Some apps have different language versions. The client could specify what version should be returned to the user by adding an optional parameter like "lang" or "locale" containing the ISO 639-1 code.

I have been implementing this specification for Backdrop CMS via the Well-known module. After reading the specification I was unsure of how I should be handling an anonymous user arriving at http://example.org/.well-known/change-password. Indeed, initially I mistakenly implemented this by redirecting them to the reset password page. This mistake has been corrected, but I think it would be would be nice if the specification was more explicit on this point.

I think it would add clarity if the specification distinguished between changing a password verses resetting a password; and that the expected behaviour for anonymous users is that a website should invite a user to login before redirecting them to the change password page.

There is a reference to this subject in issue #4 by @craigfrancis, so this issue could be considered a duplicate of that one. However, I think it would be helpful to be explicit about the change vs reset terms in the specification.

Hi,

I'm working on implementing the change-password well known URL in Drupal core (see this issue).

A maintainer has asked about the pathway to W3C adoption. They are concerned about the potential of the /.well-known/change-password URL changing when formally adopted by the W3C, resulting in Drupal core having to support a legacy URL.

Are you able to advise on the pathway for this standard to be adopted by W3C (if at all)?

Thanks!

What if there are two apps, https://example.org/appA and https://example.org/appB each with their own login system with different sets of credentials?

See https://news.ycombinator.com/item?id=18618534

It's a good idea to have a well-known URI for this, even though as I understand it, the typical use cases for well-known are cases when it's impossible to use embedded links for identifying a URI.
In this case, at least there's also the case for making the change-password-url discoverable from a resource (such as the home page of a user). I am wondering whether it wouldn't be useful to have a link relation type as well?

We can resolve this when WICG/wicg.github.io#8 and w3c/webappsec#569 land.

Today, we have this:

Clients must handle such redirects when requesting a change password url.

We should better clarify that resolving the Change Password URL may require following more than one redirect. For instance:

https://example.com/.well-known/change-password
may redirect to
https://www.example.com/.well-known/change-password
which may redirect to
https://www.example.com/actual-change-password-page

If a client only followed a single redirect, they’d be misled. This came up in issue #14.

IIRC @mikewest invited us to move this to WebAppSec at TPAC last autumn. I think that's a fine idea. Any objections or concerns?

cc @rmondello @WICG/chairs

See https://news.ycombinator.com/item?id=18620373

As this is to change a password for an existing account, and not for a forgotten password.

If the user is not currently logged on, I assume it's acceptable to redirect to the login page first, then on successful login, redirect to the change password form?

If "Servers must not locate the actual change password page at the change password url" I would expect servers redirect to the actual change password page as a response. However "Clients must handle ok status responses", how would such response should be handled? I guess it should be handled anyway as a valid response, would be great to clarify.

https://github.com/WICG/change-password-url/blob/5ea606f98f1282502fd9e4892d75b1135c5f9751/index.bs#L85

Requested in protocol-registries/well-known-uris#12 and protocol-registries/well-known-uris#13.

Only origins whose scheme is "https" may have a change password url.

This doesn't say what happens if origins who's scheme is "http" attempt to have one anyway.

I suggest deleting the "may" in the quoted sentence, and preferably also adding something that starts with "Clients must not [...]"

In section 3:

Servers must not locate the actual change password page at the change password url, per RFC8615 §1.1 Appropriate Use of Well-Known URIs.

In PR #17, the reference was updated from the obsolete RFC 5785 to the current RFC 8615, leaving the section reference unchanged. However, 8615 does not contain a section 1.1, nor does it contain any section directly addressing the appropriate use of well-known URIs.

The best reference I can find in 8615 to support this spec prohibiting servers from locating the resource itself at the well-known URI is section 1, in which the RFC implies that well-known URIs are for metadata (only?): the penultimate paragraph includes "Future specifications that need to define a resource for such metadata [...]".

See also issue #9.

Hi, WICG chairs are just going through the repos and checking status... I seem to recall Safari supports this feature (and twitter was using it, right?)? Did other browser vendors get behind it? If yes, should we consider moving it to the W3C or WHATWG?

While crawling A Well-Known URL for Changing Passwords, the following normative referenced were detected as pointing to discontinued specifications:

• HTTP-SEMANTICS has been obsoleted by rfc9110

_{This issue was detected and reported semi-automatically by Strudy based on data collected in webref.}

Origins have an ASCII domain, meaning that a host like example.إختبار will show up as example.xn-kgbechtv in the origin, and therefore in the change-password well-known URL. Is that what we'd like?

This was raised on public-webappsec:

I am also concerning that draft is not considering 3rd level domains take over and how an attacker could advertise a password change URL to get a Beef kind of hooking of clients in a bot fashion.

The spec accepts all redirect status codes, as listed in the fetch spec, including the permanent ones: 301 and 308.

Since 301 and 308 inform clients that the redirection is permanent, they might cache the URL found in the Location header, and stop calling the URL that triggered the redirection (here, the well-known URL)
I remember Firefox doing this at some point, and some proxies might also do this.

We can't be sure that website maintainers will not change the URL of their "change password" page. With permanent redirect status codes, some users might land on the old page, or on a 404.

This could be avoided by limiting the redirection status code to 302, 303, and 307.

@terriko raised this concern on public-webappsec:

I do wonder if we should (non-normatively) mention the concern that having a well-known password change url could be used for nefarious purposes (e.g. sending a lot of emails, denial of service if there’s a rate limit on password changes, authentication attacks against security questions, etc.).

see https://github.com/tobie/pr-preview/blob/master/README.md

The response-code-reliability proposal says: If response’s status is an ok status, reject p. Otherwise, resolve p.

Is this ideal? E.g. error codes like 502 Bad Gateway or 503 Service Unavailable don't positively indicate that /.well-known/resource-that-should-not-exist-whose-status-code-should-not-be-200 behaves like expected.

Should we change the spec to look for /.well-known/resource-that-should-not-exist-whose-status-code-should-be-404 ?

I've been experimenting with the .well-known/change-password route on a number of sites. On some, such as https://twitch.tv/, it's currently impossible to detect programatically that the route does not exist.

There are two reasons why this problem occurs:

• You see a redirect, as Twitch redirect users from their "naked" domain to the www subdomain.
• Twitch is a SPA, and doesn't seem to set status codes consistently. You see a 200 on the page you're redirected to, even though it's a 404.
  Requests occasionally go to the cache, and a 404 is correctly returned, so you may need to visit a number of times to observe this behaviour.

While in this example the server is setup incorrectly, for clients wishing to implement this spec, this is still a problem. It would be nice if servers were expected to exhibit additional behaviour (setting a header perhaps) so that more reliable detection could be done.

For my use case, I'm actually making CORS requests, so only know the status code and if we were redirected. It might not be possible for a solution to work for my use case - I certainly can't read headers - but am mentioning in case there is a CORS compatible option here.

I'd suggest being a bit more pedantic about the URL generation algorithm. Perhaps something like:

1.  If |origin| is not a [=potentially trustworthy origin=], return failure.

2.  Assert: |origin| is a [=tuple origin=].

3.  Let |url| be a new [=URL=] with values set as follows:
    
    :   [=url/scheme=]
    ::  |origin|'s [=origin/scheme=]
    :   [=url/host=]
    ::  |origin|'s [=origin/host=]
    :   [=url/port=]
    ::  |origin|'s [=origin/port=]
    :   [=url/path=]
    ::  « "`.well-known`", "`change-password`" ».

4.  Return |url|.  

@annevk might have opinions about whether it's better to generate URLs this way or by feeding strings into the parser (if the latter, you'll need to serialize the origin before parsing it). This seems clearer to me?

See dani-garcia/vaultwarden#1691 (comment) .

We noticed that the current draft does not specify which navigations should be affected by .well-known/change-password. I can think of several possibilities:

1. All navigations
2. All navigations in the main frame
3. Only navigations triggered by the browser (e.g. via a "Change password" button") - but not those triggered by a user-typed URL nor from links nor site-initiated navigations.

My intuition would go with 2 as this allows a website like https://passwords.google.com to just redirect to example.com/.well-known/change-password in the assumption that the user won't be greeted by a 404.

I can also see a reason for 3: In this case there would be less special casing for site-initiated navigations. Also browser extensions would probably have more control.

I don't see a lot of value in 1 (supporting the spec for iframes).

WDYT? @rmondello @hober