This was missed in 6682bde.

According to CSP, the interface for the securitypolicyviolation event is SecurityPolicyViolationEvent, not Event: https://w3c.github.io/webappsec-csp/#report-violation.

Removes the idea of sectioning content influencing the document's outline. Instead, the outline is derived from all of the document's h1-h6 elements. (Sectioning content still plays a role in scoping header and footer elements.) This ensures that the outline generated by the outline algorithm, i.e. the document's semantics for authors, better aligns with the way screen reader users navigate through headings and the corresponding normative requirements for implementations in the HTML-AAM specification.

Updates the hgroup element to have a new content model, to use p elements for related content such as subheadings, alternative titles, or taglines (instead of using heading elements for those).

Updates all of the spec's examples to have proper outlines, according to the new outline algorithm. This includes preferring h2 to h1 in markup fragment cases, so as to better suggest that they are part of a larger document whose outline contains a h1.

Closes #83. Closes #3499 by superseding it. Closes #6462 by updating hgroup's suggested usage instead of obsoleting it. See #7867 for potential followup work in avoiding sectioning content and hgroup influencing the style of h1-h6 elements.

Co-authored-by: Anne van Kesteren <annevk@annevk.nl>
Co-authored-by: Domenic Denicola <d@domenic.me>

Closes #3871.

The comment to make the current behavior with bfcache more obvious, as mentioned in #6588. (This is just an additional note and doesn't actually change any behavior.)

Closes #6588.

Each time we are about to pause for a user prompt, and after each pause, invoke the appropriate WebDriver BiDi algorithms.

The example incorrectly used "password" instead of "current-password".

Fixes #8019.

This allows displaying Web Authentication credentials through conditional mediation.

Fixes #7999.

This is technically not a normative change right now, but it will be when whatwg/storage#144 lands.

This is notably planned to be used by the ARIA specification.

Co-authored-by: Alice Boxhall <aboxhall@chromium.org>

Closes #3917 by superseding it.

Fixes #4526.

Also remove our definition of the input event, instead pointing to the one in the UI Events specification.

Previously we only had one for origins.

Algorithmize USVString, DOMString, and DOMString? reflection. This is easier to read, partially because it spreads out the steps and branches, and partially because of the asserts making some conditions explicit.

Rewrites the section on enumerated attributes to be more clear about how they work. Notably this gives an explicit algorithm for determining the state, instead of a couple paragraphs of prose. It also broadens the definition of "canonical keyword" to automatically be determined in simpler cases, instead of only used in tricky cases.

Finally, make it clear that DOMString?-reflected enumerated attributes (of which crossOrigin/crossorigin=""  is the only one currently) are always "limited to only known values".

This ensures that ErrorEvent has equivalent expressiveness to reportError().

Fixes #7853.

Fixes #7973.

Both are already supported by Gecko, and WebKit and Chromium already support nonce.

See whatwg/fetch#1433 and whatwg/fetch#1432 for background.

Builds upon whatwg/fetch#1447.

Sometimes a navigation causes a BCG swap, e.g. when the cross-origin isolated capability changes. In that case:

* The timestamps should coarsened based on both documents.
* Some user-agents unload in parallel, which should not become part of the new document's timing info.
* Time origin should be according to the new global's time origin, but coarsened by both.

Closes w3c/navigation-timing#169.

See #7890 for more refactoring follow-up work.

Closes #7949.

Closes #7671. Per discussion there, this prefers httpwg.org links and then rfc-editor.org links, since these have reasonable formatting for recent specifications.

f495c02 added some verification to media range responses, but in reality this verification is not present in most implementations. See discussion in #7655 (comment).

RFC 9239 resolves the disagreement between WHATWG and IETF w.r.t. the JavaScript MIME type. This patch removes the mention of the previously required willful violation and cleans up the MIME type list, removing any JavaScript MIME types that are now no longer mentioned in the HTML Standard.

* Modernize the definitions and usage of various fields associated with script element, e.g. by removing "scare quotes", changing names from verbose things like "the script's type" to just "type", changing flags to booleans, ensuring initial values are defined, etc. Notable field changes:
    * Rename "the script's script" to "result". This serves as preparation for other specifications, such as import maps, which will expand what that field can contain.  
    * Rename "non-blocking" to "force async" to better communicate its connection to the async="" content attribute and to avoid confusion with the blocking="" content attribute.
* Revamp "the script is ready" into three separate concepts: "delaying the load event", "mark as ready", and "steps to run when the result is ready". Fixes #5217, in particular making it so that script elements which are never marked as ready (e.g., <script type="foobar">) don't delay the load event indefinitely.
* Un-export "prepare a script". All uses of it in external specs are either monkeypatches or non-normative references.
* Rename "prepare a script" to "prepare the script element" to emphasize it's about the `<script>` element, not about the separate script concept.
* Rewrite the final of "prepare the script element" from a switch into a series of nested if/else blocks, which better communicates how we can land in the various different script element execution modes.
* Rename "execute a script block" to "execute the script element", since "block" is a strange term.
* Various other editorial improvements to those two algorithms.

Fixes #7736.

Closes #7808.