- From: Jonas Sicking <jonas@sicking.cc>
- Date: Tue, 23 Feb 2010 20:08:38 -0800
- To: Maciej Stachowiak <mjs@apple.com>
- Cc: "public-html@w3.org WG" <public-html@w3.org>
On Tue, Feb 23, 2010 at 7:48 PM, Maciej Stachowiak <mjs@apple.com> wrote: > > On Feb 23, 2010, at 7:27 PM, Jonas Sicking wrote: > >> On Tue, Feb 23, 2010 at 6:38 PM, Maciej Stachowiak <mjs@apple.com> wrote: >>> >>> The original Change Proposal for these two issues proposed removing the >>> <a >>> ping> attribute and associated hyperlink auditing feature. Although we >>> had a >>> counter-proposal, we now seem to have consensus that it is ok to drop >>> this >>> feature from HTML5. Thus, we should adopt the Change Proposal to remove >>> the >>> feature. The feature could still be proposed again for a later issue of >>> HTML, or the issue could be re-raised if new information is provided >>> (such >>> as implementation experience or server-side deployment experience.) >>> >>> If there are no objections, these two issues will be closed on March 2, >>> 2010. >>> >>> http://dev.w3.org/html5/status/issue-status.html#ISSUE-001 >>> http://www.w3.org/html/wg/tracker/issues/1 >>> http://dev.w3.org/html5/status/issue-status.html#ISSUE-002 >>> http://www.w3.org/html/wg/tracker/issues/2 >> >> My understanding is that one of the objections to keeping @ping in the >> spec is that HTTP requires that POST requests are not made by the UA >> unless this has been made clear to the user that this is happening. >> I.e. that the HTTP spec requires some type of UI. And since @ping will >> use a UI very similar to "ping less" links, this would then be counter >> to the requirements in the HTTP spec. > > As far as I am aware, HTTP has no such UI requirement for initial requests, > only for redirects. It does have some non-normative advice on the > non-redirect case but no actual requirements for UAs. > >> Is this a correct understanding? The question is directed towards the >> people that have been arguing for @ping to be removed from HTML5. >> >> If a future version of HTTP, such as the in progress HTTPbis, was >> released and removed this UI requirement, would that remove that >> specific objection? > > I don't think that argument was ever grounded in what the HTTP spec actually > requires, but perhaps its proponents could clarify that position. Some quotes from the change proposal: ]] Also, as described in ISSUE-1, ping's use of POST causes an unsafe method to be used in response to a safe activation request, in violation of the method constraints that have been part of Web architecture since 1992. [[ ]] clicking on a link (or a spider wandering around) must be translated into a safe network action because to do otherwise would require every user to know the purpose of every resource before the GET. It follows, therefore, that the UI for a user action that is safe (a link) must be rendered differently from all other actions that might be unsafe [[ ]] In short, if the UI is being presented as a normal link, then the HTTP methods resulting from the user's selection must all be safe (GET/HEAD/OPTIONS/etc.) [[ (I hope I'm not quoting out of context somehow, everyone is encouraged to read the change proposal at http://lists.w3.org/Archives/Public/public-html/2009Dec/0183.html) / Jonas
Received on Wednesday, 24 February 2010 04:09:32 UTC