HTML Standard Tracker

SVN | Bug | Comment | Time (UTC)
2432 | | Define a way to expose HTTP login forms to spiders in 401 (or even 200) responses. | 2008-11-25 05:25
Index: source
--- source	(revision 2431)
+++ source	(revision 2432)
@@ -32780,8 +32780,49 @@
+  <h4>Login forms</h4>
+  <p>A common use for forms is user authentication. To indicate that
+  an HTTP <span>URL</span> requires authentication through such a form
+  before use, the HTTP 401 response code with a <code
+  title="">WWW-Authenticate</code> challenge "<code
+  title="">HTML</code>" may be used.</p>
+  <p>For this authentication scheme, the framework defined in RFC2617
+  is used as follows. <a href="#refsRFC2617">[RFC2617]</a></p>
+  <pre><dfn title="bnf-formauth-challenge">challenge</dfn> = "<code title="">HTML</code>" [ <span title="bnf-formauth-form">form</span> ]
+<dfn title="bnf-formauth-form">form</dfn>      = "<code title="">form</code>" "<code title="">=</code>" <span title="bnf-formauth-form-name">form-name</span>
+<dfn title="bnf-formauth-form-name">form-name</dfn> = quoted-string</pre>
+  <p>The <span title="bnf-formauth-form">form</span> parameter, if
+  present, indicates that the first <code>form</code> element in the
+  entity body whose <span title="attr-form-name">name</span> is the
+  specified string, in <span>tree order</span>, if any, is the login
+  form. If the parameter is omitted, then the first <code>form</code>
+  element in the entity body, in <span>tree order</span>, if any, is
+  the login form.</p>
+  <p>There is no <code title="">credentials</code> production for this
+  scheme because the login information is to be sent as a normal form
+  submission and not using the <code title="">Authorization</code>
+  HTTP header.</p>
+  <p>This authentication scheme must only be used for entities whose
+  bodies contain HTML or XML with at least one <code>form</code>
+  element.</p>
+  <p class="note">Pages that include a login form but are not
+  protected by the login form (and for which a 401 response would
+  therefore be inappropriate) can have an "<code title="">HTML</code>"
+  challenge included in a <code title="">WWW-Authenticate</code>
+  header even though the response code is not 401. This allows user
+  agents to identify login forms on pages even when the user might not
+  want to log in.</p>
   <h3 id="interactive-elements">Interactive elements</h3>
   <h4>The <dfn><code>details</code></dfn> element</h4>
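
Review bot: The paragraph on the form parameter leaves the mismatch case undefined: when form="..." is sent but no form element in the body has that name, the "if any" wording means there is no login form at all, yet the later "must only be used" paragraph only requires "at least one form element". Suggest either requiring that a form with the given name be present whenever the parameter is used, or stating explicitly that the user agent must not fall back to the first form in tree order, and saying how the name is compared (case-sensitively or not). The grammar also shows no separator between "HTML" and the optional form parameter, so it is worth stating that the whitespace and parameter syntax follow the RFC2617 challenge production. Finally, the closing note allows the challenge on non-401 responses but does not say what a user agent does with it there; since the header alone designates which form receives credentials, the text should say whether the designated form's action is constrained in any way (for example to the same origin as the response) before a user agent or spider treats it as the login form.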