On 11/24/09 3:16 AM, Bil Corry wrote:
> Some time ago on the HTML5 list[1], I brought up the problem that there
> wasn't a straightforward way for a server to determine when the user had
> closed all windows/tabs. We eventually came up with the idea of using a
> "rel" extension[2] to specify a "logout" feature[3]; the browser pings
> the server when all related windows/tabs are closed.
>
> I am soliciting feedback on the idea: is this something that Mozilla
> would consider adding to Firefox?

Was it accepted by the HTML5 specification? It doesn't sound like a particularly useful feature to me, considering that this seems to be mostly a solved problem.

> Currently, the only way that I'm aware of to determine when a user has
> closed all related windows/tabs is by having the browser poll the server
> at a regular interval, and once the polling stops, the server knows the
> user is no longer actively using the site.

Why exactly do you need to know when the user has closed all related windows/tabs? How is this better than just timing out the user's session if they haven't made a request in 30 minutes, and doing an occasional poll if the user is in a long-running task such as editing a document?

The spec says same-origin, but doesn't define whether that means eTLD+1 or actual specific origin. What kinds of loads would "prevent logout"? Would images loaded as <img>? Images loaded as documents? Frames loaded in another site's toplevel window? PDFs, videos, or other non-HTML documents loaded in a browser window (i.e. via the Acrobat plugin)? Must the logout URL be same-origin with the site?

My initial reaction is that we would not implement this feature, but let sites solve this problem, if it must be solved, using existing technologies.

--BDS

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
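
The alternative named in the reply above (expire the session after 30 minutes without a request, with an occasional poll during a long-running task), sketched server-side as an added example. It is not code from this thread or from Mozilla; the `SessionStore` class, the 5-minute poll interval and the injected clock are assumptions made for illustration.

```python
import secrets

IDLE_TIMEOUT = 30 * 60   # seconds; the 30-minute figure from the reply above
POLL_INTERVAL = 5 * 60   # assumed heartbeat period for long-running tasks


class SessionStore:
    """Hypothetical server-side store: sessions die after IDLE_TIMEOUT of silence."""

    def __init__(self, clock):
        self._clock = clock      # injected so expiry can be exercised offline
        self._last_seen = {}     # session id -> time of last request

    def login(self):
        sid = secrets.token_urlsafe(32)   # unguessable session identifier
        self._last_seen[sid] = self._clock()
        return sid

    def touch(self, sid):
        """Call on every request, heartbeat polls included.

        Slides the idle window and returns True for a live session;
        destroys an already-expired session and returns False.
        """
        seen = self._last_seen.get(sid)
        if seen is None:
            return False
        now = self._clock()
        if now - seen >= IDLE_TIMEOUT:
            del self._last_seen[sid]   # a late request must not revive it
            return False
        self._last_seen[sid] = now
        return True

    def sweep(self):
        """Log out sessions whose clients went silent; returns their ids."""
        now = self._clock()
        dead = [s for s, t in self._last_seen.items() if now - t >= IDLE_TIMEOUT]
        for sid in dead:
            del self._last_seen[sid]
        return dead


def simulate():
    """Constructed scenario: an editor tab polls for an hour, then all tabs close."""
    t = [0]
    store = SessionStore(lambda: t[0])
    sid = store.login()
    kept_alive = all(store.touch(sid) for _ in range(12)
                     if not t.__setitem__(0, t[0] + POLL_INTERVAL))
    t[0] += IDLE_TIMEOUT               # tabs closed: polling stops
    return kept_alive, store.sweep() == [sid], store.touch(sid)
```

The server never learns the moment the tabs close; it only observes that requests stopped, so the logout lags the last poll by up to the idle timeout.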
