[whatwg] New HTML5 Form type from Michael Herold on 2011-10-23 (public-whatwg-archive@w3.org from October 2011)

From: Michael Herold <herold@physik.fu-berlin.de>
Date: Sun, 23 Oct 2011 03:47:36 +0200
Message-ID: <4EA37238.8090003@physik.fu-berlin.de>

Hello,

i want to discuss some thoughts on the html <form> element (see below).
If somebody thinks this idea might be useful I would continue to check
how a implementation of this feature would be possible and what the
technical difficulties would be.

I have no idea if there is a way to bring this to HTML5 or commit this
in any other way to the W3C.

Best wishes, Michael

 **Suggestion**
Add a new possible value "auth" to the HTML <form> //method// attribute.
If input elements named username/password are present they are used to
authenticate. Otherwise the first input element is used as username and
the first input[type=password] element is used as password.

It may be useful to interact with the http-status as the browser needs a
//nonce// for digest auth.

The aim would be to create custom login and logout dialogs without
JavaScript.

 **Thoughts regarding authentication**
Today there are three common ways to authenticate using HTTP: GET,
cookies, HTTP-Auth.

**GET**
Putting a session (+user) in the get.
- copy+paste and visual access can steal login
- have to depend on users ip to add a bit of security
- supported by every browser
- the website has to adjust every link for every user
- the url gets unreadable

**cookies**
Putting a session (+user) in a cookie.
- can be implemented with sufficient security
- broken by standard (none standard SLD fix in every browser)
- disabled or not supported by many clients for various reasons
- leaves footsteps on hdd per definition

**HTTP-Auth**
Basic or Digest Access Auth
- can be implemented with sufficient security
- the "right" way to authenticate
- the browser may give the user the full controle/overview over page
logins
- very simple to set up

 **Thoughts regarding HTML**
By now the HTML(5) <form> element only supports two different values for
the method attribute, namely "get" and "post". As the abstract meaning
of the method attribute -as far as i know- is not defined, one may
suppose that this attribute defines the way how the form data are used
for a HTTP request.

If we take this definition, one may enhance the method element to other
features of the HTTP protocol. These are some of the features that are
used to shared data:
- GET
- POST
- Auth
- Cookies
As cookies are working in the other direction, we may exclude them from
our list for this purpose.

Received on Saturday, 22 October 2011 18:47:36 UTC