- From: Ian Hickson via cvs-syncmail <cvsmail@w3.org>
- Date: Tue, 06 Apr 2010 00:43:18 +0000
- To: public-html-commits@w3.org
Update of /sources/public/html5/spec In directory hutz:/tmp/cvs-serv3846 Modified Files: Overview.html Log Message: Make 'fetch' algorithm have a mode where it doesn't do redirects. Make 'navigate' algorithm block cross-origin non-safe non-POST redirects. (whatwg r4975) Index: Overview.html =================================================================== RCS file: /sources/public/html5/spec/Overview.html,v retrieving revision 1.3997 retrieving revision 1.3998 diff -u -d -r1.3997 -r1.3998 --- Overview.html 6 Apr 2010 00:08:15 -0000 1.3997 +++ Overview.html 6 Apr 2010 00:43:14 -0000 1.3998 @@ -5255,9 +5255,10 @@ <p>When a user agent is to <dfn id="fetch">fetch</dfn> a resource or <a href="#url">URL</a>, optionally from an origin <i title="">origin</i>, - and optionally with a <i>synchronous flag</i>, the following steps - must be run. (When a <em>URL</em> is to be fetched, the URL - identifies a resource to be obtained.)</p> + and optionally with a <i>synchronous flag</i> and/or a <i>manual + redirect flag</i>, the following steps must be run. (When a + <em>URL</em> is to be fetched, the URL identifies a resource to be + obtained.)</p> <!-- if invoked with the synchronous flag, make sure to release the storage mutex first --> @@ -5303,6 +5304,8 @@ <li> + <p>This is the <i>main step</i>.</p> + <p>If the resource is identified by an <a href="#absolute-url">absolute URL</a>, and the resource is to be obtained using an idempotent action (such as an HTTP GET <a href="#concept-http-equivalent-get" title="concept-http-equivalent-get">or 
@@ -5316,13 +5319,9 @@ <p>Otherwise, at a time convenient to the user and the user agent, download (or otherwise obtain) the resource, applying the semantics of the relevant specifications (e.g. performing an HTTP - GET or POST operation, or reading the file from disk, following - redirects, <a href="#concept-js-deref" title="concept-js-deref">dereferencing <span title="javascript protocol"><code title="">javascript:</code> - URLs</span></a>, etc).</p> - - <p class="note">The HTTP specification requires that 301, 302, and - 307 redirects, when applied to methods other than the safe - methods, not be followed without user confirmation. <a href="#refsHTTP">[HTTP]</a></p> + GET or POST operation, or reading the file from disk, <a href="#concept-js-deref" title="concept-js-deref">dereferencing <span title="javascript + protocol"><code title="">javascript:</code> URLs</span></a>, + etc).</p> <p>For the purposes of the <code title="http-referer">Referer</code> (sic) header, use the <i>address of the resource from which Request-URIs are 
@@ -5359,6 +5358,39 @@ <li> + <p>If the fetched resource is an HTTP redirect <a href="#concept-http-equivalent-codes" title="concept-http-equivalent-codes">or equivalent</a>, + then:</p> + + <dl class="switch"><dt>If the <i>manual redirect flag</i> is set</dt> + + <dd> + + <p>Continue, using the fetched resource (the redirect) as the + result of the algorithm.</p> + + </dd> + + <dt>Otherwise</dt> + + <dd> + + <p>First, apply any relevant requirements for redirects (such as + showing any appropriate prompts). Then, redo <i>main step</i>, + but using the target of the redirect as the resource to fetch, + rather than the original resource.</p> + + <p class="note">The HTTP specification requires that 301, 302, + and 307 redirects, when applied to methods other than the safe + methods, not be followed without user confirmation. That would + be an appropriate prompt for the purposes of the requirement in + the paragraph above. <a href="#refsHTTP">[HTTP]</a></p> + + </dd> + + </dl></li> + + <li> + <p>If the algorithm was not invoked with the <i>synchronous flag</i>: When the resource is available, or if there is an error of some description, <a href="#queue-a-task">queue a task</a> that uses the @@ -42614,9 +42646,9 @@ application cache at all; the submission will be made to the network.</p> - <p>Otherwise, <a href="#fetch">fetch</a> the new resource, if it has not - already been obtained<!-- it's obtained by <object>, for instance - -->.</p> + <p>Otherwise, unless it has already been obtained<!-- it's + obtained by <object>, for instance -->, <a href="#fetch">fetch</a> the new + resource, with the <i>manual redirect flag</i> set.</p> <p>If the resource is being fetched using a method other than one <a href="#concept-http-equivalent-get" title="concept-http-equivalent-get">equivalent to</a> 
@@ -42641,16 +42673,29 @@ <li> - <p>At this point the user agents must return to whatever algorithm - invoked the navigation steps and must continue these steps - asynchronously.</p> + <p>At this point, unless this step has already been reached once + before in the execution of this instance of the algorithm, the + user agents must return to whatever algorithm invoked the + navigation steps and must continue these steps asynchronously.</p> </li> <li> - <p>If fetching the resource results in a redirect, return to <a href="#navigate-fragid-step">the step labeled "fragment - identifiers"</a> with the new resource.</p> + <p>If fetching the resource results in a redirect, and either the + <a href="#url">URL</a> of the target of the redirect has the <a href="#same-origin">same + origin</a> as the original resource, or the resource is being + obtained using the POST method or a safe method (in HTTP terms), + return to <a href="#navigate-fragid-step">the step labeled + "fragment identifiers"</a> with the new resource.</p> + + <p>Otherwise, if fetching the resource results in a redirect but + the <a href="#url">URL</a> of the target of the redirect does not have + the <a href="#same-origin">same origin</a> as the original resource and the + resource is being obtained using a method that is neither the POST + method nor a safe method (in HTTP terms), then abort these + steps. The user agent may indicate to the user that the navigation + has been aborted for security reasons.</p> </li> @@ -67801,6 +67846,7 @@ Dean Edwards, Debi Orton, Derek Featherstone, + Devdatta, Dimitri Glazkov, Dimitry Golubovsky, Divya Manian,
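Review bot: In the @@ -5255 hunk the new <i>manual redirect flag</i> is named in the invocation sentence but its effect (return the redirect response itself instead of following it) is only explained some hundred lines later in the @@ -5359 hunk, and the default when the flag is absent is left implicit. Suggest a one-clause definition at the point of introduction, e.g. "and/or a <i>manual redirect flag</i> (in which case redirects are returned to the caller rather than followed)", so readers of the fetch entry point do not have to find the redirect step to learn what the flag does.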
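Review bot: In the @@ -5303 hunk the new label "<p>This is the <i>main step</i>.</p>" has no id, so the later instruction "redo <i>main step</i>" in the @@ -5359 hunk cannot be hyperlinked the way other cross-references in this file are (compare <a href="#navigate-fragid-step">). Suggest giving the paragraph an id and linking to it from the redirect step, which also makes it unambiguous which list item "main step" refers to.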
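Review bot: In the @@ -5359 hunk the "Otherwise" branch redoes the main step for every redirect with no bound and no loop detection, so a redirect cycle (a target that redirects back to an earlier URL) or an unbounded chain would keep the fetch algorithm running indefinitely; the 301/302/307 note covers user confirmation but not this case. Suggest either a maximum number of redirects after which the fetch is treated as an error, or an explicit statement that the user agent must detect redirect loops, so that the "error of some description" path in the following step is reachable for this failure mode. It would also help to state whether the redo uses the original resource's origin and method or the redirect target's, since "apply any relevant requirements for redirects" leaves method rewriting (e.g. for 303) to the reader.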
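Review bot: In the @@ -42614 hunk the fetch is skipped when the resource "has already been obtained" (the comment names <object>), but a resource obtained by another path may have been fetched without the <i>manual redirect flag</i>, in which case any redirects were already followed and the cross-origin redirect check added in the @@ -42641 hunk never sees them. Suggest either stating that a pre-obtained resource must have been fetched with the manual redirect flag set, or noting that the cross-origin check does not apply to resources obtained outside the navigation algorithm.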
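Review bot: In the @@ -42641 hunk the same-origin redirect case for a method that is neither POST nor safe is followed by returning to the "fragment identifiers" step without any user confirmation, yet the 301/302/307 confirmation requirement quoted in the @@ -5359 hunk is only applied in the "Otherwise" (flag not set) branch of fetch, which this navigation never takes because it sets the manual redirect flag. Suggest stating in this hunk that the user agent must apply the redirect requirements (the prompt) before re-entering the fragment identifiers step, and adding a redirect limit here too, since this loop back also has no bound. As a style point, the second paragraph restates the exact negation of the first paragraph's condition; "Otherwise, if fetching the resource results in a redirect, abort these steps." reads the same and is harder to get out of sync if the condition is edited later.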
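Review bot: In the @@ -67801 hunk the new acknowledgements entry "Devdatta," lists only a single name while the neighbouring entries give full names; confirm this is the contributor's preferred attribution before it lands in the published list.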
Received on Tuesday, 6 April 2010 00:43:19 UTC