Browse files

[] (0) Remove the WWW-Authenticate 'HTML' scheme and replace it with …

…requirements on browsers to ignore unknown schemes.

git-svn-id: http://svn.whatwg.org/webapps@2470 340c8d12-0b0e-0410-8428-c7bf67bfef74
  • Loading branch information...
1 parent 60e0bac commit 06f6da3168da8394710ff749a9b43bbe443543e3 @Hixie Hixie committed Nov 27, 2008
Showing with 32 additions and 93 deletions.
  1. +17 −47 index
  2. +15 −46 source
View
64 index
@@ -571,8 +571,7 @@
<li><a href=#multipart-form-data><span class=secno>4.10.15.4 </span>Multipart form data</a></li>
<li><a href=#plain-text-form-data><span class=secno>4.10.15.5 </span>Plain text form data</a></ol></li>
<li><a href=#resetting-a-form><span class=secno>4.10.16 </span>Resetting a form</a></li>
- <li><a href=#event-dispatch><span class=secno>4.10.17 </span>Event dispatch</a></li>
- <li><a href=#login-forms><span class=secno>4.10.18 </span>Login forms</a></ol></li>
+ <li><a href=#event-dispatch><span class=secno>4.10.17 </span>Event dispatch</a></ol></li>
<li><a href=#interactive-elements><span class=secno>4.11 </span>Interactive elements</a>
<ol>
<li><a href=#the-details-element><span class=secno>4.11.1 </span>The <code>details</code> element</a></li>
@@ -29228,51 +29227,7 @@ interface <dfn id=htmloptionelement>HTMLOptionElement</dfn> : <a href=#htmleleme
<a href=#tree-order>tree order</a>, <a href=#fire-a-simple-event>fire a simple event</a> named
<var title="">event name</var> at the element.</li>
- </ol><h4 id=login-forms><span class=secno>4.10.18 </span>Login forms</h4>
-
- <p>A common use for forms is user authentication. To indicate that
- an HTTP <a href=#url>URL</a> requires authentication through such a form
- before use, the HTTP 401 response code with a <code title="">WWW-Authenticate</code> challenge "<code title="">HTML</code>" may be used.</p>
-
- <p>For this authentication scheme, the framework defined in RFC2617
- is used as follows. <a href=#refsRFC2617>[RFC2617]</a></p>
-
- <pre><dfn id=bnf-formauth-challenge title=bnf-formauth-challenge>challenge</dfn> = "<code title="">HTML</code>" [ <a href=#bnf-formauth-form title=bnf-formauth-form>form</a> ]
-<dfn id=bnf-formauth-form title=bnf-formauth-form>form</dfn> = "<code title="">form</code>" "<code title="">=</code>" <a href=#bnf-formauth-form-name title=bnf-formauth-form-name>form-name</a>
-<dfn id=bnf-formauth-form-name title=bnf-formauth-form-name>form-name</dfn> = quoted-string</pre>
-
- <p>The <a href=#bnf-formauth-form title=bnf-formauth-form>form</a> parameter, if
- present, indicates that the first <code><a href=#the-form-element>form</a></code> element in the
- entity body whose <a href=#attr-form-name title=attr-form-name>name</a> is the
- specified string, in <a href=#tree-order>tree order</a>, if any, is the login
- form. If the parameter is omitted, then the first <code><a href=#the-form-element>form</a></code>
- element in the entity body, in <a href=#tree-order>tree order</a>, if any, is
- the login form.</p>
-
- <p>There is no <code title="">credentials</code> production for this
- scheme because the login information is to be sent as a normal form
- submission and not using the <code title="">Authorization</code>
- HTTP header.</p>
-
- <p>This authentication scheme must only be used for entities whose
- bodies contain HTML or XML with at least one <code><a href=#the-form-element>form</a></code>
- element.</p>
-
- <p class=note>Pages that include a login form but are not
- protected by the login form (and for which a 401 response would
- therefore be inappropriate) can have an "<code title="">HTML</code>"
- challenge included in a <code title="">WWW-Authenticate</code>
- header even though the response code is not 401. This allows user
- agents to identify login forms on pages even when the user might not
- want to log in.</p>
-
- <p class=note>The lack of a <code title=bnf-formauth-realm>realm</code> parameter in the challenge
- is an intentional violation of RFC2617 (it isn't clear how the realm
- concept would apply in this context).</p>
-
-
-
- <h3 id=interactive-elements><span class=secno>4.11 </span>Interactive elements</h3>
+ </ol><h3 id=interactive-elements><span class=secno>4.11 </span>Interactive elements</h3>
<h4 id=the-details-element><span class=secno>4.11.1 </span>The <dfn><code>details</code></dfn> element</h4>
@@ -36828,6 +36783,21 @@ user reload must be equivalent to .reload()
<!-- XXX should we define 205 processing here? e.g. reset all forms? -->
+ <p>HTTP 401 responses that do not include a challenge recognised
+ by the user agent must be processed as if they had no challenge,
+ e.g. rendering the entity body as if the response had been 200
+ OK.</p>
+
+ <p>User agents may show the entity body of an HTTP 401 response
+ even when the response do include a recognised challenge, with the
+ option to login being included in a non-modal fashion, to enable
+ the information provided by the server to be used by the user
+ before authenticating. Similarly, user agents should allow the
+ user to authenticate (in a non-modal fashion) against
+ authentication challenges included in other responses such as HTTP
+ 200 OK responses, effectively allowing resources to present HTTP
+ login forms without requiring their use.</p>
+
</li>
<li><p>Let <var title="">type</var> be <a href=#content-type-sniffing-0 title="Content-Type
View
61 source
@@ -33047,52 +33047,6 @@ interface <dfn>HTMLOptionElement</dfn> : <span>HTMLElement</span> {
</ol>
- <h4>Login forms</h4>
-
- <p>A common use for forms is user authentication. To indicate that
- an HTTP <span>URL</span> requires authentication through such a form
- before use, the HTTP 401 response code with a <code
- title="">WWW-Authenticate</code> challenge "<code
- title="">HTML</code>" may be used.</p>
-
- <p>For this authentication scheme, the framework defined in RFC2617
- is used as follows. <a href="#refsRFC2617">[RFC2617]</a></p>
-
- <pre><dfn title="bnf-formauth-challenge">challenge</dfn> = "<code title="">HTML</code>" [ <span title="bnf-formauth-form">form</span> ]
-<dfn title="bnf-formauth-form">form</dfn> = "<code title="">form</code>" "<code title="">=</code>" <span title="bnf-formauth-form-name">form-name</span>
-<dfn title="bnf-formauth-form-name">form-name</dfn> = quoted-string</pre>
-
- <p>The <span title="bnf-formauth-form">form</span> parameter, if
- present, indicates that the first <code>form</code> element in the
- entity body whose <span title="attr-form-name">name</span> is the
- specified string, in <span>tree order</span>, if any, is the login
- form. If the parameter is omitted, then the first <code>form</code>
- element in the entity body, in <span>tree order</span>, if any, is
- the login form.</p>
-
- <p>There is no <code title="">credentials</code> production for this
- scheme because the login information is to be sent as a normal form
- submission and not using the <code title="">Authorization</code>
- HTTP header.</p>
-
- <p>This authentication scheme must only be used for entities whose
- bodies contain HTML or XML with at least one <code>form</code>
- element.</p>
-
- <p class="note">Pages that include a login form but are not
- protected by the login form (and for which a 401 response would
- therefore be inappropriate) can have an "<code title="">HTML</code>"
- challenge included in a <code title="">WWW-Authenticate</code>
- header even though the response code is not 401. This allows user
- agents to identify login forms on pages even when the user might not
- want to log in.</p>
-
- <p class="note">The lack of a <code
- title="bnf-formauth-realm">realm</code> parameter in the challenge
- is an intentional violation of RFC2617 (it isn't clear how the realm
- concept would apply in this context).</p>
-
-
<h3 id="interactive-elements">Interactive elements</h3>
@@ -41932,6 +41886,21 @@ user reload must be equivalent to .reload()
<!-- XXX should we define 205 processing here? e.g. reset all forms? -->
+ <p>HTTP 401 responses that do not include a challenge recognised
+ by the user agent must be processed as if they had no challenge,
+ e.g. rendering the entity body as if the response had been 200
+ OK.</p>
+
+ <p>User agents may show the entity body of an HTTP 401 response
+ even when the response do include a recognised challenge, with the
+ option to login being included in a non-modal fashion, to enable
+ the information provided by the server to be used by the user
+ before authenticating. Similarly, user agents should allow the
+ user to authenticate (in a non-modal fashion) against
+ authentication challenges included in other responses such as HTTP
+ 200 OK responses, effectively allowing resources to present HTTP
+ login forms without requiring their use.</p>
+
</li>
<li><p>Let <var title="">type</var> be <span title="Content-Type

0 comments on commit 06f6da3

Please sign in to comment.