Martin Atkins (mart) wrote in apparentlymart,
Martin Atkins

HTML 5 vs. Yadis

One of the ways that the Yadis specification allows for the XRDS document location to be declared is via the X-XRDS-Location header embedded via a <meta http-equiv="..."> element in an HTML document. <meta http-equiv="...">

HTML 5 has constrained <meta http-equiv="..."> so that it only supports a selection of explicitly allowed headers. At the time of writing, these are "Content-Type", "default-style" and "refresh".

The result of this is that it is impossible to use Yadis in this way while having a conforming HTML 5 document. The current ethos for HTML 5 seems to be to remove any mechanism by which it can be extended in any way without going through the HTML working group and changing the core spec. While I can see the arguments for this in many cases, I don't really see the harm in allowing arbitrary extension HTTP headers (that is, those with an "X-" prefix) to be used in this way when there is a third-party specification that allows it.

It could be argued, however, that Yadis isn't using the http-equiv mechanism in the way it was intended to be used even in HTML 4. The HTML 4 spec for <meta http-equiv="..."> describes it as a mechanism used only on the server; the intention, I guess, was that HTTP servers would parse the HTML before it was served and create "real" HTTP headers matching the values given. I've never seen an HTTP server that actually does this, but it was apparently never intended to be processed by clients.

Fortunately, those who wish to use Yadis while still having a conforming HTML 5 document can use the proper HTTP header X-XRDS-Location. The same cannot be said for OpenID's extensions via <link rel="...">, which are apparently not allowed in HTML 5 either.

Tags: html5, openid, web, whatwg, yadis

  • The next evolution for OpenID?

    This morning at IIW Dick Hardt presented his vision for solving the issue whereby a user is dependent on his OpenID provider being up and non-evil.…

  • Version Targetting for IE8 and beyond

    On A List Apart today is an article on how IE8 will selectively enable its new rendering engine. The executive summary is that pages will now be…

  • Client Certificates: It's easy, man! recently added support for logging in with client certificates. I've heard people talking about client certificates lots of times, but…

  • Post a new comment


    default userpic

    Your reply will be screened

    Your IP address will be recorded 

    When you submit the form an invisible reCAPTCHA check will be performed.
    You must follow the Privacy Policy and Google Terms of use.