On 5/7/12 11:53 AM, Tab Atkins Jr. wrote:
> Yes, definitely (unless you set .withCredentials on it or something,
> like the XHR attribute).

Hold on. If you _do_ set withCredentials, you should be required to pass the credentials in or something. Under no circumstances would prompting for credentials for a request associated with an already-unloaded page be OK from my point of view....

>> A bigger question is whether browsers really want to make it easier to do
>> this or work on getting rid of the ability to phone home at/after unload
>> altogether.  My gut reaction every time I see pages doing it is that they're
>> up to no good, and code inspection usually indicates that I'm right: the #1
>> use of this is for persistent user tracking.
>
> That might be, but we won't be *stopping* anything then.

Even if true, we wouldn't be _encouraging_ anything either.

> They can instead, say, switch to just sending requests every 20s or something -
> if they were measuring session duration you still get good accuracy,
> but the total number of requests doesn't go up too much.

True.

And to be clear, I'm not worried about session duration measurements. Most of the uses I saw of this were either not measuring session duration, or somehow felt compelled to communicate all sorts of info about the user and the user's computer to measure session duration.

> The legitimate use-case of doing a final info-squirt at the server to
> save state is reasonable, though

What fraction of the current uses are the legitimate use-case?

e.g. the legitimate use-case for popup windows is also reasonable, yet browsers have popup blockers.

I suppose browsers can also block this thing by default unless users opt in...

-Boris
