This Week in HTML 5 – Episode 14
Welcome back to "This Week in HTML 5," where I'll try to summarize the major activity in the ongoing standards process in the WHATWG and W3C HTML Working Group.
The big news this week is a radical proposal for integrating HTTP authentication with HTML forms. r2432 defines a new token for the WWW-Authenticate
header: "HTML
".
A common use for forms is user authentication. To indicate that an HTTP URL requires authentication through such a form before use, the HTTP 401 response code with a
WWW-Authenticate
challenge "HTML
" may be used.For this authentication scheme, the framework defined in RFC2617 is used as follows. [RFC2617]
challenge = "HTML
" [ form ] form = "form
" "=
" form-name form-name = quoted-stringThe form parameter, if present, indicates that the first
form
element in the entity body whose name is the specified string, in tree order, if any, is the login form. If the parameter is omitted, then the firstform
element in the entity body, in tree order, if any, is the login form.There is no
credentials
production for this scheme because the login information is to be sent as a normal form submission and not using theAuthorization
HTTP header.
This idea has been kicked around for more than a decade. Microsoft wrote User Agent Authentication Forms in 1999. Mark Nottingham asked the WHATWG to investigate the idea in 2004. Better late than never, Ian Hickson summarizes the feedback to date. No doubt this new proposal will generate further discussion. No browsers currently support this proposal.
Other interesting tidbits this week:
- r2429 adds the
<input type=search>
form field. [<input type=search>
discussion] - r2440 allows the
multiple
attribute to appear on<input type=email>
and<input type=file>
. [<input type=email multiple>
discussion] - r2423 specifies how
<object>
elements are submitted in forms. Unbeknownst to me, this feature was present in HTML 4 and is supported across multiple browsers. If a plugin exposes a value getter, thename
of the<object>
element is submitted with the value exposed by the plugin. [<object>
form submission example, Mozilla bug 188938] - r2434 seriously revamps the concept of "vaguer moments in time." r2433 notes, correctly, that there is no year zero in the Gregorian calendar. r2437 further refines the calculation of dates before 1582. [date and time discussion]
- r2426 clarifies the fallback behavior of the
<object>
element. - r2427 documents existing browser behavior in sending all attributes and attribute values to a plugin invoked from an
<object>
element. Previously, HTML 5 has specified that only specific parameters were sent, but browsers consistently send all attributes, so there it is. - r2424 explains the intended audience of the HTML 5 specification itself.
Tune in next week for another exciting episode of "This Week in HTML 5."
Should the
Location
header not be used in this instance? I would argue that if a client requests a resource X and instead receives a resource Y consisting of a login form, that this authentication method isn’t properly returning the requested data. I’m not completely sure on this, but it doesn’t sound RESTful. Shouldn’t theLocation
header be used (in conjunction with theWWW-Authenticate
header: “HTML“) to provide the URL of the authentication form with which to authenticate?[…] Mark Pilgrim: The big news this week is a radical proposal for integrating HTTP authentication with HTML forms. […]
Jason, it is “RESTful” as it integrates with the way HTTP envisions authentication to work. The only difference is that the Web page provides the authentication form rather than the browser.
Having said that, the feature is currently dropped again from HTML due to some issues. It might come to life again in a separate document.
[…] Pilgrim has a new This Week in HTML 5 that features a bit new proposal for integrating HTTP authentication with HTML […]
[…] Pilgrim has a new This Week in HTML 5 that features a bit new proposal for integrating HTTP authentication with HTML […]
[…] The good news this week that there is a new “radical proposal for integrating HTTP authentication with HTML forms.” […]
[…] The WHATWG Blog Please leave your sense of logic at the door, thanks! « This Week in HTML 5 – Episode 14 […]