[whatwg] Declarative unload data

On Mon, May 7, 2012 at 8:59 AM, Boris Zbarsky <bzbarsky at mit.edu> wrote:
> On 5/7/12 11:53 AM, Tab Atkins Jr. wrote:
>>
>> Yes, definitely (unless you set .withCredentials on it or something,
>> like the XHR attribute).
>
> Hold on. If you _do_ set withCredentials, you should be required to pass
> the credentials in or something. Under no circumstances would prompting for
> credentials for a request associated with an already-unloaded page be OK
> from my point of view....

There seems to be some confusion here regarding how withCredentials
works. First of all withCredentials is a CORS thing. CORS requests
*never* pop up an authentication dialog. (There is also the question
of if we want to support CORS here, I suspect we do).

But I totally agree with Boris that we can't ever pop up security
dialogs for a site that the user has left.

>>> A bigger question is whether browsers really want to make it easier to do
>>> this or work on getting rid of the ability to phone home at/after unload
>>> altogether. My gut reaction every time I see pages doing it is that they're
>>> up to no good, and code inspection usually indicates that I'm right: the #1
>>> use of this is for persistent user tracking.
>>
>> That might be, but we won't be *stopping* anything then.
>
> Even if true, we wouldn't be _encouraging_ anything either.

I don't think it matters much if we encourage or not. People are going
to do it either way.

As far as resource usage goes, it doesn't seem like a big deal to send
off a request at some point when the network seems quiet.

>> They can instead, say, switch to just sending requests every 20s or
>> something - if they were measuring session duration you still get good
>> accuracy, but the total number of requests doesn't go up too much.
>
> True.
>
> And to be clear, I'm not worried about session duration measurements. Most
> of the uses I saw of this were either not measuring session duration, or
> somehow felt compelled to communicate all sorts of info about the user and
> the user's computer to measure session duration.

But are they going to do this any less if we tighten what we allow
during onunload? It seems like this is simply the type of thing that
is possible when we give people a runtime as powerful as the web is.

/ Jonas

Received on Monday, 7 May 2012 12:05:42 UTC