Welcome back to "This Week in HTML 5," where I'll try to summarize the major activity in the ongoing standards process in the WHATWG and W3C HTML Working Group.
The big news this week is the disintegration of HTTP authentication from HTML forms (which was last week's big news). As I predicted, the proposal generated a healthy discussion, but a combination of security concerns and concerns about tight coupling ultimately did in the proposal.
HTTP 401 responses that do not include a challenge recognised by the user agent must be processed as if they had no challenge, e.g. rendering the entity body as if the response had been 200 OK.
User agents may show the entity body of an HTTP 401 response even when the response do include a recognised challenge, with the option to login being included in a non-modal fashion, to enable the information provided by the server to be used by the user before authenticating. Similarly, user agents should allow the user to authenticate (in a non-modal fashion) against authentication challenges included in other responses such as HTTP 200 OK responses, effectively allowing resources to present HTTP login forms without requiring their use.
Continuing with the web forms work, the
<input> element has gained a new type: a color picker, marked up as
<input type=color>. Browser vendors are encouraged to integrate this field with platform-native color pickers, as appropriate. As with all new input types, browsers that do not explicitly recognize the new type will default to a simple text field.
<video> API continues to churn rapidly. Implementors should probably ignore it altogether until it's been stable for two consecutive weeks. To wit: r2493 removes the
pixelratio attribute, originally proposed to allow authors to override the display of videos known to be encoded with incorrect an aspect ratio. r2498 adds the
playing event, fired when playback as started. r2489 drops the
readyState. I will try to write up a comprehensive summary of this API once its stabilizes.
Other interesting tidbits this week:
<input placeholder>attribute that I discussed in episode 13 has three new conformance requirements: it must not contain newlines, browsers must strip newlines if present, and it may be empty.
- r2468 defines the concept of a document's address, and r2469 defines the behavior of
document.open()in terms of the document address.
- r2476 adds a new section for conformance checkers (e.g. the W3C validator) that lists common conformance errors that aren't actually that important. Examples:
- r2478 and r2479 give guidance for WYSIWYG editors on how to fill in the
<image alt>attribute if the user refuses to provide meaningful alternate text.
- r2486 restores the HTML 4 behavior of the
<q>element, which is that browsers should insert quotation marks around the quoted phrase. [summary of massive
- r2525 mandates that browsers add an
Origin:header to all non-GET requests, including the much-maligned
pingattribute. [Origin discussion]
Tune in next week for another exciting episode of "This Week in HTML 5."