- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Mon, 07 May 2012 11:59:58 -0400
On 5/7/12 11:53 AM, Tab Atkins Jr. wrote: > Yes, definitely (unless you set .withCredentials on it or something, > like the XHR attribute). Hold on. If you _do_ set withCredentials, you should be required to pass the credentials in or something. Under no circumstances would prompting for credentials for a request associated with an already-unloaded page be OK from my point of view.... >> A bigger question is whether browsers really want to make it easier to do >> this or work on getting rid of the ability to phone home at/after unload >> altogether. My gut reaction every time I see pages doing it is that they're >> up to no good, and code inspection usually indicates that I'm right: the #1 >> use of this is for persistent user tracking. > > That might be, but we won't be *stopping* anything then. Even if true, we wouldn't be _encouraging_ anything either. > They can instead, say, switch to just sending requests every 20s or something - > if they were measuring session duration you still get good accuracy, > but the total number of requests doesn't go up too much. True. And to be clear, I'm not worried about session duration measurements. Most of the uses I saw of this were either not measuring session duration, or somehow felt compelled to communicate all sorts of info about the user and the user's computer to measure session duration. > The legitimate use-case of doing a final info-squirt at the server to > save state is reasonable, though What fraction of the current uses are the legitimate use-case? e.g. the legitimate use-case for popup windows is also reasonable, yet browsers have popup blockers. I suppose browsers can also block this thing by default unless users opt in... -Boris
Received on Monday, 7 May 2012 08:59:58 UTC