- From: Ian Hickson via cvs-syncmail <cvsmail@w3.org>
- Date: Wed, 18 Jun 2008 04:59:03 +0000
- To: public-html-commits@w3.org
Update of /sources/public/html5/spec In directory hutz:/tmp/cvs-serv14705 Modified Files: Overview.html Log Message: more notes on URLs (whatwg r1786) Index: Overview.html =================================================================== RCS file: /sources/public/html5/spec/Overview.html,v retrieving revision 1.975 retrieving revision 1.976 diff -u -d -r1.975 -r1.976 --- Overview.html 18 Jun 2008 04:30:19 -0000 1.975 +++ Overview.html 18 Jun 2008 04:59:00 -0000 1.976 @@ -27516,7 +27516,6 @@ interface.</p> <!-- XXX update to point to dom-click when we remove dom-command-click --> - <!-- XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX --> <h3 id=datatemplate><span class=secno>3.16 </span>Data Templates</h3> @@ -27711,12 +27710,13 @@ processing model is to be applied to that element. <p>The <code title=attr-template><a href="#template">template</a></code> - attribute, when specified, must be a URI to an XML or HTML document, or a - fragment identifier pointing at another part of the document. If there is - a fragment identifier present, then the element with that ID in the target - document must be a <code><a href="#datatemplate0">datatemplate</a></code> - element, otherwise, the root element must be a <code><a - href="#datatemplate0">datatemplate</a></code> element. + attribute, when specified, must be a valid URI (or IRI) to an XML or HTML + document, or a fragment identifier pointing at another part of the + document. If there is a fragment identifier present, then the element with + that ID in the target document must be a <code><a + href="#datatemplate0">datatemplate</a></code> element, otherwise, the root + element must be a <code><a href="#datatemplate0">datatemplate</a></code> + element. <p>The <dfn id=template0 title=dom-template><code>template</code></dfn> DOM attribute must <a href="#reflect">reflect</a> the <code 
@@ -27726,8 +27726,8 @@ <p>The <dfn id=ref title=attr-ref><code>ref</code></dfn> attribute may be specified on any element on which the <code title=attr-template><a href="#template">template</a></code> attribute is specified. If it is - specified, it must be a URI to an XML or HTML document, or a fragment - identifier pointing at another part of the document. + specified, it must be a valid URI (or IRI) to an XML or HTML document, or + a fragment identifier pointing at another part of the document. <p>When an element has a <code title=attr-template><a href="#template">template</a></code> attribute but no <code @@ -27781,6 +27781,7 @@ <h5 id=the-template><span class=secno>3.16.6.2. </span>The <code title=attr-template><a href="#template">template</a></code> attribute</h5> + <!-- XXXURL apply algorithms --> <p><dfn id=setting title=datatemplate-template-set>Setting</dfn>: When an <a href="#html-elements" title="HTML elements">HTML element</a> without a @@ -27790,10 +27791,11 @@ fetch the specified file<!-- XXX or queue it up to be fetched, or something --> and parse it (without a <a href="#browsing1">browsing context</a>) to - obtain a DOM. If the URI is the same as the URI of the current - document<!-- XXX xref -->, then the current document's DOM must be assumed - to be that parsed DOM. While this loading and parsing is in progress, the - element is said to be <em>busy loading the template rules or data</em>. + obtain a DOM. If the URI is the same as <span>the document's + address</span><!-- XXXDOCURL xref -->, then the current document's DOM + must be assumed to be that parsed DOM. While this loading and parsing is + in progress, the element is said to be <em>busy loading the template rules + or data</em>. <p>If the resource specified by the <code title=attr-template><a href="#template">template</a></code> attribute is not the current 
@@ -27906,6 +27908,7 @@ <h5 id=the-ref><span class=secno>3.16.6.3. </span>The <code title=attr-ref><a href="#ref">ref</a></code> attribute</h5> + <!-- XXXURL apply algorithms --> <p><dfn id=setting0 title=datatemplate-ref-set>Setting</dfn>: When an <a href="#html-elements" title="HTML elements">HTML element</a> without a @@ -27914,10 +27917,11 @@ must fetch the specified file<!-- XXX or queue it up to be fetched, or something --> and parse it (without a <a href="#browsing1">browsing context</a>) to - obtain a DOM. If the URI is the same as the URI of the current - document<!-- XXX xref -->, then the current document's DOM is assumed to - be that parsed DOM. While this loading and parsing is in progress, the - element is said to be <em>busy loading the template rules or data</em>. + obtain a DOM. If the URI is the same as <span>the document's + address</span><!-- XXXDOCURL xref -->, then the current document's DOM is + assumed to be that parsed DOM. While this loading and parsing is in + progress, the element is said to be <em>busy loading the template rules or + data</em>. <p>If the resource specified by the <code title=attr-ref><a href="#ref">ref</a></code> attribute is not the current @@ -29043,7 +29047,7 @@ href="#auxiliary0">auxiliary browsing context</a>. <p>The method has four arguments, though they are all optional.</p> - <!-- XXXURL rfc2119 this paragraph --> + <!-- XXXURL rfc2119 this paragraph, apply algorithms --> <p>The first argument, <var title="">url</var>, gives a valid URI (or IRI) for a page to load in the browsing context. If no arguments are provided, 
@@ -29085,7 +29089,8 @@ title=dom-open><a href="#open2">window.open()</a></code> API to open a page in an iframe, but, while doing so, holds the control key down, the user agent could override the selection of the target browsing context to - instead target a new tab. + instead target a new tab.</p> + <!-- XXXURL apply algorithms --> <p>Then, the user agent must <a href="#navigate">navigate</a> the selected <a href="#browsing1">browsing context</a> to the URI given in <var @@ -29146,7 +29151,8 @@ <p>These characteristics are defined as follows: - <dl> + <dl><!-- XXXURL change to URL --> + <dt>For URIs <dd> @@ -29154,19 +29160,26 @@ script origin</a> of the URI is whatever is returned by the following algorithm:</p> - <ol> + <ol><!-- XXXURL change to URL --> + <li> <p>Let <var title="">uri</var> be the URI for which the <a href="#origin0">origin</a> is being determined. + </li> + <!-- XXXURL apply algorithms --> <li> <p>Parse <var title="">uri</var> according to the rules described in RFC 3986 and RFC 3987. <a href="#references">[RFC3986]</a> <a href="#references">[RFC3987]</a> + </li> + <!-- XXXURL change to URL --> <li> <p>If <var title="">uri</var> does not use a server-based naming authority, then return a new globally unique identifier. + </li> + <!-- XXXURL use algorithms --> <li> <p>Let <var title="">scheme</var> be the <scheme> component of @@ -29176,10 +29189,14 @@ <li> <p>If the scheme is "<code title="">file</code>", then the user agent may return a UA-specific value. + </li> + <!-- XXXURL use algorithms --> <li> <p>Let <var title="">host</var> be the <host>/<ihost> component of the URI. + </li> + <!-- XXXURL use algorithms --> <li> <p>Apply the IDNA ToASCII algorithm to <var title="">host</var>, with @@ -29194,6 +29211,8 @@ <li> <p>Let <var title="">host</var> be the result of converting <var title="">host</var> to lowercase. + </li> + <!-- XXXURL use algorithms --> <li> <p>If no port is explicitly listed, then let <var title="">port</var> 
@@ -29223,26 +29242,32 @@ <dt>If a script is a function or other code reference created by another script - <dd>The owner is the script that created it. + <dd>The owner is the script that created it.</dd> + <!-- XXXURL JSURL issue --> <dt>If a script is a <a href="#the-javascript" title="javascript protocol"><code title="">javascript:</code> URI</a> that was returned - as the location of an HTTP redirect (or equivalent in other protocols) + as the location of an HTTP redirect (or equivalent in other protocols)</dt> + <!-- XXXURL JSURL issue --> <dd>The owner is the URI that redirected to the <a href="#the-javascript" title="javascript protocol"><code - title="">javascript:</code> URI</a>. + title="">javascript:</code> URI</a>.</dd> + <!-- XXXURL JSURL issue --> <dt>If a script is a <a href="#the-javascript" title="javascript protocol"><code title="">javascript:</code> URI</a> in an attribute <dd>The owner is the <code>Document</code> of the element on which the - attribute is found. + attribute is found.</dd> + <!-- XXXURL JSURL issue --> <dt>If a script is a <a href="#the-javascript" title="javascript - protocol"><code title="">javascript:</code> URI</a> in a style sheet + protocol"><code title="">javascript:</code> URI</a> in a style sheet</dt> + <!-- XXXURL use url --> - <dd>The owner is the URI of the style sheet. + <dd>The owner is the URI of the style sheet.</dd> + <!-- XXXURL JSURL issue --> <dt>If a script is a <a href="#the-javascript" title="javascript protocol"><code title="">javascript:</code> URI</a> to which a <a 
@@ -29252,21 +29277,25 @@ <dd>The owner is the <code>Document</code> of the <a href="#browsing1">browsing context</a>'s <a href="#active">active - document</a>. + document</a>.</dd> + <!-- XXXURL JSURL issue --> <dt>If a script is a <a href="#the-javascript" title="javascript protocol"><code title="">javascript:</code> URI</a> to which a <a href="#browsing1">browsing context</a> is being <a href="#navigate" - title=navigate>navigated</a>, the URI having been declared in markup + title=navigate>navigated</a>, the URI having been declared in markup</dt> + <!-- XXXURL use url --> <dd>The owner is the <code>Document</code> of the element (e.g. an <code><a href="#a">a</a></code> or <code><a - href="#area">area</a></code> element) that declared the URI. + href="#area">area</a></code> element) that declared the URI.</dd> + <!-- XXXURL JSURL issue --> <dt>If a script is a <a href="#the-javascript" title="javascript protocol"><code title="">javascript:</code> URI</a> to which a <a href="#browsing1">browsing context</a> is being <a href="#navigate" - title=navigate>navigated</a>, the URI having been provided by script + title=navigate>navigated</a>, the URI having been provided by script</dt> + <!-- XXXURL use url --> <dd>The owner is the script that provided the URI. </dl> 
@@ -29300,48 +29329,59 @@ track the <code>Document</code> to which the <code>XMLHttpRequest</code> object's <a href="http://dev.w3.org/2006/webapi/XMLHttpRequest-2/Overview.html#document-pointer"><code>Document</code> - pointer</a> pointed when it was created.) <a href="#references">[XHR]</a> + pointer</a> pointed when it was created.) <a href="#references">[XHR]</a></dd> + <!-- XXXURL JSURL issue --> <dt>If a <code>Document</code> or image was generated from a <a href="#the-javascript" title="javascript - protocol"><code>javascript:</code> URI</a> + protocol"><code>javascript:</code> URI</a></dt> + <!-- XXXURL JSURL issue --> <dd>The <a href="#origin0">origin</a> is equal to the <a href="#origin0">origin</a> of the script of that <a href="#the-javascript" title="javascript - protocol"><code>javascript:</code> URI</a>. + protocol"><code>javascript:</code> URI</a>.</dd> + <!-- XXXURL use url --> <dt>If a <code>Document</code> or image was served over the network and has an address that uses a URI scheme with a server-based naming - authority + authority</dt> + <!-- XXXURL use url --> <dd>The <a href="#origin0">origin</a> is the <a href="#origin0">origin</a> of the <span title="the document's address">full URI</span><!-- XXXDOCURL --> of the - <code>Document</code> or image. + <code>Document</code> or image.</dd> + <!-- XXXURL use url --> <dt>If a <code>Document</code> or image was generated from a <code title="">data:</code> URI that was returned as the location of an HTTP - redirect (or equivalent in other protocols) + redirect (or equivalent in other protocols)</dt> + <!-- XXXURL use url --> <dd>The <a href="#origin0">origin</a> is the <a href="#origin0">origin</a> of the URI that redirected to the <code - title="">data:</code> URI. 
+ title="">data:</code> URI.</dd> + <!-- XXXURL use url --> <dt>If a <code>Document</code> or image was generated from a <code title="">data:</code> URI found in another <code>Document</code> or in - a script + a script</dt> + <!-- XXXURL use url --> <dd>The <a href="#origin0">origin</a> is the <a href="#origin0">origin</a> of the <code>Document</code> or script in - which the <code title="">data:</code> URI was found. + which the <code title="">data:</code> URI was found.</dd> + <!-- XXXURL use url --> + <!-- XXXDOCURL use the document's address? --> <dt>If a <code>Document</code> has the URI "<code>about:blank</code>" <dd>The <a href="#origin0">origin</a> of the <code>Document</code> is <a href="#about-blank-origin">the <span>origin</span> it was assigned when - its browsing context was created</a>. + its browsing context was created</a>.</dd> + <!-- XXXURL data: URL issue --> <dt>If a <code>Document</code> or image was obtained in some other manner (e.g. a <code title="">data:</code> URI typed in by the user, a @@ -29515,7 +29555,8 @@ limited to: <ul> - <li>Processing of <code><a href="#script1">script</a></code> elements. + <li>Processing of <code><a href="#script1">script</a></code> elements.</li> + <!-- XXXURL JSURL issue --> <li>Processing of inline <code title="javascript protocol"><a href="#the-javascript">javascript:</a></code> URIs (e.g. the <code 
@@ -29600,16 +29641,20 @@ <h4 id=javascript-protocol><span class=secno>4.4.3 </span><dfn id=the-javascript title="javascript protocol">The <code title="">javascript:</code> protocol</dfn></h4> + <!-- XXXURL merge into URLs section? (we could define 'fetch'/'download' while we're at it?) --> + <!-- XXXURL JSURL issue --> <p>A URI using the <code title="">javascript:</code> protocol must, if and when dereferenced, be evaluated by executing the script obtained using the content retrieval operation defined for <code title="">javascript:</code> URIs. <a href="#references">[JSURI]</a></p> + <!-- XXXURL JSURL issue --> <!-- JSURI: http://ietfreport.isoc.org/all-ids/draft-hoehrmann-javascript-scheme-00.txt and http://www.websitedev.de/ietf/draft-hoehrmann-javascript-scheme-00.txt should be as stable as it gets, http://ietfreport.isoc.org/idref/draft-hoehrmann-javascript-scheme/ for the latest version --> + <!-- XXXURL JSURL issue --> <p>When a <a href="#browsing1">browsing context</a> is <a href="#navigate" title=navigate>navigated</a> to a <code>javascript:</code> URI, and the <a @@ -29617,7 +29662,8 @@ href="#same-origin">same origin</a> as the script given by that URI, the <a href="#script2">script execution context</a> must be the <code><a href="#window">Window</a></code> object of the <a - href="#browsing1">browsing context</a> being navigated. + href="#browsing1">browsing context</a> being navigated.</p> + <!-- XXXURL JSURL issue --> <p>When a browsing context is <a href="#navigate" title=navigate>navigated</a> to a <code>javascript:</code> URI, and the <a 
@@ -29628,18 +29674,21 @@ and the <a href="#script2">script execution context</a>'s associated <a href="#browsing1">browsing context</a> must be the <a href="#browsing1">browsing context</a> being <a href="#navigate" - title=navigate>navigated</a>. + title=navigate>navigated</a>.</p> + <!-- XXXURL JSURL issue --> <p>Otherwise, the <a href="#script2">script execution context</a> must be an empty object, and the <a href="#script2">script execution context</a>'s associated <a href="#browsing1">browsing context</a> must be the <a href="#browsing1">browsing context</a> of the <code>Document</code> object of the element, attribute, or style sheet from which the - <code>javascript:</code> URI was reached. + <code>javascript:</code> URI was reached.</p> + <!-- XXXURL JSURL issue --> <p>If the result of executing the script is void (there is no return value), then the URI must be treated in a manner equivalent to an HTTP - resource with an HTTP 204 No Content response. + resource with an HTTP 204 No Content response.</p> + <!-- XXXURL JSURL issue --> <p>Otherwise, the URI must be treated in a manner equivalent to an HTTP resource with a 200 OK response whose <a href="#content-type8" @@ -29651,13 +29700,13 @@ href="#img">img</a></code> elements, ignore the <a href="#content-type8" title=Content-Type>Content-Type metadata</a>. - <div class=example> + <div class=example> <!-- XXXURL JSURL issue --> <p>So for example a <code title="">javascript:</code> URI for a <code title=attr-img-src><a href="#src">src</a></code> attribute of an <code><a href="#img">img</a></code> element would be evaluated in the context of an empty object as soon as the attribute is set; it would then be sniffed to determine the image type and decoded as an image.</p> - + <!-- XXXURL JSURL issue --> <p>A <code title="">javascript:</code> URI in an <code title=attr-a-href>href</code> attribute of an <code><a href="#a">a</a></code> element would only be evaluated when the link was 
@@ -30068,6 +30117,7 @@ <code>preventDefault()</code> method must be called when the function returns true instead.</p> <!-- IE actually uncancels the event if the function returns true --> + <!-- XXX update the following to match DOM3 Events --> <p>All event handler attributes on an element, whether set to null or to a function, must be registered as event listeners on the element, as if the @@ -30216,7 +30266,7 @@ <p>The function referenced by the <code title=handler-onerror><a href="#onerror">onerror</a></code> attribute must be invoked with three arguments, before notifying the user of the error.</p> - + <!-- XXXURL use url, or address --> <p>The three arguments passed to the function are all <code>DOMString</code>s; the first must give the message that the UA is considering reporting, the second must give the URI to the resource in @@ -30718,7 +30768,7 @@ href="#registerprotocolhandler">registerProtocolHandler()</a></code> only) - <dd> + <dd> <!-- XXXURL use url --> <p>A scheme, such as <code>ftp</code> or <code>fax</code>. The scheme must be treated case-insensitively by user agents for the purposes of comparing with the scheme part of URIs that they consider against the 
@@ -30744,16 +30794,18 @@ parameters. Thus, if <var title="">mimeType</var> values passed to this method include characters such as commas or whitespace, or include MIME parameters, then the handler being registered will never be used.</p> + </dd> + <!-- XXXURL use url --> <dt><var title="">uri</var> - <dd> + <dd> <!-- XXXURL use url, algorithms --> <p>The URI of the page that will handle the requests. When the user agent uses this URI, it must replace the first occurrence of the exact literal string "<code>%s</code>" with an escaped version of the URI of the content in question (as defined below), and then fetch the resulting URI using the GET method (or equivalent for non-HTTP URIs).</p> - + <!-- XXXURL use url, algorithms --> <p>To get the escaped version of the URI, first, the domain part of the URI (if any) must be converted to its punycode representation, and then, every character in the URI that is not in the ranges given in the next @@ -30765,7 +30817,7 @@ <p>The ranges of characters that must not be escaped are: U+002D (-), U+002E (.), U+0030 (0) to U+0039 (9), U+0041 (A) to U+005A (Z), U+005F (_), U+0061 (a) to U+007A (z), and U+007E (~).</p> - <!-- XXX move that to a common algorithms section if any other + <!-- XXXURL move that to a common algorithms section if any other part of the spec needs it --> <div class=example> @@ -30776,7 +30828,7 @@ <p>...and then clicked on a link such as:</p> <pre><a href="http://www.example.net/chickenkïwi.soup">Download our Chicken Kiwi soup!</a></pre> - + <!-- XXXURL use url --> <p>...then, assuming this <code>chickenkïwi.soup</code> file was served with the MIME type <code>application/x-soup</code>, the UA might navigate to the following URI:</p> 
@@ -30794,6 +30846,7 @@ <p>A descriptive title of the handler, which the UA might use to remind the user what the site in question is.</p> </dl> + <!-- XXXURL use url --> <p>User agents should raise <a href="#security9" title="security exception">security exceptions</a> if the methods are called with <var @@ -30860,7 +30913,8 @@ against typical attacks against strings embedded in their interface, for example ensuring that markup or escape characters in such strings are not executed, that null bytes are properly handled, that over-long strings do - not cause crashes or buffer overruns, and so forth. + not cause crashes or buffer overruns, and so forth.</p> + <!-- XXXURL use url --> <p><strong>Leaking Intranet URIs.</strong> The mechanism described in this section can result in secret Intranet URIs being leaked, in the following @@ -30876,6 +30930,7 @@ <li>The user agent contacts the third party and hands the third party the URI to the Intranet content. </ol> + <!-- XXXURL use url --> <p>No actual confidential file data is leaked in this manner, but the URIs themselves could contain confidential information. For example, the URI @@ -30884,12 +30939,14 @@ which might tell the third party that Example Corporation is intending to merge with Samples LLC. Implementors might wish to consider allowing administrators to disable this feature for certain subdomains, content - types, or protocols. + types, or protocols.</p> + <!-- XXXURL use url --> <p><strong>Leaking secure URIs.</strong> User agents should not send HTTPS URIs to third-party sites registered as content handlers, in the same way that user agents do not send <code>Referer</code> headers from secure - sites to third-party sites. + sites to third-party sites.</p> + <!-- XXXURL use url --> <p><strong>Leaking credentials.</strong> User agents must never send username or password information in the URIs that are escaped and included 
@@ -30931,6 +30988,7 @@ | | | ( Trust kittens.example.org ) (( Cancel )) | |____________________________________________________________|</pre> + <!-- XXXURL use url --> <p>...where "Kittens at work" is the title of the page that invoked the method, "http://kittens.example.org/" is the URI of that page, "x-meow" is @@ -30943,10 +31001,12 @@ argument (<var title="">title</var>). <p>If the user clicks the Cancel button, then nothing further happens. If - the user clicks the "Trust" button, then the handler is remembered. + the user clicks the "Trust" button, then the handler is remembered.</p> + <!-- XXXURL use url --> <p>When the user then attempts to fetch a URI that uses the "x-meow:" - scheme, then it might display a dialog as follows: + scheme, then it might display a dialog as follows:</p> + <!-- XXXURL use url? --> <pre>||[ Unknown Protocol ]|||||||||||||||||||||||||||||||||||||||| | | @@ -30982,7 +31042,8 @@ <p>The <code title=dom-navigator-registerContentHandler><a href="#registercontenthandler">registerContentHandler()</a></code> method would work equivalently, but for unknown MIME types instead of unknown - protocols. + protocols.</p> + <!-- XXXURL XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX --> <h3 id=offline><span class=secno>4.7 </span>Offline Web applications</h3>
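Review bot: The comparison in the -27790 hunk (template "Setting"), "If the URI is the same as the document's address", is left undefined. The -27711 hunk allows the attribute to be a bare fragment identifier, and such a value would not equal the document's address unless it is first resolved and the fragment set aside. Suggest spelling out the comparison (resolve relative to the element, then compare ignoring the fragment identifier) when the "XXXDOCURL xref" marker is filled in.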
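Review bot: The ref paragraph rewrapped in the -27914 hunk still reads "the current document's DOM is assumed to be that parsed DOM", while the parallel template paragraph in the -27790 hunk reads "must be assumed". Both sentences are being touched here, so align the ref wording on "must be assumed" so that the two attributes carry the same conformance requirement.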
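Review bot: The markers added to the origin algorithm steps in the -29154 hunk mix "XXXURL apply algorithms", "XXXURL use algorithms" and "XXXURL change to URL" with nothing to say whether "apply" and "use" mean different follow-up work. This algorithm defines the origin that the same-origin checks depend on, so the notes on it should be unambiguous. Suggest one verb throughout, and have the marker on the parse step name the algorithm that is meant to replace "the rules described in RFC 3986 and RFC 3987".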
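Review bot: Nowhere in the -29600 hunk is the "XXXURL JSURL issue" marker explained, yet it is repeated before every paragraph of section 4.4.3 and again in the -29628 and -29651 hunks. Only the first added comment ("merge into URLs section?") carries any description. Suggest a single marker under the h4 with one line saying what the open question about javascript: URIs is, so that a later pass does not have to guess why each paragraph is flagged.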
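Review bot: The comment added in the -30068 hunk, "XXX update the following to match DOM3 Events", is unrelated to the log message "more notes on URLs" and, unlike every other marker in this revision, is not an XXXURL marker. Consider committing it separately, or mention it in the log message so that the event handler note can be found from the history.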
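Review bot: The "XXXURL use url, algorithms" markers on the escaping paragraphs in the -30744 hunk do not record the credential requirement that appears as context in the -30884 hunk ("User agents must never send username or password information in the URIs that are escaped and included"). The escaping steps visible here convert the domain to punycode and escape characters outside the listed ranges, with no step for userinfo. Suggest extending the marker to say that the algorithm, once written, has to drop username and password before escaping, so the two passages cannot drift apart.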
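Review bot: The long "XXXURL XXXX..." bar comment added before "4.7 Offline Web applications" in the -30982 hunk carries no text saying what it delimits, and the log message does not mention that the matching bar before "3.16 Data Templates" is removed in the -27516 hunk. If the bar records how far the URL pass has reached, say so in the comment itself.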
Received on Wednesday, 18 June 2008 04:59:39 UTC