Re: Feedback on the ping="" attribute (ISSUE-1) from Jon Barnett on 2007-11-13 (public-html@w3.org from November 2007)

From: Jon Barnett <jonbarnett@gmail.com>
Date: Mon, 12 Nov 2007 21:43:17 -0600
To: "Daniel Glazman" <daniel.glazman@disruptive-innovations.com>
Cc: "Boris Zbarsky" <bzbarsky@mit.edu>, "Mark Baker" <distobj@acm.org>, "public-html@w3.org" <public-html@w3.org>
Message-ID: <bde87dd20711121943x40b7ee5auf1bcc38af08d533c@mail.gmail.com>

On Nov 12, 2007 11:57 AM, Daniel Glazman
<daniel.glazman@disruptive-innovations.com> wrote:
> Jon Barnett wrote:
>
> > Users do indeed know the difference between a GET and a POST after the
> > fact - when they press the refresh button or the back button.
>
> BWAHAHAHAHA !!!!! That must be a joke. Not only they don't know the
> difference, but they don't even know what's a GET.
> Normal people don't even make the difference between the Web and the
> Internet, come on !
> ...
> </Daniel>
>
Thanks for the rude response.

The point I made was that the browser prompts prompts the user before
letting them repeat an unsafe request.  That's the difference between
GET and POST that's explicitly shown to a user - how they understand
it is up to the browser to communite.  How that warning is worded is
irrelevant "The page you are trying to view contains POSTDATA" or
"Refreshing this page may perform such actions as double-charging a
credit card." or "This page has expired" - the wording is irrelevant,
but the point is that after the fact, when attempting to refresh the
page or clicking the back button, the user sees a difference between a
POST and a GET in the warning that lets them know that repeating a
POST request may do something unwanted.  Again, the technicality of
the warning is irrelevant as long as the repercussions are clear (and
if they're not that's the browser's fault.)

And the only reason for making that point is to show why POST is
appropriate for @ping - it performs an action that shouldn't be
repeated by accident.  In the case of @ping, the user doesn't need to
see a warning because the final destination was a GET request, but the
browser knows not to repeat the POST request without explicit action
from the user (actually clicking the link that causes the ping).

This is the only distinction between "safe" and "unsafe" that matters
here - not whether the user understands the difference between POST
and GET before clicking something, but whether the action should be
repeated without the user doing something.

I hope this clarifies the point in a way you won't need to quote out
of context and rudely respond to.

-- 
Jon Barnett

Received on Tuesday, 13 November 2007 03:43:29 UTC