[whatwg] element "img" with HTTP POST method
Ian Hickson
ian at hixie.ch
Thu Apr 28 14:28:47 PDT 2011
On Thu, 9 Dec 2010, Martin Janecke wrote:
>
> What is your opinion on enabling the HTTP POST method for the img
> element?
This would unfortunately be somewhat impractical, due to the
idempotency-assuming nature of <img>: it's generally assumed to be safe
for images to be fetched an arbitrary number of times with no bad
side-effects.
> The motivation behind this is that there are services which generate
> images automatically based on parameters given -- nowadays provided as
> query string in a GET request -- for inclusion in web pages. I've listed
> examples below. However, these query strings can get really long and it
> seems to me that the HTTP POST method would be more appropriate than the
> GET method for such services.
The length of the data is not a relevant concern when picking GET vs POST.
GET and POST have different semantics:
> Not only because it would better match the intended use of these methods
> (see http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9)
It doesn't seem that it would. What situations did you have in mind where
a POST would be more semantically suitable?
> but also for practical reasons: URLs in GET requests are
> (inconsistently) limited in length by browsers and server software,
> which limits these services (inconsistently). And long URLs bloat server
> logs.
Nothing precludes an author from uploading the data first (using POST),
getting back a unique ID, and then using that ID with a GET for an image,
which would seem to resolve this.
In the meantime, one can do a POST for an image using XHR2 and the File
API; or by scripting a form that posts a request to an <iframe> or
<object> to render the resulting image. If we see a lot of that kind of
thing then it would be evidence that we should revisit this.
> === Example/Use Cases ===
>
> (1) MimeTeX and MathTeX are used to display mathematical formulae in web
> pages. This is often used in science forums. Info:
>
> http://www.forkosh.com/mathtex.html
> http://www.forkosh.com/mimetex.html
>
> Current use in web pages:
>
> <img src="http://www.forkosh.dreamhost.com/mathtex.cgi?\begin{align}%0D%0A\Gamma(z)%20%26%3D%20\lim_{n\to\infty}\frac{n!\;n^z}{z\;(z%2B1)\cdots(z%2Bn)}%20%3D%20\frac{1}{z}\prod_{n%3D1}^\infty\frac{\left(1%2B\frac{1}{n}\right)^z}{1%2B\frac{z}{n}}%20\\%0D%0A\Gamma(z)%20%26%3D%20\frac{e^{-\gamma%20z}}{z}\prod_{n%3D1}^\infty\left(1%2B\frac{z}{n}\right)^{-1}e^{z/n}%0D%0A\end{align}" alt="gamma function definition">
>
> Possible future use:
>
> <img src="http://www.forkosh.dreamhost.com/mathtex.cgi" post-data="\begin{align}%0D%0A\Gamma(z)%20%26%3D%20\lim_{n\to\infty}\frac{n!\;n^z}{z\;(z%2B1)\cdots(z%2Bn)}%20%3D%20\frac{1}{z}\prod_{n%3D1}^\infty\frac{\left(1%2B\frac{1}{n}\right)^z}{1%2B\frac{z}{n}}%20\\%0D%0A\Gamma(z)%20%26%3D%20\frac{e^{-\gamma%20z}}{z}\prod_{n%3D1}^\infty\left(1%2B\frac{z}{n}\right)^{-1}e^{z/n}%0D%0A\end{align}" alt="gamma function definition">
This seems very wrong. That's totally a GET semantic, not a POST semantic.
> (2) QR-Code generators encode texts or URLs in a way that can be easily
> read by devices such as cell phones with built-in cameras. Info and
> generator:
>
> http://qrcode.kaywa.com/
>
> Current use in web pages:
>
> <img src="http://qrcode.kaywa.com/img.php?s=8&d=Ah%2C%20distinctly%20I%20remember%20it%20was%20in%20the%20bleak%20December%2C%0D%0AAnd%20each%20separate%20dying%20ember%20wrought%20its%20ghost%20upon%20the%20floor." alt="qrcode">
>
> Possible future use:
>
> <img src="http://qrcode.kaywa.com/img.php" post-data="s=8&d=Ah%2C%20distinctly%20I%20remember%20it%20was%20in%20the%20bleak%20December%2C%0D%0AAnd%20each%20separate%20dying%20ember%20wrought%20its%20ghost%20upon%20the%20floor." alt="qrcode">
Again, this seems like a GET, not a POST.
On Thu, 9 Dec 2010, Adam Barth wrote:
>
> We've seen use cases for a similar feature for iframes and hyperlinks.
> For example:
>
> <a href="/logout" post-data>Logout</a>
>
> would be more semantically correct that just <a
> href="/logout">Logout</a> because it would generate a POST instead of a
> GET.
This is possible today:
<form action=/logout method=post>
<button type=submit>Logout</button>
</form>
Using an <a> for this would be inappropriate UI. (Hyperlinks should be
idempotent.)
On Thu, 9 Dec 2010, Philipp Serafin wrote:
>
> I like the general idea (this would also get rid of the problem that,
> right now, it's unnecessarily hard for authors to show idempotent and
> non-idempotent actions in a unified visual style), though this would
> also present serious security vulnerabilities, especially in forum
> pages.
IMHO, it's too _easy_ for authors to show idempotent and non-idempotent
actions in a unified style! Why would we want this to be more common?
On Thu, 9 Dec 2010, Tab Atkins Jr. wrote:
>
> I don't believe there are any declarative ways to trigger involuntary
> POSTs, are there?
test.html on this page has no script:
http://damowmow.com/playground/demos/http/002/
On Fri, 10 Dec 2010, Benjamin Hawkes-Lewis wrote:
>
> The most popular browser currently limits URLs to 2,083 characters.
>
> http://support.microsoft.com/kb/208427
>
> Your given examples fit comfortably within these limits; do you have a
> real-world example of an image URL that falls foul of this constraint?
>
> Apparently, Firefox/Safari/Opera already support much longer URLs:
>
> http://blogs.nitobi.com/alexei/?p=163
>
> I think at some point repeatedly GETing or POSTing large amounts of data
> to display an image becomes unrealistically wasteful of bandwidth,
> compared to generating the image once and reusing the created image URL.
Indeed.
On Fri, 10 Dec 2010, Martin Janecke wrote:
>
> That's a good idea. Can we define a minimum length in the spec that
> should/must be supported? As a point of reference for browser vendors
> and web page authors? I didn't find a reliable point of reference other
> than http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1 ...
There's theoretically no limit; currently the limit is a matter of
practical hardware or platform limitations.
On Fri, 10 Dec 2010, Julian Reschke wrote:
>
> We can't change what RFC 2616 says, but we *did* already change this in
> the drafts for the next revision:
>
> "Various ad-hoc limitations on request-target length are found in
> practice. It is RECOMMENDED that all HTTP senders and recipients support
> request-target lengths of 8000 or more octets."
> <http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p1-messaging-12.html#rfc.section.4.1.2.p.19>
This hopefully should handle the cases mentioned above.
--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
More information about the whatwg
mailing list