W3C home > Mailing lists > Public > public-html@w3.org > December 2009

Re: CHANGE PROPOSAL: Remove ping and hyperlink auditing (ISSUE-1 and ISSUE-2)

From: Julian Reschke <julian.reschke@gmx.de>
Date: Tue, 08 Dec 2009 11:13:50 +0100
Message-ID: <4B1E26DE.9090301@gmx.de>
To: Kornel Lesinski <kornel@geekhood.net>
CC: "Roy T. Fielding" <fielding@gbiv.com>, "public-html@w3.org" <public-html@w3.org>
Kornel Lesinski wrote:
> ...
> It was thoroughly discussed, had experimental implementation and has 
> been redesigned in response to feedback. That's about the same as most 
> HTML 5 features.
> ...

Firefox 3.0 almost shipped with an experimental implementation that did 
the protocol part, but ignored the UI requirement (which used to be 
stronger than in the current spec).

So yes, there was an experimental implementation, but it failed to 
follow normative requirements in the spec.

> ...
>> Also, as described in ISSUE-1, ping's use of POST causes an
>> unsafe method to be used in response to a safe activation request,
>> in violation of the method constraints that have been part of
>> Web architecture since 1992.
> 
> Is current widespread practice of using GET specifically for triggering 
> side-effects better? If so, then ping can be made to use that too.

That proposal has been made many times, and has been rejected by the editor.

> ...
>> In short, if the UI is being presented as a normal link, then the
>> HTTP methods resulting from the user's selection must all be safe
>> (GET/HEAD/OPTIONS/etc.).  While some user agents may already fail
>> to protect the user in that regard, that is not an excuse to add
>> another broken feature to the standard.
> 
> I think it is. There's no point worrying about weak link in a chain that 
> is already broken in few places (form.submit() or submit button with 
> CSS/type=image are far more dangerous). Today servers/applications 
> without CSRF protection cannot be considered safe.
> 
> Switching to "safe" method may make very little difference in practice. 
> Web applications that don't need body of POST at all are very likely to 
> be exploitable via GET requests as well (e.g. PHP using register_globals 
> misfeature).
> ...

If it does make little difference in practice, why not do the switch 
then? At least the new feature wouldn't abuse HTTP the way it does now.

> ...
> There are already nastier tracking methods in widespread use that lack 
> UI. To compete with them ping probably even _shouldn't_ have UI. Anyway, 
> it gives browsers full control and tracking URLs, so browsers have a lot 
> of freedom with UI implementation, if any is ever needed.

Currently the spec states: "When the ping attribute is present, user 
agents should clearly indicate to the user that following the hyperlink 
will also cause secondary requests to be sent in the background, 
possibly including listing the actual target URLs."

So far I haven't seen an implementation of that. It appears you say this 
requirement isn't needed, in which case you probably should open a bug 
requesting to remove that part.

Best regards, Julian
Received on Tuesday, 8 December 2009 10:14:59 UTC

This archive was generated by hypermail 2.3.1 : Thursday, 29 October 2015 10:15:54 UTC