hixie: Make 'Referer' work correctly for scripts in shared workers. (For some definition of 'correctly' -- it uses the URL of the document that actually created the script. Arguably it should use the URL of the script itself. However, this doesn't change that, it just makes it not leak the URL of documents that that document's browsing context is navigated to.) (whatwg r4789)

http://dev.w3.org/cvsweb/html5/spec/Overview.html?r1=1.3836&r2=1.3837&f=h
http://html5.org/tools/web-apps-tracker?from=4788&to=4789

===================================================================
RCS file: /sources/public/html5/spec/Overview.html,v
retrieving revision 1.3836
retrieving revision 1.3837
diff -u -d -r1.3836 -r1.3837
--- Overview.html 22 Feb 2010 23:54:31 -0000 1.3836
+++ Overview.html 23 Feb 2010 01:53:11 -0000 1.3837
@@ -4540,9 +4540,8 @@
 
      <dt>When fetching resources in response to a call to an API</dt>
 
-     <dd>The <a href="#active-document">active document</a> of the <a href="#script-s-browsing-context" title="script's
-     browsing context">browsing context</a> of the <a href="#entry-script">entry
-     script</a>.</dd>
+     <dd>The <a href="#entry-script">entry script</a>'s <a href="#script-s-document" title="script's
+     document">document</a>.</dd>
 
     </dl><p>Remove any <a href="#url-fragment" title="url-fragment">&lt;fragment&gt;</a>
     component from the generated <i>address of the resource from which
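
Review bot: The replacement dd for "When fetching resources in response to a call to an API" switches the Referer source to the entry script's document, but the caveat from the commit message (that this is the document that created the script, and that the script's own URL is arguably the better choice) is not recorded anywhere in the spec text. Suggest an inline note next to this dd so that implementers of shared workers know the choice is deliberate and still open.
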
@@ -5862,8 +5861,7 @@
   document's current address</a> in their user interface.<p>When a <code><a href="#document">Document</a></code> is created by a <a href="#concept-script" title="concept-script">script</a> using the <code title="dom-DOMImplementation-createDocument">createDocument()</code>
   or <code title="dom-DOMHTMLImplementation-createHTMLDocument"><a href="#dom-domhtmlimplementation-createhtmldocument">createHTMLDocument()</a></code>
   APIs, <a href="#the-document-s-address">the document's address</a> is the same as <a href="#the-document-s-address">the
-  document's address</a> of the <a href="#active-document">active document</a> of the
-  <a href="#script-s-browsing-context">script's browsing context</a>.<p><code><a href="#document">Document</a></code> objects are assumed to be <dfn id="xml-documents">XML
+  document's address</a> of the <a href="#script-s-document">script's document</a>.<p><code><a href="#document">Document</a></code> objects are assumed to be <dfn id="xml-documents">XML
   documents</dfn> unless they are flagged as being <dfn id="html-documents">HTML
   documents</dfn> when they are created. Whether a document is an
   <a href="#html-documents" title="HTML documents">HTML document</a> or an <a href="#xml-documents" title="XML documents">XML document</a> affects the behavior of
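
Review bot: In the createDocument() / createHTMLDocument() sentence, "the script's document" does not say which script is meant, while the other replacements in this patch say "entry script's document". Suggest "that script's document" (tying it to the script named at the start of the sentence) or "the entry script's document" if that is what is intended, so the two cases cannot be read differently.
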
@@ -8607,9 +8605,9 @@
    UTF-16.</li>
 
    <li><p>Change <a href="#the-document-s-address">the document's address</a> to the
-   <a href="#entry-script">entry script</a>'s <a href="#script-s-browsing-context" title="script's browsing
-   context">browsing context</a>'s <a href="#active-document">active document</a>'s
-   <a href="#the-document-s-address" title="the document's address">address</a>.</li>
+   <a href="#entry-script">entry script</a>'s <a href="#script-s-document" title="script's
+   document">document</a>'s <a href="#the-document-s-address" title="the document's
+   address">address</a>.</li>
 
    <li><p>Create a new <a href="#html-parser">HTML parser</a> and associate it with
    the document. This is a <dfn id="script-created-parser">script-created parser</dfn> (meaning
@@ -40134,6 +40132,11 @@
   <a href="#view" title="view">views</a> and their <code>AbstractView</code>
   objects.</p>
 
+  <p>Each <a href="#concept-script" title="concept-script">script</a> has a strong
+  reference to its <a href="#script-s-browsing-context" title="script's browsing context">browsing
+  context</a> and its <a href="#script-s-document" title="script's
+  document">document</a>.</p>
+
   <p>When a <a href="#browsing-context">browsing context</a> is to <dfn id="discard-a-document">discard a
   <code>Document</code></dfn>, the user agent must run the following
   steps:</p>
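
Review bot: The new paragraph gives every script a strong reference to its document, and it sits directly above the "discard a Document" steps without saying how the two interact. A long-lived script can now keep a Document reachable after its browsing context has discarded it. Suggest stating here whether a discarded Document remains usable as the script's document (for example as a Referer source) and when the reference is released.
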
@@ -41051,11 +41054,9 @@
 
      <li>If the <a href="#origin">origin</a> of the resulting <a href="#absolute-url">absolute
      URL</a> is not the same as the <a href="#origin">origin</a> of the
-     <a href="#entry-script">entry script</a>'s <a href="#script-s-browsing-context" title="script's browsing
-     context">browsing context</a>'s <a href="#active-document">active document</a>,
-     and either the <a href="#url-path" title="url-path">&lt;path&gt;</a> or
-     <a href="#url-query" title="url-query">&lt;query&gt;</a> components of the
-     two <a href="#url" title="URL">URLs</a> compared in the previous step
+     <a href="#entry-script">entry script</a>'s <a href="#script-s-document" title="script's
+     document">document</a>, and either the <a href="#url-path" title="url-path">&lt;path&gt;</a> or <a href="#url-query" title="url-query">&lt;query&gt;</a> components of the two
+     <a href="#url" title="URL">URLs</a> compared in the previous step
      differ, raise a <code><a href="#security_err">SECURITY_ERR</a></code> exception and abort
      these steps. (This prevents sandboxed content from spoofing other
      pages on the same origin.)</li>
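
Review bot: The origin test in this step now uses the entry script's document, but the same sentence still relies on "the two URLs compared in the previous step", and that previous step is not touched by this hunk. If the previous step compares against a different document's address, the origin check and the path/query check are made against different documents. Please confirm the previous step names the same document, or spell out both URLs in this step.
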
@@ -44717,6 +44718,19 @@
 
    </dd>
 
+   <dt>A relationship with the <dfn id="script-s-document">script's document</dfn></dt>
+
+   <dd>
+
+    <p>A <code><a href="#document">Document</a></code> that is assigned responsibility for
+    actions taken by the script.</p>
+
+    <p class="example">When a script <a href="#fetch" title="fetch">fetches</a> a resource, the <a href="#the-document-s-current-address" title="the
+    document's current address">current address</a> of the
+    <a href="#script-s-document">script's document</a> will be used to set the <code title="http-referer">Referer</code> (sic) header.</p>
+
+   </dd>
+
    <dt>A <dfn id="script-s-url-character-encoding" title="script's URL character encoding">URL character encoding</dfn></dt>
 
    <dd>
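
Review bot: The definition of "script's document" says only that it is a Document "assigned responsibility for actions taken by the script"; it does not say who assigns it or which Document is chosen for a worker script, which is the case the commit message is about. Also, the example uses the document's "current address" (#the-document-s-current-address) while the other hunks in this patch use "the document's address" (#the-document-s-address). Suggest naming the assigning algorithm in the definition and using one address term consistently, or explaining why Referer uses the other one.
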
@@ -44795,9 +44809,10 @@
    entry-point</a></i> is the entry-point for that code.</li>
 
    <li><p>Set up the <a href="#script-s-global-object">script's global object</a>, the
-   <a href="#script-s-browsing-context">script's browsing context</a>, the <a href="#script-s-url-character-encoding">script's URL
-   character encoding</a>, and the <a href="#script-s-base-url">script's base URL</a>
-   from the settings passed to this algorithm.</li>
+   <a href="#script-s-browsing-context">script's browsing context</a>, the <a href="#script-s-document">script's
+   document</a>, the <a href="#script-s-url-character-encoding">script's URL character encoding</a>,
+   and the <a href="#script-s-base-url">script's base URL</a> from the settings passed to
+   this algorithm.</li>
 
    <li><p><a href="#jump-to-a-code-entry-point" title="jump to a code entry-point">Jump</a> to the
    <a href="#concept-script" title="concept-script">script</a>'s <i><a href="#initial-code-entry-point">initial code
@@ -44963,8 +44978,7 @@
   <a href="#browsing-context">browsing context</a>, then it is the <a href="#browsing-context">browsing
   context</a>'s <a href="#active-document">active document</a> at the time the task
   was queued; if the task was queued by or for a <a href="#concept-script" title="concept-script">script</a> then the document is the
-  <a href="#script-s-browsing-context">script's browsing context</a>'s <a href="#active-document">active
-  document</a> at the time the task was queued.</p>
+  <a href="#script-s-document">script's document</a>.</p>
 
   <p>A user agent is required to have one <dfn id="storage-mutex">storage
   mutex</dfn>. This mutex is used to control access to shared state
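
Review bot: The script branch of this sentence drops "at the time the task was queued" while the browsing context branch keeps it. That is only equivalent if a script's document can never change after the script is created, which the new definition of "script's document" does not state. Suggest saying in the definition that the document is fixed at script creation, so this sentence does not depend on an unstated invariant.
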
@@ -45343,10 +45357,11 @@
    to null and abort these steps.</li>
 
    <li><p>Set up the <a href="#script-s-global-object">script's global object</a>, the
-   <a href="#script-s-browsing-context">script's browsing context</a>, the <a href="#script-s-url-character-encoding">script's URL
-   character encoding</a>, and the <a href="#script-s-base-url">script's base URL</a>
-   from <a href="#the-script-settings-determined-from-the-node">the script settings determined from the node</a> on
-   which the attribute is being set.</li>
+   <a href="#script-s-browsing-context">script's browsing context</a>, the <a href="#script-s-document">script's
+   document</a>, the <a href="#script-s-url-character-encoding">script's URL character encoding</a>,
+   and the <a href="#script-s-base-url">script's base URL</a> from <a href="#the-script-settings-determined-from-the-node">the script
+   settings determined from the node</a> on which the attribute is
+   being set.</li>
 
    <li><p>Set the corresponding <a href="#event-handlers" title="event handlers">event
    handler</a> to the aforementioned function.</li>
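
Review bot: This step now takes the script's document from "the script settings determined from the node", but none of the visible hunks changes that definition to produce a document. The same applies to the "settings passed to this algorithm" wording in the hunk at 44795. Please check that the settings definition and every caller that builds settings supply a document, otherwise this step reads a value that is never set.
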
@@ -45911,13 +45926,14 @@
 
     <p>Otherwise, if the <a href="#method-context">method context</a> is a
     <code>WorkerUtils</code> object, let <var title="">global
-    object</var>, <var title="">browsing context</var>, <var title="">character encoding</var>, and <var title="">base
-    URL</var> be the <a href="#script-s-global-object">script's global object</a>,
-    <a href="#script-s-browsing-context">script's browsing context</a>, <a href="#script-s-url-character-encoding">script's URL
-    character encoding</a>, and <a href="#script-s-base-url">script's base URL</a>
-    (respectively) of the <a href="#concept-script" title="concept-script">script</a>
-    that the <span>run a worker</span> algorithm created when it
-    created the <a href="#method-context">method context</a>.</p>
+    object</var>, <var title="">browsing context</var>, <var title="">document</var>, <var title="">character encoding</var>,
+    and <var title="">base URL</var> be the <a href="#script-s-global-object">script's global
+    object</a>, <a href="#script-s-browsing-context">script's browsing context</a>,
+    <a href="#script-s-document">script's document</a>, <a href="#script-s-url-character-encoding">script's URL character
+    encoding</a>, and <a href="#script-s-base-url">script's base URL</a> (respectively)
+    of the <a href="#concept-script" title="concept-script">script</a> that the
+    <span>run a worker</span> algorithm created when it created the
+    <a href="#method-context">method context</a>.</p>
 
     <p>Otherwise, act as described in the specification that defines
     that the <code><a href="#windowtimers">WindowTimers</a></code> interface is implemented by
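
Review bot: The "document" variable is introduced only in the WorkerUtils branch of this step; the preceding branch for other method contexts is outside the hunk and so is unchanged by it. The task returned in the following step passes "document as the document" for every method context, so the earlier branch needs to set it as well. Please confirm it does, or add it in this patch.
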
@@ -45926,13 +45942,7 @@
    </li>
 
    <li><p>Return a <a href="#concept-task" title="concept-task">task</a> that checks
-   if the entry for <var title="">handle</var> in <var title="">list</var>
-   has been cleared, and if it has not, <a href="#create-a-script" title="create a
-   script">creates a script</a> using <var title="">script
-   source</var> as the script source, <var title="">scripting
-   language</var> as the scripting language, <var title="">global
-   object</var> as the global object, <var title="">browsing
-   context</var> as the browsing context, <var title="">character
+   if the entry for <var title="">handle</var> in <var title="">list</var> has been cleared, and if it has not, <a href="#create-a-script" title="create a script">creates a script</a> using <var title="">script source</var> as the script source, <var title="">scripting language</var> as the scripting language, <var title="">global object</var> as the global object, <var title="">browsing context</var> as the browsing context, <var title="">document</var> as the document, <var title="">character
    encoding</var> as the URL character encoding, and <var title="">base URL</var> as the base URL.</li>
 
   </ol><p>When the above methods are to <dfn id="get-the-timeout">get the timeout</dfn>, they
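
Review bot: The "Return a task" step has been reflowed from seven lines onto one very long line, which hides the only substantive change, the added "document as the document" argument. Suggest keeping the original line breaks and inserting just the new clause, so the revision history shows the functional change on its own.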

Received on Tuesday, 23 February 2010 01:54:10 UTC