From 58921e0254b0f46e1d0ac53a6fa84afe14397d0c Mon Sep 17 00:00:00 2001
From: Mike West <mike@mikewest.org>
Date: Fri, 28 Nov 2014 11:59:51 +0100
Subject: [PATCH] POWER: Cleaning up definitions.

In response to Chaals' [1], this patch cleans up the definitions section
of the specification. This breaks down into three changes:

1.  Flavor text has been dropped from section 2.1; it now simply lists
    defined terms, and points to their definitions elsewhere in the
    document.

2.  The <dfn> tags have been removed from section 2.2, ensuring that
    Bikeshed's glorious autolinks for those terms point outside this
    document.

3.  "Environment settings object" is now "settings object", which is the
    most that W3C and WHATWG's respective documents seem to be able to
    agree upon.

[1]: http://lists.w3.org/Archives/Public/public-webappsec/2014Nov/0360.html
---
 specs/powerfulfeatures/index.html     | 170 ++++++++++----------------
 specs/powerfulfeatures/index.src.html | 159 ++++++++++++------------
 2 files changed, 144 insertions(+), 185 deletions(-)

diff --git a/specs/powerfulfeatures/index.html b/specs/powerfulfeatures/index.html
index 8e6bdcfe..4ec32e90 100644
--- a/specs/powerfulfeatures/index.html
+++ b/specs/powerfulfeatures/index.html
@@ -53,8 +53,8 @@
 </p>
   <h1 class="p-name no-ref" id=title>Requirements for Powerful Features</h1>
   <h2 class="no-num no-toc no-ref heading settled" id=subtitle><span class=content>Editor’s Draft,
-    <span class=dt-updated><span class=value-title title=20141124>24 November 2014</span></span></span></h2>
-  <div data-fill-with=spec-metadata><dl><dt>This version:<dd><a class=u-url href=https://w3c.github.io/webappsec/specs/powerfulfeatures/>https://w3c.github.io/webappsec/specs/powerfulfeatures/</a><dt>Latest version:<dd><a href=http://www.w3c.org/TR/powerful-features/>http://www.w3c.org/TR/powerful-features/</a><dt>Version History:<dd><a href=https://github.com/w3c/webappsec/commits/master/specs/powerfulfeatures/index.src.html>https://github.com/w3c/webappsec/commits/master/specs/powerfulfeatures/index.src.html</a><dt>Feedback:<dd><span><a href="mailto:public-webappsec@w3.org?subject=%5BPOWER%5D%20feedback">public-webappsec@w3.org</a> with subject line “<kbd>[POWER] <var>… message topic …</var></kbd>” (<a href=http://lists.w3.org/Archives/Public/public-webappsec/ rel=discussion>archives</a>)</span><dt class=editor>Editor:<dd class=editor><div class="p-author h-card vcard"><a class="p-name fn u-email email" href=mailto:mkwst@google.com>Mike West</a> (<span class="p-org org">Google Inc.</span>)</div></dl></div>
+    <span class=dt-updated><span class=value-title title=20141128>28 November 2014</span></span></span></h2>
+  <div data-fill-with=spec-metadata><dl><dt>This version:<dd><a class=u-url href=https://w3c.github.io/webappsec/specs/powerfulfeatures/>https://w3c.github.io/webappsec/specs/powerfulfeatures/</a><dt>Latest version:<dd><a href=http://www.w3c.org/TR/powerful-features/>http://www.w3c.org/TR/powerful-features/</a><dt>Version History:<dd><a href=https://github.com/w3c/webappsec/commits/master/specs/powerfulfeatures/index.src.html>https://github.com/w3c/webappsec/commits/master/specs/powerfulfeatures/index.src.html</a><dt>Feedback:<dd><span><a href="mailto:public-webappsec@w3.org?subject=%5BPOWER%5D%20feedback">public-webappsec@w3.org</a> with subject line “<kbd>[POWER] <var>… message topic …</var></kbd>” (<a href=http://lists.w3.org/Archives/Public/public-webappsec/ rel=discussion>archives</a>)</span><dt>Issue Tracking:<dd><a href=#issues-index>Inline In Spec</a><dt class=editor>Editor:<dd class=editor><div class="p-author h-card vcard"><a class="p-name fn u-email email" href=mailto:mkwst@google.com>Mike West</a> (<span class="p-org org">Google Inc.</span>)</div></dl></div>
   <div data-fill-with=warning></div>
   <p class=copyright data-fill-with=copyright><a href=http://www.w3.org/Consortium/Legal/ipr-notice#Copyright>Copyright</a> © 2014
   <a href=http://www.w3.org/><abbr title="World Wide Web Consortium">W3C</abbr></a><sup>®</sup>
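Review bot: The regenerated metadata line adds an "Issue Tracking" entry (`<dt>Issue Tracking:<dd><a href=#issues-index>Inline In Spec</a>`) next to the date bump, and none of the three changes listed in the commit message covers it. If this is only a side effect of regenerating index.html, say so in the message, or land the regeneration separately so the definitions cleanup can be audited on its own.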
@@ -126,7 +126,7 @@ <h2 class="no-num no-toc no-ref heading settled" id=contents><span class=content
   </span></a><ul class=toc><li><a href=#threat-models><span class=secno>3.1</span> <span class=content>Threat Models</span></a><ul class=toc><li><a href=#passive-network-attacker><span class=secno>3.1.1</span> <span class=content>Passive Network Attacker</span></a><li><a href=#active-network-attacker><span class=secno>3.1.2</span> <span class=content>Active Network Attacker</span></a></ul></ul><li><a href=#algorithms><span class=secno>4</span> <span class=content>Algorithms</span></a><ul class=toc><li><a href=#document-sufficiently-secure><span class=secno>4.1</span> <span class=content>
       Is <var>Document</var> a sufficiently secure context?
     </span></a><li><a href=#settings-sufficiently-secure><span class=secno>4.2</span> <span class=content>
-      Is <var>environment settings object</var> a sufficiently secure context?
+      Is <var>settings object</var> a sufficiently secure context?
     </span></a><li><a href=#is-origin-trustworthy><span class=secno>4.3</span> <span class=content>
       Is <var>origin</var> potentially trustworthy?
     </span></a></ul><li><a href=#implementation-considerations><span class=secno>5</span> <span class=content>Implementation Considerations</span></a><ul class=toc><li><a href=#packaged-applications><span class=secno>5.1</span> <span class=content>Packaged Applications</span></a><li><a href=#development-environments><span class=secno>5.2</span> <span class=content>Development Environments</span></a></ul><li><a href=#acknowledgements><span class=secno>6</span> <span class=content>Acknowledgements</span></a><li><a href=#conformance><span class=secno></span> <span class=content>Conformance</span></a><ul class=toc><li><a href=#conventions><span class=secno></span> <span class=content>Document conventions</span></a><li><a href=#conformant-algorithms><span class=secno></span> <span class=content>Conformant Algorithms</span></a><li><a href=#conformance-classes><span class=secno></span> <span class=content>Conformance Classes</span></a></ul><li><a href=#references><span class=secno></span> <span class=content>References</span></a><ul class=toc><li><a href=#normative><span class=secno></span> <span class=content>Normative References</span></a><li><a href=#informative><span class=secno></span> <span class=content>Informative References</span></a></ul><li><a href=#index><span class=secno></span> <span class=content>Index</span></a><li><a href=#issues-index><span class=secno></span> <span class=content>Issues Index</span></a></ul></div>
@@ -165,11 +165,9 @@ <h2 class="heading settled" data-level=2 id=terms><span class=secno>2. </span><s
 
   <h3 class="heading settled" data-level=2.1 id=terms-defined-here><span class=secno>2.1. </span><span class=content>Terms defined by this specification</span><a class=self-link href=#terms-defined-here></a></h3>
   <dl>
-    <dt><dfn data-dfn-type=dfn data-noexport="" id=powerful-feature>powerful feature<a class=self-link href=#powerful-feature></a></dfn></dt>
+    <dt><dfn data-dfn-type=dfn data-export="" id=powerful-feature>powerful feature<a class=self-link href=#powerful-feature></a></dfn></dt>
     <dd>
-      The considerations around categorizing a feature as
-      <strong>powerful</strong> are explored in more detail in
-      <a data-section="" href=#is-feature-powerful>§3 
+      Defined in <a data-section="" href=#is-feature-powerful>§3 
     Is [insert feature here] powerful?
   </a>.
     </dd>
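Review bot: The `powerful feature` dfn flips from `data-noexport` to `data-export` here, which the commit message does not mention, and `embedding document` further down in the same list stays `data-noexport`. If other specifications are meant to link to "powerful feature", state that in the message and decide deliberately which of the section 2.1 terms are exported; otherwise leave this one unexported.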
@@ -178,91 +176,55 @@ <h3 class="heading settled" data-level=2.1 id=terms-defined-here><span class=sec
       sufficiently secure context
     <a class=self-link href=#sufficiently-secure-context></a></dfn></dt>
     <dd>
-      A <code class=idl><a data-link-type=idl href=http://www.w3.org/TR/html5/dom.html#the-document-object title=Document>Document</a></code> or <a data-link-type=dfn href=#environment-settings-object title="environment settings object">environment settings object</a> is considered
-      <strong>sufficiently secure</strong> to use <a data-link-type=dfn href=#powerful-feature title="powerful features">powerful features</a> if
-      and only if the algorithm defined in <a data-section="" href=#document-sufficiently-secure>§4.1 
+      A <code class=idl><a data-link-type=idl href=http://www.w3.org/TR/html5/dom.html#the-document-object>Document</a></code> is considered <strong>sufficiently secure</strong> if
+      the algorithm defined in <a data-section="" href=#document-sufficiently-secure>§4.1 
       Is Document a sufficiently secure context?
-    </a>
-      or <a data-section="" href=#settings-sufficiently-secure>§4.2 
-      Is environment settings object a sufficiently secure context?
-    </a>, respectively, returns
+    </a> returns
       <code>Sufficiently Secure</code> when executed upon it.
 
-<p>The goal of the normative algorithms noted above is that
-      <a data-link-type=dfn href=#powerful-feature title="powerful features">powerful features</a> only be enabled in the
-      context of an <a data-link-type=dfn href=#origin title=origin>origin</a> with one or more of the following
-      characteristics:</p>
-
-      <ol>
-        <li>
-          The scheme component is either <code>https</code>, <code>wss</code>,
-          or <code>file</code>.
-        </li>
-        <li>
-          The host component is or falls within "localhost." <a data-biblio-type=normative data-link-type=biblio href=#biblio-rfc6761 title=RFC6761>[RFC6761]</a>
-        </li>
-        <li>
-          The host component is an IP address within a
-          <dfn data-dfn-type=dfn data-noexport="" id=loopback-special-purpose-ip-address-range>loopback special-purpose IP address range<a class=self-link href=#loopback-special-purpose-ip-address-range></a></dfn> (i.e.
-          <code>127.0.0.0/8</code> or <code>::1/128</code>) <a data-biblio-type=normative data-link-type=biblio href=#biblio-rfc6890 title=RFC6890>[RFC6890]</a>.
-        </li>
-      </ol>
-    </dd>
-  </dl>
-
-  <h3 class="heading settled" data-level=2.2 id=terms-defined-by-reference><span class=secno>2.2. </span><span class=content>Terms defined by reference</span><a class=self-link href=#terms-defined-by-reference></a></h3>
-  <dl>
-    <dt><dfn data-dfn-type=dfn data-noexport="" id=origin>origin<a class=self-link href=#origin></a></dfn></dt>
-    <dd>
-      An origin defines the scope of authority or privilege under which a
-      resource operates. It is defined in detail in the Origin specification
-      <a data-biblio-type=normative data-link-type=biblio href=#biblio-rfc6454 title=RFC6454>[RFC6454]</a>.
-    </dd>
-
-    <dt>
-      <dfn data-dfn-type=dfn data-local-title="potentially secure" data-noexport="" id=potentially-secure-origin>
-        potentially secure origin
-      <a class=self-link href=#potentially-secure-origin></a></dfn>
-    </dt>
-    <dd>
-      The term <strong>potentially secure origin</strong> is defined in the
-      Mixed Content specification <a data-biblio-type=normative data-link-type=biblio href=#biblio-mix title=MIX>[MIX]</a>.
-    </dd>
-
-    <dt><dfn data-dfn-type=dfn data-noexport="" id=globally-unique-identifier>globally unique identifier<a class=self-link href=#globally-unique-identifier></a></dfn></dt>
-    <dd>
-      This term is defined in
-      <a href=http://tools.ietf.org/html/rfc6454#section-4>Section 4 of
-      RFC6454</a> <a data-biblio-type=normative data-link-type=biblio href=#biblio-rfc6454 title=RFC6454>[RFC6454]</a>.
-
-<p class=note role=note>Note: URLs that do not use
-      <a href=http://tools.ietf.org/html/rfc3986#section-3.2>hierarchical
-      elements</a> as naming authorities (for example: <code>blob:</code>, and
-      <code>data:</code>) have origins which are globally unique identifiers
-      <a data-biblio-type=informative data-link-type=biblio href=#biblio-uri title=URI>[URI]</a>.</p>
-    </dd>
-
-    <dt><dfn data-dfn-type=dfn data-local-title="tls state" data-noexport="" id=request-client-tls-state>request client TLS state<a class=self-link href=#request-client-tls-state></a></dfn></dt>
-    <dt><dfn data-dfn-type=dfn data-noexport="" id=response-tls-state>response TLS state<a class=self-link href=#response-tls-state></a></dfn></dt>
-    <dd>
-      These terms are defined in
-      <a href=http://fetch.spec.whatwg.org/#requests>Section 2.2</a> of the
-      Fetch living standard <a data-biblio-type=normative data-link-type=biblio href=#biblio-fetch title=FETCH>[FETCH]</a>.
-    </dd>
-
-    <dt><dfn data-dfn-type=dfn data-noexport="" id=environment-settings-object>environment settings object<a class=self-link href=#environment-settings-object></a></dfn></dt>
-    <dd>
-      Defined in <a data-biblio-type=normative data-link-type=biblio href=#biblio-html5 title=HTML5>[HTML5]</a>.
+<p>Likewise, a <a data-link-type=dfn href=http://www.w3.org/TR/html5/webappapis.html#settings-object>settings object</a> is considered <strong>sufficiently
+      secure</strong> if the algorithm defined in
+      <a data-section="" href=#settings-sufficiently-secure>§4.2 
+      Is settings object a sufficiently secure context?
+    </a> returns <code>Sufficiently
+      Secure</code> when executed upon it.</p>
     </dd>
 
     <dt><dfn data-dfn-type=dfn data-noexport="" id=embedding-document>embedding document<a class=self-link href=#embedding-document></a></dfn></dt>
     <dd>
-      Given a <code class=idl><a data-link-type=idl href=http://www.w3.org/TR/html5/dom.html#the-document-object title=Document>Document</a></code> <var>A</var>, the <strong>embedding
-      document</strong> of <var>A</var> is the <code class=idl><a data-link-type=idl href=http://www.w3.org/TR/html5/dom.html#the-document-object title=Document>Document</a></code>
+      Given a <code class=idl><a data-link-type=idl href=http://www.w3.org/TR/html5/dom.html#the-document-object>Document</a></code> <var>A</var>, the <strong>embedding
+      document</strong> of <var>A</var> is the <code class=idl><a data-link-type=idl href=http://www.w3.org/TR/html5/dom.html#the-document-object>Document</a></code>
       <a data-link-type=dfn href=http://www.w3.org/TR/html5/browsers.html#browsing-context-nested-through title="nested through">through which</a> <var>A</var>’s <a data-link-type=dfn href=http://www.w3.org/TR/html5/browsers.html#browsing-context title="browsing context">browsing
       context</a> is nested.
     </dd>
   </dl>
+
+  <h3 class="heading settled" data-level=2.2 id=terms-defined-by-reference><span class=secno>2.2. </span><span class=content>Terms defined by reference</span><a class=self-link href=#terms-defined-by-reference></a></h3>
+
+<p>An <strong><a data-link-type=dfn href=https://tools.ietf.org/html/rfc6454#section-3.2>origin</a></strong> defines the scope of authority or privilege
+  under which a resource operates. It boils down to a tuple of scheme, host,
+  and port. The concept is defined in detail in <a data-biblio-type=normative data-link-type=biblio href=#biblio-rfc6454 title=RFC6454>[RFC6454]</a>.</p>
+
+<p>A <strong><a data-link-type=dfn href=http://www.w3.org/TR/mixed-content/#potentially-secure-origin>potentially secure origin</a></strong> is an origin that isn’t
+  insecure <i lang=la>a priori</i>, defined in detail in <a data-biblio-type=normative data-link-type=biblio href=#biblio-mix title=MIX>[MIX]</a>.</p>
+
+<p>The <strong><a data-link-type=dfn href=https://fetch.spec.whatwg.org/#concept-response-tls-state>TLS State</a></strong> of a <strong><code class=idl><a data-link-type=idl href=https://fetch.spec.whatwg.org/#response-class>Response</a></code></strong> is
+  defined in <a data-biblio-type=normative data-link-type=biblio href=#biblio-fetch title=FETCH>[FETCH]</a>.</p>
+
+<p>The following terms are defined in <a data-biblio-type=normative data-link-type=biblio href=#biblio-html5 title=HTML5>[HTML5]</a>:</p>
+
+  <ul>
+    <li><strong><a data-link-type=dfn href=http://www.w3.org/TR/html5/embedded-content-0.html#an-iframe-srcdoc-document>an iframe srcdoc document</a></strong></li>
+    <li><strong><a data-link-type=dfn href=http://www.w3.org/TR/html5/browsers.html#browsing-context>browsing context</a></strong></li>
+    <li><strong><a data-link-type=dfn href=http://www.w3.org/TR/html5/browsers.html#browsing-context-container>browsing context container</a></strong></li>
+    <li><strong><code class=idl><a data-link-type=idl href=http://www.w3.org/TR/html5/dom.html#the-document-object>Document</a></code></strong></li>
+    <li><strong><a data-link-type=dfn href=http://www.w3.org/TR/html5/webappapis.html#incumbent-settings-object>incumbent settings object</a></strong></li>
+    <li><strong><a data-link-type=dfn href=http://www.w3.org/TR/html5/browsers.html#browsing-context-nested-through>nested through</a></strong></li>
+    <li><strong><a data-link-type=dfn href=http://www.w3.org/TR/html5/browsers.html#sandboxed-origin-browsing-context-flag>sandboxed origin browsing context flag</a></strong></li>
+    <li><strong><a data-link-type=dfn href=http://www.w3.org/TR/html5/browsers.html#sandboxing-flag-set>sandboxing flag set</a></strong></li>
+    <li><strong><a data-link-type=dfn href=http://www.w3.org/TR/html5/webappapis.html#settings-object>settings object</a></strong></li>
+    <li><strong><a data-link-type=dfn href=http://www.w3.org/TR/html5/browsers.html#top-level-browsing-context>top-level browsing context</a></strong></li>
+  </ul>
 </section>
 
 <section>
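Review bot: The rewritten "sufficiently secure context" definition weakens "if and only if the algorithm ... returns Sufficiently Secure" to a plain "if", so it no longer says that a Document or settings object failing §4.1/§4.2 is not sufficiently secure; keep "if and only if" in both sentences. The same hunk removes the `loopback special-purpose IP address range` dfn together with the [RFC6761] and [RFC6890] citations, and the `globally unique identifier` entry with its `blob:`/`data:` note. Please check that nothing left in the document (§4.3 in particular) still links to `#loopback-special-purpose-ip-address-range` or `#globally-unique-identifier`, and that the `localhost` and loopback conditions are still stated normatively somewhere now that this summary list is gone.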
@@ -290,8 +252,8 @@ <h2 class="heading settled" data-level=3 id=is-feature-powerful><span class=secn
       <a data-biblio-type=informative data-link-type=biblio href=#biblio-geolocation-api title=GEOLOCATION-API>[GEOLOCATION-API]</a> and <a data-biblio-type=informative data-link-type=biblio href=#biblio-mediacapture-streams title=MEDIACAPTURE-STREAMS>[MEDIACAPTURE-STREAMS]</a> are historical examples.
     </li>
     <li>
-      The feature provides access to or information about other devices a user 
-      has access to.  <a data-biblio-type=informative data-link-type=biblio href=#biblio-discovery title=DISCOVERY>[DISCOVERY]</a> and <a data-biblio-type=informative data-link-type=biblio href=#biblio-bluetooth title=BLUETOOTH>[BLUETOOTH]</a> are good examples.
+      The feature provides access to or information about other devices a user
+      has access to. <a data-biblio-type=informative data-link-type=biblio href=#biblio-discovery title=DISCOVERY>[DISCOVERY]</a> and <a data-biblio-type=informative data-link-type=biblio href=#biblio-bluetooth title=BLUETOOTH>[BLUETOOTH]</a> are good examples.
     </li>
     <li>
       The feature exposes temporary or persistent identifiers, including
@@ -367,26 +329,26 @@ <h3 class="heading settled" data-level=4.1 id=document-sufficiently-secure><span
       Is <var>Document</var> a sufficiently secure context?
     </span><a class=self-link href=#document-sufficiently-secure></a></h3>
 
-<p>Given a <code class=idl><a data-link-type=idl href=http://www.w3.org/TR/html5/dom.html#the-document-object title=Document>Document</a></code> <var>document</var>, this algorithm returns
-    <code>Sufficiently Secure</code> if the <code class=idl><a data-link-type=idl href=http://www.w3.org/TR/html5/dom.html#the-document-object title=Document>Document</a></code> represents a
-    <a data-link-type=dfn href=#sufficiently-secure-context title="sufficiently secure context">sufficiently secure context</a> or <code>Insecure</code> otherwise.</p>
+<p>Given a <code class=idl><a data-link-type=idl href=http://www.w3.org/TR/html5/dom.html#the-document-object>Document</a></code> <var>document</var>, this algorithm returns
+    <code>Sufficiently Secure</code> if the <code class=idl><a data-link-type=idl href=http://www.w3.org/TR/html5/dom.html#the-document-object>Document</a></code> represents a
+    <a data-link-type=dfn href=#sufficiently-secure-context>sufficiently secure context</a> or <code>Insecure</code> otherwise.</p>
 
     <ol>
       <li>
         While <var>document</var> corresponds to <a data-link-type=dfn href=http://www.w3.org/TR/html5/embedded-content-0.html#an-iframe-srcdoc-document title="an iframe srcdoc Document">an iframe srcdoc
         Document</a>, let <var>document</var> be that Document’s <a data-link-type=dfn href=http://www.w3.org/TR/html5/browsers.html#browsing-context title="browsing context">browsing
-        context</a>’s <a data-link-type=dfn href=http://www.w3.org/TR/html5/browsers.html#browsing-context-container title="browsing context container">browsing context container</a>’s <code class=idl><a data-link-type=idl href=http://www.w3.org/TR/html5/dom.html#the-document-object title=Document>Document</a></code>.
+        context</a>’s <a data-link-type=dfn href=http://www.w3.org/TR/html5/browsers.html#browsing-context-container>browsing context container</a>’s <code class=idl><a data-link-type=idl href=http://www.w3.org/TR/html5/dom.html#the-document-object>Document</a></code>.
       </li>
       <li>
-        Let <var>origin</var> be the <a data-link-type=dfn href=#origin title=origin>origin</a> of <var>document</var>.
+        Let <var>origin</var> be the <a data-link-type=dfn href=https://tools.ietf.org/html/rfc6454#section-3.2>origin</a> of <var>document</var>.
       </li>
       <li>
-        If <var>document</var>’s active <a data-link-type=dfn href=http://www.w3.org/TR/html5/browsers.html#sandboxing-flag-set title="sandboxing flag set">sandboxing flag set</a> has its
-        <a data-link-type=dfn href=http://www.w3.org/TR/html5/browsers.html#sandboxed-origin-browsing-context-flag title="sandboxed origin browsing context flag">sandboxed origin browsing context flag</a> set:
+        If <var>document</var>’s active <a data-link-type=dfn href=http://www.w3.org/TR/html5/browsers.html#sandboxing-flag-set>sandboxing flag set</a> has its
+        <a data-link-type=dfn href=http://www.w3.org/TR/html5/browsers.html#sandboxed-origin-browsing-context-flag>sandboxed origin browsing context flag</a> set:
 
         <ol>
           <li>
-            Set <var>origin</var> to the <a data-link-type=dfn href=#origin title=origin>origin</a> of
+            Set <var>origin</var> to the <a data-link-type=dfn href=https://tools.ietf.org/html/rfc6454#section-3.2>origin</a> of
             <var>document</var>’s address.
           </li>
         </ol>
@@ -394,9 +356,9 @@ <h3 class="heading settled" data-level=4.1 id=document-sufficiently-secure><span
       <li>
         Let <var>result</var> be the result of executing the
         <a data-section="" href=#settings-sufficiently-secure>§4.2 
-      Is environment settings object a sufficiently secure context?
+      Is settings object a sufficiently secure context?
     </a> algorithm on <var>document</var>’s
-        <a data-link-type=dfn href=http://www.w3.org/TR/html5/webappapis.html#incumbent-settings-object title="incumbent settings object">incumbent settings object</a>.
+        <a data-link-type=dfn href=http://www.w3.org/TR/html5/webappapis.html#incumbent-settings-object>incumbent settings object</a>.
       </li>
       <li>
         If <var>result</var> is <code>Insecure</code>, return
@@ -407,11 +369,11 @@ <h3 class="heading settled" data-level=4.1 id=document-sufficiently-secure><span
 
         <ol>
           <li>
-            If <var>document</var> has an <a data-link-type=dfn href=#embedding-document title="embedding document">embedding document</a>, return the
+            If <var>document</var> has an <a data-link-type=dfn href=#embedding-document>embedding document</a>, return the
             result of executing <a data-section="" href=#document-sufficiently-secure>§4.1 
       Is Document a sufficiently secure context?
     </a> on
-            <var>document</var>’s <a data-link-type=dfn href=#embedding-document title="embedding document">embedding document</a> with the
+            <var>document</var>’s <a data-link-type=dfn href=#embedding-document>embedding document</a> with the
             <var>ancestors flag</var> set to <code>true</code>.
           </li>
           <li>
@@ -433,16 +395,16 @@ <h3 class="heading settled" data-level=4.1 id=document-sufficiently-secure><span
 
   <section>
     <h3 class="heading settled" data-level=4.2 id=settings-sufficiently-secure><span class=secno>4.2. </span><span class=content>
-      Is <var>environment settings object</var> a sufficiently secure context?
+      Is <var>settings object</var> a sufficiently secure context?
     </span><a class=self-link href=#settings-sufficiently-secure></a></h3>
 
-<p>Given an <a data-link-type=dfn href=#environment-settings-object title="environment settings object">environment settings object</a> <var>settings</var>, this
-    algorithm returns <code>Sufficiently Secure</code> if the object represents
-    a <a data-link-type=dfn href=#sufficiently-secure-context title="sufficiently secure context">sufficiently secure context</a>, and <code>Insecure</code> otherwise.</p>
+<p>Given an <a data-link-type=dfn href=http://www.w3.org/TR/html5/webappapis.html#settings-object>settings object</a> <var>settings</var>, this algorithm returns
+    <code>Sufficiently Secure</code> if the object represents a <a data-link-type=dfn href=#sufficiently-secure-context title="sufficiently secure context">sufficiently
+    secure context</a>, and <code>Insecure</code> otherwise.</p>
 
     <ol>
       <li>
-        If <var>settings</var>' <a data-link-type=dfn href=#request-client-tls-state title="TLS state">TLS state</a> is
+        If <var>settings</var>' <a data-link-type=dfn href=https://fetch.spec.whatwg.org/#concept-response-tls-state>TLS state</a> is
         <code>authenticated</code>, return <code>Sufficiently Secure</code>.
       </li>
       <li>
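Review bot: "Given an settings object" in the new introductory paragraph should read "Given a settings object"; the article is left over from "an environment settings object". Separately, step 1 now links "TLS state" to Fetch's `concept-response-tls-state`, which section 2.2 introduces as the TLS State of a Response, while the link it replaces pointed at `#request-client-tls-state`. A settings object is not a Response, so either link to the request client's TLS state or spell out which response's state the step refers to.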
@@ -450,7 +412,7 @@ <h3 class="heading settled" data-level=4.2 id=settings-sufficiently-secure><span
 
         <ol>
           <li>
-            Let <var>origin</var> be <var>settings</var>' <a data-link-type=dfn href=#origin title=origin>origin</a>.
+            Let <var>origin</var> be <var>settings</var>' <a data-link-type=dfn href=https://tools.ietf.org/html/rfc6454#section-3.2>origin</a>.
           </li>
           <li>
             If the result of executing the <a data-section="" href=#is-origin-trustworthy>§4.3 
@@ -484,13 +446,13 @@ <h3 class="heading settled" data-level=4.3 id=is-origin-trustworthy><span class=
 <p>A user agent MAY choose to extend this trust to other, vendor-specific URL
     schemes like <code>app:</code> or <code>chrome-extension:</code>.</p>
 
-<p>Given an <a data-link-type=dfn href=#origin title=origin>origin</a> <var>origin</var>, the following algorithm returns
+<p>Given an <a data-link-type=dfn href=https://tools.ietf.org/html/rfc6454#section-3.2>origin</a> <var>origin</var>, the following algorithm returns
     <code>Potentially Trustworthy</code> or <code>Not Trustworthy</code> as
     appropriate.</p>
 
     <ol>
       <li>
-        If <var>origin</var> is a <a data-link-type=dfn href=#potentially-secure-origin title="potentially secure origin">potentially secure origin</a>,
+        If <var>origin</var> is a <a data-link-type=dfn href=http://www.w3.org/TR/mixed-content/#potentially-secure-origin>potentially secure origin</a>,
         return <code>Potentially Trustworthy</code>.
 
 <p class=note role=note>Note: The origin of <code>blob:</code> and <code>filesystem:</code> URLs
@@ -618,7 +580,7 @@ <h3 class="no-ref no-num heading settled" id=conformance-classes><span class=con
 
 
 
-<h2 class="no-num heading settled" id=references><span class=content>References</span><a class=self-link href=#references></a></h2><h3 class="no-num heading settled" id=normative><span class=content>Normative References</span><a class=self-link href=#normative></a></h3><dl><dt id=biblio-fetch title=FETCH><a class=self-link href=#biblio-fetch></a>[FETCH]<dd>Anne van Kesteren. <a href=http://fetch.spec.whatwg.org/>Fetch</a>. Living Standard. URL: <a href=http://fetch.spec.whatwg.org/>http://fetch.spec.whatwg.org/</a><dt id=biblio-mix title=MIX><a class=self-link href=#biblio-mix></a>[MIX]<dd>Mike West. <a href=https://w3c.github.io/webappsec/specs/mixedcontent/>Mixed Content</a>. ED. URL: <a href=https://w3c.github.io/webappsec/specs/mixedcontent/>https://w3c.github.io/webappsec/specs/mixedcontent/</a><dt id=biblio-rfc4632 title=RFC4632><a class=self-link href=#biblio-rfc4632></a>[RFC4632]<dd>Vince Fuller; Tony Li. <a href=http://www.ietf.org/rfc/rfc4632.txt>Classless Inter-domain Routing (CIDR): The Internet Address Assignment and Aggregation Plan</a>. RFC. URL: <a href=http://www.ietf.org/rfc/rfc4632.txt>http://www.ietf.org/rfc/rfc4632.txt</a><dt id=biblio-rfc6454 title=RFC6454><a class=self-link href=#biblio-rfc6454></a>[RFC6454]<dd>Adam Barth. <a href=http://www.ietf.org/rfc/rfc6454.txt>The Web Origin Concept</a>. RFC. URL: <a href=http://www.ietf.org/rfc/rfc6454.txt>http://www.ietf.org/rfc/rfc6454.txt</a><dt id=biblio-rfc6761 title=RFC6761><a class=self-link href=#biblio-rfc6761></a>[RFC6761]<dd>Stuart Cheshire; Marc Krochmal. <a href=http://www.ietf.org/rfc/rfc6761.txt>Special-Use Domain Names</a>. RFC. URL: <a href=http://www.ietf.org/rfc/rfc6761.txt>http://www.ietf.org/rfc/rfc6761.txt</a><dt id=biblio-rfc6890 title=RFC6890><a class=self-link href=#biblio-rfc6890></a>[RFC6890]<dd>Michelle Cotton; et al. <a href=http://www.ietf.org/rfc/rfc6890.txt>Special-Purpose IP Address Registries</a>. RFC. 
URL: <a href=http://www.ietf.org/rfc/rfc6890.txt>http://www.ietf.org/rfc/rfc6890.txt</a><dt id=biblio-html5 title=html5><a class=self-link href=#biblio-html5></a>[html5]<dd>Robin Berjon; et al. <a href=http://www.w3.org/TR/html5/>HTML5</a>. 28 October 2014. REC. URL: <a href=http://www.w3.org/TR/html5/>http://www.w3.org/TR/html5/</a><dt id=biblio-rfc2119 title=rfc2119><a class=self-link href=#biblio-rfc2119></a>[rfc2119]<dd>S. Bradner. <a href=http://www.ietf.org/rfc/rfc2119.txt>Key words for use in RFCs to Indicate Requirement Levels</a>. March 1997. Best Current Practice. URL: <a href=http://www.ietf.org/rfc/rfc2119.txt>http://www.ietf.org/rfc/rfc2119.txt</a></dl><h3 class="no-num heading settled" id=informative><span class=content>Informative References</span><a class=self-link href=#informative></a></h3><dl><dt id=biblio-bluetooth title=BLUETOOTH><a class=self-link href=#biblio-bluetooth></a>[BLUETOOTH]<dd>Jeffrey Yasskin; Vincent Scheib. <a href=https://webbluetoothcg.github.io/web-bluetooth/>Web Bluetooth</a>. URL: <a href=https://webbluetoothcg.github.io/web-bluetooth/>https://webbluetoothcg.github.io/web-bluetooth/</a><dt id=biblio-comcast title=COMCAST><a class=self-link href=#biblio-comcast></a>[COMCAST]<dd>David Kravets. <a href=http://arstechnica.com/tech-policy/2014/09/why-comcasts-javascript-ad-injections-threaten-security-net-neutrality/>Comcast Wi-Fi serving self-promotional ads via JavaScript injection</a>. URL: <a href=http://arstechnica.com/tech-policy/2014/09/why-comcasts-javascript-ad-injections-threaten-security-net-neutrality/>http://arstechnica.com/tech-policy/2014/09/why-comcasts-javascript-ad-injections-threaten-security-net-neutrality/</a><dt id=biblio-credential-management title=CREDENTIAL-MANAGEMENT><a class=self-link href=#biblio-credential-management></a>[CREDENTIAL-MANAGEMENT]<dd>Mike West. <a href=https://w3c.github.io/webappsec/specs/credentialmanagement/>Credential Management</a>. ED. 
URL: <a href=https://w3c.github.io/webappsec/specs/credentialmanagement/>https://w3c.github.io/webappsec/specs/credentialmanagement/</a><dt id=biblio-discovery title=DISCOVERY><a class=self-link href=#biblio-discovery></a>[DISCOVERY]<dd>Rich Tibbett. <a href=http://dvcs.w3.org/hg/dap/raw-file/tip/discovery-api/Overview.html>Network Service Discovery</a>. URL: <a href=http://dvcs.w3.org/hg/dap/raw-file/tip/discovery-api/Overview.html>http://dvcs.w3.org/hg/dap/raw-file/tip/discovery-api/Overview.html</a><dt id=biblio-powerful-new-features title=POWERFUL-NEW-FEATURES><a class=self-link href=#biblio-powerful-new-features></a>[POWERFUL-NEW-FEATURES]<dd>Chrome Security Team. <a href=https://www.chromium.org/Home/chromium-security/prefer-secure-origins-for-powerful-new-features>Prefer Secure Origins For Powerful New Features</a>. URL: <a href=https://www.chromium.org/Home/chromium-security/prefer-secure-origins-for-powerful-new-features>https://www.chromium.org/Home/chromium-security/prefer-secure-origins-for-powerful-new-features</a><dt id=biblio-rfc7258 title=RFC7258><a class=self-link href=#biblio-rfc7258></a>[RFC7258]<dd>Stephen Farrell; Hannes Tschofenig. <a href=http://www.ietf.org/rfc/rfc7258.txt>Pervasive Monitoring Is an Attack</a>. RFC. URL: <a href=http://www.ietf.org/rfc/rfc7258.txt>http://www.ietf.org/rfc/rfc7258.txt</a><dt id=biblio-uri title=URI><a class=self-link href=#biblio-uri></a>[URI]<dd>T. Berners-Lee; R. Fielding; L. Masinter. <a href=http://www.ietf.org/rfc/rfc3986.txt>Uniform Resource Identifiers (URI): generic syntax</a>. January 2005. URL: <a href=http://www.ietf.org/rfc/rfc3986.txt>http://www.ietf.org/rfc/rfc3986.txt</a><dt id=biblio-verizon title=VERIZON><a class=self-link href=#biblio-verizon></a>[VERIZON]<dd>Mark Bergen; Alex Kantrowitz. <a href=http://adage.com/article/digital/verizon-target-mobile-subscribers-ads/293356/>Verizon looks to target its mobile subscribers with ads</a>. 
URL: <a href=http://adage.com/article/digital/verizon-target-mobile-subscribers-ads/293356/>http://adage.com/article/digital/verizon-target-mobile-subscribers-ads/293356/</a><dt id=biblio-encrypted-media title=encrypted-media><a class=self-link href=#biblio-encrypted-media></a>[encrypted-media]<dd>David Dorwin; et al. <a href=http://www.w3.org/TR/encrypted-media/>Encrypted Media Extensions</a>. 28 August 2014. WD. URL: <a href=http://www.w3.org/TR/encrypted-media/>http://www.w3.org/TR/encrypted-media/</a><dt id=biblio-geolocation-api title=geolocation-API><a class=self-link href=#biblio-geolocation-api></a>[geolocation-API]<dd>Andrei Popescu. <a href=http://www.w3.org/TR/geolocation-API/>Geolocation API Specification</a>. 24 October 2013. REC. URL: <a href=http://www.w3.org/TR/geolocation-API/>http://www.w3.org/TR/geolocation-API/</a><dt id=biblio-mediacapture-streams title=mediacapture-streams><a class=self-link href=#biblio-mediacapture-streams></a>[mediacapture-streams]<dd>Daniel Burnett; et al. <a href=http://www.w3.org/TR/mediacapture-streams/>Media Capture and Streams</a>. 3 September 2013. WD. URL: <a href=http://www.w3.org/TR/mediacapture-streams/>http://www.w3.org/TR/mediacapture-streams/</a><dt id=biblio-service-workers title=service-workers><a class=self-link href=#biblio-service-workers></a>[service-workers]<dd>Alex Russell; Jungkee Song. <a href=http://www.w3.org/TR/service-workers/>Service Workers</a>. 8 May 2014. WD. 
URL: <a href=http://www.w3.org/TR/service-workers/>http://www.w3.org/TR/service-workers/</a></dl><h2 class="no-num heading settled" id=index><span class=content>Index</span><a class=self-link href=#index></a></h2><ul class=indexlist><li>conformant server, <a href=#conformant-server title="section Unnumbered section">Unnumbered section</a><li>conformant user agent, <a href=#conformant-user-agent title="section Unnumbered section">Unnumbered section</a><li>embedding document, <a href=#embedding-document title="section 2.2">2.2</a><li>environment settings object, <a href=#environment-settings-object title="section 2.2">2.2</a><li>globally unique identifier, <a href=#globally-unique-identifier title="section 2.2">2.2</a><li>loopback special-purpose IP address range, <a href=#loopback-special-purpose-ip-address-range title="section 2.1">2.1</a><li>origin, <a href=#origin title="section 2.2">2.2</a><li>potentially secure, <a href=#potentially-secure-origin title="section 2.2">2.2</a><li>potentially secure origin, <a href=#potentially-secure-origin title="section 2.2">2.2</a><li>powerful feature, <a href=#powerful-feature title="section 2.1">2.1</a><li>request client TLS state, <a href=#request-client-tls-state title="section 2.2">2.2</a><li>response TLS state, <a href=#response-tls-state title="section 2.2">2.2</a><li>sufficiently secure context, <a href=#sufficiently-secure-context title="section 2.1">2.1</a><li>tls state, <a href=#request-client-tls-state title="section 2.2">2.2</a></ul><h2 class="no-num heading settled" id=issues-index><span class=content>Issues Index</span><a class=self-link href=#issues-index></a></h2><div style=counter-reset:issue><div class=issue>We need to distinguish between legacy features like cookies,
+<h2 class="no-num heading settled" id=references><span class=content>References</span><a class=self-link href=#references></a></h2><h3 class="no-num heading settled" id=normative><span class=content>Normative References</span><a class=self-link href=#normative></a></h3><dl><dt id=biblio-fetch title=FETCH><a class=self-link href=#biblio-fetch></a>[FETCH]<dd>Anne van Kesteren. <a href=http://fetch.spec.whatwg.org/>Fetch</a>. Living Standard. URL: <a href=http://fetch.spec.whatwg.org/>http://fetch.spec.whatwg.org/</a><dt id=biblio-mix title=MIX><a class=self-link href=#biblio-mix></a>[MIX]<dd>Mike West. <a href=https://w3c.github.io/webappsec/specs/mixedcontent/>Mixed Content</a>. ED. URL: <a href=https://w3c.github.io/webappsec/specs/mixedcontent/>https://w3c.github.io/webappsec/specs/mixedcontent/</a><dt id=biblio-rfc4632 title=RFC4632><a class=self-link href=#biblio-rfc4632></a>[RFC4632]<dd>Vince Fuller; Tony Li. <a href=http://www.ietf.org/rfc/rfc4632.txt>Classless Inter-domain Routing (CIDR): The Internet Address Assignment and Aggregation Plan</a>. RFC. URL: <a href=http://www.ietf.org/rfc/rfc4632.txt>http://www.ietf.org/rfc/rfc4632.txt</a><dt id=biblio-rfc6454 title=RFC6454><a class=self-link href=#biblio-rfc6454></a>[RFC6454]<dd>Adam Barth. <a href=http://www.ietf.org/rfc/rfc6454.txt>The Web Origin Concept</a>. RFC. URL: <a href=http://www.ietf.org/rfc/rfc6454.txt>http://www.ietf.org/rfc/rfc6454.txt</a><dt id=biblio-rfc6761 title=RFC6761><a class=self-link href=#biblio-rfc6761></a>[RFC6761]<dd>Stuart Cheshire; Marc Krochmal. <a href=http://www.ietf.org/rfc/rfc6761.txt>Special-Use Domain Names</a>. RFC. URL: <a href=http://www.ietf.org/rfc/rfc6761.txt>http://www.ietf.org/rfc/rfc6761.txt</a><dt id=biblio-html5 title=html5><a class=self-link href=#biblio-html5></a>[html5]<dd>Robin Berjon; et al. <a href=http://www.w3.org/TR/html5/>HTML5</a>. 28 October 2014. REC. 
URL: <a href=http://www.w3.org/TR/html5/>http://www.w3.org/TR/html5/</a><dt id=biblio-rfc2119 title=rfc2119><a class=self-link href=#biblio-rfc2119></a>[rfc2119]<dd>S. Bradner. <a href=http://www.ietf.org/rfc/rfc2119.txt>Key words for use in RFCs to Indicate Requirement Levels</a>. March 1997. Best Current Practice. URL: <a href=http://www.ietf.org/rfc/rfc2119.txt>http://www.ietf.org/rfc/rfc2119.txt</a></dl><h3 class="no-num heading settled" id=informative><span class=content>Informative References</span><a class=self-link href=#informative></a></h3><dl><dt id=biblio-bluetooth title=BLUETOOTH><a class=self-link href=#biblio-bluetooth></a>[BLUETOOTH]<dd>Jeffrey Yasskin; Vincent Scheib. <a href=https://webbluetoothcg.github.io/web-bluetooth/>Web Bluetooth</a>. URL: <a href=https://webbluetoothcg.github.io/web-bluetooth/>https://webbluetoothcg.github.io/web-bluetooth/</a><dt id=biblio-comcast title=COMCAST><a class=self-link href=#biblio-comcast></a>[COMCAST]<dd>David Kravets. <a href=http://arstechnica.com/tech-policy/2014/09/why-comcasts-javascript-ad-injections-threaten-security-net-neutrality/>Comcast Wi-Fi serving self-promotional ads via JavaScript injection</a>. URL: <a href=http://arstechnica.com/tech-policy/2014/09/why-comcasts-javascript-ad-injections-threaten-security-net-neutrality/>http://arstechnica.com/tech-policy/2014/09/why-comcasts-javascript-ad-injections-threaten-security-net-neutrality/</a><dt id=biblio-credential-management title=CREDENTIAL-MANAGEMENT><a class=self-link href=#biblio-credential-management></a>[CREDENTIAL-MANAGEMENT]<dd>Mike West. <a href=https://w3c.github.io/webappsec/specs/credentialmanagement/>Credential Management</a>. ED. URL: <a href=https://w3c.github.io/webappsec/specs/credentialmanagement/>https://w3c.github.io/webappsec/specs/credentialmanagement/</a><dt id=biblio-discovery title=DISCOVERY><a class=self-link href=#biblio-discovery></a>[DISCOVERY]<dd>Rich Tibbett. 
<a href=http://dvcs.w3.org/hg/dap/raw-file/tip/discovery-api/Overview.html>Network Service Discovery</a>. URL: <a href=http://dvcs.w3.org/hg/dap/raw-file/tip/discovery-api/Overview.html>http://dvcs.w3.org/hg/dap/raw-file/tip/discovery-api/Overview.html</a><dt id=biblio-powerful-new-features title=POWERFUL-NEW-FEATURES><a class=self-link href=#biblio-powerful-new-features></a>[POWERFUL-NEW-FEATURES]<dd>Chrome Security Team. <a href=https://www.chromium.org/Home/chromium-security/prefer-secure-origins-for-powerful-new-features>Prefer Secure Origins For Powerful New Features</a>. URL: <a href=https://www.chromium.org/Home/chromium-security/prefer-secure-origins-for-powerful-new-features>https://www.chromium.org/Home/chromium-security/prefer-secure-origins-for-powerful-new-features</a><dt id=biblio-rfc7258 title=RFC7258><a class=self-link href=#biblio-rfc7258></a>[RFC7258]<dd>Stephen Farrell; Hannes Tschofenig. <a href=http://www.ietf.org/rfc/rfc7258.txt>Pervasive Monitoring Is an Attack</a>. RFC. URL: <a href=http://www.ietf.org/rfc/rfc7258.txt>http://www.ietf.org/rfc/rfc7258.txt</a><dt id=biblio-verizon title=VERIZON><a class=self-link href=#biblio-verizon></a>[VERIZON]<dd>Mark Bergen; Alex Kantrowitz. <a href=http://adage.com/article/digital/verizon-target-mobile-subscribers-ads/293356/>Verizon looks to target its mobile subscribers with ads</a>. URL: <a href=http://adage.com/article/digital/verizon-target-mobile-subscribers-ads/293356/>http://adage.com/article/digital/verizon-target-mobile-subscribers-ads/293356/</a><dt id=biblio-encrypted-media title=encrypted-media><a class=self-link href=#biblio-encrypted-media></a>[encrypted-media]<dd>David Dorwin; et al. <a href=http://www.w3.org/TR/encrypted-media/>Encrypted Media Extensions</a>. 28 August 2014. WD. 
URL: <a href=http://www.w3.org/TR/encrypted-media/>http://www.w3.org/TR/encrypted-media/</a><dt id=biblio-geolocation-api title=geolocation-API><a class=self-link href=#biblio-geolocation-api></a>[geolocation-API]<dd>Andrei Popescu. <a href=http://www.w3.org/TR/geolocation-API/>Geolocation API Specification</a>. 24 October 2013. REC. URL: <a href=http://www.w3.org/TR/geolocation-API/>http://www.w3.org/TR/geolocation-API/</a><dt id=biblio-mediacapture-streams title=mediacapture-streams><a class=self-link href=#biblio-mediacapture-streams></a>[mediacapture-streams]<dd>Daniel Burnett; et al. <a href=http://www.w3.org/TR/mediacapture-streams/>Media Capture and Streams</a>. 3 September 2013. WD. URL: <a href=http://www.w3.org/TR/mediacapture-streams/>http://www.w3.org/TR/mediacapture-streams/</a><dt id=biblio-service-workers title=service-workers><a class=self-link href=#biblio-service-workers></a>[service-workers]<dd>Alex Russell; Jungkee Song. <a href=http://www.w3.org/TR/service-workers/>Service Workers</a>. 8 May 2014. WD. URL: <a href=http://www.w3.org/TR/service-workers/>http://www.w3.org/TR/service-workers/</a></dl><h2 class="no-num heading settled" id=index><span class=content>Index</span><a class=self-link href=#index></a></h2><ul class=indexlist><li>conformant server, <a href=#conformant-server title="section Unnumbered section">Unnumbered section</a><li>conformant user agent, <a href=#conformant-user-agent title="section Unnumbered section">Unnumbered section</a><li>embedding document, <a href=#embedding-document title="section 2.1">2.1</a><li>powerful feature, <a href=#powerful-feature title="section 2.1">2.1</a><li>sufficiently secure context, <a href=#sufficiently-secure-context title="section 2.1">2.1</a></ul><h2 class="no-num heading settled" id=issues-index><span class=content>Issues Index</span><a class=self-link href=#issues-index></a></h2><div style=counter-reset:issue><div class=issue>We need to distinguish between legacy features like cookies,
   <code>localStorage</code>, IndexedDB, etc, which all persist state (and
   potentially identifiers) across browsing sessions. They’re certainly not
   features we can reasonably limit to secure contexts in the forseeable future.
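Review bot: In the regenerated index, "loopback special-purpose IP address range" disappears, and the normative reference list on the "+" line goes straight from [RFC6761] to [html5], so [RFC6890] is gone as well, yet index.src.html gains no anchor entry for that term. If the secure-context algorithms later in the spec still name the loopback range (127.0.0.0/8, ::1/128), they are left without a definition or link target; either move the dfn into the algorithm section or add an anchor for it. Separately, consider keeping the generated index.html out of the review diff, since its single-line reference blocks make the real change hard to see.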
diff --git a/specs/powerfulfeatures/index.src.html b/specs/powerfulfeatures/index.src.html
index 2508644d..0db0b843 100644
--- a/specs/powerfulfeatures/index.src.html
+++ b/specs/powerfulfeatures/index.src.html
@@ -24,7 +24,7 @@ <h1>Requirements for Powerful Features</h1>
 ██     ██ ██    ██  ██████  ██     ██  ███████  ██     ██  ██████ 
 -->
 <!--
-    HTML Definitions
+    Definitions
 -->
 <pre class="anchors">
 [
@@ -56,6 +56,13 @@ <h1>Requirements for Powerful Features</h1>
     "shortname": "html5",
     "level": 0
   },
+  {
+    "linkingText": "origin",
+    "type": "dfn",
+    "url": "https://tools.ietf.org/html/rfc6454#section-3.2",
+    "shortname": "RFC6454",
+    "level": 0
+  },
   {
     "linkingText": "nested through",
     "type": "dfn",
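Review bot: The new "origin" entry is inserted ahead of "nested through", which breaks the alphabetical ordering the rest of this anchor list follows (nested through, potentially secure origin, sandboxed origin browsing context flag, settings object, tls state, top-level browsing context). Move it below the "nested through" entry so later additions are easy to place and duplicates are easy to spot.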
@@ -63,6 +70,13 @@ <h1>Requirements for Powerful Features</h1>
     "shortname": "html5",
     "level": 0
   },
+  {
+    "linkingText": "potentially secure origin",
+    "type": "dfn",
+    "url": "http://www.w3.org/TR/mixed-content/#potentially-secure-origin",
+    "shortname": "MIX",
+    "level": 0
+  },
   {
     "linkingText": "sandboxed origin browsing context flag",
     "type": "dfn",
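Review bot: The "potentially secure origin" anchor points at http://www.w3.org/TR/mixed-content/#potentially-secure-origin, but the [MIX] entry in the generated reference list resolves to the editor's draft at https://w3c.github.io/webappsec/specs/mixedcontent/. Readers who follow the autolink and readers who follow the citation end up in two different documents that can drift apart. Pick one target for both, and use the https form of the URL in the anchor.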
@@ -77,6 +91,20 @@ <h1>Requirements for Powerful Features</h1>
     "shortname": "html5",
     "level": 0
   },
+  {
+    "linkingText": "settings object",
+    "type": "dfn",
+    "url": "http://www.w3.org/TR/html5/webappapis.html#settings-object",
+    "shortname": "html5",
+    "level": 0
+  },
+  {
+    "linkingText": "tls state",
+    "type": "dfn",
+    "url": "https://fetch.spec.whatwg.org/#concept-response-tls-state",
+    "shortname": "FETCH",
+    "level": 0
+  },
   {
     "linkingText": "top-level browsing context",
     "type": "dfn",
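Review bot: Only the response side gets an anchor here: "tls state" maps to #concept-response-tls-state, while the definitions removed later in this patch covered both "request client TLS state" and "response TLS state". If any algorithm step still consults the request client's TLS state, that term is now undefined and unlinked; add a second anchor for it, or confirm in the commit message that the term is no longer used.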
@@ -87,7 +115,7 @@ <h1>Requirements for Powerful Features</h1>
 ]
 </pre>
 <!--
-    HTML Interfaces
+    Interfaces
 -->
 <pre class="anchors">
 [
@@ -97,6 +125,13 @@ <h1>Requirements for Powerful Features</h1>
     "url": "http://www.w3.org/TR/html5/dom.html#the-document-object",
     "shortname": "html5",
     "level": 0
+  },
+  {
+    "linkingText": "response",
+    "type": "interface",
+    "url": "https://fetch.spec.whatwg.org/#response-class",
+    "shortname": "FETCH",
+    "level": 0
   }
 ]
 </pre>
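Review bot: "linkingText": "response" is lowercase, but the prose added in this patch links the term as {{Response}}. Please confirm the interface autolink resolves with that casing, and match whatever casing the existing Document entry above uses so both interface anchors behave the same way. The anchor URL also uses https://fetch.spec.whatwg.org/ where the [FETCH] bibliography entry uses http://; aligning the two avoids two spellings of the same source.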
@@ -143,88 +178,23 @@ <h2 id="terms">Key Concepts and Terminology</h2>
 
   <h3 id="terms-defined-here">Terms defined by this specification</h3>
   <dl>
-    <dt><dfn>powerful feature</dfn></dt>
+    <dt><dfn export>powerful feature</dfn></dt>
     <dd>
-      The considerations around categorizing a feature as
-      <strong>powerful</strong> are explored in more detail in
-      [[#is-feature-powerful]].
+      Defined in [[#is-feature-powerful]].
     </dd>
 
     <dt><dfn export>
       sufficiently secure context
     </dfn></dt>
     <dd>
-      A {{Document}} or <a>environment settings object</a> is considered
-      <strong>sufficiently secure</strong> to use <a>powerful features</a> if
-      and only if the algorithm defined in [[#document-sufficiently-secure]]
-      or [[#settings-sufficiently-secure]], respectively, returns
+      A {{Document}} is considered <strong>sufficiently secure</strong> if
+      the algorithm defined in [[#document-sufficiently-secure]] returns
       <code>Sufficiently Secure</code> when executed upon it.
 
-      The goal of the normative algorithms noted above is that
-      <a>powerful features</a> only be enabled in the
-      context of an <a>origin</a> with one or more of the following
-      characteristics:
-     
-      <ol>
-        <li>
-          The scheme component is either <code>https</code>, <code>wss</code>,
-          or <code>file</code>.
-        </li>
-        <li>
-          The host component is or falls within "localhost." [[!RFC6761]]
-        </li>
-        <li>
-          The host component is an IP address within a
-          <dfn>loopback special-purpose IP address range</dfn> (i.e.
-          <code>127.0.0.0/8</code> or <code>::1/128</code>) [[!RFC6890]].
-        </li>
-      </ol>
-    </dd>
-  </dl>
-
-  <h3 id="terms-defined-by-reference">Terms defined by reference</h3>
-  <dl>
-    <dt><dfn>origin</dfn></dt>
-    <dd>
-      An origin defines the scope of authority or privilege under which a
-      resource operates. It is defined in detail in the Origin specification
-      [[!RFC6454]].
-    </dd>
-
-    <dt>
-      <dfn local-title="potentially secure">
-        potentially secure origin
-      </dfn>
-    </dt>
-    <dd>
-      The term <strong>potentially secure origin</strong> is defined in the
-      Mixed Content specification [[!MIX]].
-    </dd>
-
-    <dt><dfn>globally unique identifier</dfn></dt>
-    <dd>
-      This term is defined in
-      <a href="http://tools.ietf.org/html/rfc6454#section-4">Section 4 of
-      RFC6454</a> [[!RFC6454]].
-
-      Note: URLs that do not use
-      <a href="http://tools.ietf.org/html/rfc3986#section-3.2">hierarchical
-      elements</a> as naming authorities (for example: <code>blob:</code>, and
-      <code>data:</code>) have origins which are globally unique identifiers
-      [[URI]].
-    </dd>
-
-    <dt><dfn local-title="tls state">request client TLS state</dfn></dt>
-    <dt><dfn>response TLS state</dfn></dt>
-    <dd>
-      These terms are defined in
-      <a href="http://fetch.spec.whatwg.org/#requests">Section 2.2</a> of the
-      Fetch living standard [[!FETCH]].
-    </dd>
-
-    <dt><dfn>environment settings object</dfn></dt>
-    <dd>
-      Defined in [[!HTML5]].
+      Likewise, a <a>settings object</a> is considered <strong>sufficiently
+      secure</strong> if the algorithm defined in
+      [[#settings-sufficiently-secure]] returns <code>Sufficiently
+      Secure</code> when executed upon it.
     </dd>
 
     <dt><dfn>embedding document</dfn></dt>
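Review bot: The rewritten definition of "sufficiently secure context" weakens "if and only if" to a plain "if", for the {{Document}} sentence and for the new settings object sentence alike. As worded, the algorithms become one way to qualify rather than the only way, which is a normative change hidden inside a cleanup patch. Restore "if and only if" in both sentences, or add "and is not sufficiently secure otherwise". Dropping the three-item summary of schemes and hosts is fine as long as the algorithm sections carry that content on their own.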
@@ -235,6 +205,33 @@ <h3 id="terms-defined-by-reference">Terms defined by reference</h3>
       context</a> is nested.
     </dd>
   </dl>
+
+  <h3 id="terms-defined-by-reference">Terms defined by reference</h3>
+
+  An <strong><a>origin</a></strong> defines the scope of authority or privilege
+  under which a resource operates. It boils down to a tuple of scheme, host,
+  and port. The concept is defined in detail in [[!RFC6454]].
+
+  A <strong><a>potentially secure origin</a></strong> is an origin that isn't
+  insecure <i lang="la">a priori</i>, defined in detail in [[!MIX]].
+
+  The <strong><a>TLS State</a></strong> of a <strong>{{Response}}</strong> is
+  defined in [[!FETCH]].
+
+  The following terms are defined in [[!HTML5]]:
+
+  <ul>
+    <li><strong><a>an iframe srcdoc document</a></strong></li>
+    <li><strong><a>browsing context</a></strong></li>
+    <li><strong><a>browsing context container</a></strong></li>
+    <li><strong>{{Document}}</strong></li>
+    <li><strong><a>incumbent settings object</a></strong></li>
+    <li><strong><a>nested through</a></strong></li>
+    <li><strong><a>sandboxed origin browsing context flag</a></strong></li>
+    <li><strong><a>sandboxing flag set</a></strong></li>
+    <li><strong><a>settings object</a></strong></li>
+    <li><strong><a>top-level browsing context</a></strong></li>
+  </ul>
 </section>
 
 <section>
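Review bot: "It boils down to a tuple of scheme, host, and port" understates what an origin can be. The note removed earlier in this patch pointed out that blob: and data: URLs have origins that are globally unique identifiers, and a reader applying the tuple description to those URLs gets the wrong picture. Either soften the sentence (for example "typically a tuple of ...") or keep a one-line mention of globally unique identifiers next to the [[!RFC6454]] pointer. Also, the link text "TLS State" is capitalized differently from the "tls state" anchor added above; use one spelling in both places.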
@@ -262,8 +259,8 @@ <h2 id="is-feature-powerful">
       [[GEOLOCATION-API]] and [[MEDIACAPTURE-STREAMS]] are historical examples.
     </li>
     <li>
-      The feature provides access to or information about other devices a user 
-      has access to.  [[DISCOVERY]] and [[BLUETOOTH]] are good examples.
+      The feature provides access to or information about other devices a user
+      has access to. [[DISCOVERY]] and [[BLUETOOTH]] are good examples.
     </li>
     <li>
       The feature exposes temporary or persistent identifiers, including
@@ -401,12 +398,12 @@ <h3 id="document-sufficiently-secure">
 
   <section>
     <h3 id="settings-sufficiently-secure">
-      Is <var>environment settings object</var> a sufficiently secure context?
+      Is <var>settings object</var> a sufficiently secure context?
     </h3>
 
-    Given an <a>environment settings object</a> <var>settings</var>, this
-    algorithm returns <code>Sufficiently Secure</code> if the object represents
-    a <a>sufficiently secure context</a>, and <code>Insecure</code> otherwise.
+    Given an <a>settings object</a> <var>settings</var>, this algorithm returns
+    <code>Sufficiently Secure</code> if the object represents a <a>sufficiently
+    secure context</a>, and <code>Insecure</code> otherwise.
 
     <ol>
       <li>
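Review bot: "Given an <a>settings object</a>" is left with the wrong article after "environment" was dropped; it should read "Given a <a>settings object</a>". In the heading, <var>settings object</var> names the variable with the term itself while the body calls it <var>settings</var>; using <var>settings</var> in both places would be consistent.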