Entries classified under web

There's been a lot of good discussion around Udell's End HTTP abuse article. We need to get this figured out because it's almost embarrassing to be an advocate of standard approaches to building web applications when something as fundamental as the correct use of HTTP GET is butchered so often. Unfortunately, misuse of HTTP GET is just the tip of the iceberg. There's a whole slew of HTTP abuse going on out there (often in the form of neglect) that can be laid at the footstep of two parties: frameworks and evangelists. The frameworks suck and the evangelists aren't trying hard enough (I consider myself in both camps, btw).

The small community that is coalescing around REST/HTTP should prioritize the following objectives above anything else at this point:

1. Raise awareness of what HTTP is capable of.
2. Fix the tools.

HTTP Kicks Ass

We need to raise awareness of what HTTP is really about. If you're reading and understanding this, then you've likely had the Ah-ha moment based on the realization that HTTP isn't just a beat up old protocol for transferring files from a web server to browsers (if you haven't, read this); but this understanding is not common. The large majority of smart technical people believe that HTTP is legacy technology: an old protocol, maybe a step above gopher, that has somehow hung around through the years. Something to be dealt with, not taken advantage of. We need to show how limiting this mind-set is.

Many of us were first introduced to the true capabilities of HTTP via the REST architectural style. If you were like me, Mark or Paul (or both at the same time) forcefully induced the REST epiphany on you against your will and then you went and re-read RFC 2616 while slapping yourself on the forehead repeatedly. The correlation between the architectural concepts described in Roy's thesis and the implementation semantics described in the RFC were clear as a bell. HTTP was no longer a simple mechanism for exposing a directory of files and executable processes to a browser, it was the essence of web architecture.

Here's the thing though: most people don't read RFC's! They hate RFCs. Reading RFCs ranks close to doing taxes for most people. The only thing worse than reading RFCs is reading PhD thesis'.

The evangelist needs to reach these people somehow and I really don't think it's going to be through describing the architectural concepts of REST so much as it will be through describing the here's-what-you-can-do-right-now-in-the-real-world benefits of HTTP. It's a fine line, I know, but I think it's important.

How do we give people the Ah-ha! without requiring that they read a thesis and an RFC?

A Three Legged Dog

I look at what Zeldman, Meyer, and others are accomplishing with the Designing with Web Standards movement and it seems a good model. They emphasis the correct use of standard CSS, (X)HTML, and DOM scripting (the three legged stool) to achieve enormous benefits over proprietary web design techniques. They have books and a cluster of weblogs that show designers how to reap the rewards of this system. It's been a smashing success and is only gaining traction.

Can we take a page from their book? In my opinion, we're just as entitled to the phrase Designing with Web Standards as they are. We have a three legged stool too: HTTP, URIs, and XML. Except our stool is more like a three legged dog - you can get around but it is not quite optimal. Why is this?

My feeling is that we haven't done a good enough job of showing examples of what the correct use of HTTP, URIs, and XML looks like in the real world. Joe Gregorio's excellent column aside, there just is not a lot of here's-how-you-get-shit-done-with-http type content available on the web, led alone books or magazine articles. We're amazingly talented at pointing out when something is being done wrong (e.g. WS-*, non-safe/idempotent GET, incorrect charset, etc.) but we suck at showing how to do it right in the first place.

(Here's some more pictures of three legged dogs because three legged dogs are the shit.)

To Hell With Bad Web Frameworks

Why are we having such a hard time showing correct use of HTTP and URIs? Because our tools suck. How are we suppose to show how to use HTTP and URIs properly when the tools and frameworks actively discourage practicing standards? Our incessant ranting on correct use of web technology is filed by many into the not living in the real world drawer. We're assholes.

In many ways this is the same battle that the Designing with Web Standards crowd has been fighting with their tools - the browsers. How can you preach standard use of (X)HTML, DOM, and CSS when the browsers have such poor support for them? Those guys drew a line and said To Hell With Bad Browsers and it's paying off. I think we need to take on a similar attitude and start expecting more from our web frameworks.

Every web framework I've ever worked with (Apache, CGI, Java Servlets, Quixote, Webware, Ruby on Rails, PHP, ASP.NET, CherryPy) were extremely limited in their support for the full set of capabilities provided by HTTP.

For instance, which frameworks ...

• ... help implement content negotiation properly?

• ... provide facilities for implementing a smart caching strategy for dynamic content? (proper use of If-Modified-Since, Expires, Cache-Control, etc.)

• ... make dealing with media types easy?

• ... make dealing with character encodings easy?

• ... encourage the use of standard HTTP authentication schemes?

• ... have a sane mechanism for attaching different behavior to different verbs for a single resource?

• ... help ensure that URIs stay cool?

• ... make dealing with transfer encodings (gzip, compress, etc.) easy?

• ... help you use response status codes properly? (e.g. Nearly all dynamic content returns either a 200 or 500).

Sure, some frameworks have tricks for portions of the list but there should be documented, well-thought-out mechanisms for implementing these facets of HTTP. Let's face it, if you want to do something outside of exposing well-known static representation types from disk for GET, or process application/x-www-urlencoded data via POST, you're off the radar for most web frameworks. I'm not saying that other things aren't possible, I'm saying they aren't supported well.

Shutting this one down

I've rambled for to long already. I have more to say on this but I'll try to keep it to short and focused posts over the next week or so.

To sum up, we need a good implementation of HTTP/1.1 that provides a real framework for building standards based web applications. We then need to advocate and illustrate the correct use of HTTP/URIs/XML as a killer technology that has been hiding right under our noses by showing the benefits of using the system correctly. Until we get this stuff straightened out, expecting people to use GET properly is unrealistic.

...

Sidebar: I just noticed that Leigh Dodds beat me to it:

[Udell] then continues by exploring the ease of using GET versus POST on the client-side. I think the fault actually lies on the server-side. Specifically, with existing web applications frameworks.

Word.

... I was running through the archives and found an interesting entry that could have been written about the Google Auto-Link fiasco. The title was, Who Owns Your Browser? and it is about per-site user style sheets. I had forgotten that Simon Willison, Adrian Holovaty, myself and many others hashed through a lot of this stuff almost a year and a half before Google's auto-link even hit the street and the issues are pretty much the same.

The discussion came out just as fractured then as it has this time around with the A-listers. Adrian's friends thought people using per-site user stylesheets to modify content would be a serious issue and that content providers would eventually sue, Simon was open to the idea that there might be some questions around ethics but didn't want to hurt innovation, and I said screw the content producers it's my goddam browser and I'll do whatever I please, thank you. :)

Maybe next holloween we can dress up like Winer, Scoble, and Doctorow and yell a lot? :)

Patrick Logan wonders what I'm referring to when I use the word success in this paragraph from What WS-* Got Wrong:

From the beginning, WS-* has been approached incorrectly. The approach that we're advocating is to first embrace and understand existing web architecture and then to gradually enhance (constrain) it to meet the needs of new requirements. We advocate this not because we think it's a better way to be successful, we think it's the only way to be successful.

That's some claim! Is "success" even defined in this case? -Patrick

Success is the widespread adoption of some form of interoperable communications between coordinated and uncoordinated machine agents over large network bodies.

What I was trying to say here is that my beef with WS-* has less to do with architectural and technical issues and more to do with pragmatism and practicality. I'm fully aware that these technologies could be adopted and would work more or less as specified. My problem is that WS-* won't be adopted in any significant way because it does not exhibit the traits necessary for a technology to be adopted on a large scale.

If someone personally coordinated 200 people in various organizations, I'm sure they could implement solutions on top of WS-* given a long enough time-frame. If 200 people are working separately, and are left to their own devices, in a more organic, web-like environment, WS-* has much less chance of being used successfully.

I see REST vs WS-* as a simple case of worse is better (except in many ways I think REST is the more technically correct so bonus points there). It does exhibit the traits required for technology to be widely adopted and what's more, it already has been widely adopted.

Mark Baker brings up an important aspect of the WS-* vs. REST situation that I've been hoping to speak about myself:

Yes, absolutey, we'll need the capabilities that the WS-* stack provides (for the most part). But do we need the WS-* stack itself to provide those capabilities? I'm certainly all for trying to reuse existing specs where that makes sense. The issue though, is that with most of them, they explicitly or implicitly require disregarding a key constraints of REST, disrespecting Web architecture, or both. WSDL's probably the poster child for this, as its raison d'etre is primarily to encourage rejection of REST's uniform interface.

Right. The problem with WS-* isn't that its trying to solve the wrong problems or that nothing valuable has been produced. The problem is the general disregard for existing web architecture. WS-* tried to take a revolutionary approach to something that required only incremental improvement. HTTP and URIs were treated as legacy technology that would provide a quick and dirty mechanism for bootstrapping this special next generation of web technology.

The REST advocates' criticism of WS-* generally comes off as an attack on technology or architecture but what really pisses the REST people off is the WS-* approach. From the beginning, WS-* has been approached incorrectly. The approach that we're advocating is to first embrace and understand existing web architecture and then to gradually enhance (constrain) it to meet the needs of new requirements. We advocate this not because we think it's a better way to be successful, we think it's the only way to be successful.

An example of the approach we're advocating is Bill de hÓra's recent proposal for reliable messaging over HTTP, (HTTPLR). The difference between the HTTPLR approach and the WS-ReliableMessaging approach is that Bill's proposal builds on simple proven web architecture without requiring additional apparatus.

Anyway, what we need to learn from this is that most successful technologies aren't successful on accident. HTTP and URIs were generally understood only at a very technical / bits-on-the-wire level -- the RFCs existed but Roy Fielding's architectural description came much later and I think it hurt us. We didn't understand how HTTP and URIs formed an overall architecture and how vital that architecture was to the success of the web. If the larger technical community had had an architectural understanding of the web, we might not be in such a mess.

What many of us are now wondering (and have been wondering for some time) is how much longer WS-* is going to continue down a path of incompatibility with web architecture and whether the work that's in progress or that has been completed by WS-* can be reconciled to work under the constraints of web architecture. The feeling I get is that a lot of the REST advocates feel so spited from years of being ignored that they would rather sit back and watch the WS-Building burn to the ground and build from scratch, which is unfortunate for everyone really.