- From: Ian Hickson via cvs-syncmail <cvsmail@w3.org>
- Date: Thu, 27 Nov 2008 02:20:14 +0000
- To: public-html-commits@w3.org
Update of /sources/public/html5/spec In directory hutz:/tmp/cvs-serv14538 Modified Files: Overview.html Log Message: Clear up document.cookie; make document.open() update the doc address. (whatwg r2469) Index: Overview.html =================================================================== RCS file: /sources/public/html5/spec/Overview.html,v retrieving revision 1.1639 retrieving revision 1.1640 diff -u -d -r1.1639 -r1.1640 --- Overview.html 27 Nov 2008 02:00:35 -0000 1.1639 +++ Overview.html 27 Nov 2008 02:20:11 -0000 1.1640 
@@ -4763,25 +4763,29 @@ referrers in the case where the referrer uses an encrypted protocol and the current page does not (e.g. when navigating from an <code title="">https:</code> page to an <code title="">http:</code> page).</p><hr><p>The <dfn id=dom-document-cookie title=dom-document-cookie><code>cookie</code></dfn> - attribute represents the cookies of the resource.</p><!-- XXX this needs work; e.g. document.open() should return the - cookies of the document that called document.open(), not of - about:blank or the document that had .open() called on, as I - understand it. --><p id=sandboxCookies>On getting, if the <a href=#sandboxed-origin-browsing-context-flag>sandboxed origin - browsing context flag</a> is set on the <a href=#browsing-context>browsing - context</a> of the document, the user agent must raise a - <code><a href=#security_err>SECURITY_ERR</a></code> exception. Otherwise, it must return the - same string as the value of the <code title="">Cookie</code> HTTP - header it would include if <a href=#fetch title=fetch>fetching</a> the - resource indicated by <a href=#the-document-s-address>the document's address</a> over HTTP, - as per RFC 2109 section 4.3.4 or later specifications. <a href=#references>[RFC2109]</a> <a href=#references>[RFC2965]</a><p>On setting, if the <a href=#sandboxed-origin-browsing-context-flag>sandboxed origin browsing context - flag</a> is set on the <a href=#browsing-context>browsing context</a> of the - document, the user agent must raise a <code><a href=#security_err>SECURITY_ERR</a></code> - exception. Otherwise, the user agent must act as it would when - processing cookies if it had just attempted to <a href=#fetch>fetch</a> - <a href=#the-document-s-address>the document's address</a> over HTTP, and had received a - response with a <code>Set-Cookie</code> header whose value was the - specified value, as per RFC 2109 sections 4.3.1, 4.3.2, and 4.3.3 or - later specifications. 
<a href=#references>[RFC2109]</a> <a href=#references>[RFC2965]</a><p class=note>Since the <code title=dom-document-cookie><a href=#dom-document-cookie>cookie</a></code> attribute is accessible + attribute represents the cookies of the resource.<p id=sandboxCookies>On getting, if the document is not associated + with a <a href=#browsing-context>browsing context</a> then the user agent must raise + an <code><a href=#invalid_state_err>INVALID_STATE_ERR</a></code> exception. Otherwise, if the + <a href=#sandboxed-origin-browsing-context-flag>sandboxed origin browsing context flag</a> is set on the + <a href=#browsing-context>browsing context</a> of the document, the user agent must + raise a <code><a href=#security_err>SECURITY_ERR</a></code> exception. Otherwise, if <a href=#the-document-s-address>the + document's address</a> does not use a server-based naming + authority, it must return the empty string. Otherwise, it must + return the same string as the value of the <code title="">Cookie</code> HTTP header it would include if <a href=#fetch title=fetch>fetching</a> the resource indicated by <a href=#the-document-s-address>the + document's address</a> over HTTP, as per RFC 2109 section 4.3.4 + or later specifications. <a href=#references>[RFC2109]</a> <a href=#references>[RFC2965]</a><p>On setting, if the document is not associated with a + <a href=#browsing-context>browsing context</a> then the user agent must raise an + <code><a href=#invalid_state_err>INVALID_STATE_ERR</a></code> exception. Otherwise, if the + <a href=#sandboxed-origin-browsing-context-flag>sandboxed origin browsing context flag</a> is set on the + <a href=#browsing-context>browsing context</a> of the document, the user agent must + raise a <code><a href=#security_err>SECURITY_ERR</a></code> exception. Otherwise, if <a href=#the-document-s-address>the + document's address</a> does not use a server-based naming + authority, it must do nothing. 
Otherwise, the user agent must act as + it would when processing cookies if it had just attempted to + <a href=#fetch>fetch</a> <a href=#the-document-s-address>the document's address</a> over HTTP, + and had received a response with a <code>Set-Cookie</code> header + whose value was the specified value, as per RFC 2109 sections 4.3.1, + 4.3.2, and 4.3.3 or later specifications. <a href=#references>[RFC2109]</a> <a href=#references>[RFC2965]</a><p class=note>Since the <code title=dom-document-cookie><a href=#dom-document-cookie>cookie</a></code> attribute is accessible across frames, the path restrictions on cookies are only a tool to help manage which cookies are sent to which parts of the site, and are not in any way a security feature.</p><hr><p>The <dfn id=dom-document-lastmodified title=dom-document-lastModified><code>lastModified</code></dfn> @@ -5934,6 +5938,9 @@ <li><p>Change the <a href=#document-s-character-encoding>document's character encoding</a> to UTF-16.</li> + <li><p>Change <a href=#the-document-s-address>the document's address</a> to the <a href=#the-document-s-address title="the document's address">address</a> of the <a href=#script-document-context>script + document context</a> of the script that invoked the <code title=dom-document-open><a href=#dom-document-open>document.open()</a></code> method.</li> + <li><p>Create a new <a href=#html-parser>HTML parser</a> and associate it with the document. This is a <dfn id=script-created-parser>script-created parser</dfn> (meaning that it can be closed by the <code title=dom-document-open><a href=#dom-document-open>document.open()</a></code> and <code title=dom-document-close><a href=#dom-document-close>document.close()</a></code> methods, and
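Review bot: "server-based naming authority" appears in both the getting and the setting paragraphs of the document.cookie hunk without a cross-reference or citation, unlike "browsing context", "fetch" and "the document's address", which are all linked. That phrase now decides whether the getter returns the empty string and whether the setter does nothing, so it should link to a definition or cite the specification that defines it; otherwise implementations may disagree on which addresses have no cookies. A note for authors would also help here: setting is a silent no-op in that case, while the other two failure cases raise INVALID_STATE_ERR and SECURITY_ERR.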
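Review bot: the new document.open() step sets the document's address to that of the invoking script's document context, but nothing in the visible steps says the caller must share the document's origin. The document.cookie getter and setter in the earlier hunk resolve cookies against "the document's address", so this step also decides whose cookies the reopened document reads and writes. If an earlier step of the algorithm already enforces a same-origin check, a cross-reference here would make that dependency explicit; if not, one should be added before the address changes. A short note tying this step to document.cookie would also record the intent stated in the log message.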
Received on Thursday, 27 November 2008 02:20:23 UTC