Update for nicer html export
Wed Oct 27 04:40:07 UTC 2010 pix@kepibu.org
* Update for nicer html export
diff -rN -u old-httpauth/notes.org new-httpauth/notes.org
--- old-httpauth/notes.org 2013-07-22 16:06:14.000000000 +0000
+++ new-httpauth/notes.org 2013-07-22 16:06:14.000000000 +0000
@@ -1,5 +1,5 @@
-* Site-Controlled HTTP Authentication UI
-** Motivation
+#+TITLE: Site-Controlled HTTP Authentication UI
+* Motivation
HTTP Authentication is significantly less fundamentally broken than cookie-based
authentication. And, while I've been meaning to write this up for years, the
recent release of [[http://codebutler.com/firesheep][Firesheep]] has brought the issue to the fore once again.
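Review bot: the claim in this hunk's context that "HTTP Authentication is significantly less fundamentally broken than cookie-based authentication", placed right before the Firesheep reference, needs a qualifier, because Firesheep is passive sniffing of plaintext HTTP, and HTTP Basic sends the password itself on every request, which is worse than a session cookie in that setting. The advantage the proposal relies on holds for Digest (per-request nonces) or for either scheme over TLS; suggest saying so here so the Motivation does not read as if the scheme alone defeats the Firesheep class of attack. The `#+TITLE:` line and the promotion of `**` to `*` are consistent with the rest of the patch.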
@@ -14,8 +14,8 @@
This is my proposal to make HTTP Authentication website-controlled, while
remaining backwards compatible with form-based authentication in browsers which
do not support the proposal.
-** Proposal
-*** HTML Forms
+* Proposal
+** HTML Forms
Login forms need add only a single class to their <form> tag:
"http-authentication". This class signals to the browser that it should use the
"username" and "password" fields for this form as the corresponding fields in
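Review bot: the `http-authentication` class is introduced in this hunk's context without saying which scheme the browser should use when it has not yet seen a WWW-Authenticate challenge for the form's action URL. If the default is Basic, a form posting to a non-TLS action would put the password on the wire in the clear; suggest requiring either a prior challenge or an https action before the browser substitutes the Authorization header for the form POST. Minor wording: "Login forms need add only a single class" reads better as "Login forms need only add a single class".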
@@ -27,7 +27,7 @@
Any fields in the login form not understood by the browser as part of a login
request MUST be submitted as normal for the provided form.
-*** Changes to RFC 2617
+** Changes to RFC 2617
WWW-Authenticate headers MAY be sent along with 2xy and 3xy responses to
indicate that a page supports optional authentication. Vary: Authorization and
appropriate Cache-Control headers should be used when doing so to allow caches
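Review bot: "Vary: Authorization and appropriate Cache-Control headers should be used" in this hunk's context uses a lowercase "should" in a document that otherwise relies on RFC 2119 keywords (MAY, MUST). A shared cache that ignores this would serve one user's authenticated response to another, so this wants MUST (or at least SHOULD), and `Cache-Control: private` should be named explicitly for responses that vary by Authorization. Also, "2xy and 3xy" is non-standard; RFC 2616 writes these status classes as 2xx and 3xx.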
@@ -36,7 +36,7 @@
A browser using form-based HTTP Authentication MAY use data acquired from a
WWW-Authenticate header sent with the form to authenticate itself without the
additional round-trip that would otherwise be required.
-*** Stopgap Measure
+** Stopgap Measure
To use this feature before sites implement it, sites may use JavaScript
techniques along the lines of [peej] to silently force the browser into HTTP
Authentication.
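Review bot: the context lines "A browser ... MAY use data acquired from a WWW-Authenticate header sent with the form to authenticate itself" do not bind the challenge to the form's action. A WWW-Authenticate header on the page carrying the form describes the protection space of that page's URL, so reusing it is only safe when the form action is in the same protection space (same origin and, per RFC 2617, the same realm); suggest adding that condition, otherwise a form whose action points elsewhere would send a realm-specific digest, or Basic credentials, to a host that never issued the challenge. The Stopgap Measure text's "silently force the browser into HTTP Authentication" would also benefit from one sentence on what the user sees when the JavaScript path fails (native dialog or a plain form POST).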
@@ -46,7 +46,7 @@
measure and can be fetched as a darcs repository via the command
: darcs get http://repo.kepibu.org/httpauth/
-*** Working with the Stopgap Measure in Browsers that Support This Spec
+** Working with the Stopgap Measure in Browsers that Support This Spec
Assuming sites implement the stopgap measure, and browsers later introduce
native support for this specification, it becomes important for browsers and
sites to communicate with each other about who is in charge of handling the
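Review bot: the `darcs get http://repo.kepibu.org/httpauth/` line in this hunk's context tells readers to fetch code that will handle login credentials over plain HTTP, with no integrity check mentioned; suggest offering an https URL or publishing a hash or signature for the repository so readers can verify what they run. No issue with the heading change itself.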
@@ -62,10 +62,10 @@
add the class 'natively-supported' to forms requesting http authentication.
This will allow sites to easily detect native support and avoid running their
own JavaScript-based form-to-http-auth translators.
-*** Logging Out
+** Logging Out
Forcing logout for users is left to a future version of this specification. See
[tdm] for ideas.
-** References
+* References
* [tdm] :: Weaning the Web off of Session Cookies (Timothy Morgan, 26 Jan 2010)
http://www.vsecurity.com/download/papers/WeaningTheWebOffOfSessionCookies.pdf
* [peej] :: HTTP Authentication with HTML Forms (Paul James, 03 Feb 2006)
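Review bot: after `** References` becomes `* References`, the two entries below it (`* [tdm] :: ...` and `* [peej] :: ...`) are still top-level org headings, so the HTML export renders them as sections that are siblings of References rather than items under it, and the `::` description-list syntax does nothing on a heading. Suggest `- [tdm] :: Weaning the Web off of Session Cookies ...` and `- [peej] :: HTTP Authentication with HTML Forms ...` so they export as a definition list under References, which is what this patch is after. Separately, the Logging Out context leaves forced logout to a future version; since a browser keeps re-sending cached HTTP credentials until it is closed, a one-line warning that users on shared machines cannot end their session in the meantime would be better than a bare deferral.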
@@ -77,4 +77,4 @@
* flyspell :noexport:
LocalWords: UI LocalWords Firesheep peej authentform html tdm Login http login
LocalWords: username nonces pdf JavaScript auth JS natively logout xy darcs
-// LocalWords: php
+LocalWords: php