diff --git a/specs/mixedcontent/index.html b/specs/mixedcontent/index.html index 7d3729b1..f703e5aa 100644 --- a/specs/mixedcontent/index.html +++ b/specs/mixedcontent/index.html @@ -53,7 +53,7 @@
localhost
), or to a source which can be adequately verified
+ as authentic.
+
+A JavaScript global environment can be called + authenticated if its origin is + authenticated.
+ +These are spelled out in more detail in the + §5.4 + Is origin an authenticated origin? + and §5.5 + Is environment an authenticated environment? + + algorithms. +
Given an origin origin, this algorithm returns
+ authenticated
if the origin is an authenticated origin,
+ and unauthenticated
otherwise.
authenticated
.
+ host
component is
+ localhost
, return
+ authenticated
.
+ host
component matches one of the
+ CIDR notations 127.0.0.0/8
or ::1/128
+ [RFC4632], return authenticated
.
+ scheme
component is
+ file
, return authenticated
.
+ scheme
component is one which the
+ user agent considers to be authenticated, return
+ authenticated
.
+ unauthenticated
.
+ Note: The origin of blob:
and filesystem:
URLs
+ is the origin of the context in which they were created. Therefore, blobs
+ created in an authenticated origin will themselves be authenticated.
Note: Step #5 above is meant to cover vendor-specific URL schemes whose
+ contents are authenticated by the user agent. For example, FirefoxOS
+ application resources are referred to with an URL whose scheme
+ component is app:
. Likewise, Chrome’s extensions and apps
+ live on chrome-extension:
schemes. These could reasonably
+ be considered authenticated origins.
Given a JavaScript global environment environment, this
+ algorithm returns authenticated
if the environment is an
+ authenticated environment, and unauthenticated
+ otherwise.
Document
object of the
+ active document of the browsing context of
+ environment’s global object.
+ Note: Sandboxed documents will have a unique origin. This algorithm uses the
+ location of a sandboxed document to determine whether it should be considered
+ authenticated. That is, the document inside
+ <iframe src="https://example.com/" sandbox="allow-script">
+ would be considered to have an authenticated environment.
+
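Review bot: In the sandboxed-document note at the end of this region, `sandbox="allow-script"` is not a defined sandbox keyword; the HTML token is `allow-scripts`, so the example as written describes a frame in which scripts are still disabled. Suggest `<iframe src="https://example.com/" sandbox="allow-scripts">`. The same note says the algorithm uses the document's location because sandboxed documents have a unique origin, while the definition added at the top of the region says an environment is authenticated "if its origin is authenticated". The definition should defer to the algorithm or mention the sandbox case so the two statements do not contradict each other.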
localhost
), or to a source which can be adequately verified
+ as authentic.
+
+ A JavaScript global environment can be called
+ authenticated if its origin is
+ authenticated.
+
+ These are spelled out in more detail in the
+ [[#is-origin-authenticated]] and [[#is-environment-authenticated]]
+ algorithms.
+ authenticated
if the origin is an authenticated origin,
+ and unauthenticated
otherwise.
+
+ authenticated
.
+ host
component is
+ localhost
, return
+ authenticated
.
+ host
component matches one of the
+ CIDR notations 127.0.0.0/8
or ::1/128
+ [[!RFC4632]], return authenticated
.
+ scheme
component is
+ file
, return authenticated
.
+ scheme
component is one which the
+ user agent considers to be authenticated, return
+ authenticated
.
+ unauthenticated
.
+ blob:
and filesystem:
URLs
+ is the origin of the context in which they were created. Therefore, blobs
+ created in an authenticated origin will themselves be authenticated.
+
+ Note: Step #5 above is meant to cover vendor-specific URL schemes whose
+ contents are authenticated by the user agent. For example, FirefoxOS
+ application resources are referred to with an URL whose scheme
+ component is app:
. Likewise, Chrome's extensions and apps
+ live on chrome-extension:
schemes. These could reasonably
+ be considered authenticated origins.
+ authenticated
if the environment is an
+ authenticated environment, and unauthenticated
+ otherwise.
+
+ <iframe src="https://example.com/" sandbox="allow-script">
+ would be considered to have an authenticated environment.
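Review bot: The loopback step ("host component matches one of the CIDR notations 127.0.0.0/8 or ::1/128") cites only [[!RFC4632]], which defines CIDR for IPv4; the `::1/128` prefix needs an IPv6 addressing reference such as RFC 4291 alongside it. The step should also say that the host must be an IP address literal for the match to apply, since as worded it is unclear how a domain name would "match" a CIDR range. Relatedly, the preceding `localhost` step trusts a name rather than an address, so the text should state whether the user agent is expected to guarantee that the name resolves to loopback before returning authenticated.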