[whatwg] Declarative unload data

On 5/7/12 11:53 AM, Tab Atkins Jr. wrote:
> Yes, definitely (unless you set .withCredentials on it or something,
> like the XHR attribute).

Hold on.  If you _do_ set withCredentials, you should be required to 
pass the credentials in or something.  Under no circumstances would 
prompting for credentials for a request associated with an 
already-unloaded page be OK from my point of view....

>> A bigger question is whether browsers really want to make it easier to do
>> this or work on getting rid of the ability to phone home at/after unload
>> altogether.  My gut reaction every time I see pages doing it is that they're
>> up to no good, and code inspection usually indicates that I'm right: the #1
>> use of this is for persistent user tracking.
>
> That might be, but we won't be *stopping* anything then.

Even if true, we wouldn't be _encouraging_ anything either.

> They can instead, say, switch to just sending requests every 20s or something -
> if they were measuring session duration you still get good accuracy,
> but the total number of requests doesn't go up too much.

True.

And to be clear, I'm not worried about session duration measurements. 
Most of the uses I saw of this were either not measuring session 
duration, or somehow felt compelled to communicate all sorts of info 
about the user and the user's computer to measure session duration.

> The legitimate use-case of doing a final info-squirt at the server to
> save state is reasonable, though

What fraction of the current uses are the legitimate use-case?

e.g. the legitimate use-case for popup windows is also reasonable, yet 
browsers have popup blockers.

I suppose browsers can also block this thing by default unless users opt 
in...

-Boris

Received on Monday, 7 May 2012 08:59:58 UTC