- From: Ian Hickson <ian@hixie.ch>
- Date: Sat, 3 Nov 2007 10:16:25 +0000 (UTC)
- To: Julian Reschke <julian.reschke@gmx.de>
- Cc: HTML WG List <public-html@w3.org>
On Sat, 3 Nov 2007, Julian Reschke wrote:
> > > But then, why don't you use a safe method in the first place?
> >
> > Because the "safe" methods are idempotent, and the semantic we are trying to convey here has one goal and one goal only, and that goal is specifically _not_ idempotent.
>
> Safe methods are idempotent. I'm saying, that the action of following a link MUST be safe from the user's point of view (unless, well, it gets a different UI).

We don't have to use an explicitly "safe" method because a ping="" is intrinsically safe in the HTTP sense. We do have to use a non-idempotent method because a ping="" is non-idempotent by definition. The two concepts are orthogonal.

I don't know how to make this any clearer, and I don't see anything in what you are saying that contradicts this other than your assertions that it isn't true.

> That concern could be addressed by making sure that accessing the same ping URI again could be detected, for example by adding a sequence or random number to it.

The whole point here is to make things simpler, and not require such hacks and complications.

> > one of "idempotent" vs "non-idempotent". The problems with using a non-idempotent request are that idempotent methods aren't supposed to have side-effects, whereas the whole _point_ of this request is a side-effect;
>
> ...a side effect the user shouldn't be made accountable for...

POST doesn't mean the user is accountable.

> > POST doesn't mean the user is accountable.
>
> Oh yes, it does in general.
>
> "Implementors should be aware that the software represents the user in their interactions over the Internet, and should be careful to allow the user to be aware of any actions they might take which may have an unexpected significance to themselves or others." -- <http://tools.ietf.org/html/rfc2616#section-9.1.1>

This quote doesn't say that POST means the user is accountable.

> A server that receives a POST request has no way to decide how that method invocation was initiated; the fact that a/@ping caused it is not visible in the request.

We could add an HTTP header to make it obvious, if that would help. However, it's rather moot, since you can already cause a Web page to POST to a site without ping="" and without the user's knowledge.

> Whether a specific invocation of POST is safe or not does not depend on the HTML5 spec, but on the server that implements that resource.
>
> If a commercial site exposes a resource that, when being POSTed to (with an empty body), finishes a shopping transaction that will certainly not be "safe".

There is no security risk because this is only exposing a subset of already-available capabilities (even with scripting disabled!).

> Side note: I'm not sure what the point is to post to two mailing lists, but to only want responses on one of them.

I cross-post when I reply to multiple e-mails sent to multiple mailing lists (since otherwise I'd be replying to a different list than the mail was sent to). Please only reply to one, so as to prevent issues with people who are not subscribed to both.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Saturday, 3 November 2007 10:16:37 UTC
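The two properties the thread keeps circling, "safe" (no consequence the user is accountable for) and "idempotent" (repeating the request adds nothing), are easier to see side by side on a toy server. The following is an added example, not code from this thread, from the HTML5 draft or from any implementation: a ping endpoint that is safe but deliberately non-idempotent, next to a checkout endpoint that cannot tell a ping-initiated POST from a form submission by method alone and therefore checks a CSRF token. The `Ping-From` and `Ping-To` header names follow what the HTML standard later defined for ping requests; the `X-CSRF-Token` header, the paths, and the token value are constructed for this example.

```python
# Added example, not code from the thread or from any spec. It models "safe"
# versus "idempotent" on a toy server. Ping-From / Ping-To follow the headers
# the HTML standard later defined for ping requests; X-CSRF-Token, the paths
# and the token value are constructed here.
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    path: str
    headers: dict[str, str] = field(default_factory=dict)
    body: bytes = b""


def is_ping_initiated(req: Request) -> bool:
    """True if the request carries the marker headers a browser sends for a/@ping.

    Only a hint: absence of the headers does not prove a deliberate user action,
    since any non-browser client can send a bare POST without them.
    """
    return "Ping-To" in req.headers or "Ping-From" in req.headers


@dataclass
class ToyServer:
    # Every ping is appended, duplicates included: non-idempotent by design.
    ping_log: list[tuple[str | None, str | None]] = field(default_factory=list)
    orders_completed: int = 0
    # Tokens the server issued when it rendered the checkout form (constructed).
    valid_csrf_tokens: set[str] = field(default_factory=lambda: {"tok-constructed-1"})

    def handle(self, req: Request) -> tuple[int, str]:
        if req.method != "POST":
            return 405, "method not allowed"

        if req.path == "/ping":
            # Safe from the user's point of view: nothing the user owns changes.
            # Non-idempotent in the HTTP sense: each call leaves a new record.
            self.ping_log.append((req.headers.get("Ping-From"), req.headers.get("Ping-To")))
            return 204, "ping recorded"

        if req.path == "/checkout":
            # The method alone cannot distinguish a ping-initiated POST from a
            # deliberate submission, so the state-changing handler requires a
            # token that only a form the server itself served would carry.
            if req.headers.get("X-CSRF-Token") not in self.valid_csrf_tokens:
                return 403, "checkout rejected: missing or invalid CSRF token"
            self.orders_completed += 1
            return 200, "order completed"

        return 404, "not found"


def run_scenario() -> dict[str, object]:
    """Drive the toy server through the cases argued about in the thread."""
    srv = ToyServer()
    ping = Request("POST", "/ping",
                   {"Ping-From": "https://example.test/page",
                    "Ping-To": "https://example.test/target"}, b"PING")
    # The same ping twice: both are recorded, which is what non-idempotent means.
    srv.handle(ping)
    srv.handle(ping)

    # An empty-body POST to the shopping endpoint, as a ping-style request would
    # produce: rejected, because no form the server issued was ever submitted.
    blind = Request("POST", "/checkout", {"Ping-To": "https://example.test/checkout"})
    blind_status, _ = srv.handle(blind)

    # A genuine submission carrying the token the server issued with the form.
    genuine = Request("POST", "/checkout", {"X-CSRF-Token": "tok-constructed-1"}, b"cart=1")
    genuine_status, _ = srv.handle(genuine)

    return {
        "pings_recorded": len(srv.ping_log),
        "blind_checkout_status": blind_status,
        "genuine_checkout_status": genuine_status,
        "orders_completed": srv.orders_completed,
        "blind_looked_like_ping": is_ping_initiated(blind),
        "genuine_looked_like_ping": is_ping_initiated(genuine),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The design point is the one Ian makes above: whether the endpoint is "safe" is decided by the server that implements the resource, not by the method. A marker header helps with logging and detection, but the checkout handler does not rely on its absence; it rejects any POST that lacks the token the server issued, which covers a ping-initiated POST and any other bodyless POST alike.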