Buy commercial curl support from WolfSSL. We help you work
out your issues, debug your libcurl applications, use the API, port to new
platforms, add new features and more. With a team lead by the curl founder
himself.
Re: Idea for improving password security in the web
- Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]
From: Daniel F via curl-library <curl-library_at_lists.haxx.se>
Date: Mon, 04 Jul 2022 11:58:42 +0200
W dniu 2022-07-04 11:09, Daniel Stenberg via curl-library napisaĆ(a):
> On Sat, 25 Jun 2022, Isaac Boukris via curl-library wrote:
>
>> The idea is to add a new HTTP authentication scheme, where the browser
>> will make sure the prompt to enter the password has a distinguish UI
>> which cannot be faked with javascript or anything
>
> I've been told many times that one of the primary reasons HTTP based
> auth mechnisms have failed compared to POST + cookies, is this reason:
> that web site designers prefer a system where they can design the
> crendential prompt to their liking and *not* rely on the stiff and
> ugly same-for-everyone popup-window the browsers provide. (Another big
> reason being that the HTTP auths don't have a proper "logout" action
> or expiry the easy way cookies do.)
>
Looks that browsers need some way to make default login popup
customization. Every browser should use the same HTML code to describe
contents of this popup. It also should be possible to create CSS sheet
which would be loaded into that popup, so every website could customize
how it looks.
Browsers also may provide some "login form" control which could be added
to the page, with predefined way to style it with CSS. It should be a
black box for JS, so scripts could not access and modify login data.
Date: Mon, 04 Jul 2022 11:58:42 +0200
W dniu 2022-07-04 11:09, Daniel Stenberg via curl-library napisaĆ(a):
> On Sat, 25 Jun 2022, Isaac Boukris via curl-library wrote:
>
>> The idea is to add a new HTTP authentication scheme, where the browser
>> will make sure the prompt to enter the password has a distinguish UI
>> which cannot be faked with javascript or anything
>
> I've been told many times that one of the primary reasons HTTP based
> auth mechnisms have failed compared to POST + cookies, is this reason:
> that web site designers prefer a system where they can design the
> crendential prompt to their liking and *not* rely on the stiff and
> ugly same-for-everyone popup-window the browsers provide. (Another big
> reason being that the HTTP auths don't have a proper "logout" action
> or expiry the easy way cookies do.)
>
Looks that browsers need some way to make default login popup
customization. Every browser should use the same HTML code to describe
contents of this popup. It also should be possible to create CSS sheet
which would be loaded into that popup, so every website could customize
how it looks.
Browsers also may provide some "login form" control which could be added
to the page, with predefined way to style it with CSS. It should be a
black box for JS, so scripts could not access and modify login data.
-- Regards, Daniel -- Unsubscribe: https://lists.haxx.se/listinfo/curl-library Etiquette: https://curl.se/mail/etiquette.htmlReceived on 2022-07-04