- From: poot <cvsmail@w3.org>
- Date: Tue, 29 Sep 2009 08:43:39 +0900 (JST)
- To: public-html-diffs@w3.org
hixie: Synchronise with the latest Origin spec rules and semantics.
(whatwg r4011)
http://dev.w3.org/cvsweb/html5/spec/Overview.html?r1=1.3172&r2=1.3173&f=h
http://html5.org/tools/web-apps-tracker?from=4010&to=4011
===================================================================
RCS file: /sources/public/html5/spec/Overview.html,v
retrieving revision 1.3172
retrieving revision 1.3173
diff -u -d -r1.3172 -r1.3173
--- Overview.html 28 Sep 2009 20:52:44 -0000 1.3172
+++ Overview.html 28 Sep 2009 23:42:53 -0000 1.3173
@@ -4507,8 +4507,9 @@
<h3 id="fetching-resources"><span class="secno">2.6 </span>Fetching resources</h3><p class="XXX annotation"><b>Status: </b><i>Working draft</i></p>
- <p>When a user agent is to <dfn id="fetch">fetch</dfn> a resource, the
- following steps must be run:</p>
+ <p>When a user agent is to <dfn id="fetch">fetch</dfn> a resource, optionally
+ from an origin <i title="">origin</i>, the following steps must be
+ run:</p>
<ol><li><p>If the resource is identified by the <a href="#url">URL</a>
<dfn id="about:blank"><code>about:blank</code></dfn>, then return the empty string
@@ -4522,11 +4523,11 @@
and the resource is to be obtained using an idempotent action
(such as an HTTP GET <a href="#concept-http-equivalent-get" title="concept-http-equivalent-get">or
equivalent</a>), and it is already being downloaded for other
- reasons (e.g. another invocation of this algorithm), and the user
- agent is configured such that it is to reuse the data from the
- existing download instead of initiating a new one, then use the
- results of the existing download instead of starting a new
- one.</p>
+ reasons (e.g. another invocation of this algorithm), and this
+ request would be identical to the previous one (e.g. same <code title="http-accept">Accept</code> and <code title="http-origin">Origin</code> headers), and the user agent is
+ configured such that it is to reuse the data from the existing
+ download instead of initiating a new one, then use the results of
+ the existing download instead of starting a new one.</p>
<p>Otherwise, at a time convenient to the user and the user agent,
download (or otherwise obtain) the resource, applying the
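Review bot: "identical to the previous one" in the reuse condition is not defined; the parenthetical names only the Accept and Origin headers as examples, so an implementer cannot tell whether cookies, authentication or other request headers also have to match before a response is shared between two requests. Suggest listing the request properties that must be equal, and replacing "the previous one" with wording such as "the request of the existing download", since that download is still in progress rather than previous.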
@@ -4556,7 +4557,12 @@
browsing context">browsing context</a> of the <a href="#first-script">first
script</a>.</dd>
- </dl></li>
+ </dl><p>For the purposes of the <code title="http-origin">Origin</code>
+ header, if the <a href="#fetch" title="fetch">fetching algorithm</a> was
+ explicitly initiated from an <i title="">origin</i>, then <i title="">the origin that initiated the HTTP request</i> is <i title="">origin</i>. Otherwise, this is <i title="">a request from
+ a "privacy-sensitive" context</i>. <a href="#refsORIGIN">[ORIGIN]</a></p>
+
+ </li>
<li>
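Review bot: In the paragraph added after </dl>, leaving out the origin silently turns the request into one from a "privacy-sensitive" context, so a call site that forgot the argument is indistinguishable from one that omitted it on purpose. In this patch the intent is recorded only in HTML comments at each call site; suggest having every caller of the fetching algorithm state its choice in normative text, and marking the two italic phrases as terms taken from [ORIGIN] rather than plain emphasis.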
@@ -9375,14 +9381,13 @@
applied (as defined below). <span class="impl">For external
resources that are represented in the DOM (for example, style
sheets), the DOM representation must be made available even if the
- resource is not applied. To obtain the resource, the user agent must
- <a href="#resolve-a-url" title="resolve a url">resolve</a> the <a href="#url">URL</a>
- given by the <code title="attr-link-href"><a href="#attr-link-href">href</a></code> attribute,
- relative to the element, and then <a href="#fetch">fetch</a> the resulting
- <a href="#absolute-url">absolute URL</a>. User agents may opt to only
- <a href="#fetch">fetch</a> such resources when they are needed, instead of
- pro-actively <a href="#fetch" title="fetch">fetching</a> all the external
- resources that are not applied.</span><div class="impl">
+ resource is not applied. To <dfn id="concept-link-obtain" title="concept-link-obtain">obtain
+ the resource</dfn>, the user agent must <a href="#resolve-a-url" title="resolve a
+ url">resolve</a> the <a href="#url">URL</a> given by the <code title="attr-link-href"><a href="#attr-link-href">href</a></code> attribute, relative to the
+ element, and then <a href="#fetch">fetch</a> the resulting <a href="#absolute-url">absolute
+ URL</a>. User agents may opt to only <a href="#fetch">fetch</a> such
+ resources when they are needed, instead of pro-actively <a href="#fetch" title="fetch">fetching</a> all the external resources that are
+ not applied.</span></p><!-- http-origin privacy sensitive --><div class="impl">
<p>The semantics of the protocol used (e.g. HTTP) must be followed
when fetching external resources. (For example, redirects must be
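Review bot: The new markup breaks an attribute value across lines (title="resolve a / url"), where the removed line had title="resolve a url" intact; please keep title values on one line so cross-reference tooling that matches on the title is not affected. Separately, the decision that link fetches pass no origin exists only in the trailing "http-origin privacy sensitive" comment, which readers of the rendered spec never see.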
@@ -9480,15 +9485,14 @@
the given type. If the attribute is omitted, but the external
resource link type has a default type defined, then the user agent
must assume that the resource is of that type. If the UA does not
- support the given <a href="#mime-type">MIME type</a> for the given link relationship, then
- the UA should not fetch the resource; if the UA does support the
- given <a href="#mime-type">MIME type</a> for the given link relationship, then the UA should
- <a href="#fetch">fetch</a> the resource. If the attribute is omitted, and
- the external resource link type does not have a default type
- defined, but the user agent would fetch the resource if the type was
- known and supported, then the user agent should <a href="#fetch">fetch</a>
- the resource under the assumption that it will be
- supported.</span><div class="impl">
+ support the given <a href="#mime-type">MIME type</a> for the given link
+ relationship, then the UA should not <a href="#concept-link-obtain" title="concept-link-obtain">obtain</a> the resource; if the UA
+ does support the given <a href="#mime-type">MIME type</a> for the given link
+ relationship, then the UA should <a href="#concept-link-obtain" title="concept-link-obtain">obtain</a> the resource. If the
+ attribute is omitted, and the external resource link type does not
+ have a default type defined, but the user agent would <a href="#concept-link-obtain" title="concept-link-obtain">obtain</a> the resource if the type
+ was known and supported, then the user agent should <a href="#concept-link-obtain" title="concept-link-obtain">obtain</a> the resource under the
+ assumption that it will be supported.</span><div class="impl">
<p>User agents must not consider the <code title="attr-link-type"><a href="#attr-link-type">type</a></code> attribute authoritative —
upon fetching the resource, user agents must not use the <code title="attr-link-type"><a href="#attr-link-type">type</a></code> attribute to determine its actual
@@ -10723,7 +10727,9 @@
<p>If the element has a <code title="attr-script-src"><a href="#attr-script-src">src</a></code>
attribute, then the value of that attribute must be <a href="#resolve-a-url" title="resolve a url">resolved</a> relative to the element, and
- if that is successful, the specified resource must then be <a href="#fetch" title="fetch">fetched</a>.</p>
+ if that is successful, the specified resource must then be <a href="#fetch" title="fetch">fetched</a>, from the <a href="#origin">origin</a> of the
+ element's <code>Document</code>.</p> <!-- not http-origin privacy
+ sensitive -->
<p>For historical reasons, if the <a href="#url">URL</a> is a <a href="#javascript-protocol" title="javascript protocol"><code title="">javascript:</code>
URL</a>, then the user agent must not, despite the requirements
@@ -16017,7 +16023,8 @@
user agent must <a href="#resolve-a-url" title="resolve a url">resolve</a> the value
of that attribute, relative to the element, and if that is
successful must then <a href="#fetch">fetch</a> that resource.</p> <!-- Note
- how this does NOT happen when the base URL changes. -->
+ how this does NOT happen when the base URL changes. --> <!--
+ http-origin privacy sensitive -->
<p>The <code title="attr-img-src"><a href="#attr-img-src">src</a></code> attribute's value is an
<i>ignored self-reference</i> if its value is the empty string, and
@@ -17695,7 +17702,9 @@
the value of the element's <code title="attr-embed-src"><a href="#attr-embed-src">src</a></code>
attribute, relative to the element. If that is successful, the
user agent should <a href="#fetch">fetch</a> the resulting <a href="#absolute-url">absolute
- URL</a>. The <a href="#concept-task" title="concept-task">task</a> that is
+ URL</a>, from the element's <a href="#browsing-context-scope-origin">browsing context scope
+ origin</a> if it has one<!-- potentially http-origin privacy
+ sensitive -->. The <a href="#concept-task" title="concept-task">task</a> that is
<a href="#queue-a-task" title="queue a task">queued</a> by the <a href="#networking-task-source">networking
task source</a> once the resource has been <a href="#fetch" title="fetch">fetched</a> must find and instantiate an
appropriate <a href="#plugin">plugin</a> based on the <a href="#concept-embed-type" title="concept-embed-type">content's type</a>, and hand that
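Review bot: "from the element's browsing context scope origin if it has one" leaves the other branch implicit, and the comment is inserted inside the sentence before the full stop. Suggest stating that when the element has no browsing context scope origin the fetch is made without an origin, and moving the comment after the closing period as at the other call sites.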
@@ -17967,7 +17976,9 @@
element.</p>
<p>If that is successful, <a href="#fetch">fetch</a> the resulting
- <a href="#absolute-url">absolute URL</a>.</p>
+ <a href="#absolute-url">absolute URL</a>, from the element's <a href="#browsing-context-scope-origin">browsing
+ context scope origin</a> if it has one<!-- potentially
+ http-origin privacy sensitive -->.</p>
<!-- similar text in various places -->
<p>Fetching the resource must <a href="#delay-the-load-event">delay the load event</a>
@@ -18415,9 +18426,12 @@
or when the <code title="attr-video-poster"><a href="#attr-video-poster">poster</a></code> attribute
is set, its value must be <a href="#resolve-a-url" title="resolve a
url">resolved</a> relative to the element, and if that is
- successful, the resulting <a href="#absolute-url">absolute URL</a> must be <a href="#fetch" title="fetch">fetched</a>; this must <a href="#delay-the-load-event">delay the load
- event</a> of the element's document. The <dfn id="poster-frame">poster frame</dfn>
- is then the image obtained from that resource, if any.</span></p><!-- thus it is unaffected by changes to the base URL. --><p class="note">The image given by the <code title="attr-video-poster"><a href="#attr-video-poster">poster</a></code> attribute, the <i><a href="#poster-frame">poster
+ successful, the resulting <a href="#absolute-url">absolute URL</a> must be <a href="#fetch" title="fetch">fetched</a>, from the element's
+ <code>Document</code>'s <a href="#origin">origin</a>; this must <a href="#delay-the-load-event">delay
+ the load event</a> of the element's document. The <dfn id="poster-frame">poster
+ frame</dfn> is then the image obtained from that resource, if
+ any.</span></p><!-- thus it is unaffected by changes to the base
+ URL. --><p class="note">The image given by the <code title="attr-video-poster"><a href="#attr-video-poster">poster</a></code> attribute, the <i><a href="#poster-frame">poster
frame</a></i>, is intended to be a representative frame of the video
(typically one of the first non-blank frames) that gives the user an
idea of what the video is like.<div class="impl">
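Review bot: The poster image is fetched from the Document's origin, while the img src fetch earlier in this patch is annotated "http-origin privacy sensitive" and passes no origin, and nothing here explains why two image fetches are treated differently. This is also one of the few changed call sites without an http-origin comment; suggest adding one with the reason, or aligning the two cases.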
@@ -19529,7 +19543,9 @@
<li>
<p>Begin to <a href="#fetch">fetch</a> the <var title="">current media
- resource</var>.</p>
+ resource</var>, from the <a href="#media-element">media element</a>'s
+ <code>Document</code>'s <a href="#origin">origin</a>.</p> <!-- not
+ http-origin privacy sensitive (looking forward to CORS here) -->
<p>Every 350ms (±200ms) or for every byte received, whichever
is <em>least</em> frequent, <a href="#queue-a-task">queue a task</a> to
@@ -30889,7 +30905,8 @@
<code title="attr-input-src"><a href="#attr-input-src">src</a></code> attribute, relative to the
element, and if that is successful, must <a href="#fetch">fetch</a> the
resulting <a href="#absolute-url">absolute URL</a>:</p> <!-- Note how this does NOT
- happen when the base URL changes. -->
+ happen when the base URL changes. --> <!-- http-origin privacy
+ sensitive -->
<ul><li>The <code><a href="#the-input-element">input</a></code> element's <code title="attr-input-type"><a href="#attr-input-type">type</a></code> attribute is first set to the
<a href="#image-button-state" title="attr-input-type-image">Image Button</a> state
@@ -37890,14 +37907,15 @@
<dd>Append the command to the menu, respecting its <a href="#concept-facet" title="concept-facet">facets</a><!-- we might need to be
explicit about what this means for each facet, if testing shows
this isn't well-implemented. e.g.: If there's an Icon facet for the
- command, it should be <span title="fetch">fetched</span>, and then
- that image should be associated with the command, such that each
- command only has its image fetched once, to prevent changes to the
- base URL from having effects after the image has been fetched
- once. (no need to resolve the Icon facet, it's an absolute URL)
- -->. <!--If the element is a <code>command</code> element with a
- <code title="attr-command-default">default</code> attribute, mark
- the command as being a default command.--></dd>
+ command, it should be <span title="fetch">fetched</span> (this
+ would be http-origin privacy-sensitive), and then that image should
+ be associated with the command, such that each command only has its
+ image fetched once, to prevent changes to the base URL from having
+ effects after the image has been fetched once. (no need to resolve
+ the Icon facet, it's an absolute URL) -->. <!--If the element is a
+ <code>command</code> element with a <code
+ title="attr-command-default">default</code> attribute, mark the
+ command as being a default command.--></dd>
<dt>An <code><a href="#the-hr-element">hr</a></code> element</dt>
@@ -43344,7 +43362,17 @@
document</a> of <var title="">A</var> (possibly in fact being
<var title="">A</var> itself).</li>
- </ul></div><div class="impl">
+ </ul><hr><p>An element has a <dfn id="browsing-context-scope-origin">browsing context scope origin</dfn> if its
+ <code>Document</code>'s <a href="#browsing-context">browsing context</a> is a
+ <a href="#top-level-browsing-context">top-level browsing context</a> or if all of its
+ <code>Document</code>'s <a href="#ancestor-browsing-context" title="ancestor browsing
+ context">ancestor browsing contexts</a> all have <a href="#active-document" title="active document">active documents</a> whose
+ <a href="#origin">origin</a> are the <a href="#same-origin">same origin</a> as the
+ element's <code>Document</code>'s <a href="#origin">origin</a>. If an element
+ has a <a href="#browsing-context-scope-origin">browsing context scope origin</a>, then its value is
+ the <a href="#origin">origin</a> of the element's <code>Document</code>.</p>
+
+ </div><div class="impl">
<h4 id="groupings-of-browsing-contexts"><span class="secno">6.1.5 </span>Groupings of browsing contexts</h4>
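Review bot: The second condition of the new definition reads "if all of its Document's ancestor browsing contexts all have active documents whose origin are the same origin", with a doubled "all" and a singular/plural mismatch. This term decides whether embed, object and iframe fetches carry an origin, so it should parse unambiguously; suggest "if the active documents of all of its Document's ancestor browsing contexts have the same origin as the element's Document". The title="ancestor browsing / context" value is also split across lines.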
@@ -47496,7 +47524,9 @@
<li>
<p><i>Fetching the manifest</i>: <a href="#fetch">Fetch</a> the resource
- from <var title="">manifest URL</var>, and let <var title="">manifest</var> be that resource.</p>
+ from <var title="">manifest URL</var>, and let <var title="">manifest</var> be that resource.</p> <!-- http-origin
+ privacy sensitive, though it doesn't matter, since this can never
+ be cross-origin -->
<p>If the resource is labeled with the <a href="#mime-type">MIME type</a>
<code><a href="#text-cache-manifest">text/cache-manifest</a></code>, parse <var title="">manifest</var> according to the <a href="#parse-a-manifest" title="parse a
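Review bot: The added comment asserts that the manifest fetch "can never be cross-origin" without pointing to the requirement that guarantees it. Suggest naming that requirement in the comment, so the omission of an origin here can be rechecked if the rule on manifest URLs ever changes.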
@@ -47709,18 +47739,20 @@
<li>
- <p><a href="#fetch">Fetch</a> the resource. If this is an <a href="#concept-appcache-upgrade" title="concept-appcache-upgrade">upgrade attempt</a>, then
- use the <a href="#concept-appcache-newer" title="concept-appcache-newer">newest</a>
- <a href="#application-cache">application cache</a> in <var title="">cache
- group</var> as an HTTP cache, and honor HTTP caching semantics
- (such as expiration, ETags, and so forth) with respect to that
- cache. User agents may also have other caches in place that are
- also honored.</p>
+ <p><a href="#fetch">Fetch</a> the resource, from the <a href="#origin">origin</a>
+ of the <a href="#url">URL</a> <var title="">manifest URL</var>. If
+ this is an <a href="#concept-appcache-upgrade" title="concept-appcache-upgrade">upgrade
+ attempt</a>, then use the <a href="#concept-appcache-newer" title="concept-appcache-newer">newest</a> <a href="#application-cache">application
+ cache</a> in <var title="">cache group</var> as an HTTP
+ cache, and honor HTTP caching semantics (such as expiration,
+ ETags, and so forth) with respect to that cache. User agents may
+ also have other caches in place that are also honored.</p> <!--
+ not http-origin privacy sensitive -->
<p class="note">If the resource in question is already being
downloaded for other reasons then the existing download process
- can be used for the purposes of this step, as defined by the
- <a href="#fetch" title="fetch">fetching</a> algorithm.</p>
+ can sometimes be used for the purposes of this step, as defined
+ by the <a href="#fetch" title="fetch">fetching</a> algorithm.</p>
<p class="example">An example of a resource that might already
be being downloaded is a large image on a Web page that is being
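Review bot: The note now says the existing download "can sometimes be used" but does not say when. Suggest naming the condition the fetching algorithm now imposes (the request must be identical, e.g. same Accept and Origin headers). The example that follows should be rechecked against it, because this step fetches "from the origin of the URL manifest URL" while the img src fetch in this patch passes no origin.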
@@ -47875,7 +47907,8 @@
<p><a href="#fetch">Fetch</a> the resource from <var title="">manifest
URL</var> again, and let <var title="">second manifest</var> be
- that resource.</p>
+ that resource.</p> <!-- http-origin privacy sensitive, though it
+ doesn't matter, since this can never be cross-origin -->
</li>
@@ -49139,25 +49172,28 @@
<p>Otherwise, <a href="#fetch">fetch</a> the new resource, if it has not
already been obtained<!-- it's obtained by <object>, for instance
- -->. If the resource is being fetched using HTTP, and the method
- is not GET<!-- or HEAD (but that can't happen) -->, then the user
- agent must include an <code title="http-origin">Origin</code>
- header whose value is determined as follows:</p>
-
- <dl class="switch"><dt>If the <a href="#navigate" title="navigate">navigation</a> algorithm has
- so far contacted more than one <a href="#origin">origin</a></dt>
- <dt>If there is no <a href="#source-browsing-context">source browsing context</a></dt>
-
- <dd>The value must be the string "<code title="">null</code>".</dd>
+ -->.</p>
- <dt>Otherwise</dt>
+ <p>If the resource is being fetched using a method other than one
+ <a href="#concept-http-equivalent-get" title="concept-http-equivalent-get">equivalent to</a>
+ HTTP's GET<!-- or HEAD (but that can't happen) -->, or, if the
+ <a href="#navigate" title="navigate">navigation algorithm</a> was invoked as
+ a result of the <a href="#concept-form-submit" title="concept-form-submit">form submission
+ algorithm</a>, then the <a href="#fetch" title="fetch">fetching
+ algorithm</a> must be invoked from the <a href="#origin">origin</a> of
+ the <a href="#active-document">active document</a> of the <a href="#source-browsing-context">source browsing
+ context</a>, if any.</p> <!-- potentially http-origin privacy
+ sensitive -->
- <dd>The value must be the <a href="#ascii-serialization-of-an-origin" title="ASCII serialization of an
- origin">ASCII serialization</a> of the <a href="#origin">origin</a> of
- the <a href="#active-document">active document</a> of the <a href="#source-browsing-context">source browsing
- context</a> at the time the navigation was started.</dd>
+ <p>If the <a href="#browsing-context">browsing context</a> being navigated is a
+ <a href="#child-browsing-context">child browsing context</a> for an <code><a href="#the-iframe-element">iframe</a></code> or
+ <code><a href="#the-object-element">object</a></code> element, then the <a href="#fetch" title="fetch">fetching
+ algorithm</a> must be invoked from the <code><a href="#the-iframe-element">iframe</a></code> or
+ <code><a href="#the-object-element">object</a></code> element's <a href="#browsing-context-scope-origin">browsing context scope
+ origin</a>, if it has one.</p> <!-- potentially http-origin
+ privacy sensitive -->
- </dl></li>
+ </li>
<li>
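Review bot: The two added paragraphs can both apply to a single navigation, for example a form submission that targets the child browsing context of an iframe, and they name different origins (the active document of the source browsing context versus the iframe element's browsing context scope origin) with no stated precedence. Suggest saying which one wins. The removed text also pinned the origin "at the time the navigation was started" and required the value "null" once more than one origin had been contacted; neither rule survives in the new wording, so please state whether [ORIGIN] is now relied on for both.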
@@ -50064,7 +50100,9 @@
<a href="#fetch" title="fetch">fetching</a> the specified URLs using the
POST method, with an entity body with the <a href="#mime-type">MIME type</a>
<code><a href="#text-ping">text/ping</a></code> consisting of the four-character string
- "<code title="">PING</code>". All relevant cookie and HTTP
+ "<code title="">PING</code>", from the <a href="#origin">origin</a> of the
+ <code>Document</code> containing the <a href="#hyperlink">hyperlink</a>. <!--
+ not http-origin privacy sensitive --> All relevant cookie and HTTP
authentication headers must be included in the request. Which other
headers are required depends on the URLs involved.</p>
@@ -50101,13 +50139,7 @@
nor include a <code title="http-ping-from">Ping-From</code> HTTP
header.</dd>
- </dl><p>In addition, an <code title="http-origin">Origin</code> header
- must always be included, whose value is the <a href="#ascii-serialization-of-an-origin" title="ASCII
- serialization of an origin">ASCII serialization</a> of the
- <a href="#origin">origin</a> of the <code>Document</code> containing the
- <a href="#hyperlink">hyperlink</a>.</p>
-
- <p class="note">To save bandwidth, implementors might also wish to
+ </dl><p class="note">To save bandwidth, implementors might also wish to
consider omitting optional headers such as <code>Accept</code> from
these requests.</p>
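Review bot: Removing this paragraph drops the only statement that an Origin header "must always be included" on ping requests. The replacement in the previous hunk says only that the fetch is made from the origin of the Document containing the hyperlink, which leaves the presence of the header to [ORIGIN]. If the guarantee is still intended, suggest keeping a one-sentence note here that these POST requests carry the Origin header.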
@@ -67547,8 +67579,10 @@
its <a href="#fallback-content">fallback content</a>, the element must be ignored (it
represents nothing).</p>
- <p>Otherwise, <span class="XXX">define how the element works,
- if supported</span>.</p> <!-- remember to delay the laod event -->
+ <p>Otherwise, <span class="XXX">define how the element works, if
+ supported</span>.</p> <!-- remember to delay the load event --> <!--
+ remember to include ", from the element's <span>browsing context
+ scope origin</span> if it has one" when fetching -->
<p>The <code><a href="#the-applet-element">applet</a></code> element must implement the
<code><a href="#htmlappletelement">HTMLAppletElement</a></code> interface.</p>
@@ -68145,7 +68179,8 @@
<li><p>For each token that is successfully resolved,
<a href="#fetch">fetch</a> the resulting <a href="#absolute-url">absolute URL</a> and
- apply the appropriate processing.</li>
+ apply the appropriate processing.</li> <!-- http-origin privacy
+ sensitive -->
</ol><p>The <dfn id="dom-head-profile" title="dom-head-profile"><code>profile</code></dfn> IDL
attribute of the <code><a href="#the-head-element-0">head</a></code> element must <a href="#reflect">reflect</a>
@@ -69303,6 +69338,11 @@
in HTML/XHTML</a></cite>. In <cite>OpenSearch 1.1 Draft 4</cite>,
Section 4.6.2. OpenSearch.org.</dd>
+ <dt id="refsORIGIN">[ORIGIN]</dt>
+ <dd><cite><a href="http://tools.ietf.org/html/draft-abarth-origin">The HTTP
+ Origin Header</a></cite>, A. Barth, C. Jackson, I. Hickson. IETF,
+ September 2009.</dd>
+
<dt id="refsPINGBACK">[PINGBACK]</dt>
<dd><cite><a href="http://www.hixie.ch/specs/pingback/pingback">Pingback
1.0</a></cite>, S. Langridge, I. Hickson. January 2007.</dd>
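Review bot: The new [ORIGIN] entry links to the unversioned draft-abarth-origin URL, yet this patch now depends on that document for the meaning of "the origin that initiated the HTTP request" and of a "privacy-sensitive" context. Suggest citing the specific draft revision the text was synchronised with, so later changes to the draft do not silently alter the requirements here.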
Received on Monday, 28 September 2009 23:44:18 UTC