This document is the text of a slide deck by Roy T. Fielding, 'Scrambled Eggs'. It covers the HTTP standards work (HTTP/1.1 in HTTPbis, HTTP/2.0 as the standardization of SPDY, and Do Not Track), the REST architectural style and the question of how to version a REST API, backward compatibility and evolvability of web applications, how user data is collected across unrelated contexts in online behavioral advertising, and a proposed feature-flag mechanism ('frags') for continuous deployment in CQ/AEM.
Introduction by Roy T. Fielding, discussing the topic of 'Scrambled Eggs'.
Outline slide, 'It's a Mystery': open source (Apache), standards (HTTPbis + HTTP/2, Do Not Track), and software architecture (REST).
Status of the HTTP standards: HTTP/1.1 (HTTPbis) is nearly done and approaching IESG last call; HTTP/2.0 is the standardization of Google's SPDY, characterized as a session-layer tunnel for HTTP with compression.
Do Not Track: tracking is pervasive because it feeds personalization and UX; collection across unrelated contexts is the privacy concern; governments, privacy advocates and the advertising industry have to work together to fix it.
REST API versioning: the four places people put a version number (URL hierarchy, resource name, query parameter, media type), why a REST API is just a website for machine clients, and why breaking backward compatibility is the real problem.
'Always ship trunk' and a proposed CQ feature, 'frags': feature flags as global configuration settings, console switches with proportional activation and AB testing, and activation-aware monitoring.
IT’S A MYSTERY
Open Source
Apache
Standards
HTTPbis + HTTP/2
Do Not Track
Software
Architecture
REST
Wouldn’t it be nice if
CQ supported …
STANDARDS: HTTP
HTTP/1.1
Almost done, really
IESG last call next week or so
HTTP/2.0
Standardization of Google’s SPDY
Session-layer Tunnel for HTTP with Compression (?)
• Should have been called TCP++, or TLS++
• Improvement for session-heavy, authenticated sites
• http://trac.tools.ietf.org/wg/httpbis/trac/wiki
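The slide calls HTTP/2 a session-layer tunnel for HTTP with compression. What that means on the wire is a 9-byte binary frame header multiplexing streams over one TCP (or TLS) connection, with header blocks compressed by HPACK. The parser below is an added example written for this page, not code from the talk or from any HTTP/2 implementation: it reads the client connection preface and a constructed frame sequence, and applies the two checks a receiver must make before trusting a frame (the frame-size limit, which bounds what an attacker-controlled length field can make you buffer, and the stream-0 rules). Frame layout and type codes are from RFC 7540; `parse_frames`, `build_frame` and the sample bytes are this example's own. HPACK itself is not implemented; the HEADERS payload is three static-table indexed fields.

```python
"""HTTP/2 binary framing: preface, frame header, receiver-side checks."""
import struct

# Client connection preface (RFC 7540 section 3.5): a fixed 24-byte string that
# an HTTP/1.1 server would reject, so a mis-negotiated connection fails early.
CONNECTION_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"

# Frame type codes (RFC 7540 section 6).
FRAME_TYPES = {0x0: "DATA", 0x1: "HEADERS", 0x2: "PRIORITY", 0x3: "RST_STREAM",
               0x4: "SETTINGS", 0x5: "PUSH_PROMISE", 0x6: "PING", 0x7: "GOAWAY",
               0x8: "WINDOW_UPDATE", 0x9: "CONTINUATION"}
STREAM_ZERO_ONLY = {0x4, 0x6, 0x7}                 # SETTINGS, PING, GOAWAY
NONZERO_STREAM_ONLY = {0x0, 0x1, 0x2, 0x3, 0x5, 0x9}  # DATA, HEADERS, PRIORITY, RST_STREAM, PUSH_PROMISE, CONTINUATION

# SETTINGS_MAX_FRAME_SIZE defaults to 2^14; the receiver may raise it to 2^24-1.
DEFAULT_MAX_FRAME_SIZE = 16384


class FrameError(ValueError):
    """A connection error: the peer sent something we must not accept."""


def parse_frame_header(buf):
    """Decode the 9-byte header: 24-bit length, 8-bit type, 8-bit flags,
    1 reserved bit + 31-bit stream identifier, all big-endian."""
    if len(buf) < 9:
        raise FrameError("short frame header")
    length = int.from_bytes(buf[0:3], "big")
    ftype, flags = buf[3], buf[4]
    stream_id = struct.unpack(">I", buf[5:9])[0] & 0x7FFFFFFF  # drop reserved bit
    return length, ftype, flags, stream_id


def parse_frames(data, max_frame_size=DEFAULT_MAX_FRAME_SIZE):
    """Strip the preface, then return a list of (type_name, flags, stream_id, payload).
    The length is checked against our advertised limit *before* the payload is
    sliced, so a hostile length field cannot make us buffer up to 16 MiB per frame."""
    if not data.startswith(CONNECTION_PREFACE):
        raise FrameError("missing connection preface")
    pos = len(CONNECTION_PREFACE)
    frames = []
    while pos < len(data):
        length, ftype, flags, stream_id = parse_frame_header(data[pos:pos + 9])
        if length > max_frame_size:
            raise FrameError("FRAME_SIZE_ERROR: %d > %d" % (length, max_frame_size))
        if ftype in STREAM_ZERO_ONLY and stream_id != 0:
            raise FrameError("PROTOCOL_ERROR: type 0x%x must be on stream 0" % ftype)
        if ftype in NONZERO_STREAM_ONLY and stream_id == 0:
            raise FrameError("PROTOCOL_ERROR: type 0x%x must not be on stream 0" % ftype)
        pos += 9
        payload = data[pos:pos + length]
        if len(payload) != length:
            raise FrameError("truncated frame payload")
        pos += length
        frames.append((FRAME_TYPES.get(ftype, "UNKNOWN_0x%02x" % ftype), flags, stream_id, payload))
    return frames


def build_frame(ftype, flags, stream_id, payload):
    """Encode one frame; used here only to construct the sample input."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)


# Constructed sample: preface, an empty SETTINGS frame on stream 0, then a HEADERS
# frame on stream 1 carrying HPACK indexed fields :method GET, :scheme http, :path /
# (static table entries 2, 6, 4) with the END_HEADERS flag (0x4).
SAMPLE = (CONNECTION_PREFACE
          + build_frame(0x4, 0x0, 0, b"")
          + build_frame(0x1, 0x4, 1, b"\x82\x86\x84"))

if __name__ == "__main__":
    for name, flags, sid, payload in parse_frames(SAMPLE):
        print(name, "flags=0x%x" % flags, "stream=%d" % sid, "len=%d" % len(payload))
```

The "TCP++/TLS++" remark on the slide is visible in the code: nothing above is about HTTP semantics, it is a session layer with its own framing, stream identifiers and limits that a server has to enforce as carefully as a TCP stack enforces its own.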
STANDARDS: DO NOT TRACK
Tracking is pervasive
because it feeds personalization and UX
[Figure: a typical flow of information related to some online behavioral advertising. Green arrows represent the flow of consumer data; blue arrows represent the flow of 3rd party information & offerings. Parties: Browser on Personal Computer, News Website, Other Websites, Merchant, Ad Network, Secondary Ad Networks, Web Analytics Provider, Profiling Service (age, income level, hobbies). Flows: URL + news site cookie, URL + analytics cookie, URL + ad cookie1, URL + ad cookie2, URL + pre-existing cookie, redirect URL, demographic data (from registration), demographics & online activity, demographics & past purchases, interest segments, statistics & consumer behavior, aggregate analytics data (* depending on contract limitations), contextual & tailored ads ("BUY ONE, GET ONE!", "SPECIAL OFFER!"). Not all online behavioral advertising operates exactly like this diagram.]
Data collection across unrelated contexts
is a privacy concern
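"Unrelated contexts" is the operative phrase: in the Tracking Preference Expression (TPE) vocabulary, tracking is collecting a user's activity across distinct contexts, which in the diagram above is the ad cookie carried from the news website to the ad network and on to the profiling service. The handler below is an added example, not code from the talk or from any ad network: it shows what an ad-network endpoint has to decide per request when it honors the DNT: 1 request header, and how it reports that decision in the Tk response header (TPE status values N = not tracking, T = tracking, C = tracking with prior consent). Assumptions in this example: the embedding page is taken from the Referer header, "same site" is approximated as the last two DNS labels (a real deployment needs the Public Suffix List), and user-granted exceptions are a set of identifiers held in memory; `site_of`, `request_context`, `tracking_decision` and `handle_ad_request` are names of my own.

```python
"""Decide per request whether a cross-context identifier may be read or written."""
import secrets
from urllib.parse import urlsplit

# TPE tracking status values used here.
TK_NOT_TRACKING, TK_TRACKING, TK_CONSENT = "N", "T", "C"


def site_of(host):
    """eTLD+1 approximation: last two labels (assumption, see lead-in)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def request_context(req):
    """'first-party' when the request host and the embedding page share a site,
    otherwise 'third-party'. No Referer counts as third-party: the cautious
    default, since nothing shows the request stayed within one context."""
    referer = req["headers"].get("Referer")
    if not referer:
        return "third-party"
    page_host = urlsplit(referer).hostname or ""
    return "first-party" if site_of(page_host) == site_of(req["host"]) else "third-party"


def tracking_decision(req, consented_ids):
    """Return (may_collect_across_contexts, tk_value)."""
    if req["headers"].get("DNT") != "1":
        return True, TK_TRACKING            # no preference expressed
    ad_id = req["cookies"].get("ad_id")
    if ad_id is not None and ad_id in consented_ids:
        return True, TK_CONSENT             # user-granted exception on record
    return False, TK_NOT_TRACKING           # DNT: 1 honored


def handle_ad_request(req, consented_ids, profiling_calls):
    """Return response headers for the ad pixel; append a profiling-service
    update to profiling_calls only when cross-context collection is permitted."""
    may_track, tk = tracking_decision(req, consented_ids)
    ctx = request_context(req)
    headers = {"Tk": tk, "Cache-Control": "no-store"}
    if may_track:
        ad_id = req["cookies"].get("ad_id") or secrets.token_hex(8)
        headers["Set-Cookie"] = "ad_id=%s; Secure; HttpOnly; SameSite=None" % ad_id
        profiling_calls.append({"ad_id": ad_id, "page": req["headers"].get("Referer"), "context": ctx})
    elif ctx == "first-party":
        # Within its own context the site may still personalize (the "news site
        # cookie" in the diagram); what it must not do is feed the profile.
        sid = req["cookies"].get("sid") or secrets.token_hex(8)
        headers["Set-Cookie"] = "sid=%s; Secure; HttpOnly; SameSite=Lax" % sid
    # Third-party context with DNT: 1 and no consent: no identifier is read or set.
    return headers


# Constructed sample: the ad-network request embedded in a news article.
THIRD_PARTY_DNT = {"host": "ads.example-network.com",
                   "headers": {"Referer": "https://news.example.com/story", "DNT": "1"},
                   "cookies": {"ad_id": "abc"}}

if __name__ == "__main__":
    calls = []
    print(handle_ad_request(THIRD_PARTY_DNT, set(), calls), calls)
```

The decision table is deliberately small: the only question DNT asks of the server is whether this page view becomes part of a record that spans contexts. Keeping that question in one function is what makes the behaviour auditable, which is the "poor business data practices" problem on the next slides.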
[Figure, FTC: a typical flow of information related to some medical and pharmaceutical companies. Green arrows represent the flow of consumer data; blue arrows represent the flow of 3rd party information & offerings. Parties: Patient, Doctor, Pharmacy, Pharmaceutical Company, Health Insurance, Public Health Agency (disease tracking), Pharmacy Analytics Company. Flows: medical prescriptions, prescription, billing, marketing, prescription refill reminders, prescription data, aggregate prescription statistics, personal profile data. The slide's second build overlays the Profiling Service (age, income level, hobbies) and Other Websites from the advertising diagram, with demographics & online activity feeding the profile data. Not all medical and pharmaceutical companies operate exactly like this diagram.] [FTC]
Governments want to stop it,
but they don’t know how
Privacy advocates incite fear and doubt
Poor business data practices justify them!
This should be
an easy problem to fix
Online Advertising Industry, US FTC, European Commission, Privacy Advocates
BUT ONLY IF WE WORK TOGETHER
… and now state governments are getting involved too …
SERIOUSLY, WHICH IS BETTER?
Should I include a version number in the URL hierarchy?
• http://example.com/v1/users
Should I include a version number on the resource name?
• http://example.com/users.v1
Should I include a version number as a query parameter?
• http://example.com/users?api=v1
Should I include a version number in the media type?
• Content-Type: application/vnd.myname.v1+json
SERIOUSLY?
When was the last time you saw
a version number on a website?
a REST API is just a website
for users with a limited vocabulary
(machine to machine interaction)
BREAKING COMPATIBILITY IS BAD
Websites are supposed to retain
backwards compatibility
(avoid broken links)
If you want to break with the past,
use a different hostname,
with new branding!
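The rule on the slide is checkable, and worth checking in CI: every URL the site ever published must still resolve, and a representation may gain fields but never lose the ones old clients read. The code below is an added example written for this page, not the talk's own or anything from CQ: a small in-memory router standing in for the site, where a moved resource keeps its old URL as a permanent redirect instead of being deleted, plus the two checks. The sample site, its paths and the function names (`Router`, `broken_links`, `missing_fields`) are constructed for the example.

```python
"""Backward-compatibility checks for a URL space and its representations."""

REDIRECT_LIMIT = 5  # the cap a client applies to a redirect chain


class Router:
    def __init__(self):
        self.routes = {}      # path -> handler returning a JSON-like dict
        self.redirects = {}   # old path -> new path, served as 301

    def route(self, path, handler):
        self.routes[path] = handler

    def move(self, old, new):
        """Relocate a resource; the old link stays alive as a 301."""
        self.redirects[old] = new

    def get(self, path):
        """Follow redirects the way a client would; return (status, final_path, body).
        Status 0 means the chain never resolved (a loop, or longer than a client follows)."""
        for _ in range(REDIRECT_LIMIT):
            if path in self.redirects:
                path = self.redirects[path]
                continue
            handler = self.routes.get(path)
            if handler is None:
                return 404, path, None
            return 200, path, handler()
        return 0, path, None


def broken_links(router, published):
    """Every URL ever published must still reach 200, possibly through 301s."""
    return [p for p in published if router.get(p)[0] != 200]


def missing_fields(old_client_fields, representation):
    """Fields an old client depends on that the current representation lacks."""
    return sorted(set(old_client_fields) - set(representation))


# Constructed sample site: one compatible evolution (a field added, a resource
# renamed with a redirect) and one incompatible one (a published resource deleted).
site = Router()
site.route("/users", lambda: {"users": ["/users/42"]})
site.route("/users/42", lambda: {"id": 42, "name": "ada", "email": "ada@example.com"})  # email is new
site.move("/people/42", "/users/42")   # renamed; the old URL still resolves
# "/partners" was published once and then removed: that is the broken link.

PUBLISHED = ["/users", "/users/42", "/people/42", "/partners"]
OLD_CLIENT_FIELDS = ["id", "name"]

if __name__ == "__main__":
    print("broken:", broken_links(site, PUBLISHED))
    print("missing for old clients:", missing_fields(OLD_CLIENT_FIELDS, site.get("/users/42")[2]))
```

Run against the list of everything you have ever published (server logs are a good source of that list), the first check turns the slide's advice into a deploy gate; the second is the representation-level equivalent, and together they are why a version number in the URL is unnecessary when the site is evolved additively.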
ALWAYS SHIP TRUNK
why web applications are different …
problems that none of the
revision control systems solve …
how you can solve some of them yourself
[Paul Hammond (Typekit)] http://www.paulhammond.org/2010/06/trunk/
based on real deployment experience at Flickr, Etsy, Typekit, ...
ALWAYS SHIP TRUNK
What would a revision control system built for
supporting deployed web applications be like?
right?
Wouldn’t it be nice if CQ supported …
GLOBAL CONFIGURATION SETTINGS
if (frags("saml_auth")) {        // is the "saml_auth" frag active for this request?
    credentials = saml.authenticate(user);
} else {
    credentials = httpAuth.check(user);
}
• testable for conditional content (i.e., everything)
• readable via all development interfaces
• writable with ops authority
FLIP SWITCHES VIA CONSOLE
• easy UI for (proportional) enabling or disabling of frags
• activation by frag, recorded with timestamps
• activation by AB testing, recorded for comparative analytics
[Ross Harmes, http://www.flickr.com/photos/rossharmes/4153769740/]
ACTIVATION-AWARE MONITORING
• dashboard interfaces for time-series graphs with activation markers
• AB comparisons based on automated percentile activation
• data available as more resources, for reuse by enterprise monitoring
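The three slides above (global configuration settings, console switches, activation-aware monitoring) list the properties a frags service needs; the talk only sketches the feature and shows the `frags("saml_auth")` conditional. The class below is an added example, my own Python sketch of those properties rather than Adobe's CQ/AEM code (which would be Java), written so each bullet maps to one method: one read path (`is_active`) that is a pure function of flag state and user id, so conditional content is testable; a write path (`set_rollout`) that refuses callers without the ops role; proportional enabling by hashing the user id into a stable bucket, so a 25% rollout is the same 25% of users on every request and every server; deterministic AB variants; and a timestamped record of every change, which is the marker series a dashboard overlays on its graphs. The `saml`/`httpAuth` backends are stand-ins; the `Frags` class, role names and sample users are this example's assumptions.

```python
"""A minimal frags service: proportional feature flags with ops-only writes and an audit trail."""
import hashlib
import time


class FlagWriteDenied(Exception):
    """Raised when a caller without ops authority tries to change a frag."""


class Frags:
    BUCKETS = 10_000   # 0.01% granularity for proportional activation

    def __init__(self, clock=time.time):
        self._state = {}    # frag name -> rollout percent (0..100)
        self._log = []      # activation history: {"ts", "actor", "frag", "percent"}
        self._clock = clock

    def bucket(self, name, user_id):
        """Stable bucket in [0, BUCKETS). The frag name salts the hash so the
        same users are not always the first to see every new feature."""
        digest = hashlib.sha256(("%s:%s" % (name, user_id)).encode()).digest()
        return int.from_bytes(digest[:4], "big") % self.BUCKETS

    def is_active(self, name, user_id):
        """The one read path for every interface; unknown frags are off."""
        percent = self._state.get(name, 0)
        return self.bucket(name, user_id) < percent * self.BUCKETS // 100

    def variant(self, name, user_id):
        """AB arm for comparative analytics; None when the frag is off for this user."""
        if not self.is_active(name, user_id):
            return None
        return "A" if self.bucket(name, user_id) % 2 == 0 else "B"

    def set_rollout(self, name, percent, actor, roles):
        """Write path: requires the ops role, validates, and records the change."""
        if "ops" not in roles:
            raise FlagWriteDenied("%s lacks ops authority to change %s" % (actor, name))
        if not 0 <= percent <= 100:
            raise ValueError("percent must be 0..100")
        self._state[name] = percent
        self._log.append({"ts": self._clock(), "actor": actor, "frag": name, "percent": percent})

    def markers(self, name=None):
        """(timestamp, label) pairs for a dashboard's activation markers."""
        return [(e["ts"], "%s=%d%% by %s" % (e["frag"], e["percent"], e["actor"]))
                for e in self._log if name is None or e["frag"] == name]


def authenticate(frags, user):
    """The conditional from the slide; the two backends are stand-ins."""
    if frags.is_active("saml_auth", user["id"]):
        return "saml"        # stands in for saml.authenticate(user)
    return "http-auth"       # stands in for httpAuth.check(user)


if __name__ == "__main__":
    f = Frags()
    f.set_rollout("saml_auth", 25, actor="alice", roles={"ops"})
    users = [{"id": "user-%d" % i} for i in range(2000)]   # constructed sample population
    saml = sum(authenticate(f, u) == "saml" for u in users)
    print("saml_auth active for %d of %d users" % (saml, len(users)))
    print(f.markers())
```

Two design points matter for a security reviewer. Bucketing must be deterministic and salted per frag: a random coin per request would make an authentication cut-over flap between backends for the same user, and an unsalted hash would put the same users first into every experiment. And the write path is the privileged operation: a frag that switches authentication backends is a production change, so it is gated on ops authority and logged with actor and timestamp, which is also exactly the data the monitoring slide wants as markers.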
FRAGS
Are you a CQ/AEM customer/prospect?
Do you want a feature like Frags?
Do you need more than what I described?
Ask for it!
(we prioritize features by customer demand)