The WHATWG Blog

Welcome back to "This Week in HTML 5," where I'll try to summarize the major activity in the ongoing standards process in the WHATWG and W3C HTML Working Group.

The big news this week is a radical proposal for integrating HTTP authentication with HTML forms. r2432 defines a new token for the WWW-Authenticate header: "HTML".

A common use for forms is user authentication. To indicate that an HTTP URL requires authentication through such a form before use, the HTTP 401 response code with a WWW-Authenticate challenge "HTML" may be used.

For this authentication scheme, the framework defined in RFC2617 is used as follows. [RFC2617]

challenge = "HTML" [ form ]
form      = "form" "=" form-name 
form-name = quoted-string

The form parameter, if present, indicates that the first form element in the entity body whose name is the specified string, in tree order, if any, is the login form. If the parameter is omitted, then the first form element in the entity body, in tree order, if any, is the login form.

There is no credentials production for this scheme because the login information is to be sent as a normal form submission and not using the Authorization HTTP header.

This idea has been kicked around for more than a decade. Microsoft wrote User Agent Authentication Forms in 1999. Mark Nottingham asked the WHATWG to investigate the idea in 2004. Better late than never, Ian Hickson summarizes the feedback to date. No doubt this new proposal will generate further discussion. No browsers currently support this proposal.

Other interesting tidbits this week:

• r2429 adds the <input type=search> form field. [<input type=search> discussion]
• r2440 allows the multiple attribute to appear on <input type=email> and <input type=file>. [<input type=email multiple> discussion]
• r2423 specifies how <object> elements are submitted in forms. Unbeknownst to me, this feature was present in HTML 4 and is supported across multiple browsers. If a plugin exposes a value getter, the name of the <object> element is submitted with the value exposed by the plugin. [<object> form submission example, Mozilla bug 188938]
• r2434 seriously revamps the concept of "vaguer moments in time." r2433 notes, correctly, that there is no year zero in the Gregorian calendar. r2437 further refines the calculation of dates before 1582. [date and time discussion]
• r2426 clarifies the fallback behavior of the <object> element.
• r2427 documents existing browser behavior in sending all attributes and attribute values to a plugin invoked from an <object> element. Previously, HTML 5 has specified that only specific parameters were sent, but browsers consistently send all attributes, so there it is.
• r2424 explains the intended audience of the HTML 5 specification itself.

Tune in next week for another exciting episode of "This Week in HTML 5."

This entry was posted on Tuesday, November 25th, 2008 at 21:38 and is filed under Weekly Review. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.