
[] (0) Define a way to expose HTTP login forms to spiders in 401 (or even 200) responses.

git-svn-id: http://svn.whatwg.org/webapps@2432 340c8d12-0b0e-0410-8428-c7bf67bfef74
1 parent f3094cb commit 2913be0b90bdd067fe4b536f3b676f4620b45d8e @Hixie Hixie committed
Showing with 86 additions and 3 deletions.
  1. +45 −3 index
  2. +41 −0 source
48 index
@@ -17,7 +17,7 @@
<div class=head>
<p><a class=logo href=http://www.whatwg.org/ rel=home><img alt=WHATWG src=/images/logo></a></p>
<h1>HTML 5</h1>
- <h2 class="no-num no-toc" id=draft-recommendation-&mdash;-date:-01-jan-1901>Draft Recommendation &mdash; 24 November 2008</h2>
+ <h2 class="no-num no-toc" id=draft-recommendation-&mdash;-date:-01-jan-1901>Draft Recommendation &mdash; 25 November 2008</h2>
<p>You can take part in this work. <a href=http://www.whatwg.org/mailing-list>Join the working group's discussion list.</a></p>
<p><strong>Web designers!</strong> We have a <a href=http://blog.whatwg.org/faq/>FAQ</a>, a <a href=http://forums.whatwg.org/>forum</a>, and a <a href=http://www.whatwg.org/mailing-list#help>help mailing list</a> for you!</p>
<dl><dt>Multiple-page version:</dt>
@@ -568,7 +568,8 @@
<li><a href=#multipart-form-data><span class=secno>4.10.15.4 </span>Multipart form data</a></li>
<li><a href=#plain-text-form-data><span class=secno>4.10.15.5 </span>Plain text form data</a></ol></li>
<li><a href=#resetting-a-form><span class=secno>4.10.16 </span>Resetting a form</a></li>
- <li><a href=#event-dispatch><span class=secno>4.10.17 </span>Event dispatch</a></ol></li>
+ <li><a href=#event-dispatch><span class=secno>4.10.17 </span>Event dispatch</a></li>
+ <li><a href=#login-forms><span class=secno>4.10.18 </span>Login forms</a></ol></li>
<li><a href=#interactive-elements><span class=secno>4.11 </span>Interactive elements</a>
<ol>
<li><a href=#the-details-element><span class=secno>4.11.1 </span>The <code>details</code> element</a></li>
@@ -29000,7 +29001,48 @@ interface <dfn id=htmloptionelement>HTMLOptionElement</dfn> : <a href=#htmleleme
<a href=#tree-order>tree order</a>, <a href=#fire-a-simple-event>fire a simple event</a> named
<var title="">event name</var> at the element.</li>
- </ol><h3 id=interactive-elements><span class=secno>4.11 </span>Interactive elements</h3>
+ </ol><h4 id=login-forms><span class=secno>4.10.18 </span>Login forms</h4>
+
+ <p>A common use for forms is user authentication. To indicate that
+ an HTTP <a href=#url>URL</a> requires authentication through such a form
+ before use, the HTTP 401 response code with a <code title="">WWW-Authenticate</code> challenge "<code title="">HTML</code>" may be used.</p>
+
+ <p>For this authentication scheme, the framework defined in RFC2617
+ is used as follows. <a href=#refsRFC2617>[RFC2617]</a></p>
+
+ <pre><dfn id=bnf-formauth-challenge title=bnf-formauth-challenge>challenge</dfn> = "<code title="">HTML</code>" [ <a href=#bnf-formauth-form title=bnf-formauth-form>form</a> ]
+<dfn id=bnf-formauth-form title=bnf-formauth-form>form</dfn> = "<code title="">form</code>" "<code title="">=</code>" <a href=#bnf-formauth-form-name title=bnf-formauth-form-name>form-name</a>
+<dfn id=bnf-formauth-form-name title=bnf-formauth-form-name>form-name</dfn> = quoted-string</pre>
+
+ <p>The <a href=#bnf-formauth-form title=bnf-formauth-form>form</a> parameter, if
+ present, indicates that the first <code><a href=#the-form-element>form</a></code> element in the
+ entity body whose <a href=#attr-form-name title=attr-form-name>name</a> is the
+ specified string, in <a href=#tree-order>tree order</a>, if any, is the login
+ form. If the parameter is omitted, then the first <code><a href=#the-form-element>form</a></code>
+ element in the entity body, in <a href=#tree-order>tree order</a>, if any, is
+ the login form.</p>
+
+ <p>There is no <code title="">credentials</code> production for this
+ scheme because the login information is to be sent as a normal form
+ submission and not using the <code title="">Authorization</code>
+ HTTP header.</p>
+
+ <p>This authentication scheme must only be used for entities whose
+ bodies contain HTML or XML with at least one <code><a href=#the-form-element>form</a></code>
+ element.</p>
+
+ <p class=note>Pages that include a login form but are not
+ protected by the login form (and for which a 401 response would
+ therefore be inappropriate) can have an "<code title="">HTML</code>"
+ challenge included in a <code title="">WWW-Authenticate</code>
+ header even though the response code is not 401. This allows user
+ agents to identify login forms on pages even when the user might not
+ want to log in.</p>
+
+
+
+
+ <h3 id=interactive-elements><span class=secno>4.11 </span>Interactive elements</h3>
<h4 id=the-details-element><span class=secno>4.11.1 </span>The <dfn><code>details</code></dfn> element</h4>
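Review bot: The challenge production in the pre block defines only an optional form parameter and no realm, although the paragraph above it says the RFC2617 framework is used. RFC 2617 requires a realm directive for every scheme that issues a challenge and separates the scheme name from its parameters with whitespace, so a bare "HTML" challenge does not fit that framework as written. Either add realm to the production or state that this scheme deliberately departs from the framework, and spell out the separator between "HTML" and form. The same production appears in the source hunk and needs the same change there.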
41 source
@@ -32780,6 +32780,47 @@ interface <dfn>HTMLOptionElement</dfn> : <span>HTMLElement</span> {
</ol>
+ <h4>Login forms</h4>
+
+ <p>A common use for forms is user authentication. To indicate that
+ an HTTP <span>URL</span> requires authentication through such a form
+ before use, the HTTP 401 response code with a <code
+ title="">WWW-Authenticate</code> challenge "<code
+ title="">HTML</code>" may be used.</p>
+
+ <p>For this authentication scheme, the framework defined in RFC2617
+ is used as follows. <a href="#refsRFC2617">[RFC2617]</a></p>
+
+ <pre><dfn title="bnf-formauth-challenge">challenge</dfn> = "<code title="">HTML</code>" [ <span title="bnf-formauth-form">form</span> ]
+<dfn title="bnf-formauth-form">form</dfn> = "<code title="">form</code>" "<code title="">=</code>" <span title="bnf-formauth-form-name">form-name</span>
+<dfn title="bnf-formauth-form-name">form-name</dfn> = quoted-string</pre>
+
+ <p>The <span title="bnf-formauth-form">form</span> parameter, if
+ present, indicates that the first <code>form</code> element in the
+ entity body whose <span title="attr-form-name">name</span> is the
+ specified string, in <span>tree order</span>, if any, is the login
+ form. If the parameter is omitted, then the first <code>form</code>
+ element in the entity body, in <span>tree order</span>, if any, is
+ the login form.</p>
+
+ <p>There is no <code title="">credentials</code> production for this
+ scheme because the login information is to be sent as a normal form
+ submission and not using the <code title="">Authorization</code>
+ HTTP header.</p>
+
+ <p>This authentication scheme must only be used for entities whose
+ bodies contain HTML or XML with at least one <code>form</code>
+ element.</p>
+
+ <p class="note">Pages that include a login form but are not
+ protected by the login form (and for which a 401 response would
+ therefore be inappropriate) can have an "<code title="">HTML</code>"
+ challenge included in a <code title="">WWW-Authenticate</code>
+ header even though the response code is not 401. This allows user
+ agents to identify login forms on pages even when the user might not
+ want to log in.</p>
+
+
<h3 id="interactive-elements">Interactive elements</h3>
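Review bot: The form parameter paragraph leaves the matching rules open: it does not say whether form-name is compared to the name attribute case-sensitively after the quoted-string is unquoted, and when a form parameter is given but no form has that name, "if any" implies there is no login form without ruling out a fallback to the first form. Please state both explicitly. The closing note also lets a non-401 response label a form as the login form without saying what a user agent may do with that label; a sentence saying the header is only a hint, and that it does not by itself authorize submitting credentials to the form's action, would close that gap.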

0 comments on commit 2913be0
