Re: Proposed HTML ping attribute

On Tuesday 2008-01-15 17:09 -0500, wrote:
> 1) Based on his personal knowledge of the needs of the "user tracking" 
> community, Roy speculates that the proposed ping attribute will not be 
> widely used for its intended purpose, and thus is a bad idea.

The relevant questions are really:
 (1) how much tracking currently done using redirects and/or script
     would be converted to <a ping>? (an improvement)
 (2) how much additional tracking would be done? (worse?)
 (3) what are the relative magnitudes of the improvement of
     switching from redirects and/or script to <a ping> vs the
     worsening of doing more tracking?

> 2) He notes that while some particular resources may indeed interpret 
> empty body posts in the intended manner, others may not. If we understand
> him correctly, Roy is suggesting that a malicious (or negligent) author
> of Web pages with ping attributes could "trick" a user into causing such
> a POST to be sent to a resource that would interpret it in ways that were
> destructive.

Does this introduce anything that form.submit() can't already do?

> 3) He suggests that if a ping attribute is to exist, user agents must 
> distinguish for users actions that will cause pings to be sent from 
> actions that won't.  I.e., an ordinary hyperlink access is "safe" in the 
> sense we discuss in Web architecture;  the ping is not safe and could have 
> consequences, including unintended consequences as in (2) above, so "the
> UI for a user action that is safe (a link) must be rendered differently 
> from all other actions that might be unsafe."

Considering that script can already do lots of things when a user
clicks a link (including send pings), having such user interface
already requires solving the halting problem.  While some
implementations may want to provide additional user interface, I
don't think the TAG has the necessary experience in user-interface

> Members of the TAG believe that the ping attribute as proposed in HTML5 
> may have a deep impact on the architecture of the Web itself. Accordingly, 

That seems rather dramatic for something that adds a declarative
markup mechanism for something that's already quite common on the
Web, thus making it a little easier to do and giving it a slightly
better user experience.

That said, the way privacy issues were dismissed rather than clearly
explained when there was first significant press around <a ping> may
mean it's DOA anyway, because the significant negative coverage it
already received may make implementors hesitant to touch it or turn
on support by default.


L. David Baron                       
Mozilla Corporation             

Received on Tuesday, 15 January 2008 22:39:01 UTC