HTML Standard Tracker



SVN | Bug | Comment | Time (UTC)
2432 | | Define a way to expose HTTP login forms to spiders in 401 (or even 200) responses. | 2008-11-25 05:25
@@ -32773,20 +32773,61 @@ interface <dfn>HTMLOptionElement</dfn> : <span>HTMLElement</span> {
    title="">event name</var> be <code
    <li><p>For each element in <var title="">controls</var>, in
    <span>tree order</span>, <span>fire a simple event</span> named
    <var title="">event name</var> at the element.</p></li>
+  <h4>Login forms</h4>
+  <p>A common use for forms is user authentication. To indicate that
+  an HTTP <span>URL</span> requires authentication through such a form
+  before use, the HTTP 401 response code with a <code
+  title="">WWW-Authenticate</code> challenge "<code
+  title="">HTML</code>" may be used.</p>
+  <p>For this authentication scheme, the framework defined in RFC2617
+  is used as follows. <a href="#refsRFC2617">[RFC2617]</a></p>
+  <pre><dfn title="bnf-formauth-challenge">challenge</dfn> = "<code title="">HTML</code>" [ <span title="bnf-formauth-form">form</span> ]
+<dfn title="bnf-formauth-form">form</dfn>      = "<code title="">form</code>" "<code title="">=</code>" <span title="bnf-formauth-form-name">form-name</span>
+<dfn title="bnf-formauth-form-name">form-name</dfn> = quoted-string</pre>
+  <p>The <span title="bnf-formauth-form">form</span> parameter, if
+  present, indicates that the first <code>form</code> element in the
+  entity body whose <span title="attr-form-name">name</span> is the
+  specified string, in <span>tree order</span>, if any, is the login
+  form. If the parameter is omitted, then the first <code>form</code>
+  element in the entity body, in <span>tree order</span>, if any, is
+  the login form.</p>
+  <p>There is no <code title="">credentials</code> production for this
+  scheme because the login information is to be sent as a normal form
+  submission and not using the <code title="">Authorization</code>
+  HTTP header.</p>
+  <p>This authentication scheme must only be used for entities whose
+  bodies contain HTML or XML with at least one <code>form</code>
+  element.</p>
+  <p class="note">Pages that include a login form but are not
+  protected by the login form (and for which a 401 response would
+  therefore be inappropriate) can have an "<code title="">HTML</code>"
+  challenge included in a <code title="">WWW-Authenticate</code>
+  header even though the response code is not 401. This allows user
+  agents to identify login forms on pages even when the user might not
+  want to log in.</p>
   <h3 id="interactive-elements">Interactive elements</h3>
   <h4>The <dfn><code>details</code></dfn> element</h4>
   <dl class="element">
    <dd><span>Flow content</span>.</dd>
    <dd><span>Interactive content</span>.</dd>
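Review bot: In the paragraph that defines the form parameter, the login form is chosen purely by position ("the first form element in the entity body ... in tree order"), so when the parameter is omitted any form that precedes the real one, for example a site search box or a form in user-supplied markup, is what user agents and spiders will treat as the login form. Consider making the parameter required, or at least recommending it, and stating what a user agent does when the "if any" case fails and no form matches, since the 401 then carries a challenge that cannot be satisfied. The text also leaves open how the form-name quoted-string is compared with the name attribute (case sensitivity, quoted-pair unescaping). Because the closing note permits the challenge on non-401 responses, it would help to add a sentence saying that the header only identifies the form and does not by itself authorize a user agent to fill in or submit stored credentials.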