
[] (0) Synchronise with the latest Origin spec rules and semantics.

Fixing http://www.w3.org/Bugs/Public/show_bug.cgi?id=7599

git-svn-id: http://svn.whatwg.org/webapps@4011 340c8d12-0b0e-0410-8428-c7bf67bfef74
1 parent b52e8bc commit 72b80a2b2d42c9024f3f8ed8cd58c5db457adcbc @Hixie Hixie committed
Showing with 292 additions and 186 deletions.
  1. +123 −84 index
  2. +169 −102 source
207 index
@@ -5003,8 +5003,9 @@ a.setAttribute('href', 'http://example.com/'); // change the content attribute d
<h3 id=fetching-resources><span class=secno>2.6 </span>Fetching resources</h3>
- <p>When a user agent is to <dfn id=fetch>fetch</dfn> a resource, the
- following steps must be run:</p>
+ <p>When a user agent is to <dfn id=fetch>fetch</dfn> a resource, optionally
+ from an origin <i title="">origin</i>, the following steps must be
+ run:</p>
<ol><li><p>If the resource is identified by the <a href=#url>URL</a>
<dfn id=about:blank><code>about:blank</code></dfn>, then return the empty string
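Review bot: the new parameter `optionally from an origin <i title="">origin</i>` in the opening sentence does not say what omitting it means; the consequence (no origin passed means a request from a privacy-sensitive context) only appears further down the algorithm. Suggest a pointer at the parameter, e.g. `optionally from an origin <i title="">origin</i> (see the note on the <code>Origin</code> header below)`, so that a caller which deliberately passes no origin is visibly choosing the privacy-sensitive behaviour rather than forgetting the argument.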
@@ -5018,11 +5019,11 @@ a.setAttribute('href', 'http://example.com/'); // change the content attribute d
and the resource is to be obtained using an idempotent action
(such as an HTTP GET <a href=#concept-http-equivalent-get title=concept-http-equivalent-get>or
equivalent</a>), and it is already being downloaded for other
- reasons (e.g. another invocation of this algorithm), and the user
- agent is configured such that it is to reuse the data from the
- existing download instead of initiating a new one, then use the
- results of the existing download instead of starting a new
- one.</p>
+ reasons (e.g. another invocation of this algorithm), and this
+ request would be identical to the previous one (e.g. same <code title=http-accept>Accept</code> and <code title=http-origin>Origin</code> headers), and the user agent is
+ configured such that it is to reuse the data from the existing
+ download instead of initiating a new one, then use the results of
+ the existing download instead of starting a new one.</p>
<p>Otherwise, at a time convenient to the user and the user agent,
download (or otherwise obtain) the resource, applying the
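Review bot: the reuse condition in the `+` lines requires the request to be "identical to the previous one" but only gives examples (`e.g. same Accept and Origin headers`), so the set of attributes that must match is open-ended. Because the Origin header is now what distinguishes a fetch initiated from an origin from a privacy-sensitive one, a UA that coalesces downloads on URL and method alone could hand a response obtained with one Origin value to a context that would have sent a different one. Suggest stating normatively which attributes must match (at least method, URL and the Origin header) and dropping the `e.g.`.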
@@ -5052,7 +5053,12 @@ a.setAttribute('href', 'http://example.com/'); // change the content attribute d
browsing context">browsing context</a> of the <a href=#first-script>first
script</a>.</dd>
- </dl></li>
+ </dl><p>For the purposes of the <code title=http-origin>Origin</code>
+ header, if the <a href=#fetch title=fetch>fetching algorithm</a> was
+ explicitly initiated from an <i title="">origin</i>, then <i title="">the origin that initiated the HTTP request</i> is <i title="">origin</i>. Otherwise, this is <i title="">a request from
+ a "privacy-sensitive" context</i>. <a href=#refsORIGIN>[ORIGIN]</a></p>
+
+ </li>
<li>
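Review bot: the fallback in the new paragraph (`Otherwise, this is a request from a "privacy-sensitive" context`) makes every call site that does not pass an origin privacy-sensitive by default. That fails in the safe direction, but it also silently changes any existing invocation of the fetching algorithm that used to send Origin and is not touched in this commit. Consider a source comment next to this paragraph listing the call sites it is meant to cover, or a sentence stating that new invocations must choose explicitly.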
@@ -10550,14 +10556,13 @@ gave me some of the songs they wrote. I love sharing my music.&lt;/p&gt;
applied (as defined below). <span class=impl>For external
resources that are represented in the DOM (for example, style
sheets), the DOM representation must be made available even if the
- resource is not applied. To obtain the resource, the user agent must
- <a href=#resolve-a-url title="resolve a url">resolve</a> the <a href=#url>URL</a>
- given by the <code title=attr-link-href><a href=#attr-link-href>href</a></code> attribute,
- relative to the element, and then <a href=#fetch>fetch</a> the resulting
- <a href=#absolute-url>absolute URL</a>. User agents may opt to only
- <a href=#fetch>fetch</a> such resources when they are needed, instead of
- pro-actively <a href=#fetch title=fetch>fetching</a> all the external
- resources that are not applied.</span></p>
+ resource is not applied. To <dfn id=concept-link-obtain title=concept-link-obtain>obtain
+ the resource</dfn>, the user agent must <a href=#resolve-a-url title="resolve a
+ url">resolve</a> the <a href=#url>URL</a> given by the <code title=attr-link-href><a href=#attr-link-href>href</a></code> attribute, relative to the
+ element, and then <a href=#fetch>fetch</a> the resulting <a href=#absolute-url>absolute
+ URL</a>. User agents may opt to only <a href=#fetch>fetch</a> such
+ resources when they are needed, instead of pro-actively <a href=#fetch title=fetch>fetching</a> all the external resources that are
+ not applied.</span></p> <!-- http-origin privacy sensitive -->
<div class=impl>
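Review bot: the trailing `<!-- http-origin privacy sensitive -->` records that a `link` resource is fetched with no origin, whereas the `script` hunk later in this commit fetches from the Document's origin. The difference is presumably deliberate (a different amount of disclosure of the embedding page's origin to a cross-site host), but the reason is not recorded anywhere; suggest extending the comment with the rationale, since a later editor is otherwise likely to "fix" the two for consistency. The new `<dfn id=concept-link-obtain>` covering resolve-plus-fetch reads clearly where it is used in the next hunk.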
@@ -10671,15 +10676,14 @@ gave me some of the songs they wrote. I love sharing my music.&lt;/p&gt;
the given type. If the attribute is omitted, but the external
resource link type has a default type defined, then the user agent
must assume that the resource is of that type. If the UA does not
- support the given <a href=#mime-type>MIME type</a> for the given link relationship, then
- the UA should not fetch the resource; if the UA does support the
- given <a href=#mime-type>MIME type</a> for the given link relationship, then the UA should
- <a href=#fetch>fetch</a> the resource. If the attribute is omitted, and
- the external resource link type does not have a default type
- defined, but the user agent would fetch the resource if the type was
- known and supported, then the user agent should <a href=#fetch>fetch</a>
- the resource under the assumption that it will be
- supported.</span></p>
+ support the given <a href=#mime-type>MIME type</a> for the given link
+ relationship, then the UA should not <a href=#concept-link-obtain title=concept-link-obtain>obtain</a> the resource; if the UA
+ does support the given <a href=#mime-type>MIME type</a> for the given link
+ relationship, then the UA should <a href=#concept-link-obtain title=concept-link-obtain>obtain</a> the resource. If the
+ attribute is omitted, and the external resource link type does not
+ have a default type defined, but the user agent would <a href=#concept-link-obtain title=concept-link-obtain>obtain</a> the resource if the type
+ was known and supported, then the user agent should <a href=#concept-link-obtain title=concept-link-obtain>obtain</a> the resource under the
+ assumption that it will be supported.</span></p>
<div class=impl>
@@ -12117,7 +12121,9 @@ people expect to have work and what is necessary.
<p>If the element has a <code title=attr-script-src><a href=#attr-script-src>src</a></code>
attribute, then the value of that attribute must be <a href=#resolve-a-url title="resolve a url">resolved</a> relative to the element, and
- if that is successful, the specified resource must then be <a href=#fetch title=fetch>fetched</a>.</p>
+ if that is successful, the specified resource must then be <a href=#fetch title=fetch>fetched</a>, from the <a href=#origin>origin</a> of the
+ element's <code>Document</code>.</p> <!-- not http-origin privacy
+ sensitive -->
<p>For historical reasons, if the <a href=#url>URL</a> is a <a href=#javascript-protocol title="javascript protocol"><code title="">javascript:</code>
URL</a>, then the user agent must not, despite the requirements
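Review bot: `from the <a href=#origin>origin</a> of the element's <code>Document</code>` means a cross-origin `script src` load now carries the embedding page's Origin header to the third-party host, and the only justification is `<!-- not http-origin privacy sensitive -->`. Suggest a one-line rationale in that comment (for instance that the fetched script runs with the document's authority, so the document's origin is not something the server is being kept from learning) so the choice can be checked against the [ORIGIN] draft.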
@@ -18356,7 +18362,8 @@ interface <dfn id=htmlimageelement>HTMLImageElement</dfn> : <a href=#htmlelement
user agent must <a href=#resolve-a-url title="resolve a url">resolve</a> the value
of that attribute, relative to the element, and if that is
successful must then <a href=#fetch>fetch</a> that resource.</p> <!-- Note
- how this does NOT happen when the base URL changes. -->
+ how this does NOT happen when the base URL changes. --> <!--
+ http-origin privacy sensitive -->
<p>The <code title=attr-img-src><a href=#attr-img-src>src</a></code> attribute's value is an
<i>ignored self-reference</i> if its value is the empty string, and
@@ -20257,7 +20264,9 @@ href="?audio"&gt;audio&lt;/a&gt; test instead.)&lt;/p&gt;</pre>
the value of the element's <code title=attr-embed-src><a href=#attr-embed-src>src</a></code>
attribute, relative to the element. If that is successful, the
user agent should <a href=#fetch>fetch</a> the resulting <a href=#absolute-url>absolute
- URL</a>. The <a href=#concept-task title=concept-task>task</a> that is
+ URL</a>, from the element's <a href=#browsing-context-scope-origin>browsing context scope
+ origin</a> if it has one<!-- potentially http-origin privacy
+ sensitive -->. The <a href=#concept-task title=concept-task>task</a> that is
<a href=#queue-a-task title="queue a task">queued</a> by the <a href=#networking-task-source>networking
task source</a> once the resource has been <a href=#fetch title=fetch>fetched</a> must find and instantiate an
appropriate <a href=#plugin>plugin</a> based on the <a href=#concept-embed-type title=concept-embed-type>content's type</a>, and hand that
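Review bot: `from the element's browsing context scope origin if it has one` leaves the else branch implicit: when the element has no scope origin (some ancestor document is cross-origin), the fetch falls through to the privacy-sensitive default defined in the fetching algorithm. Suggest saying so in the text (`..., if it has one, and otherwise with no origin`) instead of relying on the reader to combine the two sections, and moving `<!-- potentially http-origin privacy sensitive -->` after the full stop so the comment does not sit inside the sentence.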
@@ -20558,7 +20567,9 @@ href="?audio"&gt;audio&lt;/a&gt; test instead.)&lt;/p&gt;</pre>
element.</p>
<p>If that is successful, <a href=#fetch>fetch</a> the resulting
- <a href=#absolute-url>absolute URL</a>.</p>
+ <a href=#absolute-url>absolute URL</a>, from the element's <a href=#browsing-context-scope-origin>browsing
+ context scope origin</a> if it has one<!-- potentially
+ http-origin privacy sensitive -->.</p>
<!-- similar text in various places -->
<p>Fetching the resource must <a href=#delay-the-load-event>delay the load event</a>
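Review bot: same shape as the `embed` hunk: `if it has one` has no explicit else branch and the comment is placed before the closing period. Suggest the same wording fix here so the two sections stay parallel; the `<!-- similar text in various places -->` marker on the context line below already signals that they are meant to match.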
@@ -21051,10 +21062,12 @@ href="?audio"&gt;audio&lt;/a&gt; test instead.)&lt;/p&gt;</pre>
or when the <code title=attr-video-poster><a href=#attr-video-poster>poster</a></code> attribute
is set, its value must be <a href=#resolve-a-url title="resolve a
url">resolved</a> relative to the element, and if that is
- successful, the resulting <a href=#absolute-url>absolute URL</a> must be <a href=#fetch title=fetch>fetched</a>; this must <a href=#delay-the-load-event>delay the load
- event</a> of the element's document. The <dfn id=poster-frame>poster frame</dfn>
- is then the image obtained from that resource, if any.</span></p>
- <!-- thus it is unaffected by changes to the base URL. -->
+ successful, the resulting <a href=#absolute-url>absolute URL</a> must be <a href=#fetch title=fetch>fetched</a>, from the element's
+ <code>Document</code>'s <a href=#origin>origin</a>; this must <a href=#delay-the-load-event>delay
+ the load event</a> of the element's document. The <dfn id=poster-frame>poster
+ frame</dfn> is then the image obtained from that resource, if
+ any.</span></p> <!-- thus it is unaffected by changes to the base
+ URL. -->
<p class=note>The image given by the <code title=attr-video-poster><a href=#attr-video-poster>poster</a></code> attribute, the <i><a href=#poster-frame>poster
frame</a></i>, is intended to be a representative frame of the video
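Review bot: the poster image is fetched `from the element's <code>Document</code>'s <a href=#origin>origin</a>`, while the `img` hunk in this same commit keeps image fetches privacy-sensitive (comment only, no origin argument). Both load an image from a possibly cross-origin host, so the difference in Origin disclosure needs a stated reason; if the intent is that `poster` follows the media resource rule rather than the `img` rule, a short comment beside `<!-- thus it is unaffected by changes to the base URL. -->` would keep the two from drifting apart.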
@@ -22296,7 +22309,9 @@ interface <dfn>CueRangeCallback</dfn> {
<li>
<p>Begin to <a href=#fetch>fetch</a> the <var title="">current media
- resource</var>.</p>
+ resource</var>, from the <a href=#media-element>media element</a>'s
+ <code>Document</code>'s <a href=#origin>origin</a>.</p> <!-- not
+ http-origin privacy sensitive (looking forward to CORS here) -->
<p>Every 350ms (&plusmn;200ms) or for every byte received, whichever
is <em>least</em> frequent, <a href=#queue-a-task>queue a task</a> to
@@ -34676,7 +34691,8 @@ interface <dfn id=htmlformelement>HTMLFormElement</dfn> : <a href=#htmlelement>H
<code title=attr-input-src><a href=#attr-input-src>src</a></code> attribute, relative to the
element, and if that is successful, must <a href=#fetch>fetch</a> the
resulting <a href=#absolute-url>absolute URL</a>:</p> <!-- Note how this does NOT
- happen when the base URL changes. -->
+ happen when the base URL changes. --> <!-- http-origin privacy
+ sensitive -->
<ul><li>The <code><a href=#the-input-element>input</a></code> element's <code title=attr-input-type><a href=#attr-input-type>type</a></code> attribute is first set to the
<a href=#image-button-state title=attr-input-type-image>Image Button</a> state
@@ -42341,14 +42357,15 @@ interface <dfn>DataGridListener</dfn> {
<dd>Append the command to the menu, respecting its <a href=#concept-facet title=concept-facet>facets</a><!-- we might need to be
explicit about what this means for each facet, if testing shows
this isn't well-implemented. e.g.: If there's an Icon facet for the
- command, it should be <span title="fetch">fetched</span>, and then
- that image should be associated with the command, such that each
- command only has its image fetched once, to prevent changes to the
- base URL from having effects after the image has been fetched
- once. (no need to resolve the Icon facet, it's an absolute URL)
- -->. <!--If the element is a <code>command</code> element with a
- <code title="attr-command-default">default</code> attribute, mark
- the command as being a default command.--></dd>
+ command, it should be <span title="fetch">fetched</span> (this
+ would be http-origin privacy-sensitive), and then that image should
+ be associated with the command, such that each command only has its
+ image fetched once, to prevent changes to the base URL from having
+ effects after the image has been fetched once. (no need to resolve
+ the Icon facet, it's an absolute URL) -->. <!--If the element is a
+ <code>command</code> element with a <code
+ title="attr-command-default">default</code> attribute, mark the
+ command as being a default command.--></dd>
<dt>An <code><a href=#the-hr-element>hr</a></code> element</dt>
@@ -48227,7 +48244,17 @@ document.body.appendChild(outer);</pre>
document</a> of <var title="">A</var> (possibly in fact being
<var title="">A</var> itself).</li>
- </ul></div>
+ </ul><hr><p>An element has a <dfn id=browsing-context-scope-origin>browsing context scope origin</dfn> if its
+ <code>Document</code>'s <a href=#browsing-context>browsing context</a> is a
+ <a href=#top-level-browsing-context>top-level browsing context</a> or if all of its
+ <code>Document</code>'s <a href=#ancestor-browsing-context title="ancestor browsing
+ context">ancestor browsing contexts</a> all have <a href=#active-document title="active document">active documents</a> whose
+ <a href=#origin>origin</a> are the <a href=#same-origin>same origin</a> as the
+ element's <code>Document</code>'s <a href=#origin>origin</a>. If an element
+ has a <a href=#browsing-context-scope-origin>browsing context scope origin</a>, then its value is
+ the <a href=#origin>origin</a> of the element's <code>Document</code>.</p>
+
+ </div>
<div class=impl>
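Review bot: the new definition is right for what it is used for: an element inside a frame with any cross-origin ancestor gets no browsing context scope origin, so the fetches that take it (`embed`, `object`, and the iframe/object navigation case later in this commit) fall back to the privacy-sensitive path instead of asserting the inner document's origin to the server. Two things worth stating: that the check is evaluated at the time of the fetch, since ancestor documents can be navigated after the element is created, and the grammar fix `whose origin are` to `whose origins are` (best made in `source`, since `index` is generated).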
@@ -52709,7 +52736,9 @@ NETWORK:
<li>
<p><i>Fetching the manifest</i>: <a href=#fetch>Fetch</a> the resource
- from <var title="">manifest URL</var>, and let <var title="">manifest</var> be that resource.</p>
+ from <var title="">manifest URL</var>, and let <var title="">manifest</var> be that resource.</p> <!-- http-origin
+ privacy sensitive, though it doesn't matter, since this can never
+ be cross-origin -->
<p>If the resource is labeled with the <a href=#mime-type>MIME type</a>
<code><a href=#text/cache-manifest>text/cache-manifest</a></code>, parse <var title="">manifest</var> according to the <a href=#parse-a-manifest title="parse a
@@ -52922,18 +52951,20 @@ NETWORK:
<li>
- <p><a href=#fetch>Fetch</a> the resource. If this is an <a href=#concept-appcache-upgrade title=concept-appcache-upgrade>upgrade attempt</a>, then
- use the <a href=#concept-appcache-newer title=concept-appcache-newer>newest</a>
- <a href=#application-cache>application cache</a> in <var title="">cache
- group</var> as an HTTP cache, and honor HTTP caching semantics
- (such as expiration, ETags, and so forth) with respect to that
- cache. User agents may also have other caches in place that are
- also honored.</p>
+ <p><a href=#fetch>Fetch</a> the resource, from the <a href=#origin>origin</a>
+ of the <a href=#url>URL</a> <var title="">manifest URL</var>. If
+ this is an <a href=#concept-appcache-upgrade title=concept-appcache-upgrade>upgrade
+ attempt</a>, then use the <a href=#concept-appcache-newer title=concept-appcache-newer>newest</a> <a href=#application-cache>application
+ cache</a> in <var title="">cache group</var> as an HTTP
+ cache, and honor HTTP caching semantics (such as expiration,
+ ETags, and so forth) with respect to that cache. User agents may
+ also have other caches in place that are also honored.</p> <!--
+ not http-origin privacy sensitive -->
<p class=note>If the resource in question is already being
downloaded for other reasons then the existing download process
- can be used for the purposes of this step, as defined by the
- <a href=#fetch title=fetch>fetching</a> algorithm.</p>
+ can sometimes be used for the purposes of this step, as defined
+ by the <a href=#fetch title=fetch>fetching</a> algorithm.</p>
<p class=example>An example of a resource that might already
be being downloaded is a large image on a Web page that is being
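Review bot: `from the <a href=#origin>origin</a> of the <a href=#url>URL</a> <var title="">manifest URL</var>` sends the manifest's origin, not the origin of the document that referenced the manifest, to whatever host serves each cached resource, and the trailing `<!-- not http-origin privacy sensitive -->` gives no reason for that choice. Since this is a disclosure decision it should carry a short rationale in the comment. The `can sometimes be used` edit in the note correctly tracks the tightened reuse condition in the fetching algorithm, where the Origin header must now match.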
@@ -53088,7 +53119,8 @@ NETWORK:
<p><a href=#fetch>Fetch</a> the resource from <var title="">manifest
URL</var> again, and let <var title="">second manifest</var> be
- that resource.</p>
+ that resource.</p> <!-- http-origin privacy sensitive, though it
+ doesn't matter, since this can never be cross-origin -->
</li>
@@ -54464,25 +54496,28 @@ NETWORK:
<p>Otherwise, <a href=#fetch>fetch</a> the new resource, if it has not
already been obtained<!-- it's obtained by <object>, for instance
- -->. If the resource is being fetched using HTTP, and the method
- is not GET<!-- or HEAD (but that can't happen) -->, then the user
- agent must include an <code title=http-origin>Origin</code>
- header whose value is determined as follows:</p>
+ -->.</p>
+
+ <p>If the resource is being fetched using a method other than one
+ <a href=#concept-http-equivalent-get title=concept-http-equivalent-get>equivalent to</a>
+ HTTP's GET<!-- or HEAD (but that can't happen) -->, or, if the
+ <a href=#navigate title=navigate>navigation algorithm</a> was invoked as
+ a result of the <a href=#concept-form-submit title=concept-form-submit>form submission
+ algorithm</a>, then the <a href=#fetch title=fetch>fetching
+ algorithm</a> must be invoked from the <a href=#origin>origin</a> of
+ the <a href=#active-document>active document</a> of the <a href=#source-browsing-context>source browsing
+ context</a>, if any.</p> <!-- potentially http-origin privacy
+ sensitive -->
+
+ <p>If the <a href=#browsing-context>browsing context</a> being navigated is a
+ <a href=#child-browsing-context>child browsing context</a> for an <code><a href=#the-iframe-element>iframe</a></code> or
+ <code><a href=#the-object-element>object</a></code> element, then the <a href=#fetch title=fetch>fetching
+ algorithm</a> must be invoked from the <code><a href=#the-iframe-element>iframe</a></code> or
+ <code><a href=#the-object-element>object</a></code> element's <a href=#browsing-context-scope-origin>browsing context scope
+ origin</a>, if it has one.</p> <!-- potentially http-origin
+ privacy sensitive -->
- <dl class=switch><dt>If the <a href=#navigate title=navigate>navigation</a> algorithm has
- so far contacted more than one <a href=#origin>origin</a></dt>
- <dt>If there is no <a href=#source-browsing-context>source browsing context</a></dt>
-
- <dd>The value must be the string "<code title="">null</code>".</dd>
-
- <dt>Otherwise</dt>
-
- <dd>The value must be the <a href=#ascii-serialization-of-an-origin title="ASCII serialization of an
- origin">ASCII serialization</a> of the <a href=#origin>origin</a> of
- the <a href=#active-document>active document</a> of the <a href=#source-browsing-context>source browsing
- context</a> at the time the navigation was started.</dd>
-
- </dl></li>
+ </li>
<li>
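Review bot: the removed `<dl class=switch>` spelled out when the Origin value is `null` (navigation has contacted more than one origin, presumably after a cross-origin redirect, or there is no source browsing context); the replacement only says the fetch is invoked `from the origin of the active document of the source browsing context, if any` and leaves the rest to [ORIGIN]. Please confirm the referenced draft covers the multiple-origin case so this is a delegation rather than a silent relaxation. Also, the two new paragraphs (non-GET or form submission: the source browsing context's origin; child browsing context for `iframe`/`object`: the element's scope origin) are not mutually exclusive, e.g. a form in a parent document targeting an iframe; say which one wins, or that both must yield the same origin.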
@@ -55429,7 +55464,9 @@ NETWORK:
<a href=#fetch title=fetch>fetching</a> the specified URLs using the
POST method, with an entity body with the <a href=#mime-type>MIME type</a>
<code><a href=#text/ping>text/ping</a></code> consisting of the four-character string
- "<code title="">PING</code>". All relevant cookie and HTTP
+ "<code title="">PING</code>", from the <a href=#origin>origin</a> of the
+ <code>Document</code> containing the <a href=#hyperlink>hyperlink</a>. <!--
+ not http-origin privacy sensitive --> All relevant cookie and HTTP
authentication headers must be included in the request. Which other
headers are required depends on the URLs involved.</p>
@@ -55466,13 +55503,7 @@ NETWORK:
nor include a <code title=http-ping-from>Ping-From</code> HTTP
header.</dd>
- </dl><p>In addition, an <code title=http-origin>Origin</code> header
- must always be included, whose value is the <a href=#ascii-serialization-of-an-origin title="ASCII
- serialization of an origin">ASCII serialization</a> of the
- <a href=#origin>origin</a> of the <code>Document</code> containing the
- <a href=#hyperlink>hyperlink</a>.</p>
-
- <p class=note>To save bandwidth, implementors might also wish to
+ </dl><p class=note>To save bandwidth, implementors might also wish to
consider omitting optional headers such as <code>Accept</code> from
these requests.</p>
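Review bot: the removed paragraph made the Origin header unconditional on ping requests (`must always be included`); after this change the guarantee rests on the fetch being invoked from the Document's origin (previous hunk) plus whatever [ORIGIN] requires for POST. If the draft does not mandate Origin on every POST, this hunk weakens the ping privacy property the old text gave, so please cross-check before landing, or keep one sentence stating that Origin is required regardless.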
@@ -74053,8 +74084,10 @@ time:empty { binding: <i title="">time</i>; }</pre>
its <a href=#fallback-content>fallback content</a>, the element must be ignored (it
represents nothing).</p>
- <p>Otherwise, <span class=XXX>define how the element works,
- if supported</span>.</p> <!-- remember to delay the laod event -->
+ <p>Otherwise, <span class=XXX>define how the element works, if
+ supported</span>.</p> <!-- remember to delay the load event --> <!--
+ remember to include ", from the element's <span>browsing context
+ scope origin</span> if it has one" when fetching -->
<p>The <code><a href=#the-applet-element>applet</a></code> element must implement the
<code><a href=#htmlappletelement>HTMLAppletElement</a></code> interface.</p>
@@ -74651,7 +74684,8 @@ interface <a href=#htmlheadelement>HTMLHeadElement</a> {
<li><p>For each token that is successfully resolved,
<a href=#fetch>fetch</a> the resulting <a href=#absolute-url>absolute URL</a> and
- apply the appropriate processing.</li>
+ apply the appropriate processing.</li> <!-- http-origin privacy
+ sensitive -->
</ol><p>The <dfn id=dom-head-profile title=dom-head-profile><code>profile</code></dfn> IDL
attribute of the <code><a href=#the-head-element-0>head</a></code> element must <a href=#reflect>reflect</a>
@@ -75871,6 +75905,11 @@ interface <a href=#htmldocument>HTMLDocument</a> {
in HTML/XHTML</a></cite>. In <cite>OpenSearch 1.1 Draft 4</cite>,
Section 4.6.2. OpenSearch.org.</dd>
+ <dt id=refsORIGIN>[ORIGIN]</dt>
+ <dd><cite><a href=http://tools.ietf.org/html/draft-abarth-origin>The HTTP
+ Origin Header</a></cite>, A. Barth, C. Jackson, I. Hickson. IETF,
+ September 2009.</dd>
+
<dt id=refsPINGBACK>[PINGBACK]</dt>
<dd><cite><a href=http://www.hixie.ch/specs/pingback/pingback>Pingback
1.0</a></cite>, S. Langridge, I. Hickson. January 2007.</dd>
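Review bot: the new [ORIGIN] entry cites `draft-abarth-origin` without a draft number, and the Origin semantics this commit depends on (privacy-sensitive context, the `null` value) are the parts most likely to change between revisions. Suggest citing the specific revision the text was synchronised against (the commit message says "the latest", so it is known at this point) so later readers can tell which rules the spec mirrors.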
271 source
@@ -4662,8 +4662,9 @@ a.setAttribute('href', 'http://example.com/'); // change the content attribute d
<h3>Fetching resources</h3>
- <p>When a user agent is to <dfn>fetch</dfn> a resource, the
- following steps must be run:</p>
+ <p>When a user agent is to <dfn>fetch</dfn> a resource, optionally
+ from an origin <i title="">origin</i>, the following steps must be
+ run:</p>
<ol>
@@ -4679,11 +4680,13 @@ a.setAttribute('href', 'http://example.com/'); // change the content attribute d
and the resource is to be obtained using an idempotent action
(such as an HTTP GET <span title="concept-http-equivalent-get">or
equivalent</span>), and it is already being downloaded for other
- reasons (e.g. another invocation of this algorithm), and the user
- agent is configured such that it is to reuse the data from the
- existing download instead of initiating a new one, then use the
- results of the existing download instead of starting a new
- one.</p>
+ reasons (e.g. another invocation of this algorithm), and this
+ request would be identical to the previous one (e.g. same <code
+ title="http-accept">Accept</code> and <code
+ title="http-origin">Origin</code> headers), and the user agent is
+ configured such that it is to reuse the data from the existing
+ download instead of initiating a new one, then use the results of
+ the existing download instead of starting a new one.</p>
<p>Otherwise, at a time convenient to the user and the user agent,
download (or otherwise obtain) the resource, applying the
@@ -4719,6 +4722,14 @@ a.setAttribute('href', 'http://example.com/'); // change the content attribute d
</dl>
+ <p>For the purposes of the <code title="http-origin">Origin</code>
+ header, if the <span title="fetch">fetching algorithm</span> was
+ explicitly initiated from an <i title="">origin</i>, then <i
+ title="">the origin that initiated the HTTP request</i> is <i
+ title="">origin</i>. Otherwise, this is <i title="">a request from
+ a "privacy-sensitive" context</i>. <a
+ href="#refsORIGIN">[ORIGIN]</a></p>
+
</li>
<li>
@@ -11019,14 +11030,15 @@ gave me some of the songs they wrote. I love sharing my music.&lt;/p>
applied (as defined below). <span class="impl">For external
resources that are represented in the DOM (for example, style
sheets), the DOM representation must be made available even if the
- resource is not applied. To obtain the resource, the user agent must
- <span title="resolve a url">resolve</span> the <span>URL</span>
- given by the <code title="attr-link-href">href</code> attribute,
- relative to the element, and then <span>fetch</span> the resulting
- <span>absolute URL</span>. User agents may opt to only
- <span>fetch</span> such resources when they are needed, instead of
- pro-actively <span title="fetch">fetching</span> all the external
- resources that are not applied.</span></p>
+ resource is not applied. To <dfn title="concept-link-obtain">obtain
+ the resource</dfn>, the user agent must <span title="resolve a
+ url">resolve</span> the <span>URL</span> given by the <code
+ title="attr-link-href">href</code> attribute, relative to the
+ element, and then <span>fetch</span> the resulting <span>absolute
+ URL</span>. User agents may opt to only <span>fetch</span> such
+ resources when they are needed, instead of pro-actively <span
+ title="fetch">fetching</span> all the external resources that are
+ not applied.</span></p> <!-- http-origin privacy sensitive -->
<div class="impl">
@@ -11161,15 +11173,18 @@ gave me some of the songs they wrote. I love sharing my music.&lt;/p>
the given type. If the attribute is omitted, but the external
resource link type has a default type defined, then the user agent
must assume that the resource is of that type. If the UA does not
- support the given <span>MIME type</span> for the given link relationship, then
- the UA should not fetch the resource; if the UA does support the
- given <span>MIME type</span> for the given link relationship, then the UA should
- <span>fetch</span> the resource. If the attribute is omitted, and
- the external resource link type does not have a default type
- defined, but the user agent would fetch the resource if the type was
- known and supported, then the user agent should <span>fetch</span>
- the resource under the assumption that it will be
- supported.</span></p>
+ support the given <span>MIME type</span> for the given link
+ relationship, then the UA should not <span
+ title="concept-link-obtain">obtain</span> the resource; if the UA
+ does support the given <span>MIME type</span> for the given link
+ relationship, then the UA should <span
+ title="concept-link-obtain">obtain</span> the resource. If the
+ attribute is omitted, and the external resource link type does not
+ have a default type defined, but the user agent would <span
+ title="concept-link-obtain">obtain</span> the resource if the type
+ was known and supported, then the user agent should <span
+ title="concept-link-obtain">obtain</span> the resource under the
+ assumption that it will be supported.</span></p>
<div class="impl">
@@ -12829,7 +12844,9 @@ people expect to have work and what is necessary.
attribute, then the value of that attribute must be <span
title="resolve a url">resolved</span> relative to the element, and
if that is successful, the specified resource must then be <span
- title="fetch">fetched</span>.</p>
+ title="fetch">fetched</span>, from the <span>origin</span> of the
+ element's <code>Document</code>.</p> <!-- not http-origin privacy
+ sensitive -->
<p>For historical reasons, if the <span>URL</span> is a <span
title="javascript protocol"><code title="">javascript:</code>
@@ -19644,7 +19661,8 @@ interface <dfn>HTMLImageElement</dfn> : <span>HTMLElement</span> {
user agent must <span title="resolve a url">resolve</span> the value
of that attribute, relative to the element, and if that is
successful must then <span>fetch</span> that resource.</p> <!-- Note
- how this does NOT happen when the base URL changes. -->
+ how this does NOT happen when the base URL changes. --> <!--
+ http-origin privacy sensitive -->
<p>The <code title="attr-img-src">src</code> attribute's value is an
<i>ignored self-reference</i> if its value is the empty string, and
@@ -21716,7 +21734,9 @@ href="?audio">audio&lt;/a> test instead.)&lt;/p></pre>
the value of the element's <code title="attr-embed-src">src</code>
attribute, relative to the element. If that is successful, the
user agent should <span>fetch</span> the resulting <span>absolute
- URL</span>. The <span title="concept-task">task</span> that is
+ URL</span>, from the element's <span>browsing context scope
+ origin</span> if it has one<!-- potentially http-origin privacy
+ sensitive -->. The <span title="concept-task">task</span> that is
<span title="queue a task">queued</span> by the <span>networking
task source</span> once the resource has been <span
title="fetch">fetched</span> must find and instantiate an
@@ -22048,7 +22068,9 @@ href="?audio">audio&lt;/a> test instead.)&lt;/p></pre>
element.</p>
<p>If that is successful, <span>fetch</span> the resulting
- <span>absolute URL</span>.</p>
+ <span>absolute URL</span>, from the element's <span>browsing
+ context scope origin</span> if it has one<!-- potentially
+ http-origin privacy sensitive -->.</p>
<!-- similar text in various places -->
<p>Fetching the resource must <span>delay the load event</span>
@@ -22592,10 +22614,12 @@ href="?audio">audio&lt;/a> test instead.)&lt;/p></pre>
is set, its value must be <span title="resolve a
url">resolved</span> relative to the element, and if that is
successful, the resulting <span>absolute URL</span> must be <span
- title="fetch">fetched</span>; this must <span>delay the load
- event</span> of the element's document. The <dfn>poster frame</dfn>
- is then the image obtained from that resource, if any.</span></p>
- <!-- thus it is unaffected by changes to the base URL. -->
+ title="fetch">fetched</span>, from the element's
+ <code>Document</code>'s <span>origin</span>; this must <span>delay
+ the load event</span> of the element's document. The <dfn>poster
+ frame</dfn> is then the image obtained from that resource, if
+ any.</span></p> <!-- thus it is unaffected by changes to the base
+ URL. -->
<p class="note">The image given by the <code
title="attr-video-poster">poster</code> attribute, the <i>poster
@@ -24053,7 +24077,9 @@ interface <dfn>CueRangeCallback</dfn> {
<li>
<p>Begin to <span>fetch</span> the <var title="">current media
- resource</var>.</p>
+ resource</var>, from the <span>media element</span>'s
+ <code>Document</code>'s <span>origin</span>.</p> <!-- not
+ http-origin privacy sensitive (looking forward to CORS here) -->
<p>Every 350ms (&#xB1;200ms) or for every byte received, whichever
is <em>least</em> frequent, <span>queue a task</span> to
@@ -38564,7 +38590,8 @@ interface <dfn>HTMLFormElement</dfn> : <span>HTMLElement</span> {
<code title="attr-input-src">src</code> attribute, relative to the
element, and if that is successful, must <span>fetch</span> the
resulting <span>absolute URL</span>:</p> <!-- Note how this does NOT
- happen when the base URL changes. -->
+ happen when the base URL changes. --> <!-- http-origin privacy
+ sensitive -->
<ul>
@@ -47238,14 +47265,15 @@ interface <dfn>DataGridListener</dfn> {
title="concept-facet">facets</span><!-- we might need to be
explicit about what this means for each facet, if testing shows
this isn't well-implemented. e.g.: If there's an Icon facet for the
- command, it should be <span title="fetch">fetched</span>, and then
- that image should be associated with the command, such that each
- command only has its image fetched once, to prevent changes to the
- base URL from having effects after the image has been fetched
- once. (no need to resolve the Icon facet, it's an absolute URL)
- -->. <!--If the element is a <code>command</code> element with a
- <code title="attr-command-default">default</code> attribute, mark
- the command as being a default command.--></dd>
+ command, it should be <span title="fetch">fetched</span> (this
+ would be http-origin privacy-sensitive), and then that image should
+ be associated with the command, such that each command only has its
+ image fetched once, to prevent changes to the base URL from having
+ effects after the image has been fetched once. (no need to resolve
+ the Icon facet, it's an absolute URL) -->. <!--If the element is a
+ <code>command</code> element with a <code
+ title="attr-command-default">default</code> attribute, mark the
+ command as being a default command.--></dd>
<dt>An <code>hr</code> element</dt>
@@ -54416,6 +54444,19 @@ document.body.appendChild(outer);</pre>
</ul>
+ <hr>
+
+ <p>An element has a <dfn>browsing context scope origin</dfn> if its
+ <code>Document</code>'s <span>browsing context</span> is a
+ <span>top-level browsing context</span> or if all of its
+ <code>Document</code>'s <span title="ancestor browsing
+ context">ancestor browsing contexts</span> all have <span
+ title="active document">active documents</span> whose
+ <span>origin</span> are the <span>same origin</span> as the
+ element's <code>Document</code>'s <span>origin</span>. If an element
+ has a <span>browsing context scope origin</span>, then its value is
+ the <span>origin</span> of the element's <code>Document</code>.</p>
+
</div>
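Review bot: "all of its Document's ancestor browsing contexts all have" doubles "all"; drop one. More substantively, the definition is evaluated against the ancestors' active documents, which change as those contexts navigate, but the text never says when it is evaluated. The navigation hunk later in this patch reads the scope origin at the moment it invokes the fetching algorithm, so state that the condition is checked when the fetch is started, so that a later navigation of an ancestor cannot retroactively change which origin was used.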
@@ -59591,7 +59632,9 @@ NETWORK:
<p><i>Fetching the manifest</i>: <span>Fetch</span> the resource
from <var title="">manifest URL</var>, and let <var
- title="">manifest</var> be that resource.</p>
+ title="">manifest</var> be that resource.</p> <!-- http-origin
+ privacy sensitive, though it doesn't matter, since this can never
+ be cross-origin -->
<p>If the resource is labeled with the <span>MIME type</span>
<code>text/cache-manifest</code>, parse <var
@@ -59850,19 +59893,21 @@ NETWORK:
<li>
- <p><span>Fetch</span> the resource. If this is an <span
- title="concept-appcache-upgrade">upgrade attempt</span>, then
- use the <span title="concept-appcache-newer">newest</span>
- <span>application cache</span> in <var title="">cache
- group</var> as an HTTP cache, and honor HTTP caching semantics
- (such as expiration, ETags, and so forth) with respect to that
- cache. User agents may also have other caches in place that are
- also honored.</p>
+ <p><span>Fetch</span> the resource, from the <span>origin</span>
+ of the <span>URL</span> <var title="">manifest URL</var>. If
+ this is an <span title="concept-appcache-upgrade">upgrade
+ attempt</span>, then use the <span
+ title="concept-appcache-newer">newest</span> <span>application
+ cache</span> in <var title="">cache group</var> as an HTTP
+ cache, and honor HTTP caching semantics (such as expiration,
+ ETags, and so forth) with respect to that cache. User agents may
+ also have other caches in place that are also honored.</p> <!--
+ not http-origin privacy sensitive -->
<p class="note">If the resource in question is already being
downloaded for other reasons then the existing download process
- can be used for the purposes of this step, as defined by the
- <span title="fetch">fetching</span> algorithm.</p>
+ can sometimes be used for the purposes of this step, as defined
+ by the <span title="fetch">fetching</span> algorithm.</p>
<p class="example">An example of a resource that might already
be being downloaded is a large image on a Web page that is being
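Review bot: the note's new "can sometimes be used" gives no hint of what decides it. This step now invokes the fetch from the origin of manifest URL, so the practical condition is that the existing download was made with the same request headers, in particular the same Origin; say that here rather than leaving the reader to rediscover it in the fetching algorithm. Also, since this fetch is tagged "not http-origin privacy sensitive", any server hosting an entry listed in the manifest will be told the manifest's origin; that is a normative consequence and deserves a sentence in the prose, not only an HTML comment.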
@@ -60045,7 +60090,8 @@ NETWORK:
<p><span>Fetch</span> the resource from <var title="">manifest
URL</var> again, and let <var title="">second manifest</var> be
- that resource.</p>
+ that resource.</p> <!-- http-origin privacy sensitive, though it
+ doesn't matter, since this can never be cross-origin -->
</li>
@@ -61662,27 +61708,26 @@ NETWORK:
<p>Otherwise, <span>fetch</span> the new resource, if it has not
already been obtained<!-- it's obtained by <object>, for instance
- -->. If the resource is being fetched using HTTP, and the method
- is not GET<!-- or HEAD (but that can't happen) -->, then the user
- agent must include an <code title="http-origin">Origin</code>
- header whose value is determined as follows:</p>
-
- <dl class="switch">
-
- <dt>If the <span title="navigate">navigation</span> algorithm has
- so far contacted more than one <span>origin</span></dt>
- <dt>If there is no <span>source browsing context</span></dt>
-
- <dd>The value must be the string "<code title="">null</code>".</dd>
-
- <dt>Otherwise</dt>
-
- <dd>The value must be the <span title="ASCII serialization of an
- origin">ASCII serialization</span> of the <span>origin</span> of
- the <span>active document</span> of the <span>source browsing
- context</span> at the time the navigation was started.</dd>
-
- </dl>
+ -->.</p>
+
+ <p>If the resource is being fetched using a method other than one
+ <span title="concept-http-equivalent-get">equivalent to</span>
+ HTTP's GET<!-- or HEAD (but that can't happen) -->, or, if the
+ <span title="navigate">navigation algorithm</span> was invoked as
+ a result of the <span title="concept-form-submit">form submission
+ algorithm</span>, then the <span title="fetch">fetching
+ algorithm</span> must be invoked from the <span>origin</span> of
+ the <span>active document</span> of the <span>source browsing
+ context</span>, if any.</p> <!-- potentially http-origin privacy
+ sensitive -->
+
+ <p>If the <span>browsing context</span> being navigated is a
+ <span>child browsing context</span> for an <code>iframe</code> or
+ <code>object</code> element, then the <span title="fetch">fetching
+ algorithm</span> must be invoked from the <code>iframe</code> or
+ <code>object</code> element's <span>browsing context scope
+ origin</span>, if it has one.</p> <!-- potentially http-origin
+ privacy sensitive -->
</li>
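Review bot: the two new paragraphs can both apply at once (a form in one document submitting into an iframe or object child browsing context: the non-GET rule selects the source document's origin, the child-context rule selects the element's browsing context scope origin), and nothing says which wins or whether the fetching algorithm may be given two origins. Make the cases exclusive or order them. Separately, the removed switch sent "null" both when the navigation had already contacted more than one origin and when there was no source browsing context; the replacement covers only the second case, implicitly via "if any". If the multi-origin redirect case is now meant to come from the Origin draft, say so with a [ORIGIN] reference here, as the EventSource hunk does.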
@@ -64644,7 +64689,9 @@ interface <dfn>SQLTransactionSync</dfn> {
<span title="fetch">fetching</span> the specified URLs using the
POST method, with an entity body with the <span>MIME type</span>
<code>text/ping</code> consisting of the four-character string
- "<code title="">PING</code>". All relevant cookie and HTTP
+ "<code title="">PING</code>", from the <span>origin</span> of the
+ <code>Document</code> containing the <span>hyperlink</span>. <!--
+ not http-origin privacy sensitive --> All relevant cookie and HTTP
authentication headers must be included in the request. Which other
headers are required depends on the URLs involved.</p>
@@ -64690,12 +64737,6 @@ interface <dfn>SQLTransactionSync</dfn> {
</dl>
- <p>In addition, an <code title="http-origin">Origin</code> header
- must always be included, whose value is the <span title="ASCII
- serialization of an origin">ASCII serialization</span> of the
- <span>origin</span> of the <code>Document</code> containing the
- <span>hyperlink</span>.</p>
-
<p class="note">To save bandwidth, implementors might also wish to
consider omitting optional headers such as <code>Accept</code> from
these requests.</p>
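Review bot: dropping the paragraph that required an Origin header to "always be included" leaves the ping Origin header depending entirely on the earlier hunk invoking the fetch from the hyperlink's Document origin and on [ORIGIN]. The surviving sentence "Which other headers are required depends on the URLs involved" no longer names Origin at all, and the bandwidth note immediately below talks about omitting headers; add a short non-normative pointer that an Origin header is sent per [ORIGIN] so implementors do not read Origin as optional.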
@@ -71065,9 +71106,9 @@ interface <dfn>SharedWorkerGlobalScope</dfn> : <span>WorkerGlobalScope</span> {
<p>When a user agent is to <dfn>run a worker</dfn> for a script with
<span>URL</span> <var title="">url</var>, a browsing context <var
- title="">owner browsing context</var>, and with global scope <var
- title="">worker global scope</var>, it must run the following
- steps:</p>
+ title="">owner browsing context</var>, an origin <var title="">owner
+ origin</var>, and with global scope <var title="">worker global
+ scope</var>, it must run the following steps:</p>
<ol>
@@ -71094,7 +71135,8 @@ interface <dfn>SharedWorkerGlobalScope</dfn> : <span>WorkerGlobalScope</span> {
<li>
<p>Attempt to <span>fetch</span> the resource identified by <var
- title="">url</var>.</p>
+ title="">url</var>, from the <var title="">owner origin</var>.</p>
+ <!-- not http-origin privacy sensitive -->
<p>If the attempt fails, or if the attempt involves any redirects
to URIs that do not have the <span>same origin</span> as <var
@@ -71533,9 +71575,8 @@ interface <dfn>Worker</dfn> : <span>AbstractWorker</span> {
<p>If the <span>origin</span> of the resulting <span>absolute
URL</span> is not the <span title="same origin">same</span> as the
- origin of the <span title="concept-script">script</span> that
- invoked the constructor, then throw a <span>security
- exception</span>.</p>
+ origin of the <span>first script</span>, then throw a
+ <span>security exception</span>.</p>
<p class="note">Thus, scripts must be external files with the same
scheme as the original page: you can't load a script from a <code
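Review bot: changing the subject of the same-origin check from "the script that invoked the constructor" to "the first script" changes the outcome whenever the constructor is reached through a function handed across a document boundary: the origin compared is now that of the script at the bottom of the call chain rather than the one that owns the Worker constructor being called. That is a deliberate security decision and should be stated in the commit message, which only mentions aligning with the Origin spec; the same change is made for SharedWorker further down, which is good, but the note that follows still speaks of "the original page" and should name the first script too.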
@@ -71619,8 +71660,9 @@ interface <dfn>Worker</dfn> : <span>AbstractWorker</span> {
<p><span>Run a worker</span> for the resulting <span>absolute
URL</span>, with the <span>script browsing context</span> of the
script that invoked the method as the <var title="">owner browsing
- context</var>, and with <var title="">worker global scope</var> as
- the global scope.</p>
+ context</var>, with the <span>origin</span> of the <span>first
+ script</span> as the <var title="">owner origin</var>, and with
+ <var title="">worker global scope</var> as the global scope.</p>
</li>
@@ -71667,7 +71709,7 @@ interface <dfn>SharedWorker</dfn> : <span>AbstractWorker</span> {
<p>If the <span>origin</span> of <var title="">scriptURL</var> is
not the <span title="same origin">same</span> as the origin of the
- script that invoked the constructor, then throw a <span>security
+ <span>first script</span>, then throw a <span>security
exception</span>.</p>
<p class="note">Thus, scripts must be external files with the same
@@ -71863,8 +71905,9 @@ interface <dfn>SharedWorker</dfn> : <span>AbstractWorker</span> {
<p><span>Run a worker</span> for <var title="">scriptURL</var>,
with the <span>script browsing context</span> of the script that
invoked the method as the <var title="">owner browsing
- context</var>, and with <var title="">worker global scope</var> as
- the global scope.</p>
+ context</var>, with the <span>origin</span> of the <span>first
+ script</span> as the <var title="">owner origin</var>, and with
+ <var title="">worker global scope</var> as the global scope.</p>
</li>
@@ -71923,7 +71966,9 @@ interface <dfn>WorkerUtils</dfn> {
<li>
<p>Attempt to <span>fetch</span> each resource identified by the
- resulting <span title="absolute URLs">absolute URL</span>.</p>
+ resulting <span title="absolute URLs">absolute URL</span>, from
+ the <span>first script</span>'s <span>origin</span>.</p> <!-- not
+ http-origin privacy sensitive -->
</li>
@@ -72305,7 +72350,9 @@ interface <dfn>EventSource</dfn> {
<li>
<p><span>Fetch</span> the resource identified by the resulting
- <span>absolute URL</span>, and process it as described below.</p>
+ <span>absolute URL</span>, from the <span>first script</span>'s
+ <span>origin</span>, and process it as described below.</p> <!--
+ not http-origin privacy sensitive -->
<p class="note">The definition of the <span
title="fetch">fetching</span> algorithm is such that if the
@@ -72482,6 +72529,10 @@ interface <dfn>EventSource</dfn> {
the resource at a later point, it must return to the previously
specified URL for this event source.</p>
+ <p class="note">The Origin specification also introduces some
+ relevant requirements when dealing with redirects. <a
+ href="#refsORIGIN">[ORIGIN]</a></p>
+
<p>HTTP 305 Use Proxy, HTTP 401 Unauthorized, and 407 Proxy
Authentication Required should be treated transparently as for any
other subresource.</p>
@@ -72518,9 +72569,12 @@ interface <dfn>EventSource</dfn> {
<code title="event-error">error</code> at the
<code>EventSource</code> object, and then <span>fetch</span> the
event source resource again after a delay equal to the reconnection
- time of the event source. <strong>Only if the user agent <span
- title="reset the connection">resets the connection</span> does the
- connection get opened anew!</strong></p>
+ time of the event source, from the same <span>origin</span> as the
+ original request triggered by the <code
+ title="dom-EventSource">EventSource()</code>
+ constructor. <strong>Only if the user agent <span title="reset the
+ connection">resets the connection</span> does the connection get
+ opened anew!</strong></p>
<p>When a user agent is to <dfn>fail the connection</dfn>, the user
agent must set the <code
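Review bot: "from the same origin as the original request triggered by the EventSource() constructor" reads like a same-origin comparison rather than an instruction to reuse an origin argument; say "from the origin that the EventSource() constructor passed to the fetching algorithm". The pinning itself is right: the origin sent on reconnect is fixed at construction and is not recomputed from the current first script or from wherever a redirect led, which matches the earlier requirement that reconnection returns to the originally specified URL.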
@@ -74166,6 +74220,10 @@ Proxy-authorization: Basic ZWRuYW1vZGU6bm9jYXBlcyE=</pre>
<hr>
<!--
+redirect support
+we should probably reintroduce this at some point, with the
+multi-origin semantics described in [ORIGIN] applying. (http-origin)
+
<p>If <var title="">mode</var> is <i title="">redirect</i>, then:
If there is not exactly one entry in the <var
title="">headers</var> list whose name is "<code
@@ -87828,8 +87886,10 @@ time:empty { binding: <i title="">time</i>; }</pre>
its <span>fallback content</span>, the element must be ignored (it
represents nothing).</p>
- <p>Otherwise, <span class="XXX">define how the element works,
- if supported</span>.</p> <!-- remember to delay the laod event -->
+ <p>Otherwise, <span class="XXX">define how the element works, if
+ supported</span>.</p> <!-- remember to delay the load event --> <!--
+ remember to include ", from the element's <span>browsing context
+ scope origin</span> if it has one" when fetching -->
<p>The <code>applet</code> element must implement the
<code>HTMLAppletElement</code> interface.</p>
@@ -88594,7 +88654,8 @@ interface <span>HTMLHeadElement</span> {
<li><p>For each token that is successfully resolved,
<span>fetch</span> the resulting <span>absolute URL</span> and
- apply the appropriate processing.</p></li>
+ apply the appropriate processing.</p></li> <!-- http-origin privacy
+ sensitive -->
</ol>
@@ -90082,6 +90143,12 @@ interface <span>HTMLDocument</span> {
in HTML/XHTML</a></cite>. In <cite>OpenSearch 1.1 Draft 4</cite>,
Section 4.6.2. OpenSearch.org.</dd>
+ <dt id="refsORIGIN">[ORIGIN]</dt>
+ <dd><cite><a
+ href="http://tools.ietf.org/html/draft-abarth-origin">The HTTP
+ Origin Header</a></cite>, A. Barth, C. Jackson, I. Hickson. IETF,
+ September 2009.</dd>
+
<dt id="refsPINGBACK">[PINGBACK]</dt>
<dd><cite><a
href="http://www.hixie.ch/specs/pingback/pingback">Pingback
