[giow] (0) Make data: URLs officially work in Workers.

Affected topics: Security, Web Workers git-svn-id: http://svn.whatwg.org/webapps@7180 340c8d12-0b0e-0410-8428-c7bf67bfef74
whatwg · Jul 17, 2012 · e69ad5a · e69ad5a
1 parent 0cfa743
commit e69ad5a
Show file tree

Hide file tree

Showing 3 changed files with 139 additions and 39 deletions.
diff --git a/complete.html b/complete.html
@@ -66674,11 +66674,29 @@ <h3 id=origin-0><span class=secno>6.3 </span>Origin</h3>
 
    <dd>
 
-    <p>The <a href=#origin>origin</a> and <a href=#effective-script-origin>effective script
-    origin</a> of the <a href=#url>URL</a> are the origin defined in
-    <cite>The Web Origin Concept</cite>. <a href=#refsORIGIN>[ORIGIN]</a></p>
+    <dl class=switch><dt>If the URL is a <a href=#data-protocol title="data protocol"><code title="">data:</code> URL</a> used in a <code title=dom-Worker><a href=#dom-worker>Worker()</a></code> or <code title=dom-SharedWorker><a href=#dom-sharedworker>SharedWorker()</a></code> constructor</dt>
 
-   </dd>
+     <dd>
+
+      <p>The <a href=#origin>origin</a> and <a href=#effective-script-origin>effective script
+      origin</a> of the <a href=#url>URL</a> are the
+      <a href=#origin>origin</a> and <a href=#effective-script-origin>effective script origin</a> of
+      the <a href=#entry-script>entry script</a> at the time that the constructor
+      is invoked. (They are not <a href=#concept-origin-alias title=concept-origin-alias>aliases</a>.)</p>
+
+     </dd>
+
+     <dt>Otherwise</dt>
+
+     <dd>
+
+      <p>The <a href=#origin>origin</a> and <a href=#effective-script-origin>effective script
+      origin</a> of the <a href=#url>URL</a> are the origin defined in
+      <cite>The Web Origin Concept</cite>. <a href=#refsORIGIN>[ORIGIN]</a></p>
+
+     </dd>
+
+    </dl></dd>
 
 
    <dt>For <code><a href=#document>Document</a></code> objects</dt>
@@ -80605,10 +80623,18 @@ <h5 id=shared-workers-and-the-sharedworkerglobalscope-interface><span class=secn
   <h4 id=origins-of-workers><span class=secno>9.2.2 </span>Origins of workers</h4>
 
   <p>Both the <a href=#origin>origin</a> and <a href=#effective-script-origin>effective script
-  origin</a> of scripts running in workers are the
-  <a href=#origin>origin</a> of the <a href=#absolute-url>absolute URL</a> given in that
-  the worker's <code title=dom-WorkerGlobalScope-location><a href=#dom-workerglobalscope-location>location</a></code> attribute
-  represents.</p>
+  origin</a> of scripts running in a worker are the
+  <a href=#origin>origin</a> of the <a href=#absolute-url>absolute URL</a> that was
+  obtained after <a href=#resolve-a-url title="resolve a URL">resolving</a> the
+  argument to the <code title=dom-Worker><a href=#dom-worker>Worker()</a></code> or <code title=dom-SharedWorker><a href=#dom-sharedworker>SharedWorker()</a></code> constructor that
+  initially created the worker, in the algorithm for that
+  constructor.</p>
+
+  <p class=note>For <a href=#data-protocol title="data protocol"><code title="">data:</code> URLs</a>, this is the <a href=#origin>origin</a>
+  of the <a href=#entry-script>entry script</a> that called the constructor. For
+  other <a href=#url title=URL>URLs</a>, this is the
+  <a href=#origin>origin</a> of the value of the <a href=#absolute-url>absolute URL</a>
+  given in the worker's <code title=dom-WorkerGlobalScope-location><a href=#dom-workerglobalscope-location></a></code> attribute.</p>
 
 
 
@@ -81147,8 +81173,10 @@ <h5 id=the-abstractworker-abstract-interface><span class=secno>9.2.7.1 </span>Th
     origin of the <a href=#entry-script>entry script</a>, then throw a
     <code><a href=#securityerror>SecurityError</a></code> exception.</p>
 
-    <p class=note>Thus, scripts must be external files with the same
-    scheme as the original page: you can't load a script from a <a href=#data-protocol title="data protocol"><code title="">data:</code> URL</a> or
+    <p class=note>Thus, scripts must either be external files with
+    the same scheme, host, and port as the original page, or <a href=#data-protocol title="data protocol"><code title="">data:</code> URLs</a> (the
+    latter are special-cases in the definition of
+    <a href=#origin>origin</a>). For example, you can't load a script from a
     <a href=#javascript-protocol title="javascript protocol"><code title="">javascript:</code> URL</a>, and an <code>https:</code>
     page couldn't start workers using scripts with <code>http:</code>
     URLs.</p>
@@ -81272,8 +81300,10 @@ <h5 id=shared-workers-and-the-sharedworker-interface><span class=secno>9.2.7.3 <
     <a href=#entry-script>entry script</a>, then throw a <code><a href=#securityerror>SecurityError</a></code>
     exception.</p>
 
-    <p class=note>Thus, scripts must be external files with the same
-    scheme as the original page: you can't load a script from a <a href=#data-protocol title="data protocol"><code title="">data:</code> URL</a> or
+    <p class=note>Thus, scripts must either be external files with
+    the same scheme, host, and port as the original page, or <a href=#data-protocol title="data protocol"><code title="">data:</code> URLs</a> (the
+    latter are special-cases in the definition of
+    <a href=#origin>origin</a>). For example, you can't load a script from a
     <a href=#javascript-protocol title="javascript protocol"><code title="">javascript:</code> URL</a>, and an <code>https:</code>
     page couldn't start workers using scripts with <code>http:</code>
     URLs.</p>

diff --git a/index b/index
@@ -66674,11 +66674,29 @@ x === this; // true</pre>
 
    <dd>
 
-    <p>The <a href=#origin>origin</a> and <a href=#effective-script-origin>effective script
-    origin</a> of the <a href=#url>URL</a> are the origin defined in
-    <cite>The Web Origin Concept</cite>. <a href=#refsORIGIN>[ORIGIN]</a></p>
+    <dl class=switch><dt>If the URL is a <a href=#data-protocol title="data protocol"><code title="">data:</code> URL</a> used in a <code title=dom-Worker><a href=#dom-worker>Worker()</a></code> or <code title=dom-SharedWorker><a href=#dom-sharedworker>SharedWorker()</a></code> constructor</dt>
 
-   </dd>
+     <dd>
+
+      <p>The <a href=#origin>origin</a> and <a href=#effective-script-origin>effective script
+      origin</a> of the <a href=#url>URL</a> are the
+      <a href=#origin>origin</a> and <a href=#effective-script-origin>effective script origin</a> of
+      the <a href=#entry-script>entry script</a> at the time that the constructor
+      is invoked. (They are not <a href=#concept-origin-alias title=concept-origin-alias>aliases</a>.)</p>
+
+     </dd>
+
+     <dt>Otherwise</dt>
+
+     <dd>
+
+      <p>The <a href=#origin>origin</a> and <a href=#effective-script-origin>effective script
+      origin</a> of the <a href=#url>URL</a> are the origin defined in
+      <cite>The Web Origin Concept</cite>. <a href=#refsORIGIN>[ORIGIN]</a></p>
+
+     </dd>
+
+    </dl></dd>
 
 
    <dt>For <code><a href=#document>Document</a></code> objects</dt>
@@ -80605,10 +80623,18 @@ worker.port.postMessage({ foo: 'structured', bar: ['data', 'also', 'possible']})
   <h4 id=origins-of-workers><span class=secno>9.2.2 </span>Origins of workers</h4>
 
   <p>Both the <a href=#origin>origin</a> and <a href=#effective-script-origin>effective script
-  origin</a> of scripts running in workers are the
-  <a href=#origin>origin</a> of the <a href=#absolute-url>absolute URL</a> given in that
-  the worker's <code title=dom-WorkerGlobalScope-location><a href=#dom-workerglobalscope-location>location</a></code> attribute
-  represents.</p>
+  origin</a> of scripts running in a worker are the
+  <a href=#origin>origin</a> of the <a href=#absolute-url>absolute URL</a> that was
+  obtained after <a href=#resolve-a-url title="resolve a URL">resolving</a> the
+  argument to the <code title=dom-Worker><a href=#dom-worker>Worker()</a></code> or <code title=dom-SharedWorker><a href=#dom-sharedworker>SharedWorker()</a></code> constructor that
+  initially created the worker, in the algorithm for that
+  constructor.</p>
+
+  <p class=note>For <a href=#data-protocol title="data protocol"><code title="">data:</code> URLs</a>, this is the <a href=#origin>origin</a>
+  of the <a href=#entry-script>entry script</a> that called the constructor. For
+  other <a href=#url title=URL>URLs</a>, this is the
+  <a href=#origin>origin</a> of the value of the <a href=#absolute-url>absolute URL</a>
+  given in the worker's <code title=dom-WorkerGlobalScope-location><a href=#dom-workerglobalscope-location></a></code> attribute.</p>
 
 
 
@@ -81147,8 +81173,10 @@ interface <dfn id=worker>Worker</dfn> : <a href=#eventtarget>EventTarget</a> {
     origin of the <a href=#entry-script>entry script</a>, then throw a
     <code><a href=#securityerror>SecurityError</a></code> exception.</p>
 
-    <p class=note>Thus, scripts must be external files with the same
-    scheme as the original page: you can't load a script from a <a href=#data-protocol title="data protocol"><code title="">data:</code> URL</a> or
+    <p class=note>Thus, scripts must either be external files with
+    the same scheme, host, and port as the original page, or <a href=#data-protocol title="data protocol"><code title="">data:</code> URLs</a> (the
+    latter are special-cases in the definition of
+    <a href=#origin>origin</a>). For example, you can't load a script from a
     <a href=#javascript-protocol title="javascript protocol"><code title="">javascript:</code> URL</a>, and an <code>https:</code>
     page couldn't start workers using scripts with <code>http:</code>
     URLs.</p>
@@ -81272,8 +81300,10 @@ interface <dfn id=sharedworker>SharedWorker</dfn> : <a href=#eventtarget>EventTa
     <a href=#entry-script>entry script</a>, then throw a <code><a href=#securityerror>SecurityError</a></code>
     exception.</p>
 
-    <p class=note>Thus, scripts must be external files with the same
-    scheme as the original page: you can't load a script from a <a href=#data-protocol title="data protocol"><code title="">data:</code> URL</a> or
+    <p class=note>Thus, scripts must either be external files with
+    the same scheme, host, and port as the original page, or <a href=#data-protocol title="data protocol"><code title="">data:</code> URLs</a> (the
+    latter are special-cases in the definition of
+    <a href=#origin>origin</a>). For example, you can't load a script from a
     <a href=#javascript-protocol title="javascript protocol"><code title="">javascript:</code> URL</a>, and an <code>https:</code>
     page couldn't start workers using scripts with <code>http:</code>
     URLs.</p>

diff --git a/source b/source
@@ -78140,10 +78140,36 @@ x === this; // true</pre>
 
    <dd>
 
-    <p>The <span>origin</span> and <span>effective script
-    origin</span> of the <span>URL</span> are the origin defined in
-    <cite>The Web Origin Concept</cite>. <a
-    href="#refsORIGIN">[ORIGIN]</a></p>
+    <dl class="switch">
+
+     <dt>If the URL is a <span title="data protocol"><code
+     title="">data:</code> URL</span> used in a <code
+     title="dom-Worker">Worker()</code> or <code
+     title="dom-SharedWorker">SharedWorker()</code> constructor</dt>
+
+     <dd>
+
+      <p>The <span>origin</span> and <span>effective script
+      origin</span> of the <span>URL</span> are the
+      <span>origin</span> and <span>effective script origin</span> of
+      the <span>entry script</span> at the time that the constructor
+      is invoked. (They are not <span
+      title="concept-origin-alias">aliases</span>.)</p>
+
+     </dd>
+
+     <dt>Otherwise</dt>
+
+     <dd>
+
+      <p>The <span>origin</span> and <span>effective script
+      origin</span> of the <span>URL</span> are the origin defined in
+      <cite>The Web Origin Concept</cite>. <a
+      href="#refsORIGIN">[ORIGIN]</a></p>
+
+     </dd>
+
+    </dl>
 
    </dd>
 
@@ -93658,11 +93684,21 @@ worker.port.postMessage({ foo: 'structured', bar: ['data', 'also', 'possible']})
   <h4>Origins of workers</h4>
 
   <p>Both the <span>origin</span> and <span>effective script
-  origin</span> of scripts running in workers are the
-  <span>origin</span> of the <span>absolute URL</span> given in that
-  the worker's <code
-  title="dom-WorkerGlobalScope-location">location</code> attribute
-  represents.</p>
+  origin</span> of scripts running in a worker are the
+  <span>origin</span> of the <span>absolute URL</span> that was
+  obtained after <span title="resolve a URL">resolving</span> the
+  argument to the <code title="dom-Worker">Worker()</code> or <code
+  title="dom-SharedWorker">SharedWorker()</code> constructor that
+  initially created the worker, in the algorithm for that
+  constructor.</p>
+
+  <p class="note">For <span title="data protocol"><code
+  title="">data:</code> URLs</span>, this is the <span>origin</span>
+  of the <span>entry script</span> that called the constructor. For
+  other <span title="URL">URLs</span>, this is the
+  <span>origin</span> of the value of the <span>absolute URL</span>
+  given in the worker's <code
+  title="dom-WorkerGlobalScope-location"></code> attribute.</p>
 
 
 
@@ -94298,9 +94334,11 @@ interface <dfn>Worker</dfn> : <span>EventTarget</span> {
     origin of the <span>entry script</span>, then throw a
     <code>SecurityError</code> exception.</p>
 
-    <p class="note">Thus, scripts must be external files with the same
-    scheme as the original page: you can't load a script from a <span
-    title="data protocol"><code title="">data:</code> URL</span> or
+    <p class="note">Thus, scripts must either be external files with
+    the same scheme, host, and port as the original page, or <span
+    title="data protocol"><code title="">data:</code> URLs</span> (the
+    latter are special-cases in the definition of
+    <span>origin</span>). For example, you can't load a script from a
     <span title="javascript protocol"><code
     title="">javascript:</code> URL</span>, and an <code>https:</code>
     page couldn't start workers using scripts with <code>http:</code>
@@ -94439,9 +94477,11 @@ interface <dfn>SharedWorker</dfn> : <span>EventTarget</span> {
     <span>entry script</span>, then throw a <code>SecurityError</code>
     exception.</p>
 
-    <p class="note">Thus, scripts must be external files with the same
-    scheme as the original page: you can't load a script from a <span
-    title="data protocol"><code title="">data:</code> URL</span> or
+    <p class="note">Thus, scripts must either be external files with
+    the same scheme, host, and port as the original page, or <span
+    title="data protocol"><code title="">data:</code> URLs</span> (the
+    latter are special-cases in the definition of
+    <span>origin</span>). For example, you can't load a script from a
     <span title="javascript protocol"><code
     title="">javascript:</code> URL</span>, and an <code>https:</code>
     page couldn't start workers using scripts with <code>http:</code>