W3C home > Mailing lists > Public > public-html@w3.org > December 2009

Re: CHANGE PROPOSAL: Remove ping and hyperlink auditing (ISSUE-1 and ISSUE-2)

From: Maciej Stachowiak <mjs@apple.com>
Date: Tue, 08 Dec 2009 11:37:28 -0800
Cc: "public-html@w3.org WG" <public-html@w3.org>
Message-id: <1C139247-7525-4D02-B8BA-DC9AB4796611@apple.com>
To: "Roy T. Fielding" <fielding@gbiv.com>

Thanks for providing a Change Proposal for these issues! The chairs  
are reviewing Change Proposals to ensure that they meet the required  
structure. Here is our feedback on this Change Proposal:

(1) This Change Proposal meets all of the formal requirements.


On Dec 5, 2009, at 5:47 PM, Roy T. Fielding wrote:

> Regarding ISSUE-1 (PINGPOST) and ISSUE-2 (PINGUI), this is a
> formal change proposal to remove the ping attribute and all
> mention of hyperlink auditing from the HTML5 specification.
> The feature is half-baked, insufficiently implemented, and
> therefore not yet suitable for standardization.
> Hyperlink auditing is important because advertising and
> referral-based user tracking are two of the primary means of
> generating revenue via Web sites.  However, by its very nature,
> such tracking must be comprehensive, accurate, and unavoidable
> by a typical user or it simply won't be relied upon by site
> owners and advertisers.  The ping feature is incapable of
> providing such accuracy.
> The ping feature was added to HTML based on speculation that
> an optional mechanism would be usable instead of the typical
> redirect, javascript, or gateway-based tracking mechanisms.
> However, it cannot be used reliably until all browsers have
> implemented ping, are deployed, and do not configure it "off"
> by default.  Sites would therefore either ignore the ping
> feature until all of the browsers turn it on or use it only
> for secondary counts, thus duplicating the traffic that already
> handles this functionality.
> Ping would never be capable of proving undercounts [the sole
> apparent reason for this new feature] because there is no
> guarantee that the two DNS requests will deliver equally
> reachable servers for the ping and href, nor that the href
> request will succeed before the ping succeeds, nor that the
> href URL corresponds to the ping-per-referral URL.  It is for
> all of those reasons that people use redirects, referer,
> javascript, and cookies today to do tracking and those will
> never be solved by ping.
> Also, as described in ISSUE-1, ping's use of POST causes an
> unsafe method to be used in response to a safe activation request,
> in violation of the method constraints that have been part of
> Web architecture since 1992.
> The actions generated by a user agent should be consistent
> with the actions selected by the user.  That is why TimBL had an axiom
> about GET being safe -- clicking on a link (or a spider wandering
> around) must be translated into a safe network action because to do
> otherwise would require every user to know the purpose of every
> resource before the GET.  It follows, therefore, that the UI for a
> user action that is safe (a link) must be rendered differently from
> all other actions that might be unsafe.
> In short, if the UI is being presented as a normal link, then the
> HTTP methods resulting from the user's selection must all be safe
> (GET/HEAD/OPTIONS/etc.).  While some user agents may already fail
> to protect the user in that regard, that is not an excuse to add
> another broken feature to the standard. Implementors are responsible
> for their own implementations.  We are only responsible for the
> standards by which those implementations are judged broken.
> The discussion on ping assumes that the ping target is expecting
> to receive a POST request with the content "PING" (i.e., that the
> target has not been deliberately supplied to fool an unsuspecting
> user into triggering an unsafe action when they select the link).
> That is an invalid assumption -- the target of the ping could be
> any URL, including those that do fun things like delete wiki pages
> or print documents or send mail ... we've been through this all
> before, and not all unsafe resources even read the body before
> taking an action on behalf of the user.  That's why HTTP and HTML
> both have requirements on use of safe methods.
> If a decent solution to hyperlink auditing is ever found, then
> it can be specified separately from HTML5 and implemented in
> practice before it is standardized for the whole world.  That
> would also solve ISSUE-2 (PINGUI), which the past two years have
> demonstrated that implementing a preferences UI should at least
> be figured out before it is demanded of all implementations.
> Apply the patch enclosed, based on r13140 of webapps/source.
> If the patch file gets eaten by the mail system, then try
> http://gbiv.com/protocols/html/patch/diff-vs-13140-rm-ping.txt
> None.  This feature was never defined sufficiently to be
> implemented in practice.
> Cheers,
> Roy T. Fielding
> Chief Scientist, Day Software (http://www.day.com/)
> <diff-vs-13140-rm-ping.txt>
Received on Tuesday, 8 December 2009 19:38:03 UTC

This archive was generated by hypermail 2.4.0 : Saturday, 9 October 2021 18:45:04 UTC