[whatwg] Solving the login/logout problem in HTML
ian at hixie.ch
Wed Nov 26 02:49:13 PST 2008
On Wed, 26 Nov 2008, Julian Reschke wrote:
> > I'm not sure what you mean by "fatal" error. The spec precisely
> > defines which form should be used in the case of multiple forms with
> > the same name. Could you describe the attack scenario you are
> > considering?
> If everybody UA is going to run an HTML5 parser as specified, then a
> problem is unlikely. I just don't believe this is going to happen. In
> *that* case, ambiguous login information is a problem, and a simple ans
> safe way to avoid this issue is to tell clients to abort when they
> detect the problem.
Detecting the case of there being two identically named forms is far more
complex than just using the first form with the given name. It is in fact
a superset of the functionality -- you have to look for the first form,
then look for a second. Whereas the current spec text just says to look
for the first form and stop.
So as far as I can tell what you are proposing is in fact more
complicated, whether you use an HTML5-compliant parser or some other ad
hoc HTML parser.
> > Even in the asynchronous way mpt suggested? I think it would go a long
> > way towards addressing the limitations of HTTP authentication. One of
> > the great benefits of HTML authentication forms is that they can be
> > made available in the equivalent of a 200 OK situation as opposed to
> > only in the equivalent of a 401 situation.
> You can already handle the case of content that's available
> unauthenticated, but would potentially differ in case of being
> authenticated by adding
> Vary: Authorization
> to a response.
Ah yes, I forgot that the Vary header would need to be present.
But you still need to include the challenge. So that doesn't actually
change the original point.
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
More information about the whatwg