Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CREDENTIAL: boolean acceptPasswords = true; #249

Closed
annevk opened this issue Apr 13, 2015 · 7 comments
Closed

CREDENTIAL: boolean acceptPasswords = true; #249

annevk opened this issue Apr 13, 2015 · 7 comments
Labels
CREDENTIAL
Milestone
CREDENTIALS: Level 1

Comments

@annevk
Copy link
Member

annevk commented Apr 13, 2015

Boolean arguments should not default to true.
@annevk
Copy link
Member Author

annevk commented Apr 13, 2015

Filed https://www.w3.org/Bugs/Public/show_bug.cgi?id=28477 to track this at the IDL level.

@mikewest
Copy link
Member

Why would excludePasswords = false be better? Double-negatives seem more difficult to understand than negated positives.

mikewest added a commit that referenced this issue Apr 13, 2015
@mikewest
CREDENTIAL: Note #249.
fd5567f
@annevk
Copy link
Member Author

annevk commented Apr 13, 2015

If some boolean arguments default to false and others to true, you have to study each method to know when you can omit the argument. I think JavaScript and the platform quite consistently defaults to false (XMLHttpRequest is super confusing due to it behaving differently). Also, the common case would be excludePasswords = true which does not seem hard to understand.

However, you could also make it accept an enum. passwords = "exclude".

@mikewest
Copy link
Member

The underlying question is how to support extensibility. Right now we have Local and Federated credentials. Assume we have MoonVector credentials in the future that use your precise distance and direction from Earth's moon to determine who you are (did you know that each individual has a distinct vector from the moon? AMAZING.). Most websites won't accept this amazing new form of authentication at first, but someday they might only accept this form.

Since we already have federations as a clear control on FederatedCredential, I wanted something similar for LocalCredential. Perhaps it would be siimpler to give a list of acceptable types, defaulting to everything the UA knows about?

@annevk
Copy link
Member Author

annevk commented Apr 13, 2015

Yeah that might be better since the whole setup assumes the user agent is going to be the middle man anyway.

@domenic
Copy link

domenic commented Apr 15, 2015

+1 on boolean arguments defaulting to false.

List of acceptable types seems reasonable as well, although unsure whether it's better to create a string mapping (accept: ["federated", "local"]) or use the types directly (accept: [FederatedCredential, LocalCredential]).

LOL @ moon vectors ^_^

@mikewest
Copy link
Member

I'm going to trivially resolve this by inverting the meaning of the boolean, and deal with the extensibility question as part of #256, which has substantial overlap with @domenic's accept proposal.

@mikewest mikewest mentioned this issue Apr 16, 2015
Open
@mikewest mikewest modified the milestone: CREDENTIALS: Level 1 Apr 17, 2015
mikewest pushed a commit to mikewest/webappsec that referenced this issue Jun 29, 2015
@tabatkins
Merge pull request w3c#249 from foolip/patch-1
03f81e8 
Capitalize Linux
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
CREDENTIAL
Projects
None yet
Milestone
CREDENTIALS: Level 1
Development

No branches or pull requests
3 participants
@mikewest @domenic @annevk