[whatwg] connecting usernames and passwords
jonas at sicking.cc
Wed Dec 15 17:49:58 PST 2004
Just a small idea i got skimming through the Web Forms draft (i'll try
to find time reading it more thoroughly).
Why not allow a 'for' attribute on password fields that allows the
webmaster to logically connect a password field with a username. The
attribute should point to another input field (which can be type=text,
type=email or type=uri). It could also point to an arbitary element that
contains a username (the text DOM property would be used). Some sites
(for example aimexpress.aim.com) will sometimes present you with just an
password field and print the username from your last login (probably
stored in a cookie).
The purpose would be for the UA to be able to provide the ability to
fill out a username/password pair that is stored in the UA from a
Most browsers already provide this functionality, but are forced to
guess which feilds make up a username/password pair.
The browser would be free to ignore this attribute, and it would not be
mapped to any DOM property. Changing the attribute would have no effect
on already filled in values, but is inadvisable since some UAs might not
read the attribute until some userinteraction happens (for example the
user rightclicking either field and selecting a 'prefill' item).
There are security concerns with letting the for-attribute pointing to a
input element with a prefilled username or an arbitary element. This
since that might allow a hacked site to 'probe' for usernames/passwords
of the users visiting the site. Though mozilla would already be
targetable for such an attack.
We could either give guidelines for how UAs should behave, or we could
simply disallow letting the 'for' attribute pointing at anything but
More information about the whatwg