Short URL: http://html5.org/r/2432
| SVN | Bug | Comment | Time (UTC) |
|---|---|---|---|
| 2432 | | Define a way to expose HTTP login forms to spiders in 401 (or even 200) responses. | 2008-11-25 05:25 |
Index: source =================================================================== --- source (revision 2431) +++ source (revision 2432) 
@@ -32780,8 +32780,49 @@ </ol> + <h4>Login forms</h4> + <p>A common use for forms is user authentication. To indicate that + an HTTP <span>URL</span> requires authentication through such a form + before use, the HTTP 401 response code with a <code + title="">WWW-Authenticate</code> challenge "<code + title="">HTML</code>" may be used.</p> + <p>For this authentication scheme, the framework defined in RFC2617 + is used as follows. <a href="#refsRFC2617">[RFC2617]</a></p> + + <pre><dfn title="bnf-formauth-challenge">challenge</dfn> = "<code title="">HTML</code>" [ <span title="bnf-formauth-form">form</span> ] +<dfn title="bnf-formauth-form">form</dfn> = "<code title="">form</code>" "<code title="">=</code>" <span title="bnf-formauth-form-name">form-name</span> +<dfn title="bnf-formauth-form-name">form-name</dfn> = quoted-string</pre> + + <p>The <span title="bnf-formauth-form">form</span> parameter, if + present, indicates that the first <code>form</code> element in the + entity body whose <span title="attr-form-name">name</span> is the + specified string, in <span>tree order</span>, if any, is the login + form. If the parameter is omitted, then the first <code>form</code> + element in the entity body, in <span>tree order</span>, if any, is + the login form.</p> + + <p>There is no <code title="">credentials</code> production for this + scheme because the login information is to be sent as a normal form + submission and not using the <code title="">Authorization</code> + HTTP header.</p> + + <p>This authentication scheme must only be used for entities whose + bodies contain HTML or XML with at least one <code>form</code> + element.</p> + + <p class="note">Pages that include a login form but are not + protected by the login form (and for which a 401 response would + therefore be inappropriate) can have an "<code title="">HTML</code>" + challenge included in a <code title="">WWW-Authenticate</code> + header even though the response code is not 401. 
This allows user + agents to identify login forms on pages even when the user might not + want to log in.</p> + + + + <h3 id="interactive-elements">Interactive elements</h3> <h4>The <dfn><code>details</code></dfn> element</h4>
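Review bot: In the BNF inside the added <pre> block, challenge = "HTML" [ form ] makes the only parameter optional and shows no separator between the scheme name and the parameter, whereas the RFC2617 framework that the preceding paragraph says is being used defines a challenge as auth-scheme 1*SP 1#auth-param, which requires at least one parameter. Either express the production in terms of auth-scheme and auth-param, or say explicitly that a bare "HTML" challenge is an intentional deviation, so that header parsers written against RFC2617 have defined behaviour. Two smaller points in the same hunk. The paragraph on the form parameter selects the first form element whose name matches, but form names are not required to be unique in a document, so it would help to state that authors should keep the named login form unique and what a user agent concludes when no form matches (the "if any" wording leaves the response with a challenge but no login form). And the permission to send the challenge on non-401 responses appears only in the closing class="note" paragraph, which is non-normative; if that usage is meant to be conforming, it belongs in the normative text next to the "must only be used for entities" requirement.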