Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Who supports this? #16

Open
marcoscaceres opened this issue Dec 12, 2019 · 9 comments
Open

Who supports this? #16

marcoscaceres opened this issue Dec 12, 2019 · 9 comments
Assignees
@hober

Comments

@marcoscaceres
Copy link
Member

Hi, WICG chairs are just going through the repos and checking status... I seem to recall Safari supports this feature (and twitter was using it, right?)? Did other browser vendors get behind it? If yes, should we consider moving it to the W3C or WHATWG?
@tschoffelen
Copy link

I think there's quite a lot of websites that implement this now (including Facebook and Twitter), and a few password managers and browsers make use of this spec (Safari, 1Password).

@marcoscaceres
Copy link
Member Author

Great to hear that big sites are using it. What about other browsers?

@battre
Copy link

battre commented Jan 10, 2020

Chrome is generally interested in this, but we have some concerns about the reliability that we haven't quantified, yet.

We see for example servers responding with "200 OK" and a page that says "this page does not exist" or that does not have a login form when you are logged out. I would consider to add a mandatory header that says "Server understands this spec, my HTTP response code is reliable".

To pick on ourselves instead of others: https://news.google.com/.well-known/change-password redirects me to https://news.google.com/?hl=de&gl=DE&ceid=DE:de.

Also there is no commitment on any timeline from our side, yet.

@tschoffelen
Copy link

@battre Yep, that's something that others realised as well: #14

@hober
Copy link
Member

hober commented May 1, 2020

@battre wrote:

Chrome is generally interested in this, but we have some concerns about the reliability that we haven't quantified, yet.

We see for example servers responding with "200 OK" and a page that says "this page does not exist" or that does not have a login form when you are logged out.

Yeah, we've seen this too, and like @tschoffelen points out, it came up before in #14. In that issue, we concluded that a separate well-known URL would be best for detecting this, and in 0b98642 I've defined such a mechanism in a separate document in this repository. Please let me know what you think.

@hober
Copy link
Member

hober commented Jun 9, 2020

@battre, any thoughts?

@hober hober self-assigned this Jun 9, 2020
@battre
Copy link

battre commented Jun 12, 2020

The proposal in https://wicg.github.io/change-password-url/response-code-reliability.html makes sense to me and this is what we are currently implementing.

@marcoscaceres
Copy link
Member Author

marcoscaceres commented Jun 18, 2020
edited
Loading

Thanks for the update @battre ... checking if there is interest from the Gecko side.

@marcoscaceres marcoscaceres mentioned this issue Jun 18, 2020
Closed
@marcoscaceres
Copy link
Member Author

Filed mozilla/standards-positions#372 for a Mozilla position.

@kiding kiding mentioned this issue Jun 23, 2020
Open
@w3c w3c deleted a comment Jul 6, 2020
@w3c w3c deleted a comment Jul 6, 2020
@w3c w3c deleted a comment Jul 6, 2020
@w3c w3c deleted a comment Jul 6, 2020
@w3c w3c deleted a comment Jul 6, 2020
archlinux-github pushed a commit to archlinux/infrastructure that referenced this issue Mar 1, 2021
@klausenbusk
keycloak: Add "Well-Known URL for Changing Passwords"[1]
2d2ab84 
More and more browsers and password managers support this[2].

[1] https://w3c.github.io/webappsec-change-password-url/
[2] w3c/webappsec-change-password-url#16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@hober hober

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@hober @tschoffelen @battre @marcoscaceres