html5/spec Overview.html,1.3203,1.3204 from Ian Hickson via cvs-syncmail on 2009-09-29 (public-html-commits@w3.org from September 2009)

From: Ian Hickson via cvs-syncmail <cvsmail@w3.org>
Date: Tue, 29 Sep 2009 09:29:07 +0000
To: public-html-commits@w3.org
Message-Id: <E1MsZ19-0004NY-8l@lionel-hutz.w3.org>

Update of /sources/public/html5/spec
In directory hutz:/tmp/cvs-serv16818

Modified Files:
	Overview.html 
Log Message:
Block cross-origin PUT and DELETE from <form>s for now. (whatwg r4042)

Index: Overview.html
===================================================================
RCS file: /sources/public/html5/spec/Overview.html,v
retrieving revision 1.3203
retrieving revision 1.3204
diff -u -d -r1.3203 -r1.3204
--- Overview.html	29 Sep 2009 09:22:46 -0000	1.3203
+++ Overview.html	29 Sep 2009 09:29:04 -0000	1.3204
@@ -34663,9 +34663,15 @@
 
        <dd>Let <var title="">MIME type</var> be "<code title="">text/plain</code>".</dd>
 
-      </dl><p><a href="#navigate">Navigate</a> <var title="">target browsing
-      context</var> to <var title="">action</var> using the HTTP
-      method given by <var title="">method</var> and with <var title="">entity body</var> as the entity body, of type <var title="">MIME type</var>. If <var title="">target browsing
+      </dl><p>If <var title="">method</var> is anything but GET or POST,
+      and the <a href="#origin">origin</a> of <var title="">action</var> is not
+      the <a href="#same-origin">same origin</a> as that of the <code><a href="#the-form-element">form</a></code>
+      element's <code>Document</code>, then abort these steps.</p>
+      <!-- CORS, one day -->
+
+      <p>Otherwise, <a href="#navigate">navigate</a> <var title="">target
+      browsing context</var> to <var title="">action</var> using the
+      HTTP method given by <var title="">method</var> and with <var title="">entity body</var> as the entity body, of type <var title="">MIME type</var>. If <var title="">target browsing
       context</var> was newly created for this purpose by the steps
       above, then it must be navigated with <a href="#replacement-enabled">replacement
       enabled</a>.</p>
@@ -34678,11 +34684,16 @@
       <p>Let <var title="">target browsing context</var> be <a href="#the-form-submission-target-browsing-context">the
       form submission target browsing context</a>.</p>
 
-      <p><a href="#navigate">Navigate</a> <var title="">target browsing
-      context</var> to <var title="">action</var> using the DELETE
-      method. If <var title="">target browsing context</var> was newly
-      created for this purpose by the steps above, then it must be
-      navigated with <a href="#replacement-enabled">replacement enabled</a>.</p>
+      <p>If the <a href="#origin">origin</a> of <var title="">action</var> is
+      not the <a href="#same-origin">same origin</a> as that of the
+      <code><a href="#the-form-element">form</a></code> element's <code>Document</code>, then abort
+      these steps.</p> <!-- CORS, one day -->
+
+      <p>Otherwise, <a href="#navigate">navigate</a> <var title="">target
+      browsing context</var> to <var title="">action</var> using the
+      DELETE method. If <var title="">target browsing context</var>
+      was newly created for this purpose by the steps above, then it
+      must be navigated with <a href="#replacement-enabled">replacement enabled</a>.</p>
 
      </dd>

Received on Tuesday, 29 September 2009 09:29:16 UTC