- From: poot <cvsmail@w3.org>
- Date: Tue, 6 Apr 2010 09:43:31 +0900 (JST)
- To: public-html-diffs@w3.org
hixie: Make 'fetch' algorithm have a mode where it doesn't do redirects.
Make 'navigate' algorithm block cross-origin non-safe non-POST
redirects. (whatwg r4975)
http://dev.w3.org/cvsweb/html5/spec/Overview.html?r1=1.3997&r2=1.3998&f=h
http://html5.org/tools/web-apps-tracker?from=4974&to=4975
===================================================================
RCS file: /sources/public/html5/spec/Overview.html,v
retrieving revision 1.3997
retrieving revision 1.3998
diff -u -d -r1.3997 -r1.3998
--- Overview.html 6 Apr 2010 00:08:15 -0000 1.3997
+++ Overview.html 6 Apr 2010 00:43:14 -0000 1.3998
@@ -5255,9 +5255,10 @@
<p>When a user agent is to <dfn id="fetch">fetch</dfn> a resource or
<a href="#url">URL</a>, optionally from an origin <i title="">origin</i>,
- and optionally with a <i>synchronous flag</i>, the following steps
- must be run. (When a <em>URL</em> is to be fetched, the URL
- identifies a resource to be obtained.)</p>
+ and optionally with a <i>synchronous flag</i> and/or a <i>manual
+ redirect flag</i>, the following steps must be run. (When a
+ <em>URL</em> is to be fetched, the URL identifies a resource to be
+ obtained.)</p>
<!-- if invoked with the synchronous flag, make sure to release the
storage mutex first -->
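Review bot: the new <i>manual redirect flag</i> is added to the fetch signature without any hint of what it changes, and its effect is only defined several steps later in the redirect switch; a short clause in this paragraph, such as "when set, a redirect is returned to the caller instead of being followed", would tell a reader of the signature what the flag does. It would also help to say whether the synchronous flag and the manual redirect flag may be set together, since "and/or" admits that combination but nothing later in the patch addresses a synchronous fetch that returns a redirect.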
@@ -5303,6 +5304,8 @@
<li>
+ <p>This is the <i>main step</i>.</p>
+
<p>If the resource is identified by an <a href="#absolute-url">absolute URL</a>,
and the resource is to be obtained using an idempotent action
(such as an HTTP GET <a href="#concept-http-equivalent-get" title="concept-http-equivalent-get">or
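Review bot: the label <i>main step</i> is plain italic text with no anchor, whereas the other labeled step this patch refers to is linked by id (<a href="#navigate-fragid-step">); giving this step an id as well (a name such as fetch-main-step, as a suggestion) would let the later "redo <i>main step</i>" text link to it rather than rely on readers matching the italic phrase by eye.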
@@ -5316,13 +5319,9 @@
<p>Otherwise, at a time convenient to the user and the user agent,
download (or otherwise obtain) the resource, applying the
semantics of the relevant specifications (e.g. performing an HTTP
- GET or POST operation, or reading the file from disk, following
- redirects, <a href="#concept-js-deref" title="concept-js-deref">dereferencing <span title="javascript protocol"><code title="">javascript:</code>
- URLs</span></a>, etc).</p>
-
- <p class="note">The HTTP specification requires that 301, 302, and
- 307 redirects, when applied to methods other than the safe
- methods, not be followed without user confirmation. <a href="#refsHTTP">[HTTP]</a></p>
+ GET or POST operation, or reading the file from disk, <a href="#concept-js-deref" title="concept-js-deref">dereferencing <span title="javascript
+ protocol"><code title="">javascript:</code> URLs</span></a>,
+ etc).</p>
<p>For the purposes of the <code title="http-referer">Referer</code> (sic) header, use the
<i>address of the resource from which Request-URIs are
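Review bot: with "following redirects" dropped from this download step, the resource obtained here is now the first response, before any redirect is applied, and that should be stated explicitly, because a user agent whose network layer follows redirects transparently would otherwise satisfy this step as written and never reach the per-redirect handling added later in this patch. The removed note on 301, 302 and 307 confirmation is not lost; it reappears in the new redirect step, so removing it here is fine.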
@@ -5359,6 +5358,39 @@
<li>
+ <p>If the fetched resource is an HTTP redirect <a href="#concept-http-equivalent-codes" title="concept-http-equivalent-codes">or equivalent</a>,
+ then:</p>
+
+ <dl class="switch"><dt>If the <i>manual redirect flag</i> is set</dt>
+
+ <dd>
+
+ <p>Continue, using the fetched resource (the redirect) as the
+ result of the algorithm.</p>
+
+ </dd>
+
+ <dt>Otherwise</dt>
+
+ <dd>
+
+ <p>First, apply any relevant requirements for redirects (such as
+ showing any appropriate prompts). Then, redo <i>main step</i>,
+ but using the target of the redirect as the resource to fetch,
+ rather than the original resource.</p>
+
+ <p class="note">The HTTP specification requires that 301, 302,
+ and 307 redirects, when applied to methods other than the safe
+ methods, not be followed without user confirmation. That would
+ be an appropriate prompt for the purposes of the requirement in
+ the paragraph above. <a href="#refsHTTP">[HTTP]</a></p>
+
+ </dd>
+
+ </dl></li>
+
+ <li>
+
<p>If the algorithm was not invoked with the <i>synchronous
flag</i>: When the resource is available, or if there is an error
of some description, <a href="#queue-a-task">queue a task</a> that uses the
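Review bot: "redo <i>main step</i>" has no bound on how many times it may recur, so when the <i>manual redirect flag</i> is not set a redirect whose target redirects back to the original resource (or any longer cycle) loops without terminating; add a termination condition, for example treating the fetch as an error after a fixed number of redirects or when the target has already been visited during this fetch. The "Otherwise" branch also does not say whether the <i>origin</i>, the <i>synchronous flag</i> and the Referer address from the earlier paragraph carry over unchanged when the main step is redone for the redirect target; stating which of them are kept and which change would remove the ambiguity.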
@@ -42614,9 +42646,9 @@
application cache at all; the submission will be made to the
network.</p>
- <p>Otherwise, <a href="#fetch">fetch</a> the new resource, if it has not
- already been obtained<!-- it's obtained by <object>, for instance
- -->.</p>
+ <p>Otherwise, unless it has already been obtained<!-- it's
+ obtained by <object>, for instance -->, <a href="#fetch">fetch</a> the new
+ resource, with the <i>manual redirect flag</i> set.</p>
<p>If the resource is being fetched using a method other than one
<a href="#concept-http-equivalent-get" title="concept-http-equivalent-get">equivalent to</a>
@@ -42641,16 +42673,29 @@
<li>
- <p>At this point the user agents must return to whatever algorithm
- invoked the navigation steps and must continue these steps
- asynchronously.</p>
+ <p>At this point, unless this step has already been reached once
+ before in the execution of this instance of the algorithm, the
+ user agents must return to whatever algorithm invoked the
+ navigation steps and must continue these steps asynchronously.</p>
</li>
<li>
- <p>If fetching the resource results in a redirect, return to <a href="#navigate-fragid-step">the step labeled "fragment
- identifiers"</a> with the new resource.</p>
+ <p>If fetching the resource results in a redirect, and either the
+ <a href="#url">URL</a> of the target of the redirect has the <a href="#same-origin">same
+ origin</a> as the original resource, or the resource is being
+ obtained using the POST method or a safe method (in HTTP terms),
+ return to <a href="#navigate-fragid-step">the step labeled
+ "fragment identifiers"</a> with the new resource.</p>
+
+ <p>Otherwise, if fetching the resource results in a redirect but
+ the <a href="#url">URL</a> of the target of the redirect does not have
+ the <a href="#same-origin">same origin</a> as the original resource and the
+ resource is being obtained using a method that is neither the POST
+ method nor a safe method (in HTTP terms), then abort these
+ steps. The user agent may indicate to the user that the navigation
+ has been aborted for security reasons.</p>
</li>
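Review bot: "the original resource" is ambiguous once a redirect chain has more than one hop: returning to the fragment-identifiers step runs this check again, and it is unclear whether the same-origin comparison is against the URL the navigation started with or against the immediately preceding redirect target; a chain A (origin X) -> B (origin X) -> C (origin Y) is allowed under one reading and aborted under the other, and only comparing against the starting URL gives the protection the abort is meant to provide. The two paragraphs should be collapsed into one conditional with an "otherwise" clause, since the second merely negates the first. The exemption of POST from the abort also deserves a sentence of rationale, given that the HTTP note earlier in this patch treats 301, 302 and 307 redirects of all non-safe methods, POST included, as needing user confirmation.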
@@ -67801,6 +67846,7 @@
Dean Edwards,
Debi Orton,
Derek Featherstone,
+ Devdatta,
Dimitri Glazkov,
Dimitry Golubovsky,
Divya Manian,
Received on Tuesday, 6 April 2010 00:44:01 UTC