Merge branch 'master' of https://github.com/w3c/webappsec

Author: hillbrad

demos/credential-management/favicon.ico

@@ -1,103 +1,44 @@
-<style>
-  button {
-    display: block;
-  }
+<!DOCTYPE html>
+<html>
+<head>
+  <title>Credential Management API Demo</title>
+  <link href="style.css" rel="stylesheet"></link>
+  <script defer src="script.js"></script>
+  <meta charset="UTF-8">
+</head>
+<body class="signedout">
+  <header>
+    <h1>Exciting Website</h1>
+    <button id="signin">Sign In</button>
+  </header>
+  <section class="signedout">
+    Signed out.
+  </section>
+  <section class="signedin">
+    <p>Welcome, <var id="displayed-username">name</var>!</p>
+    <button id="signout">Sign Out</button>
+  </section>
+  <section>
+    <p>
+      This is where this websites' content would go if it was a real website.
+      Until then, lorem ipsum!
+    </p>
+    <p>Lorem ipsum dolor sït amet, sed éu dicit qûodsï sénserit. Id possïm çaûsaê meî, alîquip pérsècutï instructiœr te ëam, éx mél aliqùam çonsëtetur vituperatorîbùs. Cu his ullùm vïvendo dîsputâtioni, moderàtius scrîptorèm no dùo, eî quî diçô nobîs adolésçens! Ex sît ïllud delïcata, nœ ërrèm reprèhéndunt his.</p>
+    <p>Usu in soleat luptàtûm àdversarîum. Animal întellégat éx mël, ad quo consul habèmus quaéstîo. Té nèc illum iudicàbît. Dêcorè ménandri për èî. In pro quas hàbémùs quaêrendûm.</p>
+    <p>Sêd ne porrœ vivendùm sadïpscing, accumsan mênandri accusàmûs ïn meî, nàtum îracundïà àt ëàm. Vivëndûm elêïfênd cum ei, in aeque legimûs plaçerat mêî? Mêà ex tâtîœn exercî vôluptûà, libêr laudem vèrïtus vèl in. Eu âlïqùip èlàborarét quo, mèa no pèrsius urbanitâs sïgniferumqûè? Pri te solûta pôsîdonïum, zril apeïrian voluptatùm îd îus, ëà vim caûsâê deleniti dêlëctûs?</p>
+    <p>Te vix odiô summo contêntiœnès! Né modo ïntéllegebàt éam. Agàm quas êum èû! Cû qùî affert patrioque. Pri an ïdqûè mëlîus, sèa êi illud vîtaë.</p>
+  </section>
+  <dialog>
+    <form>
+    <!-- UGLY HACK: working around https://crbug.com/529272
+      <label for="username">Username:</label>
+      <input id="username" type="text" name="username" autocomplete="username"></input>
+      <label for="password">Password:</label>
+      <input id="password" type="password" name="password" autocomplete="new-password"></input>
+      <input type="submit">
+    -->
+    </form>
+  </dialog>
+</body>
+</html>
 
-  div {
-    display: none;
-  }
-</style>
-<button id="signin-button">Sign In</button>
-<button id="signout-button">Sign Out</button>
-<div>
-  <form id="signin">
-    <h2>Sign In!</h2>
-    <label for="username">Username:</label>
-    <input id="username" name="username" autocomplete="username"></input>
-    <label for="password">Password:</label>
-    <input id="password" name="password" autocomplete="current-password"></input>
-    <input type="submit">
-  </form>
-  <form id="signup">
-    <h2>Sign Up!</h2>
-    <label for="username-signup">Username:</label>
-    <input id="username-signup" name="username" autocomplete="username"></input>
-    <label for="password-signup">Password:</label>
-    <input id="password-signup" name="password" autocomplete="new-password"></input>
-    <input type="submit">
-  </form>
-</div>
-<script>
-  // Attempt to automatically sign a user in.
-  if (navigator.credentials) {
-    console.log("Automagical sign in?");
-    navigator.credentials.get({
-      'password': true,
-      'suppressUI': true
-    }).then(function (credential) {
-      if (credential) {
-        console.log("Got credentials! Signing in!");
-        document.querySelector('button').innerText = "Signed in!";
-        return;
-      }
-
-      console.log("No credentials. Sadness abounds.");
-    });
-  }
-
-  // When a user clicks on the sign in button, grab a credential, or render a sign in form.
-  document.querySelector('button').addEventListener('click', function () {
-    if (navigator.credentials) {
-      console.log("Manually-toggled credentials.get!");
-      navigator.credentials.get({ 'password': true }).then(function (credential) {
-        if (!credential) {
-          console.log("Still no credentials. Moar sadness.");
-          toggleSignInForm();
-          return;
-        }
-
-        console.log("Got credentials! Signing in!");
-        document.querySelector('button').innerText = "Signing in!";
-      });
-    } else {
-      toggleSignInForm();
-    }
-  });
-
-  function toggleSignInForm() {
-    document.querySelector('button').style.display = 'none';
-    document.querySelector('div').style.display = 'block';
-  }
-
-  // Capture "Sign Up" calls, store credentials.
-  document.querySelector('#signup').addEventListener('submit', function (e) {
-    if (navigator.credentials) {
-      console.log("Creating credentials!");
-      var c;
-      try {
-        c = new PasswordCredential({
-            id: document.querySelector('#username-signup').value,
-            password: document.querySelector('#password-signup').value
-        });
-      } catch (e) {
-        c = new PasswordCredential(
-            document.querySelector('#username-signup').value,
-            document.querySelector('#password-signup').value
-        );
-      }
-      navigator.credentials.store(c).then(function () {
-        console.log("Stored credential!");
-      });
-      e.preventDefault();
-      return false;
-    }
-  });
-
-  // Capture "sign out" calls.
-  document.querySelector('#signout-button').addEventListener('click', function () {
-    navigator.credentials.requireUserMediation();
-  });
-
-  [].forEach.call(document.querySelectorAll('input[type=submit]'), function(el) {
-  });
-</script>

demos/credential-management/index.html

@@ -0,0 +1,137 @@
+/*
+ * First, try to log the user in automatically by calling `get()`, and passing
+ * in the `suppressUI` option. If the user can be unambigiously signed in (e.g.
+ * there is one and only one valid credential for the origin, and the user has
+ * the auto-sign-in option set), then credentials will be provided.
+ */
+if (navigator.credentials) {
+  console.log("Trying automatic sign-in.");
+  navigator.credentials.get({
+    password: true,
+    suppressUI: true
+  }).then(processResponse);
+}
+
+function toggleState() {
+  console.log("Toggling UI state.");
+  document.body.classList.toggle('signedin');
+  document.body.classList.toggle('signedout');
+}
+
+function processResponse(c) {
+  if (c) {
+    console.log("Got credentials for %s!", c.id);
+
+    // In a real site, we'd do something like the following to asynchronously
+    // sign the user in:
+    //
+    //   var fd = c.toFormData();
+    //   fetch("https://example.com/signinEndpoint/", { body: fd, method: "POST" })
+    //       .then(function (response) {
+    //         if ([check that the response is a valid signin event])
+    //           updateUI();
+    //       });
+    //
+    // Here, we'll just update the UI:
+    toggleState();
+    document.querySelector('var').textContent = c.id;
+  }
+}
+
+/*
+ * Next, wire up the "Sign In" button to call `get()` without the `suppressUI`
+ * option, and to fall back to a sign in form if the API is not available (or
+ * if no credential is provided).
+ */
+document.querySelector('#signin').addEventListener('click', function () {
+  console.log("Clicked 'sign in!'");
+  if (navigator.credentials) {
+    navigator.credentials.get({
+      password: true
+    }).then(function (c) {
+      processResponse(c);
+      if (!c) {
+        document.querySelector('form').innerHTML = '<label for="username">Username:</label><input id="username" type="text" name="username" autocomplete="username"></input><label for="password">Password:</label><input id="password" type="password" name="password" autocomplete="new-password"></input><input type="submit">';
+        document.querySelector('dialog').showModal();
+      }
+    });
+  } else {
+    document.querySelector('form').innerHTML = '<label for="username">Username:</label><input id="username" type="text" name="username" autocomplete="username"></input><label for="password">Password:</label><input id="password" type="password" name="password" autocomplete="new-password"></input><input type="submit">';
+    document.querySelector('dialog').showModal();
+  }
+});
+
+/*
+ * Wire up the 'Sign Out' link to call `requireUserMediation()`
+ */
+document.querySelector('#signout').addEventListener('click', function () {
+  console.log("Clicked 'sign out!'");
+  if (navigator.credentials)
+    navigator.credentials.requireUserMediation();
+  document.body.classList.toggle('signedin');
+  document.body.classList.toggle('signedout');
+});
+
+/*
+ * Finally, we'll wire up the submit button on the form to call `store()` upon
+ * submission if the API is available.
+ */
+document.querySelector('form').addEventListener('submit', function (e) {
+  console.log("Submitted a sign-in form.");
+  e.preventDefault();
+
+  if (navigator.credentials) {
+    var c = new PasswordCredential({
+      id: document.querySelector('#username').value,
+      password: document.querySelector('#password').value,
+      iconURL: getFace(document.querySelector('#username').value)
+    });
+
+    navigator.credentials.store(c).then(function (a) { console.log(a); }).catch(function (e) { console.log(e); });
+  }
+
+  // Sign the user in asynchronously using the data in the form. This will either look like
+  // the code in `processResponse()` above (if the credentials API is available), or
+  // something like the following if it's not:
+  //
+  // fetch("https://example.com/signinEndpoint/",
+  //       { body: new FormData(document.querySelector('form')), method: "POST" });
+  //  
+  // Note that we call `e.preventDefault()` at the top of this event handler to prevent
+  // the actual form submission while we do the asynchronous request.
+
+  toggleState();
+  document.querySelector('var').textContent = document.querySelector('#username').value;
+  document.querySelector('dialog').close();
+
+  // Clear out the form's value, because we're not actually navigating... fake it.
+  document.querySelector('#username').value = "";
+  document.querySelector('#password').value = "";
+
+  return false;
+});
+
+function getFace(string) {
+  var hashString = function() {
+    var hash = 0, i, chr, len;
+    if (string.length == 0) return hash;
+    for (i = 0, len = string.length; i < len; i++) {
+      chr = string.charCodeAt(i);
+      hash = ((hash << 5) - hash) + chr;
+      hash |= 0; // Convert to 32bit integer
+    }
+    return hash;
+  };
+
+  // Faces from uifaces.com. Thanks!
+  var faces = [
+    "https://s3.amazonaws.com/uifaces/faces/twitter/jsa/128.jpg",
+    "https://s3.amazonaws.com/uifaces/faces/twitter/sauro/128.jpg",
+    "https://s3.amazonaws.com/uifaces/faces/twitter/brad_frost/128.jpg",
+    "https://s3.amazonaws.com/uifaces/faces/twitter/rem/128.jpg",
+    "https://s3.amazonaws.com/uifaces/faces/twitter/pixeliris/128.jpg",
+    "https://s3.amazonaws.com/uifaces/faces/twitter/csswizardry/128.jpg",
+  ];
+
+  return faces[hashString(string) % faces.length];
+}

demos/credential-management/script.js

@@ -0,0 +1,54 @@
+body {
+  margin: 0 auto;
+  width: 500px;  
+}
+header {
+  background: #EEE;
+  display: flex;
+}
+  h1 {
+    font: 700 30px/1 sans-serif;
+    font-weight: bold;
+    margin: 0;
+    padding: 0.25em;
+    flex: 1 1 auto;
+  }
+  header button {
+    font: 700 15px/30px sans-serif;
+    flex: 1 1 auto;
+  }
+p {
+  font: 16px/1.2 sans-serif;
+  text-align: justify;
+  hyphens: auto;
+}
+
+section.signedout, section.signedin {
+  display: none;
+}
+
+.signedout section.signedout {
+  border: 1px solid #999;
+  background: #FF6666;
+  margin: 0.25em 0;
+  padding: 1em;
+  display: block;
+}
+
+.signedin section.signedin {
+  border: 1px solid #999;
+  background: #66FF66;
+  margin: 0.25em 0;
+  padding: 1em;
+  display: block;
+}
+
+label, input {
+  display: block;
+  margin: 0;
+  font: 700 15px/30px sans-serif;
+}
+
+input[type=submit] {
+  margin-top: 0.5em;
+}

demos/credential-management/style.css

@@ -17,7 +17,7 @@ CSP2-PR: CSP2/published/2015-08-PR.html
 CSP3: content-security-policy/index.html
 EPR: epr/index.html
 MIX: mixedcontent/index.html
-MIX-CR: mixedcontent/published/2015-08-CR.html
+MIX-CR: mixedcontent/published/2015-09-CR.html
 MIX-PR: mixedcontent/published/2015-07-PR.html
 POWER: powerfulfeatures/index.html
 POWER-WD: powerfulfeatures/published/WD.html
@@ -61,8 +61,8 @@ mixedcontent/index.html: mixedcontent/index.src.html biblio.json
 mixedcontent/published/2015-07-PR.html: mixedcontent/index.src.html
 	bikeshed -f spec --md-status=PR --md-date=2015-07-01 --md-deadline=2015-08-01 ./mixedcontent/index.src.html ./mixedcontent/published/2015-07-PR.html
 
-mixedcontent/published/2015-08-CR.html: mixedcontent/index.src.html
-	bikeshed -f spec --md-status=CR --md-date=2015-08-04 --md-deadline=2015-09-04 ./mixedcontent/index.src.html ./mixedcontent/published/2015-08-CR.html
+mixedcontent/published/2015-09-CR.html: mixedcontent/index.src.html
+	bikeshed -f spec --md-status=CR --md-date=2015-09-22 --md-deadline=2015-10-22 ./mixedcontent/index.src.html ./mixedcontent/published/2015-09-CR.html
 
 referrer-policy/index.html: referrer-policy/index.src.html biblio.json
 	bikeshed -f spec ./referrer-policy/index.src.html