
[cgiow] (0) Change cross-origin='' to crossorigin='' since people don't seem to like hyphens. Poor hyphens.

Fixing http://www.w3.org/Bugs/Public/show_bug.cgi?id=12679

git-svn-id: http://svn.whatwg.org/webapps@6147 340c8d12-0b0e-0410-8428-c7bf67bfef74
Hixie committed May 23, 2011
1 parent d712658 commit a6793215666a66622f190966d4fd7a057eb9f201
Showing with 114 additions and 111 deletions.
  1. +37 −36 complete.html
  2. +37 −36 index
  3. +40 −39 source
<table><thead><tr><th> Keyword
<th> State
<th> Brief description
<tbody><tr><td><dfn id=attr-cross-origin-anonymous-keyword title=attr-cross-origin-anonymous-keyword><code>anonymous</code></dfn>
<td><dfn id=attr-cross-origin-anonymous title=attr-cross-origin-anonymous>Anonymous</dfn>
<tbody><tr><td><dfn id=attr-crossorigin-anonymous-keyword title=attr-crossorigin-anonymous-keyword><code>anonymous</code></dfn>
<td><dfn id=attr-crossorigin-anonymous title=attr-crossorigin-anonymous>Anonymous</dfn>
<td>Cross-origin CORS requests for the element will not have the <i>credentials flag</i> set.
<tr><td><dfn id=attr-cross-origin-use-credentials-keyword title=attr-cross-origin-use-credentials-keyword><code>use-credentials</code></dfn>
<td><dfn id=attr-cross-origin-use-credentials title=attr-cross-origin-use-credentials>Use Credentials</dfn>
<tr><td><dfn id=attr-crossorigin-use-credentials-keyword title=attr-crossorigin-use-credentials-keyword><code>use-credentials</code></dfn>
<td><dfn id=attr-crossorigin-use-credentials title=attr-crossorigin-use-credentials>Use Credentials</dfn>
<td>Cross-origin CORS requests for the element will have the <i>credentials flag</i> set.
</table><p>The empty string is also a valid keyword, and maps to the <a href=#attr-cross-origin-anonymous title=attr-cross-origin-anonymous>Anonymous</a> state. The
attribute's <i>invalid value default</i> is the <a href=#attr-cross-origin-anonymous title=attr-cross-origin-anonymous>Anonymous</a> state. The
</table><p>The empty string is also a valid keyword, and maps to the <a href=#attr-crossorigin-anonymous title=attr-crossorigin-anonymous>Anonymous</a> state. The
attribute's <i>invalid value default</i> is the <a href=#attr-crossorigin-anonymous title=attr-crossorigin-anonymous>Anonymous</a> state. The
<i>missing value default</i>, used when the attribute is omitted, is
the <dfn id=attr-cross-origin-none title=attr-cross-origin-none>No CORS</dfn> state.</p>
the <dfn id=attr-crossorigin-none title=attr-crossorigin-none>No CORS</dfn> state.</p>


<h4 id=cors-enabled-fetch><span class=secno>2.7.6 </span>CORS-enabled fetch</h4>

<p>When the user agent is required to perform a <dfn id=potentially-cors-enabled-fetch>potentially
CORS-enabled fetch</dfn> of an <a href=#absolute-url>absolute URL</a> <var title="">URL</var>, with a mode <var title="">mode</var> that is
either "<a href=#attr-cross-origin-none title=attr-cross-origin-none>No CORS</a>", "<a href=#attr-cross-origin-anonymous title=attr-cross-origin-anonymous>Anonymous</a>", or "<a href=#attr-cross-origin-use-credentials title=attr-cross-origin-use-credentials>Use Credentials</a>",
either "<a href=#attr-crossorigin-none title=attr-crossorigin-none>No CORS</a>", "<a href=#attr-crossorigin-anonymous title=attr-crossorigin-anonymous>Anonymous</a>", or "<a href=#attr-crossorigin-use-credentials title=attr-crossorigin-use-credentials>Use Credentials</a>",
an <a href=#origin>origin</a> <var title="">origin</var>, and a default
origin behaviour <var title="">default</var> which is either
"<i>taint</i>" or "<i>fail</i>", it must run the first applicable
set of steps from the following list. The default origin behaviour
is only used if <var title="">mode</var> is "<a href=#attr-cross-origin-none title=attr-cross-origin-none>No CORS</a>". This algorithm wraps
is only used if <var title="">mode</var> is "<a href=#attr-crossorigin-none title=attr-crossorigin-none>No CORS</a>". This algorithm wraps
the <a href=#fetch>fetch</a> algorithm above, and labels the obtained
resource as either <dfn id=cors-same-origin>CORS-same-origin</dfn> or
<dfn id=cors-cross-origin>CORS-cross-origin</dfn>, or blocks the resource entirely.</p>

<dl class=switch><dt>If <var title="">mode</var> is "<a href=#attr-cross-origin-none title=attr-cross-origin-none>No CORS</a>"</dt>
<dl class=switch><dt>If <var title="">mode</var> is "<a href=#attr-crossorigin-none title=attr-crossorigin-none>No CORS</a>"</dt>

<dd>
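Review bot: the dfn ids in the keyword table and the "No CORS" definition are renamed together with the attribute (id=attr-cross-origin-anonymous becomes id=attr-crossorigin-anonymous, and likewise for -use-credentials and -none), so any existing link to the old fragment identifiers stops resolving. The in-document hrefs shown here are updated to match, but links from outside the document cannot be. Suggest either keeping the old ids as extra anchors or confirming that nothing outside the spec points at them.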

</ol></dd>


<dt>If <var title="">mode</var> is "<a href=#attr-cross-origin-anonymous title=attr-cross-origin-anonymous>Anonymous</a>" or "<a href=#attr-cross-origin-use-credentials title=attr-cross-origin-use-credentials>Use
<dt>If <var title="">mode</var> is "<a href=#attr-crossorigin-anonymous title=attr-crossorigin-anonymous>Anonymous</a>" or "<a href=#attr-crossorigin-use-credentials title=attr-crossorigin-use-credentials>Use
Credentials</a>"</dt>

<dd>
<i>request URL</i> set to <var title="">URL</var>, the
<i>source origin</i> set to <var title="">origin</var>, and the
<i>credentials flag</i> set to true if <var title="">mode</var>
is "<a href=#attr-cross-origin-use-credentials title=attr-cross-origin-use-credentials>Use
is "<a href=#attr-crossorigin-use-credentials title=attr-crossorigin-use-credentials>Use
Credentials</a>" and set to false otherwise. <a href=#refsCORS>[CORS]</a></li>

<li><p>Wait for the CORS <a href=#cross-origin-request-status>cross-origin request status</a>
<dd><a href=#global-attributes>Global attributes</a></dd>
<dd><code title=attr-img-alt><a href=#attr-img-alt>alt</a></code></dd>
<dd><code title=attr-img-src><a href=#attr-img-src>src</a></code></dd>
<dd><code title=attr-img-cross-origin><a href=#attr-img-cross-origin>cross-origin</a></code></dd>
<dd><code title=attr-img-crossorigin><a href=#attr-img-crossorigin>crossorigin</a></code></dd>
<dd><code title=attr-hyperlink-usemap><a href=#attr-hyperlink-usemap>usemap</a></code></dd>
<dd><code title=attr-img-ismap><a href=#attr-img-ismap>ismap</a></code></dd>
<dd><code title=attr-dim-width><a href=#attr-dim-width>width</a></code></dd>

Slight hitch: their images are at a different origin, and we
don't want to allow arbitrary cross-origin inspection (privacy
leak risk).
leak risk). So it will require them to do CORS opt-in.

* See note at rel=noreferrer.
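Review bot: the sentence added after "leak risk)." ("So it will require them to do CORS opt-in.") is a content change, not part of the cross-origin to crossorigin rename that the commit message describes. Suggest landing it in a separate commit so the rename stays a mechanical change that is easy to audit.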

display transparent images, as they rarely convey meaning and rarely
add anything useful to the document.</p>

<p>The <dfn id=attr-img-cross-origin title=attr-img-cross-origin><code>cross-origin</code></dfn>
<p>The <dfn id=attr-img-crossorigin title=attr-img-crossorigin><code>crossorigin</code></dfn>
attribute is a <a href=#cors-settings-attribute>CORS settings attribute</a>.</p>

<div class=impl>

<p>Otherwise, do a <a href=#potentially-cors-enabled-fetch>potentially CORS-enabled fetch</a> of
the resulting <a href=#absolute-url>absolute URL</a>, with the <i>mode</i>
being the state of the element's <code title=attr-img-cross-origin><a href=#attr-img-cross-origin>cross-origin</a></code> content
being the state of the element's <code title=attr-img-crossorigin><a href=#attr-img-crossorigin>crossorigin</a></code> content
attribute, the <i><a href=#origin>origin</a></i> being the <a href=#origin>origin</a> of the
<code><a href=#the-img-element>img</a></code> element's <code><a href=#document>Document</a></code>, and the
<i>default origin behaviour</i> set to <i>taint</i>.</p>
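Review bot: the mode for the img fetch is now read only from the crossorigin content attribute, and nothing in this change says what happens to markup that already uses the cross-origin spelling. By the definition earlier in the diff, an omitted attribute gives the No CORS state, so an img that opted in with cross-origin=anonymous would be fetched as No CORS with the default origin behaviour of taint. If the hyphenated spelling was ever deployed, suggest a note for authors; if it was not, say so in the commit message.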
conjunction with scripting, though scripting isn't actually
necessary to carry out such an attack). User agents may implement
<a href=#origin title=origin>cross-origin</a> access control policies
that mitigate this attack, but unfortunately such policies are
typically not compatible with existing Web content.</p>
that are stricter than those described above to mitigate this
attack, but unfortunately such policies are typically not
compatible with existing Web content.</p>

</li>
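Review bot: the replacement paragraph removes the link to #origin around the words "cross-origin" and rewords the sentence to "policies that are stricter than those described above", which changes what the spec prose says rather than renaming the attribute. Suggest splitting this rewording into its own commit with its own rationale, and checking whether dropping the #origin link is intended.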

name.</p>

<p>The <dfn id=dom-img-crossorigin title=dom-img-crossOrigin><code>crossOrigin</code></dfn> IDL
attribute must <a href=#reflect>reflect</a> the <code title=attr-img-cross-origin><a href=#attr-img-cross-origin>cross-origin</a></code> content
attribute must <a href=#reflect>reflect</a> the <code title=attr-img-crossorigin><a href=#attr-img-crossorigin>crossorigin</a></code> content
attribute.</p>

<p>The <dfn id=dom-img-usemap title=dom-img-useMap><code>useMap</code></dfn> IDL
<dt>Content attributes:</dt>
<dd><a href=#global-attributes>Global attributes</a></dd>
<dd><code title=attr-media-src><a href=#attr-media-src>src</a></code></dd>
<dd><code title=attr-media-cross-origin><a href=#attr-media-cross-origin>cross-origin</a></code></dd>
<dd><code title=attr-media-crossorigin><a href=#attr-media-crossorigin>crossorigin</a></code></dd>
<dd><code title=attr-video-poster><a href=#attr-video-poster>poster</a></code></dd>
<dd><code title=attr-media-preload><a href=#attr-media-preload>preload</a></code></dd>
<dd><code title=attr-media-autoplay><a href=#attr-media-autoplay>autoplay</a></code></dd>
<dt>Content attributes:</dt>
<dd><a href=#global-attributes>Global attributes</a></dd>
<dd><code title=attr-media-src><a href=#attr-media-src>src</a></code></dd>
<dd><code title=attr-media-cross-origin><a href=#attr-media-cross-origin>cross-origin</a></code></dd>
<dd><code title=attr-media-crossorigin><a href=#attr-media-crossorigin>crossorigin</a></code></dd>
<dd><code title=attr-media-preload><a href=#attr-media-preload>preload</a></code></dd>
<dd><code title=attr-media-autoplay><a href=#attr-media-autoplay>autoplay</a></code></dd>
<dd><code title=attr-media-mediagroup><a href=#attr-media-mediagroup>mediagroup</a></code></dd>
<a href=#mutabletexttrack>MutableTextTrack</a> <a href=#dom-media-addtexttrack title=dom-media-addTextTrack>addTextTrack</a>(in DOMString kind, in optional DOMString label, in optional DOMString language);
};</pre>

<p>The <dfn id=media-element-attributes>media element attributes</dfn>, <code title=attr-media-src><a href=#attr-media-src>src</a></code>, <code title=attr-media-cross-origin><a href=#attr-media-cross-origin>cross-origin</a></code>, <code title=attr-media-preload><a href=#attr-media-preload>preload</a></code>, <code title=attr-media-autoplay><a href=#attr-media-autoplay>autoplay</a></code>,
<p>The <dfn id=media-element-attributes>media element attributes</dfn>, <code title=attr-media-src><a href=#attr-media-src>src</a></code>, <code title=attr-media-crossorigin><a href=#attr-media-crossorigin>crossorigin</a></code>, <code title=attr-media-preload><a href=#attr-media-preload>preload</a></code>, <code title=attr-media-autoplay><a href=#attr-media-autoplay>autoplay</a></code>,
<code title=attr-media-mediagroup><a href=#attr-media-mediagroup>mediagroup</a></code>,
<code title=attr-media-loop><a href=#attr-media-loop>loop</a></code>,
<code title=attr-media-muted><a href=#attr-media-muted>muted</a></code>, and <code title=attr-media-controls><a href=#attr-media-controls>controls</a></code>, apply to all <a href=#media-element title="media element">media elements</a>. They are defined in
attribute, if present, must contain a <a href=#valid-non-empty-url-potentially-surrounded-by-spaces>valid non-empty
URL potentially surrounded by spaces</a>.</p>

<p>The <dfn id=attr-media-cross-origin title=attr-media-cross-origin><code>cross-origin</code></dfn>
<p>The <dfn id=attr-media-crossorigin title=attr-media-crossorigin><code>crossorigin</code></dfn>
content attribute on <a href=#media-element title="media element">media
elements</a> is a <a href=#cors-settings-attribute>CORS settings attribute</a>.</p>

<a href=#reflect>reflect</a> the content attribute of the same name.</p>

<p>The <dfn id=dom-media-crossorigin title=dom-media-crossOrigin><code>crossOrigin</code></dfn> IDL
attribute must <a href=#reflect>reflect</a> the <code title=attr-media-cross-origin><a href=#attr-media-cross-origin>cross-origin</a></code> content
attribute must <a href=#reflect>reflect</a> the <code title=attr-media-crossorigin><a href=#attr-media-crossorigin>crossorigin</a></code> content
attribute.</p>

</div>
<p>Perform a <a href=#potentially-cors-enabled-fetch>potentially CORS-enabled fetch</a> of the
<var title="">current media resource</var>'s <a href=#absolute-url>absolute
URL</a>, with the <i>mode</i> being the state of the
<a href=#media-element>media element</a>'s <code title=attr-media-cross-origin><a href=#attr-media-cross-origin>cross-origin</a></code> content
<a href=#media-element>media element</a>'s <code title=attr-media-crossorigin><a href=#attr-media-crossorigin>crossorigin</a></code> content
attribute, the <i><a href=#origin>origin</a></i> being the <a href=#origin>origin</a> of the
<a href=#media-element>media element</a>'s <code><a href=#document>Document</a></code>, and the
<i>default origin behaviour</i> set to <i>taint</i>.</p>

<p>If <var title="">URL</var> is not the empty string, perform a
<a href=#potentially-cors-enabled-fetch>potentially CORS-enabled fetch</a> of <var title="">URL</var>, with the <i>mode</i> being the state of the
<a href=#media-element>media element</a>'s <code title=attr-media-cross-origin><a href=#attr-media-cross-origin>cross-origin</a></code> content
<a href=#media-element>media element</a>'s <code title=attr-media-crossorigin><a href=#attr-media-crossorigin>crossorigin</a></code> content
attribute, the <i><a href=#origin>origin</a></i> being the <a href=#origin>origin</a> of the
<a href=#media-element>media element</a>'s <code><a href=#document>Document</a></code>, and the
<i>default origin behaviour</i> set to <i>fail</i>.</p>
obtained if the user agent further exposes metadata within the
content such as subtitles or chapter titles. Such information is
therefore only exposed if the video resource passes a CORS
<a href=#resource-sharing-check>resource sharing check</a>. The <code title=attr-media-cross-origin><a href=#attr-media-cross-origin>cross-origin</a></code> attribute allows
<a href=#resource-sharing-check>resource sharing check</a>. The <code title=attr-media-crossorigin><a href=#attr-media-crossorigin>crossorigin</a></code> attribute allows
authors to control how this check is performed. <a href=#refsCORS>[CORS]</a></p>

<p class=example>Without this restriction, an attacker could trick
<a href=#transparent>transparent</a>*</td>
<td><a href=#global-attributes title="global attributes">globals</a>;
<code title=attr-media-src><a href=#attr-media-src>src</a></code>;
<code title=attr-media-cross-origin><a href=#attr-media-cross-origin>cross-origin</a></code>;
<code title=attr-media-crossorigin><a href=#attr-media-crossorigin>crossorigin</a></code>;
<code title=attr-media-preload><a href=#attr-media-preload>preload</a></code>;
<code title=attr-media-autoplay><a href=#attr-media-autoplay>autoplay</a></code>;
<code title=attr-media-mediagroup><a href=#attr-media-mediagroup>mediagroup</a></code>;
<td><a href=#global-attributes title="global attributes">globals</a>;
<code title=attr-img-alt><a href=#attr-img-alt>alt</a></code>;
<code title=attr-img-src><a href=#attr-img-src>src</a></code>;
<code title=attr-img-cross-origin><a href=#attr-img-cross-origin>cross-origin</a></code>;
<code title=attr-img-crossorigin><a href=#attr-img-crossorigin>crossorigin</a></code>;
<code title=attr-hyperlink-usemap><a href=#attr-hyperlink-usemap>usemap</a></code>;
<code title=attr-img-ismap><a href=#attr-img-ismap>ismap</a></code>;
<code title=attr-dim-width><a href=#attr-dim-width>width</a></code>;
<a href=#transparent>transparent</a>*</td>
<td><a href=#global-attributes title="global attributes">globals</a>;
<code title=attr-media-src><a href=#attr-media-src>src</a></code>;
<code title=attr-media-cross-origin><a href=#attr-media-cross-origin>cross-origin</a></code>;
<code title=attr-media-crossorigin><a href=#attr-media-crossorigin>crossorigin</a></code>;
<code title=attr-video-poster><a href=#attr-video-poster>poster</a></code>;
<code title=attr-media-preload><a href=#attr-media-preload>preload</a></code>;
<code title=attr-media-autoplay><a href=#attr-media-autoplay>autoplay</a></code>;
<td> <code title=attr-area-coords><a href=#attr-area-coords>area</a></code>
<td> Coordinates for the shape to be created in an <a href=#image-map>image map</a>
<td> <a href=#valid-list-of-integers>Valid list of integers</a>*
<tr><th> <code title="">cross-origin</code>
<td> <code title=attr-media-cross-origin><a href=#attr-media-cross-origin>audio</a></code>;
<code title=attr-img-cross-origin><a href=#attr-img-cross-origin>img</a></code>;
<code title=attr-media-cross-origin><a href=#attr-media-cross-origin>video</a></code>
<td> How the element handles cross-origin requests.
<td> "<code title=attr-cross-origin-anonymous-keyword><a href=#attr-cross-origin-anonymous-keyword>anonymous</a></code>"; "<code title=attr-cross-origin-use-credentials-keyword><a href=#attr-cross-origin-use-credentials-keyword>use-credentials</a></code>"
<tr><th> <code title="">crossorigin</code>
<td> <code title=attr-media-crossorigin><a href=#attr-media-crossorigin>audio</a></code>;
<code title=attr-img-crossorigin><a href=#attr-img-crossorigin>img</a></code>;
<code title=attr-media-crossorigin><a href=#attr-media-crossorigin>video</a></code>
<td> How the element handles crossorigin requests.
<td> "<code title=attr-crossorigin-anonymous-keyword><a href=#attr-crossorigin-anonymous-keyword>anonymous</a></code>"; "<code title=attr-crossorigin-use-credentials-keyword><a href=#attr-crossorigin-use-credentials-keyword>use-credentials</a></code>"
<tr><th> <code title="">data</code>
<td> <code title=attr-object-data><a href=#attr-object-data>object</a></code>
<td> Address of the resource
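Review bot: in the attribute index row the description now reads "How the element handles crossorigin requests." The rename applies to the attribute name, but this sentence describes cross-origin requests as a concept, so the hyphen should stay: "How the element handles cross-origin requests." It looks like the search-and-replace caught prose it should have skipped.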
