Add 'HTTPS state' to settings objects

This patch threads Fetch's Response object's 'HTTPS state' through to the
settings object in the Document or Worker that the response populates.
This seems fairly straightforward for Workers, but Documents are a bit
iffy.

See also https://www.w3.org/Bugs/Public/show_bug.cgi?id=27147 and
https://www.w3.org/Bugs/Public/show_bug.cgi?id=27190.
mikewest authored and annevk committed Sep 22, 2015
1 parent 10f28c5 commit 6de524157fcf341e10efb3eec634bcf7325e6ee4
Showing 1 changed file with 73 additions and 9 deletions: source
<li><dfn data-noexport="" data-x="concept-response-header-list" data-x-href="https://fetch.spec.whatwg.org/#concept-response-header-list">header list</dfn>
<li><dfn data-noexport="" data-x="concept-response-body" data-x-href="https://fetch.spec.whatwg.org/#concept-response-body">body</dfn>
<li><dfn data-noexport="" data-x="concept-internal-response" data-x-href="https://fetch.spec.whatwg.org/#concept-internal-response">internal response</dfn>
<li><dfn data-noexport="" data-x="concept-response-https-state" data-x-href="https://fetch.spec.whatwg.org/#concept-response-https-state">HTTPS state</dfn>
</ul>
<li>
<dfn data-noexport="" data-x="concept-request" data-x-href="https://fetch.spec.whatwg.org/#concept-request">request</dfn> and its associated:
<li><p>Let <var>address</var> be the <span>browsing context</span>'s <span>active
document</span>'s <span data-x="the document's address">address</span>.</p></li>

<li><p>Let <var>HTTPS state</var> be the <span data-x="concept-window-https-state">HTTPS
state</span> of the <span>browsing context</span>'s <span>active document</span>'s
<code>Window</code>.</p></li>

<li>

<p><span>Navigate</span><!--DONAV reload after d.open()--> the <span>browsing context</span> to
a new <span data-x="concept-response">response</span> whose <span
data-x="concept-response-body">body</span> is <var>source</var>, with <span>replacement
enabled</span> and <span>exceptions enabled</span>. The <span>source browsing context</span> is
that given to the <span data-x="an overridden reload">overridden reload</span> algorithm. When
the <span>navigate</span> algorithm creates a <code>Document</code> object for this purpose, set
that <code>Document</code>'s <span>reload override flag</span> and set its <span>reload override
buffer</span> to <var>source</var>.</p>
data-x="concept-response-body">body</span> is <var>source</var> and <span
data-x="concept-response-https-state">HTTPS state</span> is <var>HTTPS state</var>, with
<span>replacement enabled</span> and <span>exceptions enabled</span>. The <span>source browsing
context</span> is that given to the <span data-x="an overridden reload">overridden reload</span>
algorithm. When the <span>navigate</span> algorithm creates a <code>Document</code> object for
this purpose, set that <code>Document</code>'s <span>reload override flag</span> and set its
<span>reload override buffer</span> to <var>source</var>.</p>

<p>When it comes time to <span>set the document's address</span> in the <span
data-x="navigate">navigation algorithm</span>, use <var>address</var> as the
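Review bot: The variable introduced in the new "Let HTTPS state be" step has the same name as the concept it is read from, so the rewritten navigate step ends up saying the response's "HTTPS state is HTTPS state", and only the var markup distinguishes the two. Rename the variable after what it captures (for example "reloaded HTTPS state") so the step still reads unambiguously in rendered text. It would also help to say, as is implied for address, that the value is captured before the navigation replaces the active document.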
<dd>

<p><span>Navigate</span><!--DONAV iframe--> the element's <span>child browsing context</span> to
a <span data-x="concept-response">response</span> whose <span
a new <span data-x="concept-response">response</span> whose <span
data-x="concept-response-url-list">url list</span> consists of <code>about:srcdoc</code>, <span
data-x="concept-response-header-list">header list</span> consists of
`<code data-x="">Content-Type</code>`/`<code>text/html</code>`, and <span
data-x="concept-response-body">body</span> is the value of the attribute.
`<code data-x="">Content-Type</code>`/`<code>text/html</code>`, <span
data-x="concept-response-body">body</span> is the value of the attribute, and <span
data-x="concept-response-https-state">HTTPS state</span> is the <span
data-x="concept-window-https-state">HTTPS state</span> of the <code>iframe</code> element's
<span>node document</span>'s <code>Window</code>.

<p>The resulting <code>Document</code> must be considered <span>an <code>iframe</code> <code
data-x="attr-iframe-srcdoc">srcdoc</code> document</span>.</p>
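Review bot: The rewritten srcdoc paragraph gives the synthetic about:srcdoc response the embedding document's HTTPS state, but the Window definition added elsewhere in this patch describes the value as "the security properties of the network channel used to deliver the Document", and a srcdoc document is not delivered over any channel of its own. Add a short non-normative note here explaining that the value is inherited because the markup arrived as part of the iframe element's node document, so readers do not take the inheritance for an oversight. The commit message already flags Documents as "a bit iffy", so spelling out the intent at each inheritance point is worth the extra sentence.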

<div w-nodev>

<p>The <code>Window</code> has an <dfn data-x="concept-window-https-state">HTTPS state</dfn>,
which represents the security properties of the network channel used to deliver the
<code>Document</code> with which the <code>Window</code> is associated. The value will be one of
"<code data-x="">modern</code>", "<code data-x="">deprecated</code>", or "<code
data-x="">none</code>". If it is not explicitly set, then its value is "<code
data-x="">none</code>".</p>

<p>The <dfn><code data-x="dom-window">window</code></dfn>, <dfn><code data-x="dom-frames">frames</code></dfn>, and <dfn><code data-x="dom-self">self</code></dfn>
IDL attributes must all return the <code>Window</code> object's <span>browsing context</span>'s
<code>WindowProxy</code> object.</p>
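Review bot: The new Window paragraph restates the three allowed values and the default, and the same list appears again in the settings object definition and in the WorkerGlobalScope paragraph later in this patch, each with slightly different wording ("If it is not explicitly set, then its value is" here, "It is initially" for workers, no default at all for the settings object). Define the value set and the "none" default once and have the other two places reference it, so the three cannot drift apart. "The value will be one of" also reads as a prediction rather than a requirement; "is one of" would be firmer.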
<code>Document</code> instead, and change the <code data-x="dom-document">document</code>
attribute of the <code>Window</code> object to point to the new <code>Document</code>.</p>

<li><p>Set the <code>Window</code> object's <span data-x="concept-window-https-state">HTTPS
state</span> to the <span data-x="concept-response-https-state">HTTPS state</span> of the
resource used to generate the document.</p></li>

<li><p>Set <span>the document's referrer</span> to the <i>address of the resource from which
Request-URIs are obtained</i> as determined when the fetch algorithm obtained the resource, if
that algorithm was used and determined such a value; otherwise, set it to the empty
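Review bot: The added step takes the value from "the resource used to generate the document", but the term it links to is the response's HTTPS state, and the rest of this patch consistently talks about a response. Name the response explicitly in this step so it is clear which object is read, and say what value applies when the Document is created without a response, since the Window definition only covers that case through its implicit "none" default.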
data-x="dom-history-pushstate">history.pushState()</code>.</p>
</dd>

<dt>An <dfn>HTTPS state</dfn></dt>

<dd>
<p>A value representing the security properties of the network channel used to deliver the
resource with which the <span>environment settings object</span> is associated. The value will
be one of "<code data-x="">modern</code>", "<code data-x="">deprecated</code>", or
"<code data-x="">none</code>".</p>

<p class="note">Resources delivered over HTTPS will generally have an <span>HTTPS state</span>
of "<code data-x="">modern</code>". A user agent can use "<code data-x="">deprecated</code>"
during transitional periods where rejecting the response entirely would be inappropriate (e.g.,
while removing support for a hash function or cypher suite).</p>
</dd>

</dl>

<p>The <dfn>relevant settings object for a global object</dfn> <var>o</var> is the
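Review bot: In the note at the end of the new definition, "cypher suite" should be "cipher suite" to match the usual TLS spelling. The note also leaves the choice between "modern" and "deprecated" entirely to the user agent; if that is intentional, say so directly, because consumers of the settings object will otherwise assume the two values are comparable across browsers.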

</dd>

<dt>The <span>HTTPS state</span></dt>
<dd>

<p>Return the <span data-x="concept-window-https-state">HTTPS state</span> of the
<code>Window</code> object.</p>

</dd>

</dl>
</li>
</ol>

</li>

<li><p>Set the new <code>Window</code> object's <span data-x="concept-window-https-state">HTTPS
state</span> to the <span data-x="concept-window-https-state">HTTPS state</span> of the
<code>Window</code> object of the <a>responsible document</a> specified by the <span>entry
settings object</span>.</p></li>

<!-- http://software.hixie.ch/utilities/js/live-dom-viewer/?%3C!DOCTYPE%20html%3E...%3Ciframe%20src%3D%22document%22%3E%3C%2Fiframe%3E%0A%3Cscript%3Eonload%20%3D%20function%20()%20%7B%20f%20%3D%20document.getElementsByTagName('iframe')%5B0%5D%3B%20d%20%3D%20f.contentWindow.document%3B%20%7D%3C%2Fscript%3E%0A%3Cinput%20type%3Dbutton%20onclick%3D%22w(d.documentElement.innerHTML)%22%20value%3D%22dump%22%3E%0A%3Cinput%20type%3Dbutton%20onclick%3D%22d.open()%3B%20d.write('%3Cscript%3Evar%20x%20%3D%20new%20XMLHttpRequest()%3Bx.open(%26quot%3BGET%26quot%3B%2C%20%26quot%3BGET%26quot%3B)%3Bx.onreadystatechange%3Dfunction()%20%7B%20alert(x.readyState)%3B%20%7D%3Bx.send(null)%3B%3C%2Fscript%3E')%3Bd.close()%3B%20setTimeout(function()%20%7B%20d.open()%3B%20d.write('%3Cp%3Etest%3C%2Fp%3E')%3B%20d.close()%20%7D%2C%200)%3B%22%20value%3D%22xhr%22%3E%0A%3Cinput%20type%3Dbutton%20onclick%3D%22d.onclick%20%3D%20function()%20%7B%20w('click')%20%7D%22%20value%3D%22add%20click%20handler%22%3E%0A%3Cinput%20type%3Dbutton%20onclick%3D%22d.open()%3B%20d.write('%3Cp%3Etest%3C%2Fp%3E')%3B%20d.close()%22%20value%3D%22replace%22%3E%0A%3Cinput%20type%3Dbutton%20onclick%3D%22d.open()%3B%20d.write('%3Cp%3E%3Cscript%3Ei%20%3D%200%3B%20setTimeout(%26quot%3Bparent.w(i%2B%2B)%26quot%3B%2C%202000)%3C%2Fscript%3E%3C%2Fp%3E')%3B%20d.close()%22%20value%3D%22replace%20with%20timer%22%3E -->
<!-- http://software.hixie.ch/utilities/js/live-dom-viewer/?%3C!DOCTYPE%20html%3E%0D%0A...%3Ciframe%3E%3C%2Fiframe%3E%0D%0A%3Cscript%3E%0D%0Aonload%20%3D%20function%20()%20%7B%0D%0A%20frames%5B0%5D.test%20%3D%201%0D%0A%20w(frames%5B0%5D.test)%3B%0D%0A%20var%20a%20%3D%20frames%5B0%5D.document.location.assign%3B%0D%0A%20w(a)%3B%0D%0A%20w(frames%5B0%5D.document.location.assign%20%3D%3D%3D%20a)%3B%0D%0A%20frames%5B0%5D.document.open()%3B%0D%0A%20frames%5B0%5D.document.write('%3Cscript%3Edocument.write(test)%3C%5C%2Fscript%3E')%3B%0D%0A%20frames%5B0%5D.document.close()%3B%0D%0A%20w(frames%5B0%5D.test)%3B%0D%0A%20w(frames%5B0%5D.document.location.assign%20%3D%3D%3D%20a)%3B%0D%0A%7D%0D%0A%3C%2Fscript%3E -->
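Review bot: The added step copies the HTTPS state from the Window of the responsible document specified by the entry settings object, that is, from the caller of document.open(), while the overridden reload step earlier in this patch takes it from the browsing context's active document. Two same-origin documents can still differ between "modern" and "deprecated", so the two rules can give different answers for the same document; please state which source is intended and make both places agree, or explain the difference. Separately, "responsible document" is marked up with an a element here, whereas every other cross-reference in the patch uses span.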

data-x="concept-WorkerGlobalScope-url">url</dfn> (null or a <span>URL</span>). It is initially
null.

<p>A <code>WorkerGlobalScope</code> object has an associated <dfn data-dfn-for="WorkerGlobalScope"
data-x="concept-WorkerGlobalScope-https-state">HTTPS state</dfn> ("<code data-x="">modern</code>",
"<code data-x="">deprecated</code>", or "<code data-x="">none</code>"). It is initially "<code
data-x="">none</code>".

<p>The <dfn><code data-x="dom-WorkerGlobalScope-self">self</code></dfn> attribute must return the
<code>WorkerGlobalScope</code> object itself.</p>

data-x="concept-WorkerGlobalScope-url">url</span> to <var>response</var>'s <span
data-x="concept-response-url">url</span>.</p></li>

<li><p>Set <var>worker global scope</var>'s <span
data-x="concept-WorkerGlobalScope-https-state">HTTPS state</span> to <var>response</var>'s <span
data-x="concept-response-https-state">HTTPS state</span>.</p></li>

<li><p>In the newly created execution environment, create a <span>JavaScript global
environment</span> whose <i>global object</i> is <var>worker global scope</var>. If <var>worker
global scope</var> is a <code>DedicatedWorkerGlobalScope</code> object, then this is a

</dd>

<dt>The <span>HTTPS state</span></dt>
<dd>

<p>Return <var>worker global scope</var>'s <span
data-x="concept-WorkerGlobalScope-https-state">HTTPS state</span>.</p>

</dd>

</dl>

</li>
