- From: Ian Hickson via cvs-syncmail <cvsmail@w3.org>
- Date: Mon, 28 Sep 2009 23:42:57 +0000
- To: public-html-commits@w3.org
Update of /sources/public/html5/spec In directory hutz:/tmp/cvs-serv21864 Modified Files: Overview.html Log Message: Synchronise with the latest Origin spec rules and semantics. (whatwg r4011) Index: Overview.html =================================================================== RCS file: /sources/public/html5/spec/Overview.html,v retrieving revision 1.3172 retrieving revision 1.3173 diff -u -d -r1.3172 -r1.3173 --- Overview.html 28 Sep 2009 20:52:44 -0000 1.3172 +++ Overview.html 28 Sep 2009 23:42:53 -0000 1.3173 @@ -4507,8 +4507,9 @@ <h3 id="fetching-resources"><span class="secno">2.6 </span>Fetching resources</h3><p class="XXX annotation"><b>Status: </b><i>Working draft</i></p> - <p>When a user agent is to <dfn id="fetch">fetch</dfn> a resource, the - following steps must be run:</p> + <p>When a user agent is to <dfn id="fetch">fetch</dfn> a resource, optionally + from an origin <i title="">origin</i>, the following steps must be + run:</p> <ol><li><p>If the resource is identified by the <a href="#url">URL</a> <dfn id="about:blank"><code>about:blank</code></dfn>, then return the empty string 
@@ -4522,11 +4523,11 @@ and the resource is to be obtained using an idempotent action (such as an HTTP GET <a href="#concept-http-equivalent-get" title="concept-http-equivalent-get">or equivalent</a>), and it is already being downloaded for other - reasons (e.g. another invocation of this algorithm), and the user - agent is configured such that it is to reuse the data from the - existing download instead of initiating a new one, then use the - results of the existing download instead of starting a new - one.</p> + reasons (e.g. another invocation of this algorithm), and this + request would be identical to the previous one (e.g. same <code title="http-accept">Accept</code> and <code title="http-origin">Origin</code> headers), and the user agent is + configured such that it is to reuse the data from the existing + download instead of initiating a new one, then use the results of + the existing download instead of starting a new one.</p> <p>Otherwise, at a time convenient to the user and the user agent, download (or otherwise obtain) the resource, applying the @@ -4556,7 +4557,12 @@ browsing context">browsing context</a> of the <a href="#first-script">first script</a>.</dd> - </dl></li> + </dl><p>For the purposes of the <code title="http-origin">Origin</code> + header, if the <a href="#fetch" title="fetch">fetching algorithm</a> was + explicitly initiated from an <i title="">origin</i>, then <i title="">the origin that initiated the HTTP request</i> is <i title="">origin</i>. Otherwise, this is <i title="">a request from + a "privacy-sensitive" context</i>. <a href="#refsORIGIN">[ORIGIN]</a></p> + + </li> <li> 
@@ -9375,14 +9381,13 @@ applied (as defined below). <span class="impl">For external resources that are represented in the DOM (for example, style sheets), the DOM representation must be made available even if the - resource is not applied. To obtain the resource, the user agent must - <a href="#resolve-a-url" title="resolve a url">resolve</a> the <a href="#url">URL</a> - given by the <code title="attr-link-href"><a href="#attr-link-href">href</a></code> attribute, - relative to the element, and then <a href="#fetch">fetch</a> the resulting - <a href="#absolute-url">absolute URL</a>. User agents may opt to only - <a href="#fetch">fetch</a> such resources when they are needed, instead of - pro-actively <a href="#fetch" title="fetch">fetching</a> all the external - resources that are not applied.</span><div class="impl"> + resource is not applied. To <dfn id="concept-link-obtain" title="concept-link-obtain">obtain + the resource</dfn>, the user agent must <a href="#resolve-a-url" title="resolve a + url">resolve</a> the <a href="#url">URL</a> given by the <code title="attr-link-href"><a href="#attr-link-href">href</a></code> attribute, relative to the + element, and then <a href="#fetch">fetch</a> the resulting <a href="#absolute-url">absolute + URL</a>. User agents may opt to only <a href="#fetch">fetch</a> such + resources when they are needed, instead of pro-actively <a href="#fetch" title="fetch">fetching</a> all the external resources that are + not applied.</span></p><!-- http-origin privacy sensitive --><div class="impl"> <p>The semantics of the protocol used (e.g. HTTP) must be followed when fetching external resources. (For example, redirects must be 
@@ -9480,15 +9485,14 @@ the given type. If the attribute is omitted, but the external resource link type has a default type defined, then the user agent must assume that the resource is of that type. If the UA does not - support the given <a href="#mime-type">MIME type</a> for the given link relationship, then - the UA should not fetch the resource; if the UA does support the - given <a href="#mime-type">MIME type</a> for the given link relationship, then the UA should - <a href="#fetch">fetch</a> the resource. If the attribute is omitted, and - the external resource link type does not have a default type - defined, but the user agent would fetch the resource if the type was - known and supported, then the user agent should <a href="#fetch">fetch</a> - the resource under the assumption that it will be - supported.</span><div class="impl"> + support the given <a href="#mime-type">MIME type</a> for the given link + relationship, then the UA should not <a href="#concept-link-obtain" title="concept-link-obtain">obtain</a> the resource; if the UA + does support the given <a href="#mime-type">MIME type</a> for the given link + relationship, then the UA should <a href="#concept-link-obtain" title="concept-link-obtain">obtain</a> the resource. If the + attribute is omitted, and the external resource link type does not + have a default type defined, but the user agent would <a href="#concept-link-obtain" title="concept-link-obtain">obtain</a> the resource if the type + was known and supported, then the user agent should <a href="#concept-link-obtain" title="concept-link-obtain">obtain</a> the resource under the + assumption that it will be supported.</span><div class="impl"> <p>User agents must not consider the <code title="attr-link-type"><a href="#attr-link-type">type</a></code> attribute authoritative — upon fetching the resource, user agents must not use the <code title="attr-link-type"><a href="#attr-link-type">type</a></code> attribute to determine its actual 
@@ -10723,7 +10727,9 @@ <p>If the element has a <code title="attr-script-src"><a href="#attr-script-src">src</a></code> attribute, then the value of that attribute must be <a href="#resolve-a-url" title="resolve a url">resolved</a> relative to the element, and - if that is successful, the specified resource must then be <a href="#fetch" title="fetch">fetched</a>.</p> + if that is successful, the specified resource must then be <a href="#fetch" title="fetch">fetched</a>, from the <a href="#origin">origin</a> of the + element's <code>Document</code>.</p> <!-- not http-origin privacy + sensitive --> <p>For historical reasons, if the <a href="#url">URL</a> is a <a href="#javascript-protocol" title="javascript protocol"><code title="">javascript:</code> URL</a>, then the user agent must not, despite the requirements @@ -16017,7 +16023,8 @@ user agent must <a href="#resolve-a-url" title="resolve a url">resolve</a> the value of that attribute, relative to the element, and if that is successful must then <a href="#fetch">fetch</a> that resource.</p> <!-- Note - how this does NOT happen when the base URL changes. --> + how this does NOT happen when the base URL changes. --> <!-- + http-origin privacy sensitive --> <p>The <code title="attr-img-src"><a href="#attr-img-src">src</a></code> attribute's value is an <i>ignored self-reference</i> if its value is the empty string, and 
@@ -17695,7 +17702,9 @@ the value of the element's <code title="attr-embed-src"><a href="#attr-embed-src">src</a></code> attribute, relative to the element. If that is successful, the user agent should <a href="#fetch">fetch</a> the resulting <a href="#absolute-url">absolute - URL</a>. The <a href="#concept-task" title="concept-task">task</a> that is + URL</a>, from the element's <a href="#browsing-context-scope-origin">browsing context scope + origin</a> if it has one<!-- potentially http-origin privacy + sensitive -->. The <a href="#concept-task" title="concept-task">task</a> that is <a href="#queue-a-task" title="queue a task">queued</a> by the <a href="#networking-task-source">networking task source</a> once the resource has been <a href="#fetch" title="fetch">fetched</a> must find and instantiate an appropriate <a href="#plugin">plugin</a> based on the <a href="#concept-embed-type" title="concept-embed-type">content's type</a>, and hand that @@ -17967,7 +17976,9 @@ element.</p> <p>If that is successful, <a href="#fetch">fetch</a> the resulting - <a href="#absolute-url">absolute URL</a>.</p> + <a href="#absolute-url">absolute URL</a>, from the element's <a href="#browsing-context-scope-origin">browsing + context scope origin</a> if it has one<!-- potentially + http-origin privacy sensitive -->.</p> <!-- similar text in various places --> <p>Fetching the resource must <a href="#delay-the-load-event">delay the load event</a> 
@@ -18415,9 +18426,12 @@ or when the <code title="attr-video-poster"><a href="#attr-video-poster">poster</a></code> attribute is set, its value must be <a href="#resolve-a-url" title="resolve a url">resolved</a> relative to the element, and if that is - successful, the resulting <a href="#absolute-url">absolute URL</a> must be <a href="#fetch" title="fetch">fetched</a>; this must <a href="#delay-the-load-event">delay the load - event</a> of the element's document. The <dfn id="poster-frame">poster frame</dfn> - is then the image obtained from that resource, if any.</span></p><!-- thus it is unaffected by changes to the base URL. --><p class="note">The image given by the <code title="attr-video-poster"><a href="#attr-video-poster">poster</a></code> attribute, the <i><a href="#poster-frame">poster + successful, the resulting <a href="#absolute-url">absolute URL</a> must be <a href="#fetch" title="fetch">fetched</a>, from the element's + <code>Document</code>'s <a href="#origin">origin</a>; this must <a href="#delay-the-load-event">delay + the load event</a> of the element's document. The <dfn id="poster-frame">poster + frame</dfn> is then the image obtained from that resource, if + any.</span></p><!-- thus it is unaffected by changes to the base + URL. --><p class="note">The image given by the <code title="attr-video-poster"><a href="#attr-video-poster">poster</a></code> attribute, the <i><a href="#poster-frame">poster frame</a></i>, is intended to be a representative frame of the video (typically one of the first non-blank frames) that gives the user an idea of what the video is like.<div class="impl"> 
@@ -19529,7 +19543,9 @@ <li> <p>Begin to <a href="#fetch">fetch</a> the <var title="">current media - resource</var>.</p> + resource</var>, from the <a href="#media-element">media element</a>'s + <code>Document</code>'s <a href="#origin">origin</a>.</p> <!-- not + http-origin privacy sensitive (looking forward to CORS here) --> <p>Every 350ms (±200ms) or for every byte received, whichever is <em>least</em> frequent, <a href="#queue-a-task">queue a task</a> to @@ -30889,7 +30905,8 @@ <code title="attr-input-src"><a href="#attr-input-src">src</a></code> attribute, relative to the element, and if that is successful, must <a href="#fetch">fetch</a> the resulting <a href="#absolute-url">absolute URL</a>:</p> <!-- Note how this does NOT - happen when the base URL changes. --> + happen when the base URL changes. --> <!-- http-origin privacy + sensitive --> <ul><li>The <code><a href="#the-input-element">input</a></code> element's <code title="attr-input-type"><a href="#attr-input-type">type</a></code> attribute is first set to the <a href="#image-button-state" title="attr-input-type-image">Image Button</a> state 
@@ -37890,14 +37907,15 @@ <dd>Append the command to the menu, respecting its <a href="#concept-facet" title="concept-facet">facets</a><!-- we might need to be explicit about what this means for each facet, if testing shows this isn't well-implemented. e.g.: If there's an Icon facet for the - command, it should be <span title="fetch">fetched</span>, and then - that image should be associated with the command, such that each - command only has its image fetched once, to prevent changes to the - base URL from having effects after the image has been fetched - once. (no need to resolve the Icon facet, it's an absolute URL) - -->. <!--If the element is a <code>command</code> element with a - <code title="attr-command-default">default</code> attribute, mark - the command as being a default command.--></dd> + command, it should be <span title="fetch">fetched</span> (this + would be http-origin privacy-sensitive), and then that image should + be associated with the command, such that each command only has its + image fetched once, to prevent changes to the base URL from having + effects after the image has been fetched once. (no need to resolve + the Icon facet, it's an absolute URL) -->. <!--If the element is a + <code>command</code> element with a <code + title="attr-command-default">default</code> attribute, mark the + command as being a default command.--></dd> <dt>An <code><a href="#the-hr-element">hr</a></code> element</dt> 
@@ -43344,7 +43362,17 @@ document</a> of <var title="">A</var> (possibly in fact being <var title="">A</var> itself).</li> - </ul></div><div class="impl"> + </ul><hr><p>An element has a <dfn id="browsing-context-scope-origin">browsing context scope origin</dfn> if its + <code>Document</code>'s <a href="#browsing-context">browsing context</a> is a + <a href="#top-level-browsing-context">top-level browsing context</a> or if all of its + <code>Document</code>'s <a href="#ancestor-browsing-context" title="ancestor browsing + context">ancestor browsing contexts</a> all have <a href="#active-document" title="active document">active documents</a> whose + <a href="#origin">origin</a> are the <a href="#same-origin">same origin</a> as the + element's <code>Document</code>'s <a href="#origin">origin</a>. If an element + has a <a href="#browsing-context-scope-origin">browsing context scope origin</a>, then its value is + the <a href="#origin">origin</a> of the element's <code>Document</code>.</p> + + </div><div class="impl"> <h4 id="groupings-of-browsing-contexts"><span class="secno">6.1.5 </span>Groupings of browsing contexts</h4> @@ -47496,7 +47524,9 @@ <li> <p><i>Fetching the manifest</i>: <a href="#fetch">Fetch</a> the resource - from <var title="">manifest URL</var>, and let <var title="">manifest</var> be that resource.</p> + from <var title="">manifest URL</var>, and let <var title="">manifest</var> be that resource.</p> <!-- http-origin + privacy sensitive, though it doesn't matter, since this can never + be cross-origin --> <p>If the resource is labeled with the <a href="#mime-type">MIME type</a> <code><a href="#text-cache-manifest">text/cache-manifest</a></code>, parse <var title="">manifest</var> according to the <a href="#parse-a-manifest" title="parse a 
@@ -47709,18 +47739,20 @@ <li> - <p><a href="#fetch">Fetch</a> the resource. If this is an <a href="#concept-appcache-upgrade" title="concept-appcache-upgrade">upgrade attempt</a>, then - use the <a href="#concept-appcache-newer" title="concept-appcache-newer">newest</a> - <a href="#application-cache">application cache</a> in <var title="">cache - group</var> as an HTTP cache, and honor HTTP caching semantics - (such as expiration, ETags, and so forth) with respect to that - cache. User agents may also have other caches in place that are - also honored.</p> + <p><a href="#fetch">Fetch</a> the resource, from the <a href="#origin">origin</a> + of the <a href="#url">URL</a> <var title="">manifest URL</var>. If + this is an <a href="#concept-appcache-upgrade" title="concept-appcache-upgrade">upgrade + attempt</a>, then use the <a href="#concept-appcache-newer" title="concept-appcache-newer">newest</a> <a href="#application-cache">application + cache</a> in <var title="">cache group</var> as an HTTP + cache, and honor HTTP caching semantics (such as expiration, + ETags, and so forth) with respect to that cache. User agents may + also have other caches in place that are also honored.</p> <!-- + not http-origin privacy sensitive --> <p class="note">If the resource in question is already being downloaded for other reasons then the existing download process - can be used for the purposes of this step, as defined by the - <a href="#fetch" title="fetch">fetching</a> algorithm.</p> + can sometimes be used for the purposes of this step, as defined + by the <a href="#fetch" title="fetch">fetching</a> algorithm.</p> <p class="example">An example of a resource that might already be being downloaded is a large image on a Web page that is being 
@@ -47875,7 +47907,8 @@ <p><a href="#fetch">Fetch</a> the resource from <var title="">manifest URL</var> again, and let <var title="">second manifest</var> be - that resource.</p> + that resource.</p> <!-- http-origin privacy sensitive, though it + doesn't matter, since this can never be cross-origin --> </li> 
@@ -49139,25 +49172,28 @@ <p>Otherwise, <a href="#fetch">fetch</a> the new resource, if it has not already been obtained<!-- it's obtained by <object>, for instance - -->. If the resource is being fetched using HTTP, and the method - is not GET<!-- or HEAD (but that can't happen) -->, then the user - agent must include an <code title="http-origin">Origin</code> - header whose value is determined as follows:</p> - - <dl class="switch"><dt>If the <a href="#navigate" title="navigate">navigation</a> algorithm has - so far contacted more than one <a href="#origin">origin</a></dt> - <dt>If there is no <a href="#source-browsing-context">source browsing context</a></dt> - - <dd>The value must be the string "<code title="">null</code>".</dd> + -->.</p> - <dt>Otherwise</dt> + <p>If the resource is being fetched using a method other than one + <a href="#concept-http-equivalent-get" title="concept-http-equivalent-get">equivalent to</a> + HTTP's GET<!-- or HEAD (but that can't happen) -->, or, if the + <a href="#navigate" title="navigate">navigation algorithm</a> was invoked as + a result of the <a href="#concept-form-submit" title="concept-form-submit">form submission + algorithm</a>, then the <a href="#fetch" title="fetch">fetching + algorithm</a> must be invoked from the <a href="#origin">origin</a> of + the <a href="#active-document">active document</a> of the <a href="#source-browsing-context">source browsing + context</a>, if any.</p> <!-- potentially http-origin privacy + sensitive --> - <dd>The value must be the <a href="#ascii-serialization-of-an-origin" title="ASCII serialization of an - origin">ASCII serialization</a> of the <a href="#origin">origin</a> of - the <a href="#active-document">active document</a> of the <a href="#source-browsing-context">source browsing - context</a> at the time the navigation was started.</dd> + <p>If the <a href="#browsing-context">browsing context</a> being navigated is a + <a href="#child-browsing-context">child browsing context</a> 
for an <code><a href="#the-iframe-element">iframe</a></code> or + <code><a href="#the-object-element">object</a></code> element, then the <a href="#fetch" title="fetch">fetching + algorithm</a> must be invoked from the <code><a href="#the-iframe-element">iframe</a></code> or + <code><a href="#the-object-element">object</a></code> element's <a href="#browsing-context-scope-origin">browsing context scope + origin</a>, if it has one.</p> <!-- potentially http-origin + privacy sensitive --> - </dl></li> + </li> <li> @@ -50064,7 +50100,9 @@ <a href="#fetch" title="fetch">fetching</a> the specified URLs using the POST method, with an entity body with the <a href="#mime-type">MIME type</a> <code><a href="#text-ping">text/ping</a></code> consisting of the four-character string - "<code title="">PING</code>". All relevant cookie and HTTP + "<code title="">PING</code>", from the <a href="#origin">origin</a> of the + <code>Document</code> containing the <a href="#hyperlink">hyperlink</a>. <!-- + not http-origin privacy sensitive --> All relevant cookie and HTTP authentication headers must be included in the request. Which other headers are required depends on the URLs involved.</p> @@ -50101,13 +50139,7 @@ nor include a <code title="http-ping-from">Ping-From</code> HTTP header.</dd> - </dl><p>In addition, an <code title="http-origin">Origin</code> header - must always be included, whose value is the <a href="#ascii-serialization-of-an-origin" title="ASCII - serialization of an origin">ASCII serialization</a> of the - <a href="#origin">origin</a> of the <code>Document</code> containing the - <a href="#hyperlink">hyperlink</a>.</p> - - <p class="note">To save bandwidth, implementors might also wish to + </dl><p class="note">To save bandwidth, implementors might also wish to consider omitting optional headers such as <code>Accept</code> from these requests.</p> 
@@ -67547,8 +67579,10 @@ its <a href="#fallback-content">fallback content</a>, the element must be ignored (it represents nothing).</p> - <p>Otherwise, <span class="XXX">define how the element works, - if supported</span>.</p> <!-- remember to delay the laod event --> + <p>Otherwise, <span class="XXX">define how the element works, if + supported</span>.</p> <!-- remember to delay the load event --> <!-- + remember to include ", from the element's <span>browsing context + scope origin</span> if it has one" when fetching --> <p>The <code><a href="#the-applet-element">applet</a></code> element must implement the <code><a href="#htmlappletelement">HTMLAppletElement</a></code> interface.</p> @@ -68145,7 +68179,8 @@ <li><p>For each token that is successfully resolved, <a href="#fetch">fetch</a> the resulting <a href="#absolute-url">absolute URL</a> and - apply the appropriate processing.</li> + apply the appropriate processing.</li> <!-- http-origin privacy + sensitive --> </ol><p>The <dfn id="dom-head-profile" title="dom-head-profile"><code>profile</code></dfn> IDL attribute of the <code><a href="#the-head-element-0">head</a></code> element must <a href="#reflect">reflect</a> @@ -69303,6 +69338,11 @@ in HTML/XHTML</a></cite>. In <cite>OpenSearch 1.1 Draft 4</cite>, Section 4.6.2. OpenSearch.org.</dd> + <dt id="refsORIGIN">[ORIGIN]</dt> + <dd><cite><a href="http://tools.ietf.org/html/draft-abarth-origin">The HTTP + Origin Header</a></cite>, A. Barth, C. Jackson, I. Hickson. IETF, + September 2009.</dd> + <dt id="refsPINGBACK">[PINGBACK]</dt> <dd><cite><a href="http://www.hixie.ch/specs/pingback/pingback">Pingback 1.0</a></cite>, S. Langridge, I. Hickson. January 2007.</dd>
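Review bot: in the hunk at @@ -4522,11 +4523,11 @@, "identical to the previous one" is defined only by example ("e.g. same Accept and Origin headers"), which leaves each implementation to decide which request properties must match before an in-progress download is reused. Since this commit makes the origin an input to the fetch algorithm, I would state the condition normatively, at minimum that both invocations were made from the same origin (or both from none), and keep the header list as an illustration.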
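Review bot: in the new "browsing context scope origin" definition (hunk at @@ -43344,7 +43362,17 @@), the condition "if all of its Document's ancestor browsing contexts all have active documents whose origin are the same origin" has a doubled "all" and a number mismatch in "whose origin are". Suggest "if all of its Document's ancestor browsing contexts have active documents whose origins are the same origin as the element's Document's origin", so the test that every fetch site in this patch depends on reads unambiguously.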
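Review bot: the two paragraphs added in the hunk at @@ -49139,25 +49172,28 @@ can both apply to a single navigation, for example a form submission that navigates a child browsing context for an iframe: the first says the fetching algorithm is invoked from the origin of the active document of the source browsing context, the second from the iframe or object element's browsing context scope origin. The text should say which one takes precedence. The removed wording also fixed the origin "at the time the navigation was started" and required "null" once more than one origin had been contacted; neither condition appears in the replacement, so if they are now delegated to [ORIGIN], a cross-reference at this step would make that explicit.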
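Review bot: in the hunk at @@ -50064,7 +50100,9 @@ the added clause sits after the description of the entity body, so the sentence reads as though the string "PING" comes "from the origin of the Document containing the hyperlink". Move the clause next to "fetching the specified URLs". Because the hunk at @@ -50101,13 +50139,7 @@ deletes "an Origin header must always be included", it is also worth confirming that the fetch algorithm plus [ORIGIN] still guarantee the header on these POST requests, since nothing in the remaining ping text states it.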
Received on Monday, 28 September 2009 23:43:09 UTC