W3C home > Mailing lists > Public > whatwg@whatwg.org > May 2010

[whatwg] RFC: <input type="username">

From: Dirk Pranke <dpranke@chromium.org>
Date: Tue, 4 May 2010 19:56:13 -0700
Message-ID: <r2u3726d1bf1005041956k6773f927ld18c27a95360d870@mail.gmail.com>
On Tue, May 4, 2010 at 7:40 PM, Robert O'Callahan <robert at ocallahan.org> wrote:
> On Wed, May 5, 2010 at 1:27 PM, Dirk Pranke <dpranke at chromium.org> wrote:
>> The principal difference or change is that as far as I know, Mozilla's
>> account manager offers only an out-of-page experience for managing
>> your logged-in status.
> I don't think this is true. Sites can report user login status even if the
> user logged in using in-page UI. See
> https://wiki.mozilla.org/Labs/Weave/Identity/Account_Manager/Spec/Latest#Determining_the_Account_Session_Status

I'm sorry, I was unclear. What I meant was, as far as I know, the
Mozilla Account Manager extension offers a consistent UI for logging
in and logging out through the chrome of the page (i.e., out-of-page)
-- I haven't actually tried the extension lately. In addtiion, you can
presumably continue to do in-page login and logout (and display
status) using whatever existing mechanism you have, but that will
continue to be the same inconsistent UI we have today - every page can
do it a little differently.

I believe that site authors would like to control the look and feel of
the sign-in/sign-out process and offer some sort of in-page way of
displaying login status, but there is an obvious tradeoff between
control over the UX and creating security risks. They can continue to
use the mechanisms they are using today, of course, but that presents
the same sort of security issues we have today. What I would like to
offer is a way to control some amount of the sign-in/sign-out
experience while improving the security, by at least giving an in-page
way to trigger sign-in / sign-out (the actual mechanism of collecting
the credentials and performing the sign-in would be done by the
browser without page intervention, where possible, for security

The Account Manager spec and extensions do not provide any such hooks,
as far as I know.

-- Dirk
Received on Tuesday, 4 May 2010 19:56:13 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:23 UTC