- From: poot <cvsmail@w3.org>
- Date: Tue, 2 Dec 2008 08:55:10 +0900 (JST)
- To: public-html-diffs@w3.org
Always put javascript: into the online whitelist. Make some comments
about HTML and HTTPS security. Vaguely define 'or equivalent' for HTTP
concepts. (whatwg r2499)
5.3 Origin
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1670.html#origin
5.11.3.11 Link type "noreferrer"
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1670.html#link-type-noreferrer
cache attempt
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1670.html#concept-appcache-cache
Index
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1670.html#index
5.11.3.10 Link type "nofollow"
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1670.html#link-type-nofollow
If a Document is in a browsing context whose sandboxed origin browsing context flag is set
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1670.html#sandboxOrigin
2.6.1 Protocol concepts
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1670.html#concept-http-equivalent
add(url)
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1670.html#dom-appcache-add
5.11.3.13 Link type "prefetch"
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1670.html#link-type-prefetch
type of the content
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1670.html#concept-embed-type
about:blank
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1670.html#about:blank
Fragment identifiers: If the absolute URL of the new resource is the same as the address of the active document of the browsing context being navigated, ignoring any <fragment> components of those URLs, and the new resource is to be fetched using HTTP GET or equivalent, then navigate to that fragment identifier and abort these steps.
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1670.html#navigate-fragid-step
alt
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1670.html#attr-img-alt
HTTP response codes
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1670.html#concept-http-equivalent-codes
HTTP headers
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1670.html#concept-http-equivalent-headers
5.7.5.1 Changes to the networking model
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1670.html#changesToNetworkingModel
HTTP GET method
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1670.html#concept-http-equivalent-get
application cache selection algorithm
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1670.html#concept-appcache-init-with-attribute
5.11.3.12 Link type "pingback"
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1670.html#link-type-pingback
registerContentHandler()
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1670.html#dom-navigator-registercontenthandler
2.6.2 Encrypted HTTP and related security concerns
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1670.html#encrypted-http-and-related-security-concerns
2.7 Determining the type of a resource
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1670.html#content-type-sniffing
http://people.w3.org/mike/diffs/html5/spec/Overview.diff.html
http://dev.w3.org/cvsweb/html5/spec/Overview.html?r1=1.1669&r2=1.1670&f=h
http://html5.org/tools/web-apps-tracker?from=2498&to=2499
===================================================================
RCS file: /sources/public/html5/spec/Overview.html,v
retrieving revision 1.1669
retrieving revision 1.1670
diff -u -d -r1.1669 -r1.1670
--- Overview.html 1 Dec 2008 12:31:25 -0000 1.1669
+++ Overview.html 1 Dec 2008 23:52:20 -0000 1.1670
@@ -185,7 +185,10 @@
<li><a href=#resolving-urls><span class=secno>2.5.3 </span>Resolving URLs</a></li>
<li><a href=#dynamic-changes-to-base-urls><span class=secno>2.5.4 </span>Dynamic changes to base URLs</a></li>
<li><a href=#interfaces-for-url-manipulation><span class=secno>2.5.5 </span>Interfaces for URL manipulation</a></ol></li>
- <li><a href=#fetching-resources><span class=secno>2.6 </span>Fetching resources</a></li>
+ <li><a href=#fetching-resources><span class=secno>2.6 </span>Fetching resources</a>
+ <ol>
+ <li><a href=#concept-http-equivalent><span class=secno>2.6.1 </span>Protocol concepts</a></li>
+ <li><a href=#encrypted-http-and-related-security-concerns><span class=secno>2.6.2 </span>Encrypted HTTP and related security concerns</a></ol></li>
<li><a href=#content-type-sniffing><span class=secno>2.7 </span>Determining the type of a resource</a>
<ol>
<li><a href=#content-type><span class=secno>2.7.1 </span>Content-Type metadata</a></li>
@@ -445,7 +448,7 @@
<li><a href=#states-of-the-type-attribute><span class=secno>4.10.4.1 </span>States of the <code title=attr-input-type>type</code> attribute</a>
<ol>
<li><a href=#hidden-state><span class=secno>4.10.4.1.1 </span>Hidden state</a></li>
- <li><a href=#text-state-and-search-state><span class=secno>4.10.4.1.2 </span>Text state and </a></li>
+ <li><a href=#text-state-and-search-state><span class=secno>4.10.4.1.2 </span>Text state and Search state</a></li>
<li><a href=#url-state><span class=secno>4.10.4.1.3 </span>URL state</a></li>
<li><a href=#e-mail-state><span class=secno>4.10.4.1.4 </span>E-mail state</a></li>
<li><a href=#password-state><span class=secno>4.10.4.1.5 </span>Password state</a></li>
@@ -3644,11 +3647,12 @@
<p>If the resource identified by the resulting <a href=#absolute-url>absolute
URL</a> is already being downloaded for other reasons
(e.g. another invocation of this algorithm), and the resource is
- to be obtained using a idempotent action (such as an HTTP GET or
- equivalent), and the user agent is configured such that it is to
- reuse the data from the existing download instead of initiating a
- new one, then use the results of the existing download instead of
- starting a new one.</p>
+ to be obtained using a idempotent action (such as an HTTP GET
+ <a href=#concept-http-equivalent-get title=concept-http-equivalent-get>or equivalent</a>),
+ and the user agent is configured such that it is to reuse the data
+ from the existing download instead of initiating a new one, then
+ use the results of the existing download instead of starting a new
+ one.</p>
<p>Otherwise, at a time convenient to the user and the user agent,
download the resource, applying the semantics of the relevant
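Review bot: "a idempotent action" in the rewrapped sentence should read "an idempotent action"; these lines are already being rewritten to add the link, so fix the article in the same change. Also, the 2.6.1 text added later in this patch describes the GET-equivalent as "idempotent and safe", while this sentence only says "idempotent"; either say "safe and idempotent" here or rely on the linked definition alone.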
@@ -3676,7 +3680,45 @@
algorithm.<p class=note>Whether the <a href=#content-type-sniffing>type
sniffing rules</a> apply to the fetched resource depends on the
algorithm that invokes the rules — they are not always
- applicable.<h3 id=content-type-sniffing><span class=secno>2.7 </span>Determining the type of a resource</h3><p class=warning>It is imperative that the rules in this section
+ applicable.<h4 id=concept-http-equivalent><span class=secno>2.6.1 </span>Protocol concepts</h4><p>User agents can implement a variety of transfer protocols, but
+ this specification mostly defines behavior in terms of HTTP. <a href=#references>[HTTP]</a><p>The <dfn id=concept-http-equivalent-get title=concept-http-equivalent-get>HTTP GET
+ method</dfn> is equivalent to the default retrieval action of the
+ protocol. For example, RETR in FTP. Such actions are idempotent and
+ safe, in HTTP terms.<p>The <dfn id=concept-http-equivalent-codes title=concept-http-equivalent-codes>HTTP response
+ codes</dfn> are equivalent to statuses in other protocols that have
+ the same basic meanings. For example, a "file not found" error is
+ equivalent to a 404 code, a server error is equivalent to a 5xx
+ code, and so on.<p>The <dfn id=concept-http-equivalent-headers title=concept-http-equivalent-headers>HTTP
+ headers</dfn> are equivalent to fields in other protocols that have
+ the same basic meaning. For example, the the HTTP authentication
+ headers are equivalent to the authentication aspects of the FTP
+ protocol.<p class=XXX>If there are any specific questions with what should
+ be considered equivalent to what, let me know, and I'll make it more
+ explicit for those cases.<h4 id=encrypted-http-and-related-security-concerns><span class=secno>2.6.2 </span>Encrypted HTTP and related security concerns</h4><p>Anything in this specification that refers to HTTP also applies
+ to HTTP-over-TLS, as represented by <a href=#url title=url>URLs</a>
+ representing the <code title="">https</code> scheme.<p class=warning>User agents should report certificate errors to
+ the user and must either refuse to download resources sent with
+ erroneous certificates or must act as if such resources were in fact
+ served with no encryption.<p>Not doing so can result in users not noticing man-in-the-middle
+ attacks.<div class=example>
+
+ <p>If a user connects to a server with a self-signed certificate,
+ the user agent could allow the connection but just act as if there
+ had been no encryption. If the user agent instead allowed the user
+ to override the problem and then displayed the page as if it was
+ fully and safely encrypted, the user could be easily tricked into
+ accepting man-in-the-middle connections.</p>
+
+ <p>If a user connects to a server with full encryption, but the
+ page then refers to an external resource that has an expired
+ certificate, then the user agent will act as if the resource was
+ unavailable, possibly also reporting the problem to the user. If
+ the user agent instead allowed the resource to be used, then an
+ attacker could just look for "secure" sites that used resources
+ from a different host and only apply man-in-the-middle attacks to
+ that host, for example taking over scripts in the page.</p>
+
+ </div><h3 id=content-type-sniffing><span class=secno>2.7 </span>Determining the type of a resource</h3><p class=warning>It is imperative that the rules in this section
be followed exactly. When a user agent uses different heuristics for
content type detection than the server expects, security problems
can occur. For example, if a server believes that the client will
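Review bot: In the new 2.6.2 warning paragraph, "erroneous certificates" is never defined, and the two examples cover only a self-signed and an expired certificate, so it is unclear which other certificate problems (a hostname mismatch, an untrusted issuer) fall under the must-level requirement; list the error classes or point to a definition. The second example also says the user agent "will act as if the resource was unavailable", while the normative text allows either refusing the download or treating the resource as served with no encryption; say which option applies to subresources of an encrypted page, or reword the example to match. Minor: "the the HTTP authentication headers" in 2.6.1 has a doubled word.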
@@ -11624,8 +11666,9 @@
task">queued</a> by the <a href=#networking-task-source>networking task source</a> while
the image is being <a href=#fetch title=fetch>fetched</a> must update
the presentation of the image appropriately.<p>Whether the image is fetched successfully or not (e.g. whether
- the response code was a 2xx code or equivalent) must be ignored when
- determining the image's type and whether it is a valid image.<p class=note>This allows servers to return images with error
+ the response code was a 2xx code <a href=#concept-http-equivalent-codes title=concept-http-equivalent-codes>or equivalent</a>) must be
+ ignored when determining the image's type and whether it is a valid
+ image.<p class=note>This allows servers to return images with error
responses, and have them displayed.<p>The user agents should apply the <a href=#content-type-sniffing:-image title="Content-Type
sniffing: image">image sniffing rules</a> to determine the type
of the image, with the image's <a href=#content-type-0 title=Content-Type>associated
@@ -13007,9 +13050,9 @@
<!-- This algorithm is a monument to bad design. Go legacy! -->
</ol><p>Whether the resource is fetched successfully or not (e.g. whether
- the response code was a 2xx code or equivalent) must be ignored when
- determining the resource's type and when handing the resource to the
- plugin.<p class=note>This allows servers to return data for plugins even
+ the response code was a 2xx code <a href=#concept-http-equivalent-codes title=concept-http-equivalent-codes>or equivalent</a>) must be
+ ignored when determining the resource's type and when handing the
+ resource to the plugin.<p class=note>This allows servers to return data for plugins even
with error responses (e.g. HTTP 500 Internal Server Error codes can
still contain plugin data).<p>When the element is created with a <code title=attr-embed-type><a href=#attr-embed-type>type</a></code> attribute and no <code title=attr-embed-src><a href=#attr-embed-src>src</a></code> attribute, and whenever the <code title=attr-embed-type><a href=#attr-embed-type>type</a></code> attribute is subsequently set,
so long as no <code title=attr-embed-src><a href=#attr-embed-src>src</a></code> attribute is
@@ -26597,8 +26640,8 @@
<dt>If a script is a <a href=#javascript-protocol title="javascript protocol"><code title="">javascript:</code> URL</a> that was returned as the
- location of an HTTP redirect (or equivalent in other
- protocols)</dt>
+ location of an HTTP redirect (<a href=#concept-http-equivalent-codes title=concept-http-equivalent-codes>or equivalent</a> in
+ other protocols)</dt>
<dd>The owner is the <a href=#url>URL</a> that redirected to the
<a href=#javascript-protocol title="javascript protocol"><code title="">javascript:</code> URL</a>.</dd>
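Review bot: "HTTP redirect (or equivalent in other protocols)" now links to concept-http-equivalent-codes, but the definition added in 2.6.1 illustrates that concept only with a "file not found" error (404) and server errors (5xx) and says nothing about redirects. This rule decides which URL owns a javascript: script, and the matching data: rule in the next hunk decides an origin, so add a redirect example to the 2.6.1 definition or state which non-HTTP mechanisms count as a redirect.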
@@ -26693,7 +26736,8 @@
<dt>If a <code>Document</code> or image was generated from a
<code title="">data:</code> URL that was returned as the location
- of an HTTP redirect (or equivalent in other protocols)</dt>
+ of an HTTP redirect (<a href=#concept-http-equivalent-codes title=concept-http-equivalent-codes>or equivalent</a> in
+ other protocols)</dt>
<dd>The <a href=#origin-0>origin</a> is the <a href=#origin-0>origin</a> of the
<a href=#url>URL</a> that redirected to the <code title="">data:</code> URL.</dd>
@@ -28005,7 +28049,8 @@
invoked the <code title=dom-navigator-registerContentHandler><a href=#dom-navigator-registercontenthandler>registerContentHandler()</a></code>
or <code title=dom-navigator-registerProtocolHandler><a href=#dom-navigator-registerprotocolhandler>registerProtocolHandler()</a></code>
method), and then <a href=#fetch>fetch</a> the resulting URL using the
- GET method (or equivalent for non-HTTP URLs).</p>
+ GET method (<a href=#concept-http-equivalent-get title=concept-http-equivalent-get>or
+ equivalent</a> for non-HTTP URLs).</p>
<p>To get the escaped version of the URL of the content in
question, the user agent must <a href=#resolve-a-url title="resolve a
@@ -28729,16 +28774,17 @@
<li>
- <p>If the previous step fails due to a 404 or 410 response or
- equivalent, then run the <a href=#cache-removal-steps>cache removal steps</a></p>
+ <p>If the previous step fails due to a 404 or 410 response <a href=#concept-http-equivalent-codes title=concept-http-equivalent-codes>or equivalent</a>, then
+ run the <a href=#cache-removal-steps>cache removal steps</a></p>
<p>If the previous step fails in some other way (e.g. the server
- returns another 4xx or 5xx response or equivalent, or there is a
- DNS error, or the connection times out, or the user cancels the
- download, or the parser for manifests fails when checking the
- magic signature), or if the server returned a redirect, or if the
- resource is labeled with a MIME type other than <code title="">text/cache-manifest</code>, then run the <a href=#cache-failure-steps>cache
- failure steps</a>.</p>
+ returns another 4xx or 5xx response <a href=#concept-http-equivalent-codes title=concept-http-equivalent-codes>or equivalent</a>, or
+ there is a DNS error, or the connection times out, or the user
+ cancels the download, or the parser for manifests fails when
+ checking the magic signature), or if the server returned a
+ redirect, or if the resource is labeled with a MIME type other
+ than <code title="">text/cache-manifest</code>, then run the
+ <a href=#cache-failure-steps>cache failure steps</a>.</p>
</li>
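Review bot: The rewritten first paragraph still ends "run the cache removal steps" with no full stop, unlike the paragraph after it, which ends "cache failure steps."; add the full stop while the line is being touched.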
@@ -28747,7 +28793,8 @@
<p>If this is an <a href=#concept-appcache-upgrade title=concept-appcache-upgrade>upgrade
attempt</a> and the newly downloaded <var title="">manifest</var> is byte-for-byte identical to the manifest
found in <var title="">cache</var>, or if the server reported it
- as "304 Not Modified" or equivalent, then run these substeps:</p>
+ as "304 Not Modified" <a href=#concept-http-equivalent-codes title=concept-http-equivalent-codes>or equivalent</a>, then
+ run these substeps:</p>
<ol><li><p><a href=#fire-a-simple-event>Fire a simple event</a> called <code title=event-noupdate>noupdate</code> at the
<code><a href=#applicationcache>ApplicationCache</a></code> singleton of each <a href=#browsing-context>browsing
@@ -28760,9 +28807,9 @@
<li><p>If there are any pending downloads of <a href=#concept-appcache-master title=concept-appcache-master>master entries</a> that are
being stored in the cache, then wait for all of them to have
completed. If any of these downloads fail (e.g. the server
- returns a 4xx or 5xx response or equivalent, or there is a DNS
- error, or the connection times out, or the user cancels the
- download), then run the <a href=#cache-failure-steps>cache failure
+ returns a 4xx or 5xx response <a href=#concept-http-equivalent-codes title=concept-http-equivalent-codes>or equivalent</a>, or
+ there is a DNS error, or the connection times out, or the user
+ cancels the download), then run the <a href=#cache-failure-steps>cache failure
steps</a>.</li>
<li><p>Let the <a href=#concept-appcache-status title=concept-appcache-status>status</a> of the group of
@@ -28869,10 +28916,11 @@
<li>
<p>If the previous step fails (e.g. the server returns a 4xx or
- 5xx response or equivalent, or there is a DNS error, or the
- connection times out, or the user cancels the download), or if
- the server returned a redirect, then run the first appropriate
- step from the following list:</p>
+ 5xx response <a href=#concept-http-equivalent-codes title=concept-http-equivalent-codes>or
+ equivalent</a>, or there is a DNS error, or the connection
+ times out, or the user cancels the download), or if the server
+ returned a redirect, then run the first appropriate step from
+ the following list:</p>
<dl class=switch><dt>If the URL being processed was flagged as an "explicit
entry" or a "fallback entry"</dt>
@@ -28891,8 +28939,7 @@
</dd>
- <dt>If the error was a 404 or 410 HTTP response or
- equivalent</dt>
+ <dt>If the error was a 404 or 410 HTTP response <a href=#concept-http-equivalent-codes title=concept-http-equivalent-codes>or equivalent</a></dt>
<dd>
@@ -29169,8 +29216,7 @@
<dt>If the resource being loaded was not loaded from an application
- cache, but it was loaded using HTTP GET or equivalent</dt>
- <dd>
+ cache, but it was loaded using HTTP GET <a href=#concept-http-equivalent-get title=concept-http-equivalent-get>or equivalent</a></dt> <dd>
<ol><li><p>If the manifest URL does not have the <a href=#same-origin>same
origin</a> as the resource's own URL, then invoke the <a href=#concept-appcache-init-no-attribute title=concept-appcache-init-no-attribute>application cache
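Review bot: Style point on the changed dt line: the dd start tag has been pulled up onto the end of the "</dt>" line, whereas the other dt/dd pairs in this patch keep "<dd>" on its own line. Put it back on its own line so the hunk changes only the link.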
@@ -29205,8 +29251,11 @@
that <a href=#browsing-context>browsing context</a> other than those for <a href=#child-browsing-context title="child browsing context">child browsing contexts</a> must
go through the following steps instead of immediately invoking the
mechanisms appropriate to that resource's scheme:<ol><li><p>If the resource is not to be fetched using the HTTP GET
- mechanism or equivalent, then <a href=#fetch>fetch</a> the resource
- normally and abort these steps.</li>
+ mechanism <a href=#concept-http-equivalent-get title=concept-http-equivalent-get>or
+ equivalent</a>, or if it has a <a href=#javascript-protocol title="javascript
+ protocol"><code title="">javascript:</code> URL</a>, then
+ <a href=#fetch>fetch</a> the resource normally and abort these
+ steps.</li>
<li><p>If the resource's URL is <a href=#concept-appcache-master title=concept-appcache-master>an master entry</a>, <a href=#concept-appcache-manifest title=concept-appcache-manifest>the manifest</a>, <a href=#concept-appcache-explicit title=concept-appcache-explicit>an explicit entry</a>, <a href=#concept-appcache-fallback title=concept-appcache-fallback>a fallback entry</a>, or a
<a href=#concept-appcache-dynamic title=concept-appcache-dynamic>dynamic entry</a> in the
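Review bot: The added clause "or if it has a javascript: URL" in step 1 is a normative behaviour change sitting among otherwise editorial link additions, and the spec text gives no rationale for it. Add a short note saying that javascript: URLs skip the application cache steps and why, so implementers do not read it as part of the "or equivalent" cleanup. The commit message describes this as putting javascript: into the "online whitelist", while the edit here is to the condition that aborts the networking-model steps; align the wording of one with the other. Nearby, the context line still reads "an master entry".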
@@ -29222,12 +29271,12 @@
<p><a href=#fetch>Fetch</a> the resource normally. If this results in a
redirect to a resource with another <a href=#origin-0>origin</a>
- (indicative of a captive portal), or a 4xx or 5xx status code or
- equivalent, or if there were network errors (but not if the user
- canceled the download), then instead get, from the cache, the
- resource of the <a href=#concept-appcache-fallback title=concept-appcache-fallback>fallback
- entry</a> corresponding to the matched namespace. Abort these
- steps.</p>
+ (indicative of a captive portal), or a 4xx or 5xx status code
+ <a href=#concept-http-equivalent-codes title=concept-http-equivalent-codes>or equivalent</a>,
+ or if there were network errors (but not if the user canceled the
+ download), then instead get, from the cache, the resource of the
+ <a href=#concept-appcache-fallback title=concept-appcache-fallback>fallback entry</a>
+ corresponding to the matched namespace. Abort these steps.</p>
</li>
@@ -29389,8 +29438,9 @@
<li><p><a href=#fetch>Fetch</a> the resource referenced by <var title="">url</var>.</li>
<li><p>If this results in a redirect, or a 4xx or 5xx status code
- or equivalent, or if there were network errors, or if the user
- canceled the download, then abort these steps.</li>
+ <a href=#concept-http-equivalent-codes title=concept-http-equivalent-codes>or equivalent</a>,
+ or if there were network errors, or if the user canceled the
+ download, then abort these steps.</li>
<li><p>Add the fetched resource to the <a href=#application-cache>application
cache</a> and categorize it as a <a href=#concept-appcache-dynamic title=concept-appcache-dynamic>dynamic entry</a>.</li>
@@ -29855,8 +29905,9 @@
<a href=#active-document>active document</a> of the <a href=#browsing-context>browsing context</a>
being navigated, ignoring any <a href=#url-fragment title=url-fragment><fragment></a> components of those
<a href=#url title=URL>URLs</a>, and the new resource is to be
- fetched using HTTP GET or equivalent, then <a href=#scroll-to-fragid title=navigate-fragid>navigate to that fragment identifier</a>
- and abort these steps.</li>
+ fetched using HTTP GET <a href=#concept-http-equivalent-get title=concept-http-equivalent-get>or
+ equivalent</a>, then <a href=#scroll-to-fragid title=navigate-fragid>navigate to
+ that fragment identifier</a> and abort these steps.</li>
<li><p>If the new resource is to be handled by displaying some sort
of inline content, e.g. an error message because the specified
@@ -29873,12 +29924,12 @@
<li>
- <p>If the new resource is to be fetched using HTTP GET or
- equivalent, then check if there are any <a href=#relevant-application-cache title="relevant
- application cache">relevant application caches</a> that are
- identified by a URL with the <a href=#same-origin>same origin</a> as the URL
- in question, and that have this URL as one of their entries,
- excluding entries marked as <a href=#concept-appcache-foreign title=concept-appcache-foreign>foreign</a>. If so, then the
+ <p>If the new resource is to be fetched using HTTP GET <a href=#concept-http-equivalent-get title=concept-http-equivalent-get>or equivalent</a>, then
+ check if there are any <a href=#relevant-application-cache title="relevant application
+ cache">relevant application caches</a> that are identified by a
+ URL with the <a href=#same-origin>same origin</a> as the URL in question, and
+ that have this URL as one of their entries, excluding entries
+ marked as <a href=#concept-appcache-foreign title=concept-appcache-foreign>foreign</a>. If so, then the
user agent must then get the resource from the <a href=#concept-appcache-selection title=concept-appcache-selection>most appropriate application
cache</a> of those that match.</p>
@@ -29920,17 +29971,18 @@
<li>
<p>If the resource was not fetched from an <a href=#application-cache>application
- cache</a>, and was to be fetched using HTTP GET or equivalent,
- and its URL <a href=#concept-appcache-matches-fallback title=concept-appcache-matches-fallback>matches the fallback
- namespace</a> of one or more <a href=#relevant-application-cache title="relevant application
- cache">relevant application caches</a>, and the user didn't
- cancel the navigation attempt during the previous step, and the
- navigation attempt failed (e.g. the server returned a 4xx or 5xx
- status code or equivalent, or there was a DNS error), then:</p>
- <!-- note that a redirect can never reach this point as it is
- handled earlier, meaning that a captive portal captures URLs in
- fallback namespaces and you can't ever get to the fallback file of
- a resource if you have a captive portal -->
+ cache</a>, and was to be fetched using HTTP GET <a href=#concept-http-equivalent-get title=concept-http-equivalent-get>or equivalent</a>, and its
+ URL <a href=#concept-appcache-matches-fallback title=concept-appcache-matches-fallback>matches the
+ fallback namespace</a> of one or more <a href=#relevant-application-cache title="relevant
+ application cache">relevant application caches</a>, and the
+ user didn't cancel the navigation attempt during the previous
+ step, and the navigation attempt failed (e.g. the server returned
+ a 4xx or 5xx status code <a href=#concept-http-equivalent-codes title=concept-http-equivalent-codes>or equivalent</a>, or
+ there was a DNS error), then:</p> <!-- note that a redirect can
+ never reach this point as it is handled earlier, meaning that a
+ captive portal captures URLs in fallback namespaces and you can't
+ ever get to the fallback file of a resource if you have a captive
+ portal -->
<p>Let <var title="">candidate</var> be the <a href=#concept-appcache-fallback title=concept-appcache-fallback>fallback resource</a>
specified for the <a href=#concept-appcache-fallback-ns title=concept-appcache-fallback-ns>fallback namespace</a> in
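Review bot: The reflow has joined the HTML comment about captive portals onto the closing paragraph line ("then:</p> <!-- note that a redirect can"), which buries a design caveat in the middle of the markup. Keep the comment on its own lines as it was. Since it records that a redirect is handled earlier and so a captive portal prevents the fallback file from ever being reached, consider turning it into a visible note rather than a comment.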
@@ -31752,9 +31804,9 @@
primarily because of a commercial relationship between people
affiliated with the two pages.<h5 id=link-type-noreferrer><span class=secno>5.11.3.11 </span>Link type "<dfn title=rel-noreferrer><code>noreferrer</code></dfn>"</h5><p>The <code title=rel-noreferrer><a href=#link-type-noreferrer>noreferrer</a></code> keyword may be
used with <code><a href=#the-a-element>a</a></code> and <code><a href=#the-area-element>area</a></code> elements.<p>If a user agent follows a link defined by an <code><a href=#the-a-element>a</a></code> or
- <code><a href=#the-area-element>area</a></code> element that has the <code title=rel-noreferrer><a href=#link-type-noreferrer>noreferrer</a></code> keyword, the user agent must
- not include a <code title="">Referer</code> HTTP header (or
- equivalent for other protocols) in the request.<p>This keyword also <a href=#noopener>causes the <code title=dom-opener>opener</code> attribute to remain null</a> if the
+ <code><a href=#the-area-element>area</a></code> element that has the <code title=rel-noreferrer><a href=#link-type-noreferrer>noreferrer</a></code> keyword, the user agent
+ must not include a <code title="">Referer</code> HTTP header (<a href=#concept-http-equivalent-headers title=concept-http-equivalent-headers>or equivalent</a> for
+ other protocols) in the request.<p>This keyword also <a href=#noopener>causes the <code title=dom-opener>opener</code> attribute to remain null</a> if the
hyperlink creates a new <a href=#browsing-context>browsing context</a>.<h5 id=link-type-pingback><span class=secno>5.11.3.12 </span>Link type "<dfn title=rel-pingback><code>pingback</code></dfn>"</h5><p>The <code title=rel-pingback><a href=#link-type-pingback>pingback</a></code> keyword may be
used with <code><a href=#the-link-element>link</a></code> elements, for which it creates an <a href=#external-resource-link title="external resource link">external resource link</a>.<p>For the semantics of the <code title=rel-pingback><a href=#link-type-pingback>pingback</a></code> keyword, see the Pingback 1.0
specification. <a href=#references>[PINGBACK]</a><h5 id=link-type-prefetch><span class=secno>5.11.3.13 </span>Link type "<dfn title=rel-prefetch><code>prefetch</code></dfn>"</h5><p>The <code title=rel-prefetch><a href=#link-type-prefetch>prefetch</a></code> keyword may be
@@ -44099,41 +44151,42 @@
way currently to enumerate all the views.</p><!-- XXX examples! --><h2 class=no-num id=index>Index</h2><p><em>This section is non-normative.</em><p class=XXX>List of elements<p class=XXX>List of attributes<p class=XXX>List of interfaces<p class=XXX>List of events<h2 class=no-num id=references>References</h2><p class=XXX>This section will be written in a future draft.</p><!-- XXX check that #references is always for [RFC\1] --><h2 class=no-num id=acknowledgements>Acknowledgements</h2><!-- ACKS --><p>Thanks to Aankhen, Aaron Boodman, Aaron Leventhal, Adam Barth,
Adam Roben, Addison Phillips, Adele Peterson, Adrian Sutton,
Agustín Fernández, Ajai Tirumali, Alastair Campbell,
- Alexey Feldgendler, Anders Carlsson, Andrew Gove, Andrew Sidwell,
- Anne van Kesteren, Anthony Hickson, Anthony Ricaud, Antti Koivisto,
- Arphen Lin, Asbjørn Ulsberg, Ashley Sheridan, Aurelien Levy,
- Ben Boyle, Ben Godfrey, Ben Meadowcroft, Ben Millard, Benjamin
- Hawkes-Lewis, Bert Bos, Bill Mason, Billy Wong, Bjoern Hoehrmann,
- Boris Zbarsky, Brad Fults, Brad Neuberg, Brady Eidson, Brendan Eich,
- Brett Wilson, Brian Campbell, Brian Smith, Bruce Miller, Cameron
- McCormack, Cao Yipeng, Carlos Perelló Marín, Chao Cai,
- 윤석찬 (Channy Yun), Charl van Niekerk, Charles
- Iliya Krempeaux, Charles McCathieNevile, Christian Biesinger,
- Christian Johansen, Christian Schmidt, Chriswa, Cole Robison, Collin
- Jackson, Daniel Barclay, Daniel Brumbaugh Keeney, Daniel Glazman,
- Daniel Peng, Daniel Spång, Daniel Steinberg, Danny Sullivan,
- Darin Adler, Darin Fisher, Dave Camp, Dave Singer, Dave Townsend<!--
- Mossop on moz irc -->, David Baron, David Bloom, David Carlisle,
- David Flanagan, David Håsäther, David Hyatt, David Smith,
- David Woolley, Dean Edridge, Debi Orton, Derek Featherstone, DeWitt
- Clinton, Dimitri Glazkov, dolphinling, Doron Rosenberg, Doug Kramer,
- Edward O'Connor, Eira Monstad, Elliotte Harold, Eric Carlson, Eric
- Law, Erik Arvidsson, Evan Martin, Evan Prodromou, fantasai, Felix
- Sasaki, Franck 'Shift' Quélain, Garrett Smith, Geoffrey
- Garen, Geoffrey Sneddon, George Lund, Håkon Wium Lie, Henri
- Sivonen, Henrik Lied, Henry Mason, Hugh Winkler, Ignacio Javier, Ivo
- Emanuel Gonçalves, J. King, Jacques Distler, James Graham,
- James Justin Harrell, James M Snell, James Perrett, Jan-Klaas
- Kollhof, Jason White, Jasper Bryant-Greene, Jeff Cutsinger, Jeff
- Schiller, Jeff Walden, Jens Bannmann, Jens Fendler, Jeroen van der
- Meer, Jim Jewett, Jim Meehan, Joe Clark, John Fallows, Joseph
- Kesselman, Jjgod Jiang, Joel Spolsky, Johan Herland, John Boyer,
- John Bussjaeger, John Harding, Johnny Stenback, Jon Gibbins, Jon
- Perlow, Jonathan Worent, Jorgen Horstink, Josh Levenberg, Joshua
- Randall, Jukka K. Korpela, Jules Clément-Ripoche, Julian
- Reschke, Kai Hendry, <!-- Keryx Web, = Lars Gunther --> Kornel
- Lesinski, 黒澤剛志 (KUROSAWA Takeshi),
- Kristof Zelechovski, Lachlan Hunt, Larry Page, Lars Gunther, Laura
+ Alex Nicolaou, Alexey Feldgendler, Anders Carlsson, Andrew Gove,
+ Andrew Sidwell, Anne van Kesteren, Anthony Hickson, Anthony Ricaud,
+ Antti Koivisto, Arphen Lin, Asbjørn Ulsberg, Ashley Sheridan,
+ Aurelien Levy, Ben Boyle, Ben Godfrey, Ben Meadowcroft, Ben Millard,
+ Benjamin Hawkes-Lewis, Bert Bos, Bill Mason, Billy Wong, Bjoern
+ Hoehrmann, Boris Zbarsky, Brad Fults, Brad Neuberg, Brady Eidson,
+ Brendan Eich, Brett Wilson, Brian Campbell, Brian Smith, Bruce
+ Miller, Cameron McCormack, Cao Yipeng, Carlos Perelló
+ Marín, Chao Cai, 윤석찬 (Channy Yun), Charl
+ van Niekerk, Charles Iliya Krempeaux, Charles McCathieNevile,
+ Christian Biesinger, Christian Johansen, Christian Schmidt, Chriswa,
+ Cole Robison, Collin Jackson, Daniel Barclay, Daniel Brumbaugh
+ Keeney, Daniel Glazman, Daniel Peng, Daniel Spång, Daniel
+ Steinberg, Danny Sullivan, Darin Adler, Darin Fisher, Dave Camp,
+ Dave Singer, Dave Townsend<!-- Mossop on moz irc -->, David Baron,
+ David Bloom, David Carlisle, David Flanagan, David
+ Håsäther, David Hyatt, David Smith, David Woolley, Dean
+ Edridge, Debi Orton, Derek Featherstone, DeWitt Clinton, Dimitri
+ Glazkov, dolphinling, Doron Rosenberg, Doug Kramer, Edward O'Connor,
+ Eira Monstad, Elliotte Harold, Eric Carlson, Eric Law, Erik
+ Arvidsson, Evan Martin, Evan Prodromou, fantasai, Felix Sasaki,
+ Franck 'Shift' Quélain, Garrett Smith, Geoffrey Garen,
+ Geoffrey Sneddon, George Lund, Håkon Wium Lie, Henri Sivonen,
+ Henrik Lied, Henry Mason, Hugh Winkler, Ignacio Javier, Ivo Emanuel
+ Gonçalves, J. King, Jacques Distler, James Graham, James
+ Justin Harrell, James M Snell, James Perrett, Jan-Klaas Kollhof,
+ Jason White, Jasper Bryant-Greene, Jeff Cutsinger, Jeff Schiller,
+ Jeff Walden, Jens Bannmann, Jens Fendler, Jeroen van der Meer, Jim
+ Jewett, Jim Meehan, Joe Clark, John Fallows, Joseph Kesselman, Jjgod
+ Jiang, Joel Spolsky, Johan Herland, John Boyer, John Bussjaeger,
+ John Harding, Johnny Stenback, Jon Gibbins, Jon Perlow, Jonathan
+ Worent, Jorgen Horstink, Josh Levenberg, Joshua Randall, Jukka
+ K. Korpela, Jules Clément-Ripoche, Julian Reschke, Kai
+ Hendry, <!-- Keryx Web, = Lars Gunther --> Kornel Lesinski,
+ 黒澤剛志 (KUROSAWA Takeshi), Kristof
+ Zelechovski, Lachlan Hunt, Larry Page, Lars Gunther, Laura
L. Carlson, Laura Wisewell, Laurens Holst, Lee Kowalkowski, Leif
Halvard Silli, Lenny Domnitser, Léonard Bouchet, Leons
Petrazickis, Logan<!-- on moz irc -->, Loune, Maciej Stachowiak,
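Review bot: The acknowledgements hunk rewraps 35 lines in order to insert what looks like a single new name, "Alex Nicolaou", at the top of the changed block, which makes it hard to confirm that no other name was altered or dropped. Insert the name without refilling the paragraph, or land the reflow separately. The addition is also not mentioned in the commit message, which covers only the javascript: whitelist, the HTTPS comments and the 'or equivalent' definitions.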
Received on Monday, 1 December 2008 23:55:50 UTC