Commits on Jul 25, 2016
  1. @sideshowbarker @annevk

    Editorial: fix markup flub

    Fix markup typo from 39118df that broke a “child browsing context” dfn xref.
    sideshowbarker committed with annevk Jul 25, 2016
  2. @sideshowbarker @annevk

    Editorial: fix typo

    sideshowbarker committed with annevk Jul 25, 2016
Commits on Jul 22, 2016
  1. @jungkees @annevk

    Service workers: enable the client message queue

    A ServiceWorkerContainer object has a client message queue task source, initially disabled, which holds tasks until the client is ready to get the messages from its service worker. This patch adds a condition that enables the task source:
    
    * when DOMContentLoaded is dispatched
    * when a worker client has executed run a worker algorithm
    
    Related issue: slightlyoff/ServiceWorker#728
    Related commit: slightlyoff/ServiceWorker@5c0ecae
    jungkees committed with annevk Jul 22, 2016
Commits on Jul 21, 2016
  1. @domenic @annevk

    Editorial: use "active function object" more often

    In #1541, a few checks on the "currently-executing constructor" were
    added. The pull request review revealed that this phrase was not
    sufficiently precise, so it was replaced with "active function object",
    a term defined in the JavaScript specification. However, this was only
    done in one of the three places the imprecise term appears. This tidies
    up the other two.
    domenic committed with annevk Jul 21, 2016
  2. @annevk @domenic

    Parse postMessage()'s targetOrigin argument

    Requiring something to be an “absolute URL” doesn’t really mean
    anything to a processing model.
    
    This also makes postMessage() consistently use “this Window object”,
    “associated Document”, and explicitly refer to the origins being
    compared.
    
    Fixes #1579.
    annevk committed with domenic Jul 21, 2016
  3. @domenic @annevk

    Implement new custom element adoption semantics

    This, in conjunction with whatwg/dom#279,
    fixes w3c/webcomponents#512. Custom elements
    now carry with them their custom element definition. An adoptedCallback
    is invoked upon cross-document adoption.
    domenic committed with annevk Jul 21, 2016
  4. @domenic @annevk

    Disallow customElements.define being given named constructors

    #1411 disallowed passing in interface objects, but forgot named
    constructors like Image, Audio, and Option. Noted during the review of
    w3c/web-platform-tests#3308.
    domenic committed with annevk Jul 21, 2016
Commits on Jul 20, 2016
  1. @jakearchibald @domenic

    ImageBitmap: improvements to createImageBitmap clips/resizes/transforms

    * No longer exits early if no cropping specified
    * Cropping happens before resizing
    * If the crop rectangle is outside the dimensions of the original image,
      it's clipped, which is consistent with drawImage
    * If only one of resizeWidth / resizeHeight is specified, it maintains
      ratio with the cropped area
    
    PR: #1546
    jakearchibald committed with domenic Jul 20, 2016
  2. @domenic

    Be more precise about nested and discarded browsing contexts

    This commit tries to clear up some of the confusion in the current spec
    around nested and discarded browsing contexts, and how they impact the
    processing model.
    
    First, many of the definitions in the "nested browsing context" section
    are rephrased for clarity. Per #1180, the term "nested browsing context"
    itself becomes a field of a "browsing context container". The field has
    values of either a browsing context, or null. Then, all algorithms which
    refer to a browsing context container's nested browsing context are
    explicitly updated to account for the null case. In particular, this
    makes it clearer that when a browsing context is discarded, the
    associated browsing context container has its nested browsing context
    set to null.
    
    Then, we make a normative change to make window.{top, parent,
    frameElement} all return null when their associated browsing context has
    been discarded. As discussed in #1279, browser behavior here varies
    extensively, but nobody seems to follow the current spec at all, so we
    went with the 2/4 majority of returning null. A test case is at
    http://software.hixie.ch/utilities/js/live-dom-viewer/?saved=4317. We
    add an example to the spec to make the intended behavior clear.
    
    We also make the normative change that documents in discarded browsing
    contexts (i.e. documents belonging to iframe windows when the iframe has
    been removed from the document) have no browsing context. This may have
    been the intention of the spec previously, but a strict reading did not
    support it. Regardless, all user agents seem to agree on this point, as
    seen by how defaultView no longer returns the WindowProxy in
    http://software.hixie.ch/utilities/js/live-dom-viewer/?saved=4336, and
    how fetches do not happen and script is not executed in
    http://software.hixie.ch/utilities/js/live-dom-viewer/?saved=4339. (They
    differ in the particulars due to bugs, e.g. some return undefined when
    they should return null, and Edge seems to keep the Location object
    around and to give strange errors when accessing defaultView.)
    
    Along the way, this clarifies some of the garbage collection behavior
    and includes a number of editorial tweaks, notably including the
    movement of the definition of "associated Document" to the Window
    object's section, and uniformizing all references to it. (They were
    previously a hodgepodge of "associated Document", "newest Document",
    and "window's Document object".)
    
    Fixes #1180. Fixes #1279.
    domenic committed on GitHub Jul 20, 2016
  3. @domenic

    Use only the incumbent global in postMessage

    Previously one of the origin checks was performed with the entry
    settings object, while the origin and source attributes of the resulting
    MessageEvent were derived from the incumbent settings object. At least
    WebKit and Blink appear to use the same global for both, and it makes
    sense to align the checks on the same global.
    
    The difference is only observable in test cases that fiddle with
    document.domain, as entry and incumbent are always same origin-domain
    (but, in document.domain cases, not always same origin).
    
    Fixes #1542. Helps #1431 but hurts #1430.
    domenic committed on GitHub Jul 20, 2016
  4. @domenic @annevk
Commits on Jul 19, 2016
  1. @domenic @annevk

    Disallow mismatches between custom element local names and brands

    Without this fix, it is possible to install the brand for one type of
    element on an element with a different local name, in one of two
    different ways (both shown here as examples). This fix makes the super()
    call throw when this is attempted, preserving the invariant that a brand
    is only installed on an element with the correct local name.
    
    Originally discussed at
    https://bugs.chromium.org/p/chromium/issues/detail?id=619062.
    domenic committed with annevk Jul 19, 2016
  2. @domenic @annevk

    Do not fetch stylesheets in documents without a browsing context

    This fixes #1495 by changing the "appropriate times to obtain the
    resource" to require that the <link rel="stylesheet"> element be in a
    document that has a browsing context.
    domenic committed with annevk Jul 19, 2016
Commits on Jul 18, 2016
  1. @domenic

    Use current settings object in content document definition

    Since this is a same origin-domain check, we can use any settings
    object, as they are all same origin-domain. Part of #1430.
    domenic committed Jul 12, 2016
  2. @domenic

    Use relevant settings object in protocol handlers

    The test at https://url-parsing-entry-gjqursujea.now.sh/entry/entry.html
    reveals that Firefox at least uses relevant for URL parsing. Boris says
    that Firefox does something nonsensical for the origin check and that he
    would prefer relevant or current.
    
    Code inspection reveals that Blink and WebKit use relevant for both URL
    parsing and origin checking:
    
    - https://chromium.googlesource.com/chromium/src/+/ee94bde91c72a046bec15436d56cfe32bb0e524c/third_party/WebKit/Source/modules/navigatorcontentutils/NavigatorContentUtils.cpp#71
    - https://github.com/WebKit/webkit/blob/83624b838d4fa81df77060c51b09587169f8ff19/Source/WebCore/Modules/navigatorcontentutils/NavigatorContentUtils.cpp#L109
    
    Edge does not support these methods.
    
    Helps with #1431.
    domenic committed Jul 12, 2016
  3. @domenic

    Use the associated document for pushState/replaceState's origin check

    This updates the origin check in pushState/replaceState to use the
    origin of the document of the relevant History object, instead of that
    of the entry settings object. This more correctly matches 2/3 open
    source browsers:
    
    - https://chromium.googlesource.com/chromium/src/+/c21f0b11ac83ea970d0eaf6a0b223d48a32a4b32/third_party/WebKit/Source/core/frame/History.cpp#234
    - https://github.com/WebKit/webkit/blob/0ee7b606dbf35d9688c15b19b1a83ec1ff242cd7/Source/WebCore/page/History.cpp#L150
    
    (Gecko does no such security check). It also helps with #1431.
    
    While there, cleaned up some redundant steps and tightened wording.
    domenic committed Jul 12, 2016
  4. @domenic

    Use "current settings object" in the frameElement origin check

    Since this is a same origin-domain check, we can use any settings
    object, as they are all same origin-domain. Part of #1431.
    domenic committed Jul 12, 2016
  5. @domenic @annevk

    Remove the "replace" argument to window.open()

    As shown by
    http://software.hixie.ch/utilities/js/live-dom-viewer/?saved=4320, this
    has only ever been implemented in one browser (IE/Edge). In the many
    years since it was added to the spec, no other engines have made a move
    to support this feature. It is time to remove it.
    
    Previous discussion at
    https://www.w3.org/Bugs/Public/show_bug.cgi?id=12735.
    
    Closes #1537.
    domenic committed with annevk Jul 18, 2016
  6. @domenic

    Remove the unimplemented <input type="range" multiple>

    This was added in 1efac39 as a result
    of https://www.w3.org/Bugs/Public/show_bug.cgi?id=13154. Despite
    definite web developer interest and some implementer support at the
    time, implementation progress or commitment has not materialized in the
    intervening 2.5 years, and it should be removed.
    
    Fixes #1520.
    domenic committed on GitHub Jul 18, 2016
  7. @domenic

    Prevent double custom element constructor calls

    If creating an element failed the first time due to a misbehaving
    constructor, it was possible that in the future we would try to upgrade
    the element, running the constructor again. This commit uses the
    newly-introduced (as of whatwg/dom#282) custom
    element state of "failed" to prevent upgrading such elements.
    
    Fixes w3c/webcomponents#533.
    domenic committed on GitHub Jul 18, 2016
  8. @annevk @domenic

    Editorial: text field → text control

    Also change one instance of dropdown to drop down, describe a password
    control consistently, and describe a multiline text control consistently.
    
    Note however that even with these changes there’s still quite a few
    uses of “field” around the autofill feature, including for actual
    terms. It also didn’t make sense to me to use control for all form
    controls. E.g., multi-select listbox is a pretty established term.
    
    Fixes part of #1508.
    annevk committed with domenic Jul 18, 2016
  9. @domenic @annevk
  10. @domenic @annevk

    Editorial: clean up InitializeHostDefinedRealm invocations

    As of tc39/ecma262@7032383,
    it is no longer necessary to specify "Do not obtain any source texts for
    scripts or modules" when invoking JavaScript's
    InitializeHostDefinedRealm abstract operation. Fixes #1528.
    domenic committed with annevk Jul 18, 2016
Commits on Jul 15, 2016
  1. @sideshowbarker @domenic
  2. @mikewest @domenic

    Add 'creator context security'

    Secure Contexts relied on 'creator Document', which was removed in
    whatwg/html#987. This patch caches the security status of that
    Document for the new browsing context's security checks.
    
    w3c/webappsec-secure-contexts#37
    mikewest committed with domenic Jul 15, 2016
  3. @mikewest @domenic

    Upstream SharedWorker constructor changes from Secure Contexts

    Monkey-patches bad. Upstreaming good. Closes w3c/webappsec-secure-contexts#31.
    mikewest committed with domenic Jul 15, 2016
Commits on Jul 14, 2016
  1. @domenic

    Add the onloadend content and IDL event handler attribute

    Fixes #1551. This was an oversight when adding the loadstart/loadend
    events to the image loading sequence.
    domenic committed on GitHub Jul 14, 2016
  2. @domenic

    Remove unnecessary and unimplemented canvas tainting when painting text

    As discussed in #1540, this check does not give any additional
    protections over those already provided by CORS, which these days fonts
    are subject to.
    
    Fixes #1540. Helps with #1431.
    domenic committed on GitHub Jul 14, 2016
Commits on Jul 13, 2016
  1. @domenic

    Use the Window's associated Document for allow-modals sandbox checks

    This fixes #1206. As noted there, the previous indirections were wacky
    and unnecessary.
    
    Chrome and Firefox nightly implement a slightly different behavior,
    choosing the Window's browsing context's active Document, instead of the
    Window's associated Document. This can be different in edge cases as
    discussed in #1473 (comment).
    However, in Firefox they are not distinguishable, due to another
    security check that prevents these edge cases from being triggered.
    #1548 proposes to add a security check like Firefox's to the spec, which
    would obviate the difference in all cases. In the meantime, the choice
    of associated Document is more straightforward.
    domenic committed on GitHub Jul 13, 2016
  2. @hayatoito @domenic

    Make DragEvents composed events

    Reflect the conclusion of w3c/webcomponents#513.
    hayatoito committed with domenic Jul 14, 2016
Commits on Jul 12, 2016
  1. @foolip

    Editorial: ack Jens Oliver Meiert (was Jens Meiert) (#1536)

    Fixes #1532.
    foolip committed on GitHub Jul 12, 2016
Commits on Jul 7, 2016
  1. @ExplodingCabbage @domenic

    Fix erroneous categories/parents for <style> in the element index

    These were true when the index of elements was introduced, but obsoleted
    when #1226 removed the scoped attribute.
    
    Fixes #1521.
    ExplodingCabbage committed with domenic Jul 7, 2016
  2. @annevk @domenic

    Set current entry earlier in "traverse the history"

    It was inconsistent with pushState() and could actually be observed due
    to synchronous event dispatch.
    
    This also makes a clarifying change to consistently refer to the
    substeps of a particular step.
    
    Fixes #1511.
    annevk committed with domenic Jul 7, 2016
  3. @zcorpan @domenic

    Allow anything in <template> for document conformance

    Anything goes (except parse errors) for things where there is no
    browsing context, in particular for <template> template contents.
    
    Fixes #541.
    zcorpan committed with domenic Jul 7, 2016
  4. @annevk

    Align with vocabulary changes in the DOM Standard

    This commit makes two normative changes:
    
    * It fixes "prepare a script" to not abort inside shadow trees.
    * It makes <img> use "connected" (though further study of <img> is probably warranted).
    
    It also aligns with changes in the DOM Standard that are editorial:
    
    * “in a document” -> “in a document tree” (instances that are still “in a document” require further investigation)
    * “in a shadow-including document” -> “is connected”
    * “node is connected” -> “becomes connected”
    * “node is disconnected” -> “becomes disconnected”
    
    Fixes whatwg/dom#238.
    annevk committed on GitHub Jul 7, 2016