
[giow] (2) Recast how origins are defined to explicitly use the concept of an origin 'alias' and fix the definitions for about:blank docs to use this new definition.

Affected topics: HTML, Security

git-svn-id: http://svn.whatwg.org/webapps@7141 340c8d12-0b0e-0410-8428-c7bf67bfef74
Hixie committed Jun 22, 2012
1 parent 1dfe433 commit 035cff362068095b212b2d5afb1236467cd18ea5
Showing with 551 additions and 186 deletions.
  1. +178 −62 complete.html
  2. +178 −62 index
  3. +195 −62 source
specifically to be immediately navigated, then that initial
navigation will have <a href=#replacement-enabled>replacement enabled</a>.</p>

<p id=about-blank-origin>The <a href=#origin>origin</a> of the
<code><a href=#about:blank>about:blank</a></code> <code><a href=#document>Document</a></code> is set when the
<code><a href=#document>Document</a></code> is created. If the new <a href=#browsing-context>browsing
context</a> has a <a href=#creator-browsing-context>creator browsing context</a>, then the
<a href=#origin>origin</a> of the <code><a href=#about:blank>about:blank</a></code>
<code><a href=#document>Document</a></code> is the <a href=#origin>origin</a> of the
<a href=#creator-document>creator <code>Document</code></a>. Otherwise, the
<a href=#origin>origin</a> of the <code><a href=#about:blank>about:blank</a></code>
<code><a href=#document>Document</a></code> is a globally unique identifier assigned when
the new <a href=#browsing-context>browsing context</a> is created.</p>
<p id=about-blank-origin>The <a href=#origin>origin</a> and
<a href=#effective-script-origin>effective script origin</a> of the <code><a href=#about:blank>about:blank</a></code>
<code><a href=#document>Document</a></code> are set when the <code><a href=#document>Document</a></code> is
created. If the new <a href=#browsing-context>browsing context</a> has a
<a href=#creator-browsing-context>creator browsing context</a>, then the <a href=#origin>origin</a>
of the <code><a href=#about:blank>about:blank</a></code> <code><a href=#document>Document</a></code> is an <a href=#concept-origin-alias title=concept-origin-alias>alias</a> to the <a href=#origin>origin</a>
of the <a href=#creator-document>creator <code>Document</code></a> and the
<a href=#effective-script-origin>effective script origin</a> of the <code><a href=#about:blank>about:blank</a></code>
<code><a href=#document>Document</a></code> is initially an <a href=#concept-origin-alias title=concept-origin-alias>alias</a> to the <a href=#effective-script-origin>effective
script origin</a> of the <a href=#creator-document>creator
<code>Document</code></a>. Otherwise, the <a href=#origin>origin</a> of
the <code><a href=#about:blank>about:blank</a></code> <code><a href=#document>Document</a></code> is a globally
unique identifier assigned when the new <a href=#browsing-context>browsing
context</a> is created and the <a href=#effective-script-origin>effective script
origin</a> of the <code><a href=#about:blank>about:blank</a></code> <code><a href=#document>Document</a></code>
is initially an <a href=#concept-origin-alias title=concept-origin-alias>alias</a> to
its <a href=#origin>origin</a>.</p>

</div>
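
Review bot: In the new about-blank-origin paragraph, the creator case makes the effective script origin "initially an alias" to the creator Document's effective script origin, but nothing states what follows when the creator later sets document.domain. By the alias definition added in this patch, the about:blank Document follows that change until its own effective script origin is de-aliased. That decides whether a parent and its blank child frame remain same-origin for scripting, so consider adding a note that states the consequence and says what ends the "initially" state (as far as this patch shows, only the document.domain setter).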

secure certificate changes, the origin is considered to change as
well.</p>


<div class=impl>

<p>An <a href=#origin>origin</a> or <a href=#effective-script-origin>effective script origin</a>
can be defined as an <dfn id=concept-origin-alias title=concept-origin-alias>alias</dfn>
to another <a href=#origin>origin</a> or <a href=#effective-script-origin>effective script
origin</a>. The value of the <a href=#origin>origin</a> or
<a href=#effective-script-origin>effective script origin</a> is then the value of the
<a href=#origin>origin</a> or <a href=#effective-script-origin>effective script origin</a> to which
it is an alias.</p>

<p>These characteristics are defined as follows:</p>

<dl><dt>For URLs</dt>
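
Review bot: The alias definition does not say how chains of aliases resolve. Elsewhere in this patch an about:blank Document's origin is an alias to its creator Document's origin, which for a network-served creator is itself an alias to the origin of the Document's address, so "the value of the origin ... to which it is an alias" has to be read recursively. Suggest stating that the value is found by following aliases until a non-alias origin is reached, and that an alias cannot refer back to itself, directly or indirectly.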
sandboxing flag set</a> has its <a href=#sandboxed-origin-browsing-context-flag>sandboxed origin
browsing context flag</a> set</dt>

<dd>The <a href=#origin>origin</a> is a globally unique identifier
assigned when the <code><a href=#document>Document</a></code> is created.</dd>
<dd>

<p>The <a href=#origin>origin</a> is a globally unique identifier
assigned when the <code><a href=#document>Document</a></code> is created.</p>

<p>The <a href=#effective-script-origin>effective script origin</a> is initially an
<a href=#concept-origin-alias title=concept-origin-alias>alias</a> to the
<a href=#origin>origin</a> of the <code><a href=#document>Document</a></code>.</p>

</dd>


<dt>If a <code><a href=#document>Document</a></code> was generated from a <a href=#javascript-protocol title="javascript protocol"><code>javascript:</code>
URL</a></dt>

<dd>The <a href=#origin>origin</a> is equal to the <a href=#origin>origin</a>
of the script of that <a href=#javascript-protocol title="javascript
protocol"><code>javascript:</code> URL</a>.</dd>
<dd>

<p>The <a href=#origin>origin</a> is an <a href=#concept-origin-alias title=concept-origin-alias>alias</a> to the
<a href=#origin>origin</a> of the script of that <a href=#javascript-protocol title="javascript protocol"><code>javascript:</code>
URL</a>.</p>

<p>The <a href=#effective-script-origin>effective script origin</a> is initially an
<a href=#concept-origin-alias title=concept-origin-alias>alias</a> to the
<a href=#origin>origin</a> of the <code><a href=#document>Document</a></code>.</p>

</dd>


<dt>If a <code><a href=#document>Document</a></code> was served over the network and
has an address that uses a URL scheme with a server-based naming
authority</dt>

<dd>The <a href=#origin>origin</a> is the <a href=#origin>origin</a> of
<a href="#the-document's-address">the <code>Document</code>'s address</a>.</dd>
<dd>

<p>The <a href=#origin>origin</a> is an <a href=#concept-origin-alias title=concept-origin-alias>alias</a> to the
<a href=#origin>origin</a> of <a href="#the-document's-address">the <code>Document</code>'s
address</a>.</p>

<p>The <a href=#effective-script-origin>effective script origin</a> is initially an
<a href=#concept-origin-alias title=concept-origin-alias>alias</a> to the
<a href=#origin>origin</a> of the <code><a href=#document>Document</a></code>.</p>

</dd>


<dt>If a <code><a href=#document>Document</a></code> was generated from a <a href=#data-protocol title="data protocol"><code title="">data:</code> URL</a> that
was returned as the location of an HTTP redirect (<a href=#concept-http-equivalent-codes title=concept-http-equivalent-codes>or equivalent</a> in
other protocols)</dt>

<dd>The <a href=#origin>origin</a> is the <a href=#origin>origin</a> of the
<a href=#url>URL</a> that redirected to the <a href=#data-protocol title="data
protocol"><code title="">data:</code> URL</a>.</dd>
<dd>

<p>The <a href=#origin>origin</a> is an <a href=#concept-origin-alias title=concept-origin-alias>alias</a> to the
<a href=#origin>origin</a> of the <a href=#url>URL</a> that redirected to
the <a href=#data-protocol title="data protocol"><code title="">data:</code>
URL</a>.</p>

<p>The <a href=#effective-script-origin>effective script origin</a> is initially an
<a href=#concept-origin-alias title=concept-origin-alias>alias</a> to the
<a href=#origin>origin</a> of the <code><a href=#document>Document</a></code>.</p>

</dd>


<dt>If a <code><a href=#document>Document</a></code> was generated from a <a href=#data-protocol title="data protocol"><code title="">data:</code> URL</a>
found in another <code><a href=#document>Document</a></code> or in a script</dt>

<dd>The <a href=#origin>origin</a> is the <a href=#origin>origin</a> of the
<code><a href=#document>Document</a></code> or script that initiated the <a href=#navigate title=navigate>navigation</a> to that <a href=#url>URL</a>.</dd>
<dd>

<p>The <a href=#origin>origin</a> is an <a href=#concept-origin-alias title=concept-origin-alias>alias</a> to the
<a href=#origin>origin</a> of the <code><a href=#document>Document</a></code> or script that
initiated the <a href=#navigate title=navigate>navigation</a> to that
<a href=#url>URL</a>.</p>

<p>The <a href=#effective-script-origin>effective script origin</a> is initially an
<a href=#concept-origin-alias title=concept-origin-alias>alias</a> to the
<a href=#effective-script-origin>effective script origin</a> of the
<code><a href=#document>Document</a></code> or script that initiated the <a href=#navigate title=navigate>navigation</a> to that <a href=#url>URL</a>.</p>

</dd>


<dt>If a <code><a href=#document>Document</a></code> has the <a href="#the-document's-address" title="the
document's address">address</a>
"<code><a href=#about:blank>about:blank</a></code>"</dt>

<dd>The <a href=#origin>origin</a> of the <code><a href=#document>Document</a></code> is <a href=#about-blank-origin>the <span>origin</span> it was
assigned when its browsing context was created</a>.</dd>
<dd>

<p>The <a href=#origin>origin</a> and <a href=#effective-script-origin>effective script
origin</a> of the <code><a href=#document>Document</a></code> are <a href=#about-blank-origin>those it was assigned when its
browsing context was created</a>.</p>

</dd>


<dt>If a <code><a href=#document>Document</a></code> is <a href=#an-iframe-srcdoc-document>an <code>iframe</code> <code title=attr-iframe-srcdoc>srcdoc</code> document</a></dt>

<dd>The <a href=#origin>origin</a> of the <code><a href=#document>Document</a></code> is the
<a href=#origin>origin</a> of the <code><a href=#document>Document</a></code>'s <a href=#browsing-context>browsing
context</a>'s <a href=#browsing-context-container>browsing context container</a>'s
<code><a href=#document>Document</a></code>.</dd>
<dd>

<p>The <a href=#origin>origin</a> of the <code><a href=#document>Document</a></code> is an
<a href=#concept-origin-alias title=concept-origin-alias>alias</a> to the
<a href=#origin>origin</a> of the <code><a href=#document>Document</a></code>'s
<a href=#browsing-context>browsing context</a>'s <a href=#browsing-context-container>browsing context
container</a>'s <code><a href=#document>Document</a></code>.</p>

<p>The <a href=#effective-script-origin>effective script origin</a> is initially an
<a href=#concept-origin-alias title=concept-origin-alias>alias</a> to the
<a href=#effective-script-origin>effective script origin</a> of the
<code><a href=#document>Document</a></code>'s <a href=#browsing-context>browsing context</a>'s
<a href=#browsing-context-container>browsing context container</a>'s
<code><a href=#document>Document</a></code>.</p>

</dd>


<dt>If a <code><a href=#document>Document</a></code> was obtained in some other manner
using the <code title=dom-DOMImplementation-createDocument><a href=#dom-domimplementation-createdocument>createDocument()</a></code>
API, etc)</dt>

<dd>The <a href=#origin>origin</a> is a globally unique identifier
assigned when the <code><a href=#document>Document</a></code> is created.</dd>
<dd>

<p>The <a href=#origin>origin</a> is a globally unique identifier
assigned when the <code><a href=#document>Document</a></code> is created.</p>

<p>The <a href=#effective-script-origin>effective script origin</a> is initially an
<a href=#concept-origin-alias title=concept-origin-alias>alias</a> to the
<a href=#origin>origin</a> of the <code><a href=#document>Document</a></code>.</p>

</dl><p>When a <code><a href=#document>Document</a></code> is created, its <a href=#effective-script-origin>effective
script origin</a> is initialized to the <a href=#origin>origin</a> of
the <code><a href=#document>Document</a></code>. However, the <code title=dom-document-domain><a href=#dom-document-domain>document.domain</a></code> attribute can
be used to change it.</p>
</dd>

</dl><p class=note>The <a href=#effective-script-origin>effective script origin</a> of a
<code><a href=#document>Document</a></code> can be manipulated using the <code title=dom-document-domain><a href=#dom-document-domain>document.domain</a></code> IDL
attribute.</p>

</dd>
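
Review bot: The target of the effective script origin alias is inconsistent across the Document cases. For data: URLs found in a Document or script, and for iframe srcdoc documents, it aliases the effective script origin of the initiator or container, but for javascript: URL documents it aliases "the origin of the Document", which resolves to the script's origin rather than the script's effective script origin. If a document.domain change on the originating side is meant to carry over only in the first two cases, say so in the javascript: entry; otherwise align it. Separately, the removed closing paragraph was the one sentence stating that the effective script origin starts out as the Document's origin; that now rests on the word "initially" repeated in each dd plus a class=note paragraph, so a case added later can easily omit it.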

<dt>If an image is the image of an <code><a href=#the-img-element>img</a></code> element and
its image data is <a href=#cors-same-origin>CORS-same-origin</a></dt>

<dd>The <a href=#origin>origin</a> is the <a href=#origin>origin</a> of the
<code><a href=#the-img-element>img</a></code> element's <code><a href=#document>Document</a></code>.</dd>
<dd>The <a href=#origin>origin</a> is an <a href=#concept-origin-alias title=concept-origin-alias>alias</a> to the
<a href=#origin>origin</a> of the <code><a href=#the-img-element>img</a></code> element's
<code><a href=#document>Document</a></code>.</dd>

<!-- all image loads go through the "potentially CORS-enabled
fetch" algorithm so they're all either CORS-cross-origin or
CORS-same-origin if they succeed at all -->

</dl></dd>
</dl><p>Images do not have an <a href=#effective-script-origin>effective script origin</a>.</p>

</dd>


<dt>For <code><a href=#the-audio-element>audio</a></code> and <code><a href=#the-video-element>video</a></code> elements</dt>
<dt>If the <a href=#media-data>media data</a> is
<a href=#cors-same-origin>CORS-same-origin</a></dt>

<dd>The <a href=#origin>origin</a> is the <a href=#origin>origin</a> of the
<a href=#media-element>media element</a>'s <code><a href=#document>Document</a></code>.</dd>
<dd>The <a href=#origin>origin</a> is an <a href=#concept-origin-alias title=concept-origin-alias>alias</a> to the
<a href=#origin>origin</a> of the <a href=#media-element>media element</a>'s
<code><a href=#document>Document</a></code>.</dd>

</dl></dd>
</dl><p><a href=#media-element title="media element">Media elements</a> do not have
an <a href=#effective-script-origin>effective script origin</a>.</p>

</dd>


<dt>For fonts</dt>

<dd>

<p>The <a href=#origin>origin</a> of a downloadable Web font is equal to
the <a href=#origin>origin</a> of the <a href=#absolute-url>absolute URL</a> used to
<p>The <a href=#origin>origin</a> of a downloadable Web font is an <a href=#concept-origin-alias title=concept-origin-alias>alias</a> to the
<a href=#origin>origin</a> of the <a href=#absolute-url>absolute URL</a> used to
obtain the font (after any redirects). <a href=#refsCSSFONTS>[CSSFONTS]</a></p> <!-- this means you can
get data from a remote site if you can make it redirect to your
own site in some fashion controlled by the data you want to read
-->

<p>The <a href=#origin>origin</a> of a locally installed system font is
equal to the <a href=#origin>origin</a> of the <code><a href=#document>Document</a></code> in
which that font is being used.</p>
an <a href=#concept-origin-alias title=concept-origin-alias>alias</a> to the
<a href=#origin>origin</a> of the <code><a href=#document>Document</a></code> in which that
font is being used.</p>

<p>Fonts do not have an <a href=#effective-script-origin>effective script origin</a>.</p>

</dd>
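
Review bot: In the fonts entry, the consequence recorded in the HTML comment after the downloadable Web font paragraph is invisible in the rendered specification: because the origin is taken from the absolute URL "after any redirects", data on a remote site becomes readable if that site can be made to redirect to the reader's own site. The patch rewrites this paragraph anyway, so consider promoting the comment to a visible note, or explaining why the post-redirect URL is the right place to take the origin from.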


<dd>The owner is the script that provided the URL.</dd>

</dl><p>The <a href=#origin>origin</a> of the script is then equal to the
</dl><p>The <a href=#origin>origin</a> of the script is then an <a href=#concept-origin-alias title=concept-origin-alias>alias</a> to the
<a href=#origin>origin</a> of the owner, and the <a href=#effective-script-origin>effective script
origin</a> of the script is equal to the <a href=#effective-script-origin>effective script
origin</a> of the owner.</p>
origin</a> of the script is an <a href=#concept-origin-alias title=concept-origin-alias>alias</a> to the <a href=#effective-script-origin>effective
script origin</a> of the owner.</p>

</dd>

</dl><p>Other specifications can override the above definitions by
themselves specifying the origin of a particular URL, script,
<code><a href=#document>Document</a></code>, or image.</p>
themselves specifying the origin of a particular <a href=#url>URL</a>,
<code><a href=#document>Document</a></code>, image, <a href=#media-element>media element</a>, font, or
<a href=#concept-script title=concept-script>script</a>.</p>

<!-- e.g.:

<p>The <span>origin</span> of a <code>Document</code> object
returned by the <code>XMLHttpRequest</code> API is equal to the
returned by the <code>XMLHttpRequest</code> API is an <span
title="concept-origin-alias">alias</span> to the
<span>XMLHttpRequest origin</span> of the
<code>XMLHttpRequest</code> object.</p>

throw a <code><a href=#securityerror>SecurityError</a></code> exception and abort these
steps.</p>

<!-- this is the step that prevents us from ever setting
document.domain if the >effective script origin< isn't a
scheme/host/port tuple -->

</li>

<li>

<li>

<p>Set the host part of the <a href=#effective-script-origin>effective script origin</a>
tuple of the <code><a href=#document>Document</a></code> to <var title="">new
value</var>.</p>
<p>If the <a href=#effective-script-origin>effective script origin</a> of the
<code><a href=#document>Document</a></code> is an <a href=#concept-origin-alias title=concept-origin-alias>alias</a>, set it to the value of
the <a href=#effective-script-origin>effective script origin</a> (essentially de-aliasing
the <a href=#effective-script-origin>effective script origin</a>).</p>

</li>

<li>

<p>Set the port part of the <a href=#effective-script-origin>effective script origin</a>
tuple of the <code><a href=#document>Document</a></code> to "manual override" (a value
that, for the purposes of <a href=#same-origin title="same origin">comparing
origins</a>, is identical to "manual override" but not
identical to any other value).</p>
<p>If <var title="">new value</var> is not the empty string, then
run these substeps:</p>

</li>
<ol><li>

<p>Set the host part of the <a href=#effective-script-origin>effective script origin</a>
tuple of the <code><a href=#document>Document</a></code> to <var title="">new
value</var>.</p>

</li>

<li>

<p>Set the port part of the <a href=#effective-script-origin>effective script origin</a>
tuple of the <code><a href=#document>Document</a></code> to "manual override" (a value
that, for the purposes of <a href=#same-origin title="same origin">comparing
origins</a>, is identical to "manual override" but not
identical to any other value).</p>

</li>

</ol></li>

</ol><p>The <dfn id="the-document's-domain" title="the document's domain">domain</dfn> of a
<code><a href=#document>Document</a></code> is the host part of the document's
<a href=#origin>origin</a>, if that is a scheme/host/port tuple. If it
isn't, then the document does not have a domain.</p>
<a href=#origin>origin</a>, if the value of that <a href=#origin>origin</a> is a
scheme/host/port tuple. If it isn't, then the document does not have
a domain.</p>

</div>
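
Review bot: The new de-aliasing step in the document.domain setter is self-referential: "If the effective script origin ... is an alias, set it to the value of the effective script origin". Suggest wording it as setting the effective script origin to the current value of the origin it is an alias to, so it is clear that a copy is taken and the link is dropped. This step also runs before the "new value is not the empty string" check, so an assignment of the empty string that reaches this point changes neither host nor port yet still detaches the Document from the origin it was following. If that side effect is not intended, move the de-aliasing into the substeps.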
