Skip to content
Permalink
Browse files

[giow] (3) Fix <area> to match <a> in terms of security checking. Als…

…o, some editorial fixes.

Fixing https://www.w3.org/Bugs/Public/show_bug.cgi?id=21654
Affected topics: DOM APIs, HTML, Video Text Tracks, Workers

git-svn-id: http://svn.whatwg.org/webapps@7836 340c8d12-0b0e-0410-8428-c7bf67bfef74
  • Loading branch information...
Hixie committed Apr 15, 2013
1 parent f341b90 commit 464ab1051a102e519f6b0e9dcea46054cda00398
Showing with 114 additions and 53 deletions.
  1. +34 −16 complete.html
  2. +34 −16 index
  3. +46 −21 source

<div class=impl>

<!--CLEANUP-->
<p>The <code title=attr-hyperlink-href><a href=#attr-hyperlink-href>href</a></code>, <code title=attr-hyperlink-target><a href=#attr-hyperlink-target>target</a></code>, <code title=attr-hyperlink-download><a href=#attr-hyperlink-download>download</a></code>, and <code title=attr-hyperlink-ping><a href=#ping>ping</a></code>
attributes affect what happens when users <a href=#following-hyperlinks title="following hyperlinks">follow
hyperlinks</a> or <a href=#downloading-hyperlinks title="downloading hyperlinks">download hyperlinks</a> created using
<!-- http://software.hixie.ch/utilities/js/live-dom-viewer/saved/2033 -->
<!-- (didn't test if the bc has to be active) -->

<li><p>If either the <code><a href=#the-a-element>a</a></code> element has a <code title=attr-hyperlink-download><a href=#attr-hyperlink-download>download</a></code> attribute and the algorithm is not <a href=#allowed-to-show-a-popup>allowed
to show a popup</a>, or the element's <code title=attr-hyperlink-target><a href=#attr-hyperlink-target>target</a></code>
attribute is present and applying <a href=#the-rules-for-choosing-a-browsing-context-given-a-browsing-context-name>the rules for choosing a browsing context given a
browsing context name</a>, using the value of the <code title=attr-hyperlink-target><a href=#attr-hyperlink-target>target</a></code> attribute as the browsing context name, would result
in there not being a chosen browsing context, then throw an <code><a href=#invalidaccesserror>InvalidAccessError</a></code>
exception and abort these steps.</li>
<li>

<p>If either the <code><a href=#the-a-element>a</a></code> element has a <code title=attr-hyperlink-download><a href=#attr-hyperlink-download>download</a></code> attribute and the algorithm is not <a href=#allowed-to-show-a-popup>allowed
to show a popup</a>, or the element's <code title=attr-hyperlink-target><a href=#attr-hyperlink-target>target</a></code>
attribute is present and applying <a href=#the-rules-for-choosing-a-browsing-context-given-a-browsing-context-name>the rules for choosing a browsing context given a
browsing context name</a>, using the value of the <code title=attr-hyperlink-target><a href=#attr-hyperlink-target>target</a></code> attribute as the browsing context name, would result
in there not being a chosen browsing context, then run these substeps:</p>

<ol><li><p>If there is an <a href=#entry-script>entry script</a>, throw an <code><a href=#invalidaccesserror>InvalidAccessError</a></code> exception.</li>

<li><p>Abort these steps witout following the hyperlink.</li>

</ol></li>

<li><p>If the target of the <code title=event-click><a href=#event-click>click</a></code> event is an <code><a href=#the-img-element>img</a></code>
element with an <code title=attr-img-ismap><a href=#attr-img-ismap>ismap</a></code> attribute specified, then server-side
<li><p>Add <var title="">cue</var> to the method's <code><a href=#texttrack>TextTrack</a></code> object's <a href=#text-track>text
track</a>'s <a href=#text-track-list-of-cues>text track list of cues</a>.</li>

<li><p>If the <code>TextTrack object's <a href=#text-track>text track</a> is in a <a href=#media-element>media
<li><p>If the <code><a href=#texttrack>TextTrack</a></code> object's <a href=#text-track>text track</a> is in a <a href=#media-element>media
element</a>'s <a href=#list-of-text-tracks>list of text tracks</a>, run the <i><a href=#time-marches-on>time marches on</a></i> steps for that
<a href=#media-element>media element</a>.</code></li>
<a href=#media-element>media element</a>.</li>

</ol><p>The <dfn id=dom-texttrack-removecue title=dom-TextTrack-removeCue><code>removeCue(<var title="">cue</var>)</code></dfn>
method of <code><a href=#texttrack>TextTrack</a></code> objects, when invoked, must run the following steps:</p>

<div class=impl>

<!--CLEANUP-->
<p>The <a href=#activation-behavior>activation behavior</a> of <code><a href=#the-area-element>area</a></code> elements is to run the following
steps:</p>

<ol><!-- c.f. <a>'s similar section --><li><p>If the <code><a href=#the-a-element>a</a></code> element's <code><a href=#document>Document</a></code> is not in a <a href=#browsing-context>browsing
context</a>, then abort these steps.</li>

<li><p>If the <code title=event-click><a href=#event-click>click</a></code> event in question is not <a href=#concept-events-trusted title=concept-events-trusted>trusted</a> (i.e. a <code title=dom-click><a href=#dom-click>click()</a></code>
method call was the reason for the event being dispatched), and the <code><a href=#the-area-element>area</a></code> element has
a <code title=attr-hyperlink-download><a href=#attr-hyperlink-download>download</a></code> attribute or the element's <code title=attr-hyperlink-target><a href=#attr-hyperlink-target>target</a></code> attribute is present and applying <a href=#the-rules-for-choosing-a-browsing-context-given-a-browsing-context-name>the rules for
choosing a browsing context given a browsing context name</a>, using the value of the <code title=attr-hyperlink-target><a href=#attr-hyperlink-target>target</a></code> attribute as the browsing context name, would result
in there not being a chosen browsing context, then throw an <code><a href=#invalidaccesserror>InvalidAccessError</a></code>
exception and abort these steps.</li>
<li>

<p>If the <code><a href=#the-area-element>area</a></code> element has
a <code title=attr-hyperlink-download><a href=#attr-hyperlink-download>download</a></code> attribute and the algorithm is not
<a href=#allowed-to-show-a-popup>allowed to show a popup</a>, or the element's <code title=attr-hyperlink-target><a href=#attr-hyperlink-target>target</a></code> attribute is present and applying <a href=#the-rules-for-choosing-a-browsing-context-given-a-browsing-context-name>the rules for
choosing a browsing context given a browsing context name</a>, using the value of the <code title=attr-hyperlink-target><a href=#attr-hyperlink-target>target</a></code> attribute as the browsing context name, would result
in there not being a chosen browsing context, then run these substeps:</p>

<ol><li><p>If there is an <a href=#entry-script>entry script</a>, throw an <code><a href=#invalidaccesserror>InvalidAccessError</a></code> exception.</li>

<li><p>Abort these steps witout following the hyperlink.</li>

</ol></li>

<li><p>Otherwise, the user agent must <a href=#following-hyperlinks title="following hyperlinks">follow the
hyperlink</a> or <a href=#downloading-hyperlinks title="downloading hyperlinks">download the hyperlink</a> created by

<h4 id=importing-scripts-and-libraries><span class=secno>9.3.1 </span>Importing scripts and libraries</h4>

<!--CLEANUP-->
<p>When a script invokes the <dfn id=dom-workerglobalscope-importscripts title=dom-WorkerGlobalScope-importScripts><code>importScripts(<var title="">urls</var>)</code></dfn> method on a
<code><a href=#workerglobalscope>WorkerGlobalScope</a></code> object, the user agent must run the
following steps:</p>
argument.</li>

<li><p>If any fail, throw a <code><a href=#syntaxerror>SyntaxError</a></code>
exception.</li>
exception and abort these steps.</li>

<li>

};
<a href=#window>Window</a> implements <a href=#windowlocalstorage>WindowLocalStorage</a>;</pre>

<!--CLEANUP-->
<p>The <dfn id=dom-localstorage title=dom-localStorage><code>localStorage</code></dfn>
object provides a <code><a href=#storage-0>Storage</a></code> object for an
<a href=#origin>origin</a>.
marcos uses them from another spec -->

<ol><li><p>The user agent may throw a <code><a href=#securityerror>SecurityError</a></code>
exception instead of returning a <code><a href=#storage-0>Storage</a></code> object if the
exception and abort these steps instead of returning a <code><a href=#storage-0>Storage</a></code> object if the
request violates a policy decision (e.g. if the user agent is
configured to not allow the page to persist data).</li>

50 index

<div class=impl>

<!--CLEANUP-->
<p>The <code title=attr-hyperlink-href><a href=#attr-hyperlink-href>href</a></code>, <code title=attr-hyperlink-target><a href=#attr-hyperlink-target>target</a></code>, <code title=attr-hyperlink-download><a href=#attr-hyperlink-download>download</a></code>, and <code title=attr-hyperlink-ping><a href=#ping>ping</a></code>
attributes affect what happens when users <a href=#following-hyperlinks title="following hyperlinks">follow
hyperlinks</a> or <a href=#downloading-hyperlinks title="downloading hyperlinks">download hyperlinks</a> created using
<!-- http://software.hixie.ch/utilities/js/live-dom-viewer/saved/2033 -->
<!-- (didn't test if the bc has to be active) -->

<li><p>If either the <code><a href=#the-a-element>a</a></code> element has a <code title=attr-hyperlink-download><a href=#attr-hyperlink-download>download</a></code> attribute and the algorithm is not <a href=#allowed-to-show-a-popup>allowed
to show a popup</a>, or the element's <code title=attr-hyperlink-target><a href=#attr-hyperlink-target>target</a></code>
attribute is present and applying <a href=#the-rules-for-choosing-a-browsing-context-given-a-browsing-context-name>the rules for choosing a browsing context given a
browsing context name</a>, using the value of the <code title=attr-hyperlink-target><a href=#attr-hyperlink-target>target</a></code> attribute as the browsing context name, would result
in there not being a chosen browsing context, then throw an <code><a href=#invalidaccesserror>InvalidAccessError</a></code>
exception and abort these steps.</li>
<li>

<p>If either the <code><a href=#the-a-element>a</a></code> element has a <code title=attr-hyperlink-download><a href=#attr-hyperlink-download>download</a></code> attribute and the algorithm is not <a href=#allowed-to-show-a-popup>allowed
to show a popup</a>, or the element's <code title=attr-hyperlink-target><a href=#attr-hyperlink-target>target</a></code>
attribute is present and applying <a href=#the-rules-for-choosing-a-browsing-context-given-a-browsing-context-name>the rules for choosing a browsing context given a
browsing context name</a>, using the value of the <code title=attr-hyperlink-target><a href=#attr-hyperlink-target>target</a></code> attribute as the browsing context name, would result
in there not being a chosen browsing context, then run these substeps:</p>

<ol><li><p>If there is an <a href=#entry-script>entry script</a>, throw an <code><a href=#invalidaccesserror>InvalidAccessError</a></code> exception.</li>

<li><p>Abort these steps witout following the hyperlink.</li>

</ol></li>

<li><p>If the target of the <code title=event-click><a href=#event-click>click</a></code> event is an <code><a href=#the-img-element>img</a></code>
element with an <code title=attr-img-ismap><a href=#attr-img-ismap>ismap</a></code> attribute specified, then server-side
<li><p>Add <var title="">cue</var> to the method's <code><a href=#texttrack>TextTrack</a></code> object's <a href=#text-track>text
track</a>'s <a href=#text-track-list-of-cues>text track list of cues</a>.</li>

<li><p>If the <code>TextTrack object's <a href=#text-track>text track</a> is in a <a href=#media-element>media
<li><p>If the <code><a href=#texttrack>TextTrack</a></code> object's <a href=#text-track>text track</a> is in a <a href=#media-element>media
element</a>'s <a href=#list-of-text-tracks>list of text tracks</a>, run the <i><a href=#time-marches-on>time marches on</a></i> steps for that
<a href=#media-element>media element</a>.</code></li>
<a href=#media-element>media element</a>.</li>

</ol><p>The <dfn id=dom-texttrack-removecue title=dom-TextTrack-removeCue><code>removeCue(<var title="">cue</var>)</code></dfn>
method of <code><a href=#texttrack>TextTrack</a></code> objects, when invoked, must run the following steps:</p>

<div class=impl>

<!--CLEANUP-->
<p>The <a href=#activation-behavior>activation behavior</a> of <code><a href=#the-area-element>area</a></code> elements is to run the following
steps:</p>

<ol><!-- c.f. <a>'s similar section --><li><p>If the <code><a href=#the-a-element>a</a></code> element's <code><a href=#document>Document</a></code> is not in a <a href=#browsing-context>browsing
context</a>, then abort these steps.</li>

<li><p>If the <code title=event-click><a href=#event-click>click</a></code> event in question is not <a href=#concept-events-trusted title=concept-events-trusted>trusted</a> (i.e. a <code title=dom-click><a href=#dom-click>click()</a></code>
method call was the reason for the event being dispatched), and the <code><a href=#the-area-element>area</a></code> element has
a <code title=attr-hyperlink-download><a href=#attr-hyperlink-download>download</a></code> attribute or the element's <code title=attr-hyperlink-target><a href=#attr-hyperlink-target>target</a></code> attribute is present and applying <a href=#the-rules-for-choosing-a-browsing-context-given-a-browsing-context-name>the rules for
choosing a browsing context given a browsing context name</a>, using the value of the <code title=attr-hyperlink-target><a href=#attr-hyperlink-target>target</a></code> attribute as the browsing context name, would result
in there not being a chosen browsing context, then throw an <code><a href=#invalidaccesserror>InvalidAccessError</a></code>
exception and abort these steps.</li>
<li>

<p>If the <code><a href=#the-area-element>area</a></code> element has
a <code title=attr-hyperlink-download><a href=#attr-hyperlink-download>download</a></code> attribute and the algorithm is not
<a href=#allowed-to-show-a-popup>allowed to show a popup</a>, or the element's <code title=attr-hyperlink-target><a href=#attr-hyperlink-target>target</a></code> attribute is present and applying <a href=#the-rules-for-choosing-a-browsing-context-given-a-browsing-context-name>the rules for
choosing a browsing context given a browsing context name</a>, using the value of the <code title=attr-hyperlink-target><a href=#attr-hyperlink-target>target</a></code> attribute as the browsing context name, would result
in there not being a chosen browsing context, then run these substeps:</p>

<ol><li><p>If there is an <a href=#entry-script>entry script</a>, throw an <code><a href=#invalidaccesserror>InvalidAccessError</a></code> exception.</li>

<li><p>Abort these steps witout following the hyperlink.</li>

</ol></li>

<li><p>Otherwise, the user agent must <a href=#following-hyperlinks title="following hyperlinks">follow the
hyperlink</a> or <a href=#downloading-hyperlinks title="downloading hyperlinks">download the hyperlink</a> created by

<h4 id=importing-scripts-and-libraries><span class=secno>9.3.1 </span>Importing scripts and libraries</h4>

<!--CLEANUP-->
<p>When a script invokes the <dfn id=dom-workerglobalscope-importscripts title=dom-WorkerGlobalScope-importScripts><code>importScripts(<var title="">urls</var>)</code></dfn> method on a
<code><a href=#workerglobalscope>WorkerGlobalScope</a></code> object, the user agent must run the
following steps:</p>
argument.</li>

<li><p>If any fail, throw a <code><a href=#syntaxerror>SyntaxError</a></code>
exception.</li>
exception and abort these steps.</li>

<li>

};
<a href=#window>Window</a> implements <a href=#windowlocalstorage>WindowLocalStorage</a>;</pre>

<!--CLEANUP-->
<p>The <dfn id=dom-localstorage title=dom-localStorage><code>localStorage</code></dfn>
object provides a <code><a href=#storage-0>Storage</a></code> object for an
<a href=#origin>origin</a>.
marcos uses them from another spec -->

<ol><li><p>The user agent may throw a <code><a href=#securityerror>SecurityError</a></code>
exception instead of returning a <code><a href=#storage-0>Storage</a></code> object if the
exception and abort these steps instead of returning a <code><a href=#storage-0>Storage</a></code> object if the
request violates a policy decision (e.g. if the user agent is
configured to not allow the page to persist data).</li>

0 comments on commit 464ab10

Please sign in to comment.
You can’t perform that action at this time.