- From: Jonas Sicking <jonas@sicking.cc>
- Date: Thu, 16 Dec 2004 02:49:58 +0100
Hi, Just a small idea i got skimming through the Web Forms draft (i'll try to find time reading it more thoroughly). Why not allow a 'for' attribute on password fields that allows the webmaster to logically connect a password field with a username. The attribute should point to another input field (which can be type=text, type=email or type=uri). It could also point to an arbitary element that contains a username (the text DOM property would be used). Some sites (for example aimexpress.aim.com) will sometimes present you with just an password field and print the username from your last login (probably stored in a cookie). The purpose would be for the UA to be able to provide the ability to fill out a username/password pair that is stored in the UA from a previous login. Most browsers already provide this functionality, but are forced to guess which feilds make up a username/password pair. The browser would be free to ignore this attribute, and it would not be mapped to any DOM property. Changing the attribute would have no effect on already filled in values, but is inadvisable since some UAs might not read the attribute until some userinteraction happens (for example the user rightclicking either field and selecting a 'prefill' item). There are security concerns with letting the for-attribute pointing to a input element with a prefilled username or an arbitary element. This since that might allow a hacked site to 'probe' for usernames/passwords of the users visiting the site. Though mozilla would already be targetable for such an attack. We could either give guidelines for how UAs should behave, or we could simply disallow letting the 'for' attribute pointing at anything but input elements. / Sicking
Received on Wednesday, 15 December 2004 17:49:58 UTC