HTML Standard Tracker

Short URL: http://html5.org/r/2342

SVN | Bug | Comment | Time (UTC)
2342 | | [Gecko] [Webkit] [Google Gears] there's a security risk if we allow pages in one domain to fallback to pages in another domain. | 2008-10-16 00:54
Index: source
===================================================================
--- source	(revision 2341)
+++ source	(revision 2342)
@@ -38867,18 +38867,12 @@
       <p>If either fails, then jump back to the step labeled "start of
       line".</p>
 
-      <p>If the <span>absolute URL</span> corresponding to <var
-      title="">part one</var> does not have the <span>same
-      origin</span> as the manifest's URL, then jump back to the step
-      labeled "start of line".</p> <!-- SECURITY -->
+      <p>If the <span>absolute URL</span> corresponding to either <var
+      title="">part one</var> or <var title="">part two</var> does not
+      have the <span>same origin</span> as the manifest's URL, then
+      jump back to the step labeled "start of line".</p> <!-- SECURITY
+      -->
 
-      <p>If the resulting <span>absolute URL</span> for <var
-      title="">part two</var> has a different <span
-      title="url-scheme">&lt;scheme&gt;</span> component than the
-      manifest's URL (compared in an <span>ASCII
-      case-insensitive</span> manner), then jump back to the step
-      labeled "start of line".</p>
-
       <p>Drop any the <span
       title="url-fragment">&lt;fragment&gt;</span> components of the
       resulting <span title="absolute URL">absolute URLs</span>.</p>
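Review bot: The marker at the end of the added paragraph is now wrapped as `<!-- SECURITY` on one line and `-->` on the next, so a line-based search for `<!-- SECURITY -->` (the form the removed line used) will miss this step; rewrap the paragraph so the comment stays on a single line. On the logic, folding part two into the same-origin check is strictly tighter than the removed scheme-only comparison, because same origin already requires a matching scheme, so deleting that paragraph loses no check. The unchanged context line that follows reads "Drop any the", which has a stray word and could be fixed in the same pass.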
