- From: Soni L. <fakedme+http@gmail.com>
- Date: Mon, 17 May 2021 10:33:19 -0300
- To: HTTP Working Group <ietf-http-wg@w3.org>

Every website has taken to hiding the login form and presenting a sign-up form on the front page. What if it was possible to get the benefits of both, and some additional benefits from having more secure authentication methods?

It'd be nice to be able to send WWW-Authenticate on HTTP 200/404 responses, as an "Authentication Supported" hint, without showing a login pop-up but allowing login information to be inserted beside the address bar. This wouldn't prevent the user from using a dedicated login page (where options such as "login with Google" may be available) but it'd provide a convenience for the common use case.

Ideally it'd also use more secure methods like WebAuthn (if WebAuthn over WWW-Authenticate ever gets specified) or RFC 8120, although we all know devs are gonna just throw basic auth at it (and a Logger.debug(password) in the backend) until/unless it gets deprecated... but it's worth a try, at least?

(Also, really, never make your login form a pop-up in pages with user content, unless you want XSS to hijack your login form...)

Received on Monday, 17 May 2021 13:33:40 UTC
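
The server side of the hint described in the message above, as an added example that is not part of the original post: a public page keeps its 200/404 status, advertises a scheme in WWW-Authenticate, honours an optional Authorization header, and logs without the password. The account, pages, realm and function names are constructed for illustration, and Basic is used only because it is the scheme the message expects developers to reach for.

```python
import base64, binascii, hashlib, hmac

def _hash(pw: str) -> bytes:
    # Store a salted, slow hash, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), b"constructed-salt", 100_000)

USERS = {"alice": _hash("correct horse")}   # constructed sample account
PAGES = {"/": "front page"}                 # constructed sample content
CHALLENGE = 'Basic realm="example", charset="UTF-8"'
_DUMMY = _hash("dummy")

def parse_basic(header):
    """Return (user, password) from an Authorization value, or None if unusable."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, pw = decoded.partition(":")
    return (user, pw) if sep else None

def authenticated_user(header):
    creds = parse_basic(header)
    if creds is None:
        return None
    user, pw = creds
    # Hash even for unknown users and compare in constant time.
    ok = hmac.compare_digest(USERS.get(user, _DUMMY), _hash(pw))
    return user if ok and user in USERS else None

def respond(path, authorization=None):
    """Return (status, headers, body); the status never becomes 401."""
    status = 200 if path in PAGES else 404
    body = PAGES.get(path, "not found")
    headers = {"Vary": "Authorization"}
    user = authenticated_user(authorization)
    if user:
        body += f" (signed in as {user})"
    else:
        # Hint only: advertise the scheme without forcing a login prompt.
        headers["WWW-Authenticate"] = CHALLENGE
    return status, headers, body

def log_line(path, authorization=None):
    """Log the user name and whether credentials were sent, never their value."""
    creds = parse_basic(authorization)
    sent = "[redacted]" if authorization else "-"
    return f"path={path} user={creds[0] if creds else '-'} authorization={sent}"
```

Bad or malformed credentials fall back to the anonymous response with the hint still attached, so a failed attempt looks the same as no attempt.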