W3C home > Mailing lists > Public > public-html-commits@w3.org > April 2010

html5/spec Overview.html,1.3997,1.3998

From: Ian Hickson via cvs-syncmail <cvsmail@w3.org>
Date: Tue, 06 Apr 2010 00:43:18 +0000
To: public-html-commits@w3.org
Message-Id: <E1Nywsw-00010P-BB@lionel-hutz.w3.org>
Update of /sources/public/html5/spec
In directory hutz:/tmp/cvs-serv3846

Modified Files:
	Overview.html 
Log Message:
Make 'fetch' algorithm have a mode where it doesn't do redirects. Make 'navigate' algorithm block cross-origin non-safe non-POST redirects. (whatwg r4975)

Index: Overview.html
===================================================================
RCS file: /sources/public/html5/spec/Overview.html,v
retrieving revision 1.3997
retrieving revision 1.3998
diff -u -d -r1.3997 -r1.3998
--- Overview.html	6 Apr 2010 00:08:15 -0000	1.3997
+++ Overview.html	6 Apr 2010 00:43:14 -0000	1.3998
@@ -5255,9 +5255,10 @@
 
   <p>When a user agent is to <dfn id="fetch">fetch</dfn> a resource or
   <a href="#url">URL</a>, optionally from an origin <i title="">origin</i>,
-  and optionally with a <i>synchronous flag</i>, the following steps
-  must be run. (When a <em>URL</em> is to be fetched, the URL
-  identifies a resource to be obtained.)</p>
+  and optionally with a <i>synchronous flag</i> and/or a <i>manual
+  redirect flag</i>, the following steps must be run. (When a
+  <em>URL</em> is to be fetched, the URL identifies a resource to be
+  obtained.)</p>
 
   <!-- if invoked with the synchronous flag, make sure to release the
   storage mutex first -->
@@ -5303,6 +5304,8 @@
 
    <li>
 
+    <p>This is the <i>main step</i>.</p>
+
     <p>If the resource is identified by an <a href="#absolute-url">absolute URL</a>,
     and the resource is to be obtained using an idempotent action
     (such as an HTTP GET <a href="#concept-http-equivalent-get" title="concept-http-equivalent-get">or
@@ -5316,13 +5319,9 @@
     <p>Otherwise, at a time convenient to the user and the user agent,
     download (or otherwise obtain) the resource, applying the
     semantics of the relevant specifications (e.g. performing an HTTP
-    GET or POST operation, or reading the file from disk, following
-    redirects, <a href="#concept-js-deref" title="concept-js-deref">dereferencing <span title="javascript protocol"><code title="">javascript:</code>
-    URLs</span></a>, etc).</p>
-
-    <p class="note">The HTTP specification requires that 301, 302, and
-    307 redirects, when applied to methods other than the safe
-    methods, not be followed without user confirmation. <a href="#refsHTTP">[HTTP]</a></p>
+    GET or POST operation, or reading the file from disk, <a href="#concept-js-deref" title="concept-js-deref">dereferencing <span title="javascript
+    protocol"><code title="">javascript:</code> URLs</span></a>,
+    etc).</p>
 
     <p>For the purposes of the <code title="http-referer">Referer</code> (sic) header, use the
     <i>address of the resource from which Request-URIs are
@@ -5359,6 +5358,39 @@
 
    <li>
 
+    <p>If the fetched resource is an HTTP redirect <a href="#concept-http-equivalent-codes" title="concept-http-equivalent-codes">or equivalent</a>,
+    then:</p>
+
+    <dl class="switch"><dt>If the <i>manual redirect flag</i> is set</dt>
+
+     <dd>
+
+      <p>Continue, using the fetched resource (the redirect) as the
+      result of the algorithm.</p>
+
+     </dd>
+
+     <dt>Otherwise</dt>
+
+     <dd>
+
+      <p>First, apply any relevant requirements for redirects (such as
+      showing any appropriate prompts). Then, redo <i>main step</i>,
+      but using the target of the redirect as the resource to fetch,
+      rather than the original resource.</p>
+
+      <p class="note">The HTTP specification requires that 301, 302,
+      and 307 redirects, when applied to methods other than the safe
+      methods, not be followed without user confirmation. That would
+      be an appropriate prompt for the purposes of the requirement in
+      the paragraph above. <a href="#refsHTTP">[HTTP]</a></p>
+
+     </dd>
+
+    </dl></li>
+
+   <li>
+
     <p>If the algorithm was not invoked with the <i>synchronous
     flag</i>: When the resource is available, or if there is an error
     of some description, <a href="#queue-a-task">queue a task</a> that uses the
@@ -42614,9 +42646,9 @@
     application cache at all; the submission will be made to the
     network.</p>
 
-    <p>Otherwise, <a href="#fetch">fetch</a> the new resource, if it has not
-    already been obtained<!-- it's obtained by <object>, for instance
-    -->.</p>
+    <p>Otherwise, unless it has already been obtained<!-- it's
+    obtained by <object>, for instance -->, <a href="#fetch">fetch</a> the new
+    resource, with the <i>manual redirect flag</i> set.</p>
 
     <p>If the resource is being fetched using a method other than one
     <a href="#concept-http-equivalent-get" title="concept-http-equivalent-get">equivalent to</a>
@@ -42641,16 +42673,29 @@
 
    <li>
 
-    <p>At this point the user agents must return to whatever algorithm
-    invoked the navigation steps and must continue these steps
-    asynchronously.</p>
+    <p>At this point, unless this step has already been reached once
+    before in the execution of this instance of the algorithm, the
+    user agents must return to whatever algorithm invoked the
+    navigation steps and must continue these steps asynchronously.</p>
 
    </li>
 
    <li>
 
-    <p>If fetching the resource results in a redirect, return to <a href="#navigate-fragid-step">the step labeled "fragment
-    identifiers"</a> with the new resource.</p>
+    <p>If fetching the resource results in a redirect, and either the
+    <a href="#url">URL</a> of the target of the redirect has the <a href="#same-origin">same
+    origin</a> as the original resource, or the resource is being
+    obtained using the POST method or a safe method (in HTTP terms),
+    return to <a href="#navigate-fragid-step">the step labeled
+    "fragment identifiers"</a> with the new resource.</p>
+
+    <p>Otherwise, if fetching the resource results in a redirect but
+    the <a href="#url">URL</a> of the target of the redirect does not have
+    the <a href="#same-origin">same origin</a> as the original resource and the
+    resource is being obtained using a method that is neither the POST
+    method nor a safe method (in HTTP terms), then abort these
+    steps. The user agent may indicate to the user that the navigation
+    has been aborted for security reasons.</p>
 
    </li>
 
@@ -67801,6 +67846,7 @@
   Dean Edwards,
   Debi Orton,
   Derek Featherstone,
+  Devdatta,
   Dimitri Glazkov,
   Dimitry Golubovsky,
   Divya Manian,
Received on Tuesday, 6 April 2010 00:43:19 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 6 April 2010 00:43:24 GMT