The WHATWG Blog

Please leave your sense of logic at the door, thanks!

This Week in HTML 5 – Episode 14

by Mark Pilgrim, Google in Weekly Review

Welcome back to "This Week in HTML 5," where I'll try to summarize the major activity in the ongoing standards process in the WHATWG and W3C HTML Working Group.

The big news this week is a radical proposal for integrating HTTP authentication with HTML forms. r2432 defines a new token for the WWW-Authenticate header: "HTML".

A common use for forms is user authentication. To indicate that an HTTP URL requires authentication through such a form before use, the HTTP 401 response code with a WWW-Authenticate challenge "HTML" may be used.

For this authentication scheme, the framework defined in RFC2617 is used as follows. [RFC2617]

challenge = "HTML" [ form ]
form      = "form" "=" form-name 
form-name = quoted-string

The form parameter, if present, indicates that the first form element in the entity body whose name is the specified string, in tree order, if any, is the login form. If the parameter is omitted, then the first form element in the entity body, in tree order, if any, is the login form.

There is no credentials production for this scheme because the login information is to be sent as a normal form submission and not using the Authorization HTTP header.

This idea has been kicked around for more than a decade. Microsoft wrote User Agent Authentication Forms in 1999. Mark Nottingham asked the WHATWG to investigate the idea in 2004. Better late than never, Ian Hickson summarizes the feedback to date. No doubt this new proposal will generate further discussion. No browsers currently support this proposal.
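How a user agent could interpret the challenge quoted above, as an added example (not code from the spec, the WHATWG, or any browser). It assumes one challenge per header value and uses Python's `html.parser` as a stand-in for a real HTML tree builder; the function names and the sample body are hypothetical.

```python
import re
from html.parser import HTMLParser

# challenge = "HTML" [ form ] ; form = "form" "=" form-name ; form-name = quoted-string
CHALLENGE_RE = re.compile(
    r'\s*HTML(?:\s+form\s*=\s*"((?:[^"\\]|\\.)*)")?\s*\Z', re.I | re.S)

def parse_html_challenge(value):
    """Return (is_html_scheme, form_name or None) for one WWW-Authenticate value."""
    m = CHALLENGE_RE.match(value)
    if m is None:
        return (False, None)          # other scheme, or form-name not a quoted-string
    name = m.group(1)
    if name is not None:
        name = re.sub(r'\\(.)', r'\1', name, flags=re.S)  # undo quoted-pair escapes
    return (True, name)

class FormCollector(HTMLParser):
    """Records the attributes of every <form> start tag in document order."""
    def __init__(self):
        super().__init__()
        self.forms = []
    def handle_starttag(self, tag, attrs):
        if tag == "form":
            seen = {}
            for key, val in attrs:
                seen.setdefault(key, val)   # first duplicate attribute wins, as in HTML
            self.forms.append(seen)

def login_form_for_response(status, www_authenticate, body):
    """Attributes of the login form the challenge designates, or None."""
    if status != 401:
        return None
    is_html, form_name = parse_html_challenge(www_authenticate)
    if not is_html:
        return None
    collector = FormCollector()
    collector.feed(body)
    collector.close()
    for form in collector.forms:
        if form_name is None or form.get("name") == form_name:
            return form
    return None

# Constructed sample entity body: a search form precedes the real login form.
SAMPLE_BODY = """<!DOCTYPE html>
<form name="search" action="/search"><input name="q"></form>
<div><form name="login" method="post" action="/session">
<input name="user"><input type="password" name="pw"></form></div>"""
```

With the constructed body, `HTML form="login"` selects the `/session` form, while a bare `HTML` challenge selects the search form because it comes first in tree order.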

Other interesting tidbits this week:

Tune in next week for another exciting episode of "This Week in HTML 5."

7 Responses to “This Week in HTML 5 – Episode 14”

  1. Should the Location header not be used in this instance? I would argue that if a client requests a resource X and instead receives a resource Y consisting of a login form, this authentication method isn’t properly returning the requested data. I’m not completely sure on this, but it doesn’t sound RESTful. Shouldn’t the Location header be used (in conjunction with the WWW-Authenticate header: “HTML”) to provide the URL of the authentication form with which to authenticate?

  2. Jason, it is “RESTful” as it integrates with the way HTTP envisions authentication to work. The only difference is that the Web page provides the authentication form rather than the browser.

    Having said that, the feature is currently dropped again from HTML due to some issues. It might come to life again in a separate document.