hixie: Block cross-origin PUT and DELETE from <form>s for now. (whatwg r4042)

http://dev.w3.org/cvsweb/html5/spec/Overview.html?r1=1.3203&r2=1.3204&f=h
http://html5.org/tools/web-apps-tracker?from=4041&to=4042

===================================================================
RCS file: /sources/public/html5/spec/Overview.html,v
retrieving revision 1.3203
retrieving revision 1.3204
diff -u -d -r1.3203 -r1.3204
--- Overview.html 29 Sep 2009 09:22:46 -0000 1.3203
+++ Overview.html 29 Sep 2009 09:29:04 -0000 1.3204
@@ -34663,9 +34663,15 @@
 
        <dd>Let <var title="">MIME type</var> be "<code title="">text/plain</code>".</dd>
 
-      </dl><p><a href="#navigate">Navigate</a> <var title="">target browsing
-      context</var> to <var title="">action</var> using the HTTP
-      method given by <var title="">method</var> and with <var title="">entity body</var> as the entity body, of type <var title="">MIME type</var>. If <var title="">target browsing
+      </dl><p>If <var title="">method</var> is anything but GET or POST,
+      and the <a href="#origin">origin</a> of <var title="">action</var> is not
+      the <a href="#same-origin">same origin</a> as that of the <code><a href="#the-form-element">form</a></code>
+      element's <code>Document</code>, then abort these steps.</p>
+      <!-- CORS, one day -->
+
+      <p>Otherwise, <a href="#navigate">navigate</a> <var title="">target
+      browsing context</var> to <var title="">action</var> using the
+      HTTP method given by <var title="">method</var> and with <var title="">entity body</var> as the entity body, of type <var title="">MIME type</var>. If <var title="">target browsing
       context</var> was newly created for this purpose by the steps
       above, then it must be navigated with <a href="#replacement-enabled">replacement
       enabled</a>.</p>
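Review bot: the new origin check in this hunk runs after the entity body has been built and after the target browsing context has been obtained, so when it aborts, a browsing context that "was newly created for this purpose by the steps above" is left behind empty. Consider performing the same-origin check once at the top of the submission algorithm, before the method-specific branching and before any target browsing context is created; that single check would cover both the generic PUT path here and the DELETE path in the next hunk, instead of two copies that can drift apart.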
@@ -34678,11 +34684,16 @@
       <p>Let <var title="">target browsing context</var> be <a href="#the-form-submission-target-browsing-context">the
       form submission target browsing context</a>.</p>
 
-      <p><a href="#navigate">Navigate</a> <var title="">target browsing
-      context</var> to <var title="">action</var> using the DELETE
-      method. If <var title="">target browsing context</var> was newly
-      created for this purpose by the steps above, then it must be
-      navigated with <a href="#replacement-enabled">replacement enabled</a>.</p>
+      <p>If the <a href="#origin">origin</a> of <var title="">action</var> is
+      not the <a href="#same-origin">same origin</a> as that of the
+      <code><a href="#the-form-element">form</a></code> element's <code>Document</code>, then abort
+      these steps.</p> <!-- CORS, one day -->
+
+      <p>Otherwise, <a href="#navigate">navigate</a> <var title="">target
+      browsing context</var> to <var title="">action</var> using the
+      DELETE method. If <var title="">target browsing context</var>
+      was newly created for this purpose by the steps above, then it
+      must be navigated with <a href="#replacement-enabled">replacement enabled</a>.</p>
 
      </dd>
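Review bot: the rationale for aborting cross-origin DELETE lives only in the hidden `<!-- CORS, one day -->` comment, so readers of the rendered spec see an unexplained abort with no indication to the author that the submission was dropped. Suggest a visible note stating that non-GET/POST submissions are restricted to same-origin actions until a cross-origin mechanism (CORS) is specified, and that the submission fails silently. This paragraph also repeats the check from the previous hunk word for word; placing the check once before the method branches would remove the duplication.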

Received on Tuesday, 29 September 2009 09:29:59 UTC