- From: poot <cvsmail@w3.org>
- Date: Sat, 26 Jun 2010 04:22:42 +0900 (JST)
- To: public-html-diffs@w3.org
hixie: Captions - Stage 11.3: completed the external timed track
download processing model, and did some more work on parsing WebSRT.
Also: Update the 'fetch' algorithm to support doing same-origin
enforcing, and made various parts of the spec use it; also made parts of
the spec that acted like the algorith was sync actually invoke it that
way. (whatwg r5111)
http://dev.w3.org/cvsweb/html5/spec/Overview.html?r1=1.4104&r2=1.4105&f=h
http://html5.org/tools/web-apps-tracker?from=5110&to=5111
===================================================================
RCS file: /sources/public/html5/spec/Overview.html,v
retrieving revision 1.4104
retrieving revision 1.4105
diff -u -d -r1.4104 -r1.4105
--- Overview.html 24 Jun 2010 22:18:15 -0000 1.4104
+++ Overview.html 25 Jun 2010 19:22:23 -0000 1.4105
@@ -5316,16 +5316,23 @@
<p>When a user agent is to <dfn id="fetch">fetch</dfn> a resource or
<a href="#url">URL</a>, optionally from an origin <i title="">origin</i>,
- and optionally with a <i>synchronous flag</i> and/or a <i>manual
- redirect flag</i>, the following steps must be run. (When a
- <em>URL</em> is to be fetched, the URL identifies a resource to be
- obtained.)</p>
+ and optionally with a <i>synchronous flag</i>, a <i>manual redirect
+ flag</i>, and/or a <i>force same-origin flag</i>, the following
+ steps must be run. (When a <em>URL</em> is to be fetched, the URL
+ identifies a resource to be obtained.)</p>
<!-- if invoked with the synchronous flag, make sure to release the
storage mutex first -->
- <!-- synchronous flag is only used by sync-XHR, for legacy reasons;
- don't use it in new features! -->
+ <!-- synchronous flag is only to be used in algorithms that are
+ themselves asynchronous! Only sync-XHR is allowed to make the
+ mistake of screwing that up. :-P -->
+
+ <!-- the force same-origin flag is for use in places where we'll be
+ moving to CORS one day; when used, the algorithm must be invoked
+ with a URL (not something else, like a POST request) whose origin is
+ the same as the /origin/, which must also be present, and the
+ algorithm must not be invoked with the manual redirect flag. -->
<ol><li>
@@ -5422,7 +5429,19 @@
<p>If the fetched resource is an HTTP redirect <a href="#concept-http-equivalent-codes" title="concept-http-equivalent-codes">or equivalent</a>,
then:</p>
- <dl class="switch"><dt>If the <i>manual redirect flag</i> is set</dt>
+ <dl class="switch"><dt>If the <i>force same-origin flag</i> is set and the
+ <a href="#url">URL</a> of the target of the redirect does not have the
+ <a href="#same-origin">same origin</a> as the <a href="#url">URL</a> for which the
+ <a href="#fetch">fetch</a> algorithm was invoked</dt>
+
+ <dd>
+
+ <p>Abort these steps and return failure from this algorithm, as
+ if the remote host could not be contacted.</p>
+
+ </dd>
+
+ <dt>If the <i>manual redirect flag</i> is set</dt>
<dd>
@@ -16957,7 +16976,7 @@
<p>If the image was not fetched (e.g. because the UA's image support
is disabled, or because the <code title="attr-img-src"><a href="#attr-img-src">src</a></code>
attribute's value is the empty string, or if the conditions in the
- previous paragraph are not met, then the image is <em>not</em> <i title="img-available"><a href="#img-available">available</a></i>.</p>
+ previous paragraph are not met), then the image is <em>not</em> <i title="img-available"><a href="#img-available">available</a></i>.</p>
<p>Whether the image is fetched successfully or not (e.g. whether
the response code was a 2xx code <a href="#concept-http-equivalent-codes" title="concept-http-equivalent-codes">or equivalent</a>) must be
@@ -20988,8 +21007,9 @@
<p>Begin to <a href="#fetch">fetch</a> the <var title="">current media
resource</var>, from the <a href="#media-element">media element</a>'s
- <code><a href="#document">Document</a></code>'s <a href="#origin">origin</a>.</p> <!-- not
- http-origin privacy sensitive (looking forward to CORS here) -->
+ <code><a href="#document">Document</a></code>'s <a href="#origin">origin</a>, with the <i>force
+ same-origin flag</i> set.</p> <!-- not http-origin privacy
+ sensitive (looking forward to CORS here) -->
<p>Every 350ms (±200ms) or for every byte received, whichever
is <em>least</em> frequent, <a href="#queue-a-task">queue a task</a> to
@@ -44468,9 +44488,10 @@
<li>
<p><i>Fetching the manifest</i>: <a href="#fetch">Fetch</a> the resource
- from <var title="">manifest URL</var>, and let <var title="">manifest</var> be that resource.</p> <!-- http-origin
- privacy sensitive, though it doesn't matter, since this can never
- be cross-origin -->
+ from <var title="">manifest URL</var> with the <i>synchronous
+ flag</i> set, and let <var title="">manifest</var> be that
+ resource.</p> <!-- http-origin privacy sensitive, though it
+ doesn't matter, since this can never be cross-origin -->
<p>If the resource is labeled with the <a href="#mime-type">MIME type</a>
<code><a href="#text-cache-manifest">text/cache-manifest</a></code>, parse <var title="">manifest</var> according to the <a href="#parse-a-manifest" title="parse a
@@ -44707,14 +44728,15 @@
<li>
<p><a href="#fetch">Fetch</a> the resource, from the <a href="#origin">origin</a>
- of the <a href="#url">URL</a> <var title="">manifest URL</var>. If
- this is an <a href="#concept-appcache-upgrade" title="concept-appcache-upgrade">upgrade
- attempt</a>, then use the <a href="#concept-appcache-newer" title="concept-appcache-newer">newest</a> <a href="#application-cache">application
- cache</a> in <var title="">cache group</var> as an HTTP
- cache, and honor HTTP caching semantics (such as expiration,
- ETags, and so forth) with respect to that cache. User agents may
- also have other caches in place that are also honored.</p> <!--
- not http-origin privacy sensitive -->
+ of the <a href="#url">URL</a> <var title="">manifest URL</var>, with
+ the <i>synchronous flag</i> set and the <i>manual redirect
+ flag</i> set. If this is an <a href="#concept-appcache-upgrade" title="concept-appcache-upgrade">upgrade attempt</a>, then
+ use the <a href="#concept-appcache-newer" title="concept-appcache-newer">newest</a>
+ <a href="#application-cache">application cache</a> in <var title="">cache
+ group</var> as an HTTP cache, and honor HTTP caching semantics
+ (such as expiration, ETags, and so forth) with respect to that
+ cache. User agents may also have other caches in place that are
+ also honored.</p> <!-- not http-origin privacy sensitive -->
<p class="note">If the resource in question is already being
downloaded for other reasons then the existing download process
@@ -44890,9 +44912,10 @@
<li>
<p><a href="#fetch">Fetch</a> the resource from <var title="">manifest
- URL</var> again, and let <var title="">second manifest</var> be
- that resource.</p> <!-- http-origin privacy sensitive, though it
- doesn't matter, since this can never be cross-origin -->
+ URL</var> again, with the <i>synchronous flag</i> set, and let
+ <var title="">second manifest</var> be that resource.</p> <!--
+ http-origin privacy sensitive, though it doesn't matter, since
+ this can never be cross-origin -->
</li>
Received on Friday, 25 June 2010 19:23:12 UTC