these requests.</p>
-
-  <p>User agents must, unless otherwise specified by the user, honor
-  the HTTP headers (including, in particular, redirects and HTTP
-  cookie headers), but must ignore any entity bodies returned in the
-  responses. User agents may close the connection prematurely once
-  they start receiving an entity body. <a
-  href="#refsCOOKIES">[COOKIES]</a></p>
-
-  <p>For URLs that are not HTTP URLs, the requests must be performed
-  by <span title="fetch">fetching</span> the specified URL normally,
-  and discarding the results.</p>
-
-  <p>When the <code title="attr-hyperlink-ping">ping</code> attribute is
-  present, user agents should clearly indicate to the user that
-  following the hyperlink will also cause secondary requests to be
-  sent in the background, possibly including listing the actual target
-  URLs.</p>
-
-  <p class="example">For example, a visual user agent could include
-  the hostnames of the target ping URLs along with the hyperlink's
-  actual URL in a status bar or tooltip.</p>
-
-  </div>
-
-  <div class="note">
-
-   <p>The <code title="attr-hyperlink-ping">ping</code> attribute is redundant
-   with pre-existing technologies like HTTP redirects and JavaScript
-   in allowing Web pages to track which off-site links are most
-   popular or allowing advertisers to track click-through rates.</p>
-
-   <p>However, the <code title="attr-hyperlink-ping">ping</code> attribute
-   provides these advantages to the user over those alternatives:</p>
-
-   <ul>
-
-    <li>It allows the user to see the final target URL
-    unobscured.</li>
-
-    <li>It allows the UA to inform the user about the out-of-band
-    notifications.</li>
-
-    <li>It allows the user to disable the notifications without losing
-    the underlying link functionality.</li>
-
-    <li>It allows the UA to optimize the use of available network
-    bandwidth so that the target page loads faster.</li>
-
-   </ul>
-
-   <p>Thus, while it is possible to track users without this feature,
-   authors are encouraged to use the <code
-   title="attr-hyperlink-ping">ping</code> attribute so that the user
-   agent can make the user experience more transparent.</p>
-
-  </div>
-
-  <!-- resolving ping urls happens at audit time, so base URL changes
-  affect the values of ping attributes -->
-
-
-
   <h4 id="linkTypes">Link types</h4>
 
   <p>The following table summarizes the link types that are defined by
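Review bot: The removed block includes a `</div>` (the line just before `<div class="note">`) whose opening `<div>` is not among the removed lines, so the element it closed begins above this hunk and would be left unclosed. Keep that `</div>` directly after the "source browsing context" paragraph, or show where the opener is removed. The same block also drops the only visible `[COOKIES]` citation; if nothing else links to `#refsCOOKIES`, the reference entry should be removed in this change as well.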
@@ -90225,11 +90057,6 @@
   <span title="form">forms</span> before triggering their <span
   title="navigate">navigation</span>.</p>
 
-  <p>User agents are expected to inform the user of whether a
-  <span>hyperlink</span> includes <span>hyperlink auditing</span>, and
-  to let them know at a minimum which domains will be contacted as
-  part of such auditing.</p>
-
   <p>User agents are expected to allow users to <span>navigate</span>
   <span title="browsing context">browsing contexts</span> to the
   resources <span title="resolve a url">indicated</span> by the <code
@@ -92444,75 +92271,6 @@
   <code>text/cache-manifest</code> resources.</p>
 
 
-  <h3><dfn><code>text/ping</code></dfn></h3>
-
-  <p>This registration is for community review and will be submitted
-  to the IESG for review, approval, and registration with IANA.</p>
-
-  <!--
-   To: ietf-types@iana.org
-   Subject: Registration of media type text/ping
-  -->
-
-  <dl>
-   <dt>Type name:</dt>
-   <dd>text</dd>
-   <dt>Subtype name:</dt>
-   <dd>ping</dd>
-   <dt>Required parameters:</dt>
-   <dd>No parameters</dd>
-   <dt>Optional parameters:</dt>
-   <dd>No parameters</dd>
-   <dt>Encoding considerations:</dt>
-   <dd>Not applicable.</dd>
-   <dt>Security considerations:</dt>
-   <dd>
-    <p>If used exclusively in the fashion described in the context of
-    <span>hyperlink auditing</span>, this type introduces no new
-    security concerns.</p>
-   </dd>
-   <dt>Interoperability considerations:</dt>
-   <dd>
-    Rules applicable to this type are defined in this specification.
-   </dd>
-   <dt>Published specification:</dt>
-   <dd>
-    This document is the relevant specification.
-   </dd>
-   <dt>Applications that use this media type:</dt>
-   <dd>
-    Web browsers.
-   </dd>
-   <dt>Additional information:</dt>
-   <dd>
-    <dl>
-     <dt>Magic number(s):</dt>
-     <dd><code>text/ping</code> resources always consist of the four
-     bytes 0x50 0x49 0x4E 0x47 (ASCII 'PING').</dd>
-     <dt>File extension(s):</dt>
-     <dd>No specific file extension is recommended for this type.</dd>
-     <dt>Macintosh file type code(s):</dt>
-     <dd>No specific Macintosh file type codes are recommended for this type.</dd>
-    </dl>
-   </dd>
-   <dt>Person &amp; email address to contact for further information:</dt>
-   <dd>Ian Hickson &lt;ian@hixie.ch></dd>
-   <dt>Intended usage:</dt>
-   <dd>Common</dd>
-   <dt>Restrictions on usage:</dt>
-   <dd>Only intended for use with HTTP POST requests generated as part
-   of a Web browser's processing of the <code
-   title="attr-hyperlink-ping">ping</code> attribute.</dd>
-   <dt>Author:</dt>
-   <dd>Ian Hickson &lt;ian@hixie.ch></dd>
-   <dt>Change controller:</dt>
-   <dd>W3C and WHATWG</dd>
-  </dl>
-
-  <p>Fragment identifiers have no meaning with
-  <code>text/ping</code> resources.</p>
-
-
   <h3><dfn><code>application/microdata+json</code></dfn></h3>
 
   <p>This registration is for community review and will be submitted
@@ -92587,54 +92345,6 @@
   href="#refsJSON">[JSON]</a></p>
 
 
-  <h3><dfn title="http-ping-from"><code>Ping-From</code></dfn></h3>
-
-  <p>This section describes a header field for registration in the
-  Permanent Message Header Field Registry.  <a
-  href="#refsRFC3864">[RFC3864]</a></p>
-
-  <dl>
-   <dt>Header field name</dt>
-   <dd>Ping-From</dd>
-   <dt>Applicable protocol</dt>
-   <dd>http</dd>
-   <dt>Status</dt>
-   <dd>standard</dd>
-   <dt>Author/Change controller</dt>
-   <dd>W3C and WHATWG</dd>
-   <dt>Specification document(s)</dt>
-   <dd>
-    This document is the relevant specification.
-   </dd>
-   <dt>Related information</dt>
-   <dd>None.</dd>   
-  </dl>
-
-
-  <h3><dfn title="http-ping-to"><code>Ping-To</code></dfn></h3>
-
-  <p>This section describes a header field for registration in the
-  Permanent Message Header Field Registry.  <a
-  href="#refsRFC3864">[RFC3864]</a></p>
-
-  <dl>
-   <dt>Header field name</dt>
-   <dd>Ping-To</dd>
-   <dt>Applicable protocol</dt>
-   <dd>http</dd>
-   <dt>Status</dt>
-   <dd>standard</dd>
-   <dt>Author/Change controller</dt>
-   <dd>W3C and WHATWG</dd>
-   <dt>Specification document(s)</dt>
-   <dd>
-    This document is the relevant specification.
-   </dd>
-   <dt>Related information</dt>
-   <dd>None.</dd>   
-  </dl>
-
-
 
   <h2 id="index" class="no-num">Index</h2>
 
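Review bot: Both removed header registrations cite `#refsRFC3864`, and no hunk in this patch touches the reference list. If the Ping-From and Ping-To sections were the only ones citing RFC3864, remove that reference entry in the same change so it is not left orphaned.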
@@ -92672,7 +92382,6 @@
      <td><span title="global attributes">globals</span>;
          <code title="attr-hyperlink-href">href</code>;
          <code title="attr-hyperlink-target">target</code>;
-         <code title="attr-hyperlink-ping">ping</code>;
          <code title="attr-hyperlink-rel">rel</code>;
          <code title="attr-hyperlink-media">media</code>;
          <code title="attr-hyperlink-hreflang">hreflang</code>;
@@ -92715,7 +92424,6 @@
          <code title="attr-area-shape">shape</code>;
          <code title="attr-hyperlink-href">href</code>;
          <code title="attr-hyperlink-target">target</code>;
-         <code title="attr-hyperlink-ping">ping</code>;
          <code title="attr-hyperlink-rel">rel</code>;
          <code title="attr-hyperlink-media">media</code>;
          <code title="attr-hyperlink-hreflang">hreflang</code>;
@@ -94501,12 +94209,6 @@
      <td> Pattern to be matched by the form control's value
      <td> Regular expression matching the JavaScript <i title="">Pattern</i> production
     <tr>
-     <th> <code title="">ping</code>
-     <td> <code title="attr-hyperlink-ping">a</code>;
-          <code title="attr-hyperlink-ping">area</code>
-     <td> <span title="URL">URLs</span> to ping
-     <td> <span>Set of space-separated tokens</span> consisting of <span title="valid URL">valid URLs</span>
-    <tr>
      <th> <code title="">placeholder</code>
      <td> <code title="attr-input-placeholder">input</code>;
           <code title="attr-textarea-placeholder">textarea</code>

Received on Sunday, 6 December 2009 01:48:19 UTC
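
The ping request described in the spec text that the patch removes, and a header check a server can apply before acting on such a POST, as an added example (not part of the original message or of the HTML5 source). Function names and the `.example` URLs are hypothetical; an "encrypted connection" is modelled as an `https:` document URL, and the hyperlink element's base URL is assumed to be the document URL.

```javascript
// Added example; names and sample URLs are hypothetical.
const PING_BODY = "PING";      // the four bytes 0x50 0x49 0x4E 0x47
const PING_TYPE = "text/ping";

// Model the audit requests a user agent following the removed text would
// send when the user follows one hyperlink that carries a ping attribute.
function buildPingRequests(documentUrl, href, pingAttr) {
  const doc = new URL(documentUrl);
  const target = new URL(href, doc).href;
  const requests = [];
  // "split that string on spaces": HTML space characters separate the tokens.
  for (const token of pingAttr.split(/[ \t\n\f\r]+/).filter(Boolean)) {
    let pingUrl;
    try {
      pingUrl = new URL(token, doc);
    } catch {
      continue; // tokens that fail to resolve are ignored
    }
    // Non-HTTP URLs are fetched normally and discarded; not modelled here.
    if (pingUrl.protocol !== "http:" && pingUrl.protocol !== "https:") continue;

    const headers = { "Content-Type": PING_TYPE, "Ping-To": target };
    if (pingUrl.origin === doc.origin) {
      // Same origin: Ping-From and Ping-To, and no Referer.
      headers["Ping-From"] = doc.href;
    } else if (doc.protocol !== "https:") {
      // Different origin, document not retrieved over an encrypted connection.
      headers["Referer"] = doc.href;
      headers["Ping-From"] = doc.href;
    }
    // Different origin, encrypted document: Ping-To only.
    requests.push({ method: "POST", url: pingUrl.href, headers, body: PING_BODY });
  }
  return requests;
}

// Server-side check: true when a request carries the markers of a
// hyperlink-audit ping. The message points out that an unsafe resource may
// act without reading the body, so the check uses only the method and the
// headers and can run before any state-changing handler does its work.
function isHyperlinkAuditRequest(req) {
  const h = {};
  for (const [name, value] of Object.entries(req.headers || {})) {
    h[name.toLowerCase()] = value;
  }
  const type = String(h["content-type"] || "").split(";")[0].trim().toLowerCase();
  return req.method === "POST" && (type === PING_TYPE || "ping-to" in h);
}

// Constructed sample: a plain-HTTP page whose link lists one same-origin
// ping URL, one third-party ping URL, one unresolvable token and one
// non-HTTP URL.
const sample = buildPingRequests(
  "http://news.example/story",
  "/next",
  "/audit http://tracker.example/hit http://[bad mailto:x@example.org"
);
for (const r of sample) {
  console.log(r.method, r.url, JSON.stringify(r.headers),
              "audit ping:", isHyperlinkAuditRequest(r));
}
```

A handler that changes state can call `isHyperlinkAuditRequest` first and answer such requests with an error status instead of performing the action.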
