[whatwg] connecting usernames and passwords

Jonas Sicking jonas at sicking.cc
Wed Dec 15 17:49:58 PST 2004


Just a small idea i got skimming through the Web Forms draft (i'll try 
to find time reading it more thoroughly).

Why not allow a 'for' attribute on password fields that allows the 
webmaster to logically connect a password field with a username. The 
attribute should point to another input field (which can be type=text, 
type=email or type=uri). It could also point to an arbitary element that 
contains a username (the text DOM property would be used). Some sites 
(for example aimexpress.aim.com) will sometimes present you with just an 
password field and print the username from your last login (probably 
stored in a cookie).

The purpose would be for the UA to be able to provide the ability to 
fill out a username/password pair that is stored in the UA from a 
previous login.

Most browsers already provide this functionality, but are forced to 
guess which feilds make up a username/password pair.

The browser would be free to ignore this attribute, and it would not be 
mapped to any DOM property. Changing the attribute would have no effect 
on already filled in values, but is inadvisable since some UAs might not 
read the attribute until some userinteraction happens (for example the 
user rightclicking either field and selecting a 'prefill' item).

There are security concerns with letting the for-attribute pointing to a 
input element with a prefilled username or an arbitary element. This 
since that might allow a hacked site to 'probe' for usernames/passwords 
of the users visiting the site. Though mozilla would already be 
targetable for such an attack.
We could either give guidelines for how UAs should behave, or we could 
simply disallow letting the 'for' attribute pointing at anything but 
input elements.

/ Sicking

More information about the whatwg mailing list