Re: [Tools-implementation] Requiring Javascript for anything that needs login on the datatracker.

Russ Housley <housley@vigilsec.com> Thu, 22 October 2020 18:32 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/tools-implementation/yOY_pp8ROqPFBG5gzqZHTMqOkKY>

This has been a community discussion point in the past. I think the IESG needs to make the call, perhaps after further discussion.

Russ


> On Oct 22, 2020, at 2:27 PM, Robert Sparks <rjsparks@nostrum.com> wrote:
> 
> I believe we are at a point that we need to lift (or at least significantly change) the requirement that most of our pages work without javascript.
> 
> We already have many pages that have crossed that line - people who are doing anything really significant with the datatracker now need to allow javascript for things to function.
> 
> As we start to try to further improve the speed of the datatracker one of the things we will want to look at is taking advantage of front-end frameworks like React (or at least following some of the same patterns for how they work).
> 
> So I think we should start setting the expectation that for anything that requires you to log in to the datatracker, you should expect to be running javascript. That moves the line for keeping pages functional without it to those things that you can do without logging in.
> 
> A concrete example of where this will make a difference:
> 
> Right now, it isn't immediately straightforward to cache results from the datatracker because we have a section on the page that is highly personalized to the logged in person (look at the menu under the logged in name). To blindly cache a page would cache things based on whoever was logged in as the cache was written. Someone else getting such a cached response would see a page with the wrong login (and other details in that menu). We can work around that, with some effort, by caching _parts_ of the page, mostly using template caching, but we have to be careful in that case to ensure that the parts that are cached are logged-in-user invariant, and be very careful with where the database reads happen. See https://trac.tools.ietf.org/tools/ietfdb/changeset/18625/trunk for a short example of the kind of care that has to be exercised.
> 
> One path we could take that would let us more easily cache pages in a general fashion would be to move the rendering of the logged-in-user specific information into javascript, so that what pages return are login-invariant. The browser could then fetch and render the logged-in-user specific things. But that would require javascript, and would push the boundary of where javascript is required to "all pages where a user is logged in".
> 
> RjS
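
The caching problem described in the quoted message, as an added example that is not part of the original thread and is not datatracker code: a cache keyed only on the path serves the first viewer's menu to everyone, while caching a login-invariant shell and serving the per-user menu separately does not. All names (user_menu, render_body, NaiveCache, SplitCache) and the sample users are hypothetical.

```python
# Added illustration; every name here is hypothetical, not datatracker code.

def user_menu(user):
    """Per-user fragment (the menu under the logged-in name)."""
    return f"<nav>Signed in as {user}</nav>" if user else "<nav>Sign in</nav>"

def render_body(path):
    """Login-invariant part of the page (stands in for the expensive DB work)."""
    return f"<main>Document list for {path}</main>"

class NaiveCache:
    """Caches the whole response keyed on path only, so the first viewer's
    personalized menu is stored and replayed to later viewers."""
    def __init__(self):
        self.store = {}

    def get(self, path, user):
        if path not in self.store:
            self.store[path] = user_menu(user) + render_body(path)
        return self.store[path]

class SplitCache:
    """Caches only the login-invariant shell. The per-user menu is a separate
    response that the browser would fetch and render with JavaScript."""
    def __init__(self):
        self.store = {}
        self.renders = 0  # counts how often the expensive body is rebuilt

    def get_shell(self, path):
        if path not in self.store:
            self.renders += 1
            self.store[path] = '<nav id="user-menu"></nav>' + render_body(path)
        return self.store[path]

    def get_menu(self, user):
        # Assumption: never stored in a shared cache; over HTTP this response
        # would carry "Cache-Control: private, no-store".
        return user_menu(user)

def leaked_to(cache, path, first_user, second_user):
    """Return True if second_user's response contains first_user's name."""
    cache.get(path, first_user)
    return first_user in cache.get(path, second_user)

if __name__ == "__main__":
    # Constructed sample users.
    print("naive cache leaks:", leaked_to(NaiveCache(), "/doc/", "alice", "bob"))
    split = SplitCache()
    print(split.get_shell("/doc/"), split.get_menu("bob"))
```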