HTTP constraints on UI for unsafe methods (Re: CfC: Adopt ISSUE-1 PINGUI / ISSUE-2 PINGPOST Change Proposal to remove @ping from HTML5) from Maciej Stachowiak on 2010-02-24 (public-html@w3.org from February 2010)

From: Maciej Stachowiak <mjs@apple.com>
Date: Tue, 23 Feb 2010 20:20:49 -0800
To: Jonas Sicking <jonas@sicking.cc>
Cc: "public-html@w3.org WG" <public-html@w3.org>
Message-id: <3DC6754A-A387-4916-97DB-EB2CAFD5B599@apple.com>

On Feb 23, 2010, at 8:08 PM, Jonas Sicking wrote:

> On Tue, Feb 23, 2010 at 7:48 PM, Maciej Stachowiak <mjs@apple.com>  
> wrote:
>>
>>> Is this a correct understanding? The question is directed towards  
>>> the
>>> people that have been arguing for @ping to be removed from HTML5.
>>>
>>> If a future version of HTTP, such as the in progress HTTPbis, was
>>> released and removed this UI requirement, would that remove that
>>> specific objection?
>>
>> I don't think that argument was ever grounded in what the HTTP spec  
>> actually
>> requires, but perhaps its proponents could clarify that position.
>
> Some quotes from the change proposal:
>
> ]] Also, as described in ISSUE-1, ping's use of POST causes an
> unsafe method to be used in response to a safe activation request,
> in violation of the method constraints that have been part of
> Web architecture since 1992. [[
>
> ]] clicking on a link (or a spider wandering
> around) must be translated into a safe network action because to do
> otherwise would require every user to know the purpose of every
> resource before the GET.  It follows, therefore, that the UI for a
> user action that is safe (a link) must be rendered differently from
> all other actions that might be unsafe [[
>
> ]] In short, if the UI is being presented as a normal link, then the
> HTTP methods resulting from the user's selection must all be safe
> (GET/HEAD/OPTIONS/etc.) [[
>
> (I hope I'm not quoting out of context somehow, everyone is encouraged
> to read the change proposal at
> http://lists.w3.org/Archives/Public/public-html/2009Dec/0183.html)

I've read over HTTP, the HTTPbis drafts, HTML4.01 and the HTML5 draft,  
and I could not find any normative requirements matching the above  
statements in those specs. The only normative UI requirements relating  
to safe methods I could find are listed in this message:
http://lists.w3.org/Archives/Public/ietf-http-wg/2010JanMar/0170.html

In this message, Julian noted some advice on how methods should be  
used that does not include any normative requirements on UAs:
http://lists.w3.org/Archives/Public/ietf-http-wg/2010JanMar/0171.html

I also invite doubters to examine the test case found here:
http://damowmow.com/playground/demos/http/002/

In a UA fully conforming to the relevant specifications, the test case  
will result in a POST without any indication to the user.

Perhaps there is some other specification defining these constraints,  
that I missed. Or perhaps the author of the Change Proposal was using  
"must" in a non-normative sense, or was referring to an abstract  
conception of the Web architecture, or was simply mistaken about the  
normative requirements in this area.

Regards,
Maciej

P.S. If you agree with my point that protocol specs should not contain  
UI requirements, it would be helpful if you could chime in on the ietf- 
http-wg list.

Received on Wednesday, 24 February 2010 04:21:22 UTC