ISSUE-1

PINGPOST

hyperlink auditing requires use of unsafe HTTP method

State: OPEN
Product: HTML 5 spec
Raised by: Julian Reschke
Opened on: 2007-11-02
Description:
"4.12.2.1. Hyperlink auditing" states:

"For URIs that are HTTP URIs, the requests must be performed using the POST method (with an empty entity body in the request)."
-- http://www.w3.org/html/wg/html5/#hyperlink0

This seems to be the wrong approach, as POST is an unsafe method, about which RFC2616 (HTTP/1.1) states:

"9.1.1 Safe Methods


   Implementors should be aware that the software represents the user in
   their interactions over the Internet, and should be careful to allow
   the user to be aware of any actions they might take which may have an
   unexpected significance to themselves or others.

   In particular, the convention has been established that the GET and
   HEAD methods SHOULD NOT have the significance of taking an action
   other than retrieval. These methods ought to be considered "safe".
   This allows user agents to represent other methods, such as POST, PUT
   and DELETE, in a special way, so that the user is made aware of the
   fact that a possibly unsafe action is being requested.

   Naturally, it is not possible to ensure that the server does not
   generate side-effects as a result of performing a GET request; in
   fact, some dynamic resources consider that a feature. The important
   distinction here is that the user did not request the side-effects,
   so therefore cannot be held accountable for them."

-- http://tools.ietf.org/html/rfc2616#section-9.1.1

Emphasis on: "The important distinction here is that the user did not request the side-effects, so therefore cannot be held accountable for them."

A user who follows a link clearly does not request any side-effects, so using POST here seems to be in conflict with RFC2616.

Proposal: use GET or HEAD instead.
Related Actions Items:
No related actions
Related emails:
  1. {minutes} HTML WG issue-tracking telcon 2008-06-19 (from mike@w3.org on 2008-06-25)
  2. ping attribute (ISSUE-1, ISSUE-2) (from julian.reschke@gmx.de on 2008-02-04)
  3. Re: Re[2]: Feedback on the ping='' attribute (ISSUE-1) (from soypunk@gmail.com on 2007-11-14)
  4. Re[2]: Feedback on the ping='' attribute (ISSUE-1) (from html60@narod.ru on 2007-11-14)
  5. Re: Feedback on the ping='' attribute (ISSUE-1) (from adam.vandenhoven@gmail.com on 2007-11-13)
  6. Re: Feedback on the ping='' attribute (ISSUE-1) (from julian.reschke@gmx.de on 2007-11-13)
  7. Re: Feedback on the ping='' attribute (ISSUE-1) (from jonbarnett@gmail.com on 2007-11-13)
  8. Re: Feedback on the ping='' attribute (ISSUE-1) (from daniel.glazman@disruptive-innovations.com on 2007-11-13)
  9. Re: Feedback on the ping='' attribute (ISSUE-1) (from julian.reschke@gmx.de on 2007-11-13)
  10. Re: Feedback on the ping='' attribute (ISSUE-1) (from jonbarnett@gmail.com on 2007-11-12)
  11. Re: Feedback on the ping='' attribute (ISSUE-1) (from t.broyer@gmail.com on 2007-11-12)
  12. Re: Feedback on the ping='' attribute (ISSUE-1) (from foolistbar@googlemail.com on 2007-11-12)
  13. Re: Feedback on the ping='' attribute (ISSUE-1) (from P.Taylor@Rhul.Ac.Uk on 2007-11-12)
  14. Re: Feedback on the ping='' attribute (ISSUE-1) (from daniel.glazman@disruptive-innovations.com on 2007-11-12)
  15. Re: Feedback on the ping='' attribute (ISSUE-1) (from P.Taylor@Rhul.Ac.Uk on 2007-11-12)
  16. Re: Feedback on the ping='' attribute (ISSUE-1) (from jonbarnett@gmail.com on 2007-11-12)
  17. protocol [was: Re[2]: Feedback on the ping='' attribute (ISSUE-1) ] (from html60@narod.ru on 2007-11-11)
  18. Re: Feedback on the ping='' attribute (ISSUE-1) (from julian.reschke@gmx.de on 2007-11-10)
  19. Re: Feedback on the ping='' attribute (ISSUE-1) (from bzbarsky@MIT.EDU on 2007-11-09)
  20. Re: Feedback on the ping='' attribute (ISSUE-1) (from bzbarsky@MIT.EDU on 2007-11-09)
  21. Re: Feedback on the ping='' attribute (ISSUE-1) (from julian.reschke@gmx.de on 2007-11-09)
  22. Re[2]: Feedback on the ping='' attribute (ISSUE-1) (from html60@narod.ru on 2007-11-09)
  23. Re: Feedback on the ping='' attribute (ISSUE-1) (from distobj@acm.org on 2007-11-09)
  24. Re: Feedback on the ping='' attribute (ISSUE-1) (from julian.reschke@gmx.de on 2007-11-09)
  25. Re: Feedback on the ping='' attribute (ISSUE-1) (from julian.reschke@gmx.de on 2007-11-09)
  26. Re[2]: Feedback on the ping='' attribute (ISSUE-1) (from html60@narod.ru on 2007-11-09)
  27. Re: Feedback on the ping='' attribute (ISSUE-1) (from t.broyer@gmail.com on 2007-11-09)
  28. Re: Feedback on the ping='' attribute (ISSUE-1) (from bzbarsky@MIT.EDU on 2007-11-08)
  29. Re: Feedback on the ping='' attribute (ISSUE-1) (from bzbarsky@MIT.EDU on 2007-11-08)
  30. Re: Feedback on the ping='' attribute (ISSUE-1) (from distobj@acm.org on 2007-11-08)
  31. Re: Feedback on the ping='' attribute (ISSUE-1) (from julian.reschke@gmx.de on 2007-11-08)
  32. Re: Feedback on the ping='' attribute (ISSUE-1) (from bzbarsky@MIT.EDU on 2007-11-08)
  33. Re: Feedback on the ping='' attribute (ISSUE-1) (from julian.reschke@gmx.de on 2007-11-08)
  34. Re: Feedback on the ping='' attribute (ISSUE-1) (from bzbarsky@MIT.EDU on 2007-11-08)
  35. Re: Feedback on the ping='' attribute (ISSUE-1) (from bzbarsky@MIT.EDU on 2007-11-08)
  36. Re: Feedback on the ping='' attribute (ISSUE-1) (from bzbarsky@MIT.EDU on 2007-11-08)
  37. Re: Feedback on the ping='' attribute (ISSUE-1) (from julian.reschke@gmx.de on 2007-11-08)
  38. Re: Feedback on the ping='' attribute (ISSUE-1) (from adam.vandenhoven@gmail.com on 2007-11-08)
  39. Re: Feedback on the ping='' attribute (ISSUE-1) (from adam.vandenhoven@gmail.com on 2007-11-08)
  40. Re: Feedback on the ping='' attribute (ISSUE-1) (from dimitri.glazkov@gmail.com on 2007-11-08)
  41. Re: Feedback on the ping='' attribute (ISSUE-1) (from distobj@acm.org on 2007-11-08)
  42. Re: Feedback on the ping='' attribute (ISSUE-1) (from raman@google.com on 2007-11-08)
  43. Re: Feedback on the ping='' attribute (ISSUE-1) (from julian.reschke@gmx.de on 2007-11-08)
  44. Re: Feedback on the ping='' attribute (ISSUE-1) (from t.broyer@gmail.com on 2007-11-08)
  45. Re: Feedback on the ping='' attribute (ISSUE-1) (from julian.reschke@gmx.de on 2007-11-08)
  46. Re: Feedback on the ping='' attribute (ISSUE-1) (from bzbarsky@MIT.EDU on 2007-11-08)
  47. Re: Feedback on the ping='' attribute (ISSUE-1) (from distobj@acm.org on 2007-11-08)
  48. Re: Feedback on the ping='' attribute (ISSUE-1) (from bzbarsky@MIT.EDU on 2007-11-07)
  49. Re: Feedback on the ping='' attribute (ISSUE-1) (from ian@hixie.ch on 2007-11-07)
  50. Re: Feedback on the ping='' attribute (ISSUE-1) (from distobj@acm.org on 2007-11-07)
  51. Re: Feedback on the ping='' attribute (ISSUE-1) (from adam.vandenhoven@gmail.com on 2007-11-07)
  52. Re: Feedback on the ping='' attribute (ISSUE-1) (from bzbarsky@MIT.EDU on 2007-11-07)
  53. Re: Feedback on the ping='' attribute (ISSUE-1) (from ian@hixie.ch on 2007-11-07)
  54. Re: Feedback on the ping='' attribute (ISSUE-1) (from distobj@acm.org on 2007-11-07)
  55. Re: Feedback on the ping='' attribute (ISSUE-1) (from bzbarsky@MIT.EDU on 2007-11-07)
  56. Re: Feedback on the ping='' attribute (ISSUE-1) (from distobj@acm.org on 2007-11-07)
  57. Re: Feedback on the ping='' attribute (ISSUE-1) (from bzbarsky@MIT.EDU on 2007-11-06)
  58. Re: Feedback on the ping='' attribute (ISSUE-1) (from distobj@acm.org on 2007-11-06)
  59. Re: Feedback on the ping='' attribute (ISSUE-1) (from fielding@gbiv.com on 2007-11-06)
  60. Re: Feedback on the ping='' attribute (ISSUE-1) (from ian@hixie.ch on 2007-11-06)
  61. Re: Feedback on the ping='' attribute (ISSUE-1) (from distobj@acm.org on 2007-11-06)
  62. Re: Feedback on the ping='' attribute (ISSUE-1) (from ian@hixie.ch on 2007-11-06)
  63. Re: Feedback on the ping='' attribute (ISSUE-1) (from distobj@acm.org on 2007-11-06)
  64. Re: Feedback on the ping='' attribute (ISSUE-1) (from ian@hixie.ch on 2007-11-05)
  65. Re: Feedback on the ping='' attribute (ISSUE-1) (from julian.reschke@gmx.de on 2007-11-04)
  66. Re: Feedback on the ping='' attribute (ISSUE-1) (from distobj@acm.org on 2007-11-04)
  67. Re: Feedback on the ping='' attribute (ISSUE-1) (from connolly@w3.org on 2007-11-04)
  68. Re: [whatwg] Feedback on the ping='' attribute (ISSUE-1) (from giecrilj@stegny.2a.pl on 2007-11-03)
  69. Re: Feedback on the ping='' attribute (ISSUE-1) (from ian@hixie.ch on 2007-11-03)
  70. Re: [whatwg] Feedback on the ping='' attribute (ISSUE-1) (from ian@hixie.ch on 2007-11-03)
  71. Re: Feedback on the ping='' attribute (ISSUE-1) (from hsivonen@iki.fi on 2007-11-03)
  72. Re: Feedback on the ping='' attribute (ISSUE-1) (from julian.reschke@gmx.de on 2007-11-03)
  73. Re: Feedback on the ping='' attribute (ISSUE-1) (from lachlan.hunt@lachy.id.au on 2007-11-03)
  74. Re: Feedback on the ping='' attribute (ISSUE-1) (from julian.reschke@gmx.de on 2007-11-03)
  75. Re: Feedback on the ping='' attribute (ISSUE-1) (from ian@hixie.ch on 2007-11-03)
  76. Re: Feedback on the ping='' attribute (ISSUE-1) (from julian.reschke@gmx.de on 2007-11-03)
  77. Re: Feedback on the ping='' attribute (ISSUE-1) (from julian.reschke@gmx.de on 2007-11-03)
  78. Re: Feedback on the ping='' attribute (ISSUE-1) (from hsivonen@iki.fi on 2007-11-03)
  79. Re: Feedback on the ping='' attribute (ISSUE-1) (from ian@hixie.ch on 2007-11-03)
  80. Re: Feedback on the ping='' attribute (ISSUE-1) (from julian.reschke@gmx.de on 2007-11-03)
  81. Re: Feedback on the ping='' attribute (ISSUE-1) (from bzbarsky@MIT.EDU on 2007-11-02)
  82. Feedback on the ping='' attribute (ISSUE-1) (from ian@hixie.ch on 2007-11-02)
  83. ISSUE-1 (PINGPOST): hyperlink auditing requires use of unsafe HTTP method (from sysbot+tracker@w3.org on 2007-11-02)

Related notes:

2007-11-02 15:25:01: Related mailing list thread starts with <http://lists.w3.org/Archives/Public/public-html/2007Oct/0337.html>.
[Julian Reschke]

2007-11-02 15:32:43: According to <http://lists.w3.org/Archives/Public/public-html/2007Oct/0344.html>, the rationale for using POST actually was that following the link is considered an unsafe operation, because it may result in money being exchanged -- for instance because the link being followed was an advertisement. [Julian Reschke]

2008-06-19 16:57:17: Julian says we have made no new progress on this. [Michael(tm) Smith]

2008-06-19 17:01:54: MikeSmith to take this to group for resolution [Michael(tm) Smith]


Dan Connolly <connolly@w3.org>, Chris Wilson <cwilso@microsoft.com>, Chairs, Michael(tm) Smith <mike@w3.org>, Staff Contact