Re: Feedback on the ping="" attribute (ISSUE-1)

Thomas Broyer wrote:
> ...
> But there's a huge difference here. When your Web server receives a
> GET request, I suppose the message intent is to retrieve a resource
> (idempotent), the server is free to log the request and/or update
> other resources, etc. as long as there is no direct incidence on the
> retrieved resource.
> With ping="", the "log" is differentiated from the retrieval (it'll
> generally belong to a third server). When the user follows the link,
> there are two messages sent: one to retrieve the resource (idempotent)
> and one to "track the click", whatever the user's intent. This second
> message is by definition non-idempotent.
> 
> The problem enlighten in this thread is generally-speaking a UI one:

Sort of.

> if a non-safe (non-idempotent) action has to be taken, it should be
> somehow "approved" by the end-user. Take a look at what browsers are
> doing: when you first use a <form method=POST> the browser tells you
> you're about to send information to a server and asks you whether
> you're OK to continue. The dialog-box contains a check-box allowing
> you to configure the browser to not prompt you next time you use a
> <form method=POST>.
> So AFAIUI, browsers are correctly implementing the HTTP spec, contrary
> to what has been said in this thread.

The difference here is that for POST (as-in-HTML-without-scripting), you 
still can *see* the difference before invoking the action (link vs button).

> So, why couldn't it be the same with ping-enabled links? The first
> time the user clicks such a link, the browser tells her she's about to
> tell a tier she's following this link, that this could be used to
> remunerate one or both the parties involved, make statistics, etc. and
> asks her whether she's OK to do the ping; with an option (check-box)
> to configure the browser not to prompt her the next time she clicks a
> ping-enabled link.

This was discussed by the Mozilla developers, and as far as I understand 
was rejected because exactly this kind of UI is seen as a bad idea in 
the first place. Non-geek users just have no idea what it means and 
click OK just to be able to continue.

In this case things are even worse because you're following something 
that looks like a link, but behaves differently. Just stating that once 
and then never again IMHO doesn't mean the UA has the user's consent to 
do so.

> In brief: I'm fine with using POST for pings and I don't think it
> violates any HTTP principle (as long as the user first gives her
> assent).

As long as you can really be sure the user is OK with that. I don't 
think the UI you mentioned would be sufficient.

BR, Julian

Received on Thursday, 8 November 2007 09:41:26 UTC
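
The message above turns on the fact that a ping-enabled link looks like any other link while also triggering a second request, often to a third server. The following Python sketch is an added example, not part of the original message: it lists the ping-enabled links in a page so the extra request becomes visible. The sample HTML, the host names and the exact-host definition of "third party" are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class PingLinkAuditor(HTMLParser):
    """Collects <a>/<area> elements that carry a ping attribute."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.page_host = urlsplit(base_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "area"):
            return
        attr = dict(attrs)
        ping = attr.get("ping")
        if not ping or not attr.get("href"):
            return  # a ping without a link to follow is never sent
        href = urljoin(self.base_url, attr["href"])
        link_host = urlsplit(href).hostname
        for token in ping.split():  # ping holds a space-separated URL list
            target = urljoin(self.base_url, token)
            parts = urlsplit(target)
            if parts.scheme not in ("http", "https"):
                continue
            # Assumption: "third party" = ping host differs from both the
            # page host and the link destination host (exact host match).
            third = parts.hostname not in (self.page_host, link_host)
            self.findings.append(
                {"href": href, "ping": target, "third_party": third})


def audit(html, base_url):
    """Return one finding per (link, ping URL) pair found in html."""
    parser = PingLinkAuditor(base_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page, not taken from any real site.
SAMPLE = """
<a href="https://shop.example/item/1"
   ping="https://tracker.example/click /log">Item</a>
<a href="/about">About</a>
<a href="/news" ping="/audit">News</a>
"""

if __name__ == "__main__":
    for f in audit(SAMPLE, "https://news.example/index.html"):
        print(f)
```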