spec/Overview.html 1.1670 2499 Always put javascript: into the online w

Always put javascript: into the online whitelist. Make some comments
about HTML and HTTPS security. Vaguely define 'or equivalent' for HTTP
concepts. (whatwg r2499)

5.3 Origin
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1670.html#origin
5.11.3.11 Link type "noreferrer"
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1670.html#link-type-noreferrer
cache attempt
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1670.html#concept-appcache-cache
Index
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1670.html#index
5.11.3.10 Link type "nofollow"
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1670.html#link-type-nofollow
If a Document is in a browsing context whose sandboxed origin browsing context flag is set
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1670.html#sandboxOrigin
2.6.1 Protocol concepts
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1670.html#concept-http-equivalent
add(url)
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1670.html#dom-appcache-add
5.11.3.13 Link type "prefetch"
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1670.html#link-type-prefetch
type of the content
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1670.html#concept-embed-type
about:blank
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1670.html#about:blank
Fragment identifiers: If the absolute URL of the new resource is the same as the address of the active document of the browsing context being navigated, ignoring any <fragment> components of those URLs, and the new resource is to be fetched using HTTP GET or equivalent, then navigate to that fragment identifier and abort these steps.
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1670.html#navigate-fragid-step
alt
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1670.html#attr-img-alt
HTTP response codes
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1670.html#concept-http-equivalent-codes
HTTP headers
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1670.html#concept-http-equivalent-headers
5.7.5.1 Changes to the networking model
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1670.html#changesToNetworkingModel
HTTP GET method
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1670.html#concept-http-equivalent-get
application cache selection algorithm
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1670.html#concept-appcache-init-with-attribute
5.11.3.12 Link type "pingback"
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1670.html#link-type-pingback
registerContentHandler()
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1670.html#dom-navigator-registercontenthandler
2.6.2 Encrypted HTTP and related security concerns
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1670.html#encrypted-http-and-related-security-concerns
2.7 Determining the type of a resource
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1670.html#content-type-sniffing

http://people.w3.org/mike/diffs/html5/spec/Overview.diff.html
http://dev.w3.org/cvsweb/html5/spec/Overview.html?r1=1.1669&r2=1.1670&f=h
http://html5.org/tools/web-apps-tracker?from=2498&to=2499

===================================================================
RCS file: /sources/public/html5/spec/Overview.html,v
retrieving revision 1.1669
retrieving revision 1.1670
diff -u -d -r1.1669 -r1.1670
--- Overview.html 1 Dec 2008 12:31:25 -0000 1.1669
+++ Overview.html 1 Dec 2008 23:52:20 -0000 1.1670
@@ -185,7 +185,10 @@
      <li><a href=#resolving-urls><span class=secno>2.5.3 </span>Resolving URLs</a></li>
      <li><a href=#dynamic-changes-to-base-urls><span class=secno>2.5.4 </span>Dynamic changes to base URLs</a></li>
      <li><a href=#interfaces-for-url-manipulation><span class=secno>2.5.5 </span>Interfaces for URL manipulation</a></ol></li>
-   <li><a href=#fetching-resources><span class=secno>2.6 </span>Fetching resources</a></li>
+   <li><a href=#fetching-resources><span class=secno>2.6 </span>Fetching resources</a>
+    <ol>
+     <li><a href=#concept-http-equivalent><span class=secno>2.6.1 </span>Protocol concepts</a></li>
+     <li><a href=#encrypted-http-and-related-security-concerns><span class=secno>2.6.2 </span>Encrypted HTTP and related security concerns</a></ol></li>
    <li><a href=#content-type-sniffing><span class=secno>2.7 </span>Determining the type of a resource</a>
     <ol>
      <li><a href=#content-type><span class=secno>2.7.1 </span>Content-Type metadata</a></li>
@@ -445,7 +448,7 @@
        <li><a href=#states-of-the-type-attribute><span class=secno>4.10.4.1 </span>States of the <code title=attr-input-type>type</code> attribute</a>
         <ol>
          <li><a href=#hidden-state><span class=secno>4.10.4.1.1 </span>Hidden state</a></li>
-         <li><a href=#text-state-and-search-state><span class=secno>4.10.4.1.2 </span>Text state and </a></li>
+         <li><a href=#text-state-and-search-state><span class=secno>4.10.4.1.2 </span>Text state and Search state</a></li>
          <li><a href=#url-state><span class=secno>4.10.4.1.3 </span>URL state</a></li>
          <li><a href=#e-mail-state><span class=secno>4.10.4.1.4 </span>E-mail state</a></li>
          <li><a href=#password-state><span class=secno>4.10.4.1.5 </span>Password state</a></li>
@@ -3644,11 +3647,12 @@
     <p>If the resource identified by the resulting <a href=#absolute-url>absolute
     URL</a> is already being downloaded for other reasons
     (e.g. another invocation of this algorithm), and the resource is
-    to be obtained using a idempotent action (such as an HTTP GET or
-    equivalent), and the user agent is configured such that it is to
-    reuse the data from the existing download instead of initiating a
-    new one, then use the results of the existing download instead of
-    starting a new one.</p>
+    to be obtained using a idempotent action (such as an HTTP GET
+    <a href=#concept-http-equivalent-get title=concept-http-equivalent-get>or equivalent</a>),
+    and the user agent is configured such that it is to reuse the data
+    from the existing download instead of initiating a new one, then
+    use the results of the existing download instead of starting a new
+    one.</p>
 
     <p>Otherwise, at a time convenient to the user and the user agent,
     download the resource, applying the semantics of the relevant
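Review bot: The re-wrapped sentence in the first paragraph of this hunk still reads "a idempotent action". Since these lines are being rewritten anyway, change it to "an idempotent action".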
@@ -3676,7 +3680,45 @@
   algorithm.<p class=note>Whether the <a href=#content-type-sniffing>type
   sniffing rules</a> apply to the fetched resource depends on the
   algorithm that invokes the rules &mdash; they are not always
-  applicable.<h3 id=content-type-sniffing><span class=secno>2.7 </span>Determining the type of a resource</h3><p class=warning>It is imperative that the rules in this section
+  applicable.<h4 id=concept-http-equivalent><span class=secno>2.6.1 </span>Protocol concepts</h4><p>User agents can implement a variety of transfer protocols, but
+  this specification mostly defines behavior in terms of HTTP. <a href=#references>[HTTP]</a><p>The <dfn id=concept-http-equivalent-get title=concept-http-equivalent-get>HTTP GET
+  method</dfn> is equivalent to the default retrieval action of the
+  protocol. For example, RETR in FTP. Such actions are idempotent and
+  safe, in HTTP terms.<p>The <dfn id=concept-http-equivalent-codes title=concept-http-equivalent-codes>HTTP response
+  codes</dfn> are equivalent to statuses in other protocols that have
+  the same basic meanings. For example, a "file not found" error is
+  equivalent to a 404 code, a server error is equivalent to a 5xx
+  code, and so on.<p>The <dfn id=concept-http-equivalent-headers title=concept-http-equivalent-headers>HTTP
+  headers</dfn> are equivalent to fields in other protocols that have
+  the same basic meaning. For example, the the HTTP authentication
+  headers are equivalent to the authentication aspects of the FTP
+  protocol.<p class=XXX>If there are any specific questions with what should
+  be considered equivalent to what, let me know, and I'll make it more
+  explicit for those cases.<h4 id=encrypted-http-and-related-security-concerns><span class=secno>2.6.2 </span>Encrypted HTTP and related security concerns</h4><p>Anything in this specification that refers to HTTP also applies
+  to HTTP-over-TLS, as represented by <a href=#url title=url>URLs</a>
+  representing the <code title="">https</code> scheme.<p class=warning>User agents should report certificate errors to
+  the user and must either refuse to download resources sent with
+  erroneous certificates or must act as if such resources were in fact
+  served with no encryption.<p>Not doing so can result in users not noticing man-in-the-middle
+  attacks.<div class=example>
+
+   <p>If a user connects to a server with a self-signed certificate,
+   the user agent could allow the connection but just act as if there
+   had been no encryption. If the user agent instead allowed the user
+   to override the problem and then displayed the page as if it was
+   fully and safely encrypted, the user could be easily tricked into
+   accepting man-in-the-middle connections.</p>
+
+   <p>If a user connects to a server with full encryption, but the
+   page then refers to an external resource that has an expired
+   certificate, then the user agent will act as if the resource was
+   unavailable, possibly also reporting the problem to the user. If
+   the user agent instead allowed the resource to be used, then an
+   attacker could just look for "secure" sites that used resources
+   from a different host and only apply man-in-the-middle attacks to
+   that host, for example taking over scripts in the page.</p>
+
+  </div><h3 id=content-type-sniffing><span class=secno>2.7 </span>Determining the type of a resource</h3><p class=warning>It is imperative that the rules in this section
   be followed exactly. When a user agent uses different heuristics for
   content type detection than the server expects, security problems
   can occur. For example, if a server believes that the client will
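Review bot: In the new section 2.6.2, the warning allows a user agent to "act as if such resources were in fact served with no encryption", yet the second example says that allowing a subresource with an expired certificate to be used lets an attacker take over scripts in the page. The example only follows the "refuse" branch, and it is phrased with "will" rather than the should/must wording of the warning. The text should state what treating a subresource as unencrypted means inside an otherwise encrypted page, or require refusal in that case. "Erroneous certificates" is also left undefined, and 2.6.1 has a doubled word in "the the HTTP authentication headers".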
@@ -11624,8 +11666,9 @@
   task">queued</a> by the <a href=#networking-task-source>networking task source</a> while
   the image is being <a href=#fetch title=fetch>fetched</a> must update
   the presentation of the image appropriately.<p>Whether the image is fetched successfully or not (e.g. whether
-  the response code was a 2xx code or equivalent) must be ignored when
-  determining the image's type and whether it is a valid image.<p class=note>This allows servers to return images with error
+  the response code was a 2xx code <a href=#concept-http-equivalent-codes title=concept-http-equivalent-codes>or equivalent</a>) must be
+  ignored when determining the image's type and whether it is a valid
+  image.<p class=note>This allows servers to return images with error
   responses, and have them displayed.<p>The user agents should apply the <a href=#content-type-sniffing:-image title="Content-Type
   sniffing: image">image sniffing rules</a> to determine the type
   of the image, with the image's <a href=#content-type-0 title=Content-Type>associated
@@ -13007,9 +13050,9 @@
    <!-- This algorithm is a monument to bad design. Go legacy! -->
 
   </ol><p>Whether the resource is fetched successfully or not (e.g. whether
-  the response code was a 2xx code or equivalent) must be ignored when
-  determining the resource's type and when handing the resource to the
-  plugin.<p class=note>This allows servers to return data for plugins even
+  the response code was a 2xx code <a href=#concept-http-equivalent-codes title=concept-http-equivalent-codes>or equivalent</a>) must be
+  ignored when determining the resource's type and when handing the
+  resource to the plugin.<p class=note>This allows servers to return data for plugins even
   with error responses (e.g. HTTP 500 Internal Server Error codes can
   still contain plugin data).<p>When the element is created with a <code title=attr-embed-type><a href=#attr-embed-type>type</a></code> attribute and no <code title=attr-embed-src><a href=#attr-embed-src>src</a></code> attribute, and whenever the <code title=attr-embed-type><a href=#attr-embed-type>type</a></code> attribute is subsequently set,
   so long as no <code title=attr-embed-src><a href=#attr-embed-src>src</a></code> attribute is
@@ -26597,8 +26640,8 @@
 
 
      <dt>If a script is a <a href=#javascript-protocol title="javascript protocol"><code title="">javascript:</code> URL</a> that was returned as the
-     location of an HTTP redirect (or equivalent in other
-     protocols)</dt>
+     location of an HTTP redirect (<a href=#concept-http-equivalent-codes title=concept-http-equivalent-codes>or equivalent</a> in
+     other protocols)</dt>
 
      <dd>The owner is the <a href=#url>URL</a> that redirected to the
      <a href=#javascript-protocol title="javascript protocol"><code title="">javascript:</code> URL</a>.</dd>
@@ -26693,7 +26736,8 @@
 
      <dt>If a <code>Document</code> or image was generated from a
      <code title="">data:</code> URL that was returned as the location
-     of an HTTP redirect (or equivalent in other protocols)</dt>
+     of an HTTP redirect (<a href=#concept-http-equivalent-codes title=concept-http-equivalent-codes>or equivalent</a> in
+     other protocols)</dt>
 
      <dd>The <a href=#origin-0>origin</a> is the <a href=#origin-0>origin</a> of the
      <a href=#url>URL</a> that redirected to the <code title="">data:</code> URL.</dd>
@@ -28005,7 +28049,8 @@
     invoked the <code title=dom-navigator-registerContentHandler><a href=#dom-navigator-registercontenthandler>registerContentHandler()</a></code>
     or <code title=dom-navigator-registerProtocolHandler><a href=#dom-navigator-registerprotocolhandler>registerProtocolHandler()</a></code>
     method), and then <a href=#fetch>fetch</a> the resulting URL using the
-    GET method (or equivalent for non-HTTP URLs).</p>
+    GET method (<a href=#concept-http-equivalent-get title=concept-http-equivalent-get>or
+    equivalent</a> for non-HTTP URLs).</p>
 
     <p>To get the escaped version of the URL of the content in
     question, the user agent must <a href=#resolve-a-url title="resolve a
@@ -28729,16 +28774,17 @@
 
    <li>
 
-    <p>If the previous step fails due to a 404 or 410 response or
-    equivalent, then run the <a href=#cache-removal-steps>cache removal steps</a></p>
+    <p>If the previous step fails due to a 404 or 410 response <a href=#concept-http-equivalent-codes title=concept-http-equivalent-codes>or equivalent</a>, then
+    run the <a href=#cache-removal-steps>cache removal steps</a></p>
 
     <p>If the previous step fails in some other way (e.g. the server
-    returns another 4xx or 5xx response or equivalent, or there is a
-    DNS error, or the connection times out, or the user cancels the
-    download, or the parser for manifests fails when checking the
-    magic signature), or if the server returned a redirect, or if the
-    resource is labeled with a MIME type other than <code title="">text/cache-manifest</code>, then run the <a href=#cache-failure-steps>cache
-    failure steps</a>.</p>
+    returns another 4xx or 5xx response <a href=#concept-http-equivalent-codes title=concept-http-equivalent-codes>or equivalent</a>, or
+    there is a DNS error, or the connection times out, or the user
+    cancels the download, or the parser for manifests fails when
+    checking the magic signature), or if the server returned a
+    redirect, or if the resource is labeled with a MIME type other
+    than <code title="">text/cache-manifest</code>, then run the
+    <a href=#cache-failure-steps>cache failure steps</a>.</p>
 
    </li>
 
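Review bot: The rewritten first paragraph of this step still ends at "run the cache removal steps" with no full stop, while the paragraph after it ends "cache failure steps." with one. Add the period while the line is being touched.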
@@ -28747,7 +28793,8 @@
     <p>If this is an <a href=#concept-appcache-upgrade title=concept-appcache-upgrade>upgrade
     attempt</a> and the newly downloaded <var title="">manifest</var> is byte-for-byte identical to the manifest
     found in <var title="">cache</var>, or if the server reported it
-    as "304 Not Modified" or equivalent, then run these substeps:</p>
+    as "304 Not Modified" <a href=#concept-http-equivalent-codes title=concept-http-equivalent-codes>or equivalent</a>, then
+    run these substeps:</p>
 
     <ol><li><p><a href=#fire-a-simple-event>Fire a simple event</a> called <code title=event-noupdate>noupdate</code> at the
      <code><a href=#applicationcache>ApplicationCache</a></code> singleton of each <a href=#browsing-context>browsing
@@ -28760,9 +28807,9 @@
      <li><p>If there are any pending downloads of <a href=#concept-appcache-master title=concept-appcache-master>master entries</a> that are
      being stored in the cache, then wait for all of them to have
      completed. If any of these downloads fail (e.g. the server
-     returns a 4xx or 5xx response or equivalent, or there is a DNS
-     error, or the connection times out, or the user cancels the
-     download), then run the <a href=#cache-failure-steps>cache failure
+     returns a 4xx or 5xx response <a href=#concept-http-equivalent-codes title=concept-http-equivalent-codes>or equivalent</a>, or
+     there is a DNS error, or the connection times out, or the user
+     cancels the download), then run the <a href=#cache-failure-steps>cache failure
      steps</a>.</li>
 
      <li><p>Let the <a href=#concept-appcache-status title=concept-appcache-status>status</a> of the group of
@@ -28869,10 +28916,11 @@
      <li>
 
       <p>If the previous step fails (e.g. the server returns a 4xx or
-      5xx response or equivalent, or there is a DNS error, or the
-      connection times out, or the user cancels the download), or if
-      the server returned a redirect, then run the first appropriate
-      step from the following list:</p>
+      5xx response <a href=#concept-http-equivalent-codes title=concept-http-equivalent-codes>or
+      equivalent</a>, or there is a DNS error, or the connection
+      times out, or the user cancels the download), or if the server
+      returned a redirect, then run the first appropriate step from
+      the following list:</p>
 
       <dl class=switch><dt>If the URL being processed was flagged as an "explicit
        entry" or a "fallback entry"</dt>
@@ -28891,8 +28939,7 @@
 
        </dd>
 
-       <dt>If the error was a 404 or 410 HTTP response or
-       equivalent</dt>
+       <dt>If the error was a 404 or 410 HTTP response <a href=#concept-http-equivalent-codes title=concept-http-equivalent-codes>or equivalent</a></dt>
 
        <dd>
 
@@ -29169,8 +29216,7 @@
 
 
    <dt>If the resource being loaded was not loaded from an application
-   cache, but it was loaded using HTTP GET or equivalent</dt>
-   <dd>
+   cache, but it was loaded using HTTP GET <a href=#concept-http-equivalent-get title=concept-http-equivalent-get>or equivalent</a></dt> <dd>
 
     <ol><li><p>If the manifest URL does not have the <a href=#same-origin>same
      origin</a> as the resource's own URL, then invoke the <a href=#concept-appcache-init-no-attribute title=concept-appcache-init-no-attribute>application cache
@@ -29205,8 +29251,11 @@
   that <a href=#browsing-context>browsing context</a> other than those for <a href=#child-browsing-context title="child browsing context">child browsing contexts</a> must
   go through the following steps instead of immediately invoking the
   mechanisms appropriate to that resource's scheme:<ol><li><p>If the resource is not to be fetched using the HTTP GET
-   mechanism or equivalent, then <a href=#fetch>fetch</a> the resource
-   normally and abort these steps.</li>
+   mechanism <a href=#concept-http-equivalent-get title=concept-http-equivalent-get>or
+   equivalent</a>, or if it has a <a href=#javascript-protocol title="javascript
+   protocol"><code title="">javascript:</code> URL</a>, then
+   <a href=#fetch>fetch</a> the resource normally and abort these
+   steps.</li>
 
    <li><p>If the resource's URL is <a href=#concept-appcache-master title=concept-appcache-master>an master entry</a>, <a href=#concept-appcache-manifest title=concept-appcache-manifest>the manifest</a>, <a href=#concept-appcache-explicit title=concept-appcache-explicit>an explicit entry</a>, <a href=#concept-appcache-fallback title=concept-appcache-fallback>a fallback entry</a>, or a
    <a href=#concept-appcache-dynamic title=concept-appcache-dynamic>dynamic entry</a> in the
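Review bot: The new javascript: clause in step 1 has no note or rationale beside it, and the commit message describes the change as putting javascript: into the online whitelist while the hunk implements it as an early "fetch the resource normally and abort these steps" exit. Add a short class=note saying why javascript: URLs skip the application cache steps, and say whether data: URLs, which this patch touches alongside javascript: in the redirect rules, are meant to go through the cache steps. The unchanged step below still reads "an master entry".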
@@ -29222,12 +29271,12 @@
 
     <p><a href=#fetch>Fetch</a> the resource normally. If this results in a
     redirect to a resource with another <a href=#origin-0>origin</a>
-    (indicative of a captive portal), or a 4xx or 5xx status code or
-    equivalent, or if there were network errors (but not if the user
-    canceled the download), then instead get, from the cache, the
-    resource of the <a href=#concept-appcache-fallback title=concept-appcache-fallback>fallback
-    entry</a> corresponding to the matched namespace. Abort these
-    steps.</p>
+    (indicative of a captive portal), or a 4xx or 5xx status code
+    <a href=#concept-http-equivalent-codes title=concept-http-equivalent-codes>or equivalent</a>,
+    or if there were network errors (but not if the user canceled the
+    download), then instead get, from the cache, the resource of the
+    <a href=#concept-appcache-fallback title=concept-appcache-fallback>fallback entry</a>
+    corresponding to the matched namespace. Abort these steps.</p>
 
    </li>
 
@@ -29389,8 +29438,9 @@
    <li><p><a href=#fetch>Fetch</a> the resource referenced by <var title="">url</var>.</li>
 
    <li><p>If this results in a redirect, or a 4xx or 5xx status code
-   or equivalent, or if there were network errors, or if the user
-   canceled the download, then abort these steps.</li>
+   <a href=#concept-http-equivalent-codes title=concept-http-equivalent-codes>or equivalent</a>,
+   or if there were network errors, or if the user canceled the
+   download, then abort these steps.</li>
 
    <li><p>Add the fetched resource to the <a href=#application-cache>application
    cache</a> and categorize it as a <a href=#concept-appcache-dynamic title=concept-appcache-dynamic>dynamic entry</a>.</li>
@@ -29855,8 +29905,9 @@
    <a href=#active-document>active document</a> of the <a href=#browsing-context>browsing context</a>
    being navigated, ignoring any <a href=#url-fragment title=url-fragment>&lt;fragment&gt;</a> components of those
    <a href=#url title=URL>URLs</a>, and the new resource is to be
-   fetched using HTTP GET or equivalent, then <a href=#scroll-to-fragid title=navigate-fragid>navigate to that fragment identifier</a>
-   and abort these steps.</li>
+   fetched using HTTP GET <a href=#concept-http-equivalent-get title=concept-http-equivalent-get>or
+   equivalent</a>, then <a href=#scroll-to-fragid title=navigate-fragid>navigate to
+   that fragment identifier</a> and abort these steps.</li>
 
    <li><p>If the new resource is to be handled by displaying some sort
    of inline content, e.g. an error message because the specified
@@ -29873,12 +29924,12 @@
 
    <li>
 
-    <p>If the new resource is to be fetched using HTTP GET or
-    equivalent, then check if there are any <a href=#relevant-application-cache title="relevant
-    application cache">relevant application caches</a> that are
-    identified by a URL with the <a href=#same-origin>same origin</a> as the URL
-    in question, and that have this URL as one of their entries,
-    excluding entries marked as <a href=#concept-appcache-foreign title=concept-appcache-foreign>foreign</a>. If so, then the
+    <p>If the new resource is to be fetched using HTTP GET <a href=#concept-http-equivalent-get title=concept-http-equivalent-get>or equivalent</a>, then
+    check if there are any <a href=#relevant-application-cache title="relevant application
+    cache">relevant application caches</a> that are identified by a
+    URL with the <a href=#same-origin>same origin</a> as the URL in question, and
+    that have this URL as one of their entries, excluding entries
+    marked as <a href=#concept-appcache-foreign title=concept-appcache-foreign>foreign</a>. If so, then the
     user agent must then get the resource from the <a href=#concept-appcache-selection title=concept-appcache-selection>most appropriate application
     cache</a> of those that match.</p>
 
@@ -29920,17 +29971,18 @@
    <li>
 
     <p>If the resource was not fetched from an <a href=#application-cache>application
-    cache</a>, and was to be fetched using HTTP GET or equivalent,
-    and its URL <a href=#concept-appcache-matches-fallback title=concept-appcache-matches-fallback>matches the fallback
-    namespace</a> of one or more <a href=#relevant-application-cache title="relevant application
-    cache">relevant application caches</a>, and the user didn't
-    cancel the navigation attempt during the previous step, and the
-    navigation attempt failed (e.g. the server returned a 4xx or 5xx
-    status code or equivalent, or there was a DNS error), then:</p>
-    <!-- note that a redirect can never reach this point as it is
-    handled earlier, meaning that a captive portal captures URLs in
-    fallback namespaces and you can't ever get to the fallback file of
-    a resource if you have a captive portal -->
+    cache</a>, and was to be fetched using HTTP GET <a href=#concept-http-equivalent-get title=concept-http-equivalent-get>or equivalent</a>, and its
+    URL <a href=#concept-appcache-matches-fallback title=concept-appcache-matches-fallback>matches the
+    fallback namespace</a> of one or more <a href=#relevant-application-cache title="relevant
+    application cache">relevant application caches</a>, and the
+    user didn't cancel the navigation attempt during the previous
+    step, and the navigation attempt failed (e.g. the server returned
+    a 4xx or 5xx status code <a href=#concept-http-equivalent-codes title=concept-http-equivalent-codes>or equivalent</a>, or
+    there was a DNS error), then:</p> <!-- note that a redirect can
+    never reach this point as it is handled earlier, meaning that a
+    captive portal captures URLs in fallback namespaces and you can't
+    ever get to the fallback file of a resource if you have a captive
+    portal -->
 
     <p>Let <var title="">candidate</var> be the <a href=#concept-appcache-fallback title=concept-appcache-fallback>fallback resource</a>
     specified for the <a href=#concept-appcache-fallback-ns title=concept-appcache-fallback-ns>fallback namespace</a> in
@@ -31752,9 +31804,9 @@
   primarily because of a commercial relationship between people
   affiliated with the two pages.<h5 id=link-type-noreferrer><span class=secno>5.11.3.11 </span>Link type "<dfn title=rel-noreferrer><code>noreferrer</code></dfn>"</h5><p>The <code title=rel-noreferrer><a href=#link-type-noreferrer>noreferrer</a></code> keyword may be
   used with <code><a href=#the-a-element>a</a></code> and <code><a href=#the-area-element>area</a></code> elements.<p>If a user agent follows a link defined by an <code><a href=#the-a-element>a</a></code> or
-  <code><a href=#the-area-element>area</a></code> element that has the <code title=rel-noreferrer><a href=#link-type-noreferrer>noreferrer</a></code> keyword, the user agent must
-  not include a <code title="">Referer</code> HTTP header (or
-  equivalent for other protocols) in the request.<p>This keyword also <a href=#noopener>causes the <code title=dom-opener>opener</code> attribute to remain null</a> if the
+  <code><a href=#the-area-element>area</a></code> element that has the <code title=rel-noreferrer><a href=#link-type-noreferrer>noreferrer</a></code> keyword, the user agent
+  must not include a <code title="">Referer</code> HTTP header (<a href=#concept-http-equivalent-headers title=concept-http-equivalent-headers>or equivalent</a> for
+  other protocols) in the request.<p>This keyword also <a href=#noopener>causes the <code title=dom-opener>opener</code> attribute to remain null</a> if the
   hyperlink creates a new <a href=#browsing-context>browsing context</a>.<h5 id=link-type-pingback><span class=secno>5.11.3.12 </span>Link type "<dfn title=rel-pingback><code>pingback</code></dfn>"</h5><p>The <code title=rel-pingback><a href=#link-type-pingback>pingback</a></code> keyword may be
   used with <code><a href=#the-link-element>link</a></code> elements, for which it creates an <a href=#external-resource-link title="external resource link">external resource link</a>.<p>For the semantics of the <code title=rel-pingback><a href=#link-type-pingback>pingback</a></code> keyword, see the Pingback 1.0
   specification. <a href=#references>[PINGBACK]</a><h5 id=link-type-prefetch><span class=secno>5.11.3.13 </span>Link type "<dfn title=rel-prefetch><code>prefetch</code></dfn>"</h5><p>The <code title=rel-prefetch><a href=#link-type-prefetch>prefetch</a></code> keyword may be
@@ -44099,41 +44151,42 @@
   way currently to enumerate all the views.</p><!-- XXX examples! --><h2 class=no-num id=index>Index</h2><p><em>This section is non-normative.</em><p class=XXX>List of elements<p class=XXX>List of attributes<p class=XXX>List of interfaces<p class=XXX>List of events<h2 class=no-num id=references>References</h2><p class=XXX>This section will be written in a future draft.</p><!-- XXX check that #references is always for [RFC\1] --><h2 class=no-num id=acknowledgements>Acknowledgements</h2><!-- ACKS --><p>Thanks to Aankhen, Aaron Boodman, Aaron Leventhal, Adam Barth,
   Adam Roben, Addison Phillips, Adele Peterson, Adrian Sutton,
   Agust&iacute;n Fern&aacute;ndez, Ajai Tirumali, Alastair Campbell,
-  Alexey Feldgendler, Anders Carlsson, Andrew Gove, Andrew Sidwell,
-  Anne van Kesteren, Anthony Hickson, Anthony Ricaud, Antti Koivisto,
-  Arphen Lin, Asbj&oslash;rn Ulsberg, Ashley Sheridan, Aurelien Levy,
-  Ben Boyle, Ben Godfrey, Ben Meadowcroft, Ben Millard, Benjamin
-  Hawkes-Lewis, Bert Bos, Bill Mason, Billy Wong, Bjoern Hoehrmann,
-  Boris Zbarsky, Brad Fults, Brad Neuberg, Brady Eidson, Brendan Eich,
-  Brett Wilson, Brian Campbell, Brian Smith, Bruce Miller, Cameron
-  McCormack, Cao Yipeng, Carlos Perell&oacute; Mar&iacute;n, Chao Cai,
-  &#50980;&#49437;&#52268; (Channy Yun), Charl van Niekerk, Charles
-  Iliya Krempeaux, Charles McCathieNevile, Christian Biesinger,
-  Christian Johansen, Christian Schmidt, Chriswa, Cole Robison, Collin
-  Jackson, Daniel Barclay, Daniel Brumbaugh Keeney, Daniel Glazman,
-  Daniel Peng, Daniel Sp&aring;ng, Daniel Steinberg, Danny Sullivan,
-  Darin Adler, Darin Fisher, Dave Camp, Dave Singer, Dave Townsend<!--
-  Mossop on moz irc -->, David Baron, David Bloom, David Carlisle,
-  David Flanagan, David H&aring;s&auml;ther, David Hyatt, David Smith,
-  David Woolley, Dean Edridge, Debi Orton, Derek Featherstone, DeWitt
-  Clinton, Dimitri Glazkov, dolphinling, Doron Rosenberg, Doug Kramer,
-  Edward O'Connor, Eira Monstad, Elliotte Harold, Eric Carlson, Eric
-  Law, Erik Arvidsson, Evan Martin, Evan Prodromou, fantasai, Felix
-  Sasaki, Franck 'Shift' Qu&eacute;lain, Garrett Smith, Geoffrey
-  Garen, Geoffrey Sneddon, George Lund, H&aring;kon Wium Lie, Henri
-  Sivonen, Henrik Lied, Henry Mason, Hugh Winkler, Ignacio Javier, Ivo
-  Emanuel Gon&ccedil;alves, J. King, Jacques Distler, James Graham,
-  James Justin Harrell, James M Snell, James Perrett, Jan-Klaas
-  Kollhof, Jason White, Jasper Bryant-Greene, Jeff Cutsinger, Jeff
-  Schiller, Jeff Walden, Jens Bannmann, Jens Fendler, Jeroen van der
-  Meer, Jim Jewett, Jim Meehan, Joe Clark, John Fallows, Joseph
-  Kesselman, Jjgod Jiang, Joel Spolsky, Johan Herland, John Boyer,
-  John Bussjaeger, John Harding, Johnny Stenback, Jon Gibbins, Jon
-  Perlow, Jonathan Worent, Jorgen Horstink, Josh Levenberg, Joshua
-  Randall, Jukka K. Korpela, Jules Cl&eacute;ment-Ripoche, Julian
-  Reschke, Kai Hendry, <!-- Keryx Web, = Lars Gunther --> Kornel
-  Lesinski, &#40658;&#28580;&#21083;&#24535; (KUROSAWA Takeshi),
-  Kristof Zelechovski, Lachlan Hunt, Larry Page, Lars Gunther, Laura
+  Alex Nicolaou, Alexey Feldgendler, Anders Carlsson, Andrew Gove,
+  Andrew Sidwell, Anne van Kesteren, Anthony Hickson, Anthony Ricaud,
+  Antti Koivisto, Arphen Lin, Asbj&oslash;rn Ulsberg, Ashley Sheridan,
+  Aurelien Levy, Ben Boyle, Ben Godfrey, Ben Meadowcroft, Ben Millard,
+  Benjamin Hawkes-Lewis, Bert Bos, Bill Mason, Billy Wong, Bjoern
+  Hoehrmann, Boris Zbarsky, Brad Fults, Brad Neuberg, Brady Eidson,
+  Brendan Eich, Brett Wilson, Brian Campbell, Brian Smith, Bruce
+  Miller, Cameron McCormack, Cao Yipeng, Carlos Perell&oacute;
+  Mar&iacute;n, Chao Cai, &#50980;&#49437;&#52268; (Channy Yun), Charl
+  van Niekerk, Charles Iliya Krempeaux, Charles McCathieNevile,
+  Christian Biesinger, Christian Johansen, Christian Schmidt, Chriswa,
+  Cole Robison, Collin Jackson, Daniel Barclay, Daniel Brumbaugh
+  Keeney, Daniel Glazman, Daniel Peng, Daniel Sp&aring;ng, Daniel
+  Steinberg, Danny Sullivan, Darin Adler, Darin Fisher, Dave Camp,
+  Dave Singer, Dave Townsend<!-- Mossop on moz irc -->, David Baron,
+  David Bloom, David Carlisle, David Flanagan, David
+  H&aring;s&auml;ther, David Hyatt, David Smith, David Woolley, Dean
+  Edridge, Debi Orton, Derek Featherstone, DeWitt Clinton, Dimitri
+  Glazkov, dolphinling, Doron Rosenberg, Doug Kramer, Edward O'Connor,
+  Eira Monstad, Elliotte Harold, Eric Carlson, Eric Law, Erik
+  Arvidsson, Evan Martin, Evan Prodromou, fantasai, Felix Sasaki,
+  Franck 'Shift' Qu&eacute;lain, Garrett Smith, Geoffrey Garen,
+  Geoffrey Sneddon, George Lund, H&aring;kon Wium Lie, Henri Sivonen,
+  Henrik Lied, Henry Mason, Hugh Winkler, Ignacio Javier, Ivo Emanuel
+  Gon&ccedil;alves, J. King, Jacques Distler, James Graham, James
+  Justin Harrell, James M Snell, James Perrett, Jan-Klaas Kollhof,
+  Jason White, Jasper Bryant-Greene, Jeff Cutsinger, Jeff Schiller,
+  Jeff Walden, Jens Bannmann, Jens Fendler, Jeroen van der Meer, Jim
+  Jewett, Jim Meehan, Joe Clark, John Fallows, Joseph Kesselman, Jjgod
+  Jiang, Joel Spolsky, Johan Herland, John Boyer, John Bussjaeger,
+  John Harding, Johnny Stenback, Jon Gibbins, Jon Perlow, Jonathan
+  Worent, Jorgen Horstink, Josh Levenberg, Joshua Randall, Jukka
+  K. Korpela, Jules Cl&eacute;ment-Ripoche, Julian Reschke, Kai
+  Hendry, <!-- Keryx Web, = Lars Gunther --> Kornel Lesinski,
+  &#40658;&#28580;&#21083;&#24535; (KUROSAWA Takeshi), Kristof
+  Zelechovski, Lachlan Hunt, Larry Page, Lars Gunther, Laura
   L. Carlson, Laura Wisewell, Laurens Holst, Lee Kowalkowski, Leif
   Halvard Silli, Lenny Domnitser, L&eacute;onard Bouchet, Leons
   Petrazickis, Logan<!-- on moz irc -->, Loune, Maciej Stachowiak,

Received on Monday, 1 December 2008 23:55:50 UTC