HTML Standard Tracker

SVN: 2469
Comment: Clear up document.cookie; make document.open() update the doc address.
Time (UTC): 2008-11-27 02:20
@@ -5709,45 +5709,49 @@ http://software.hixie.ch/utilities/js/live-dom-viewer/?%3C%21DOCTYPE%20html%3E..
   referrers in the case where the referrer uses an encrypted protocol
   and the current page does not (e.g. when navigating from an <code
   title="">https:</code> page to an <code title="">http:</code>
   page).</p>
 
   <hr>
 
   <p>The <dfn title="dom-document-cookie"><code>cookie</code></dfn>
   attribute represents the cookies of the resource.</p>
 
-  <!-- XXX this needs work; e.g. document.open() should return the
-  cookies of the document that called document.open(), not of
-  about:blank or the document that had .open() called on, as I
-  understand it. -->
-
-  <p id="sandboxCookies">On getting, if the <span>sandboxed origin
-  browsing context flag</span> is set on the <span>browsing
-  context</span> of the document, the user agent must raise a
-  <code>SECURITY_ERR</code> exception. Otherwise, it must return the
-  same string as the value of the <code title="">Cookie</code> HTTP
-  header it would include if <span title="fetch">fetching</span> the
-  resource indicated by <span>the document's address</span> over HTTP,
-  as per RFC 2109 section 4.3.4 or later specifications. <a
-  href="#refsRFC2109">[RFC2109]</a> <a
+  <p id="sandboxCookies">On getting, if the document is not associated
+  with a <span>browsing context</span> then the user agent must raise
+  an <code>INVALID_STATE_ERR</code> exception. Otherwise, if the
+  <span>sandboxed origin browsing context flag</span> is set on the
+  <span>browsing context</span> of the document, the user agent must
+  raise a <code>SECURITY_ERR</code> exception. Otherwise, if <span>the
+  document's address</span> does not use a server-based naming
+  authority, it must return the empty string. Otherwise, it must
+  return the same string as the value of the <code
+  title="">Cookie</code> HTTP header it would include if <span
+  title="fetch">fetching</span> the resource indicated by <span>the
+  document's address</span> over HTTP, as per RFC 2109 section 4.3.4
+  or later specifications. <a href="#refsRFC2109">[RFC2109]</a> <a
   href="#refsRFC2965">[RFC2965]</a></p>
 
-  <p>On setting, if the <span>sandboxed origin browsing context
-  flag</span> is set on the <span>browsing context</span> of the
-  document, the user agent must raise a <code>SECURITY_ERR</code>
-  exception. Otherwise, the user agent must act as it would when
-  processing cookies if it had just attempted to <span>fetch</span>
-  <span>the document's address</span> over HTTP, and had received a
-  response with a <code>Set-Cookie</code> header whose value was the
-  specified value, as per RFC 2109 sections 4.3.1, 4.3.2, and 4.3.3 or
-  later specifications. <a href="#refsRFC2109">[RFC2109]</a> <a
+  <p>On setting, if the document is not associated with a
+  <span>browsing context</span> then the user agent must raise an
+  <code>INVALID_STATE_ERR</code> exception. Otherwise, if the
+  <span>sandboxed origin browsing context flag</span> is set on the
+  <span>browsing context</span> of the document, the user agent must
+  raise a <code>SECURITY_ERR</code> exception. Otherwise, if <span>the
+  document's address</span> does not use a server-based naming
+  authority, it must do nothing. Otherwise, the user agent must act as
+  it would when processing cookies if it had just attempted to
+  <span>fetch</span> <span>the document's address</span> over HTTP,
+  and had received a response with a <code>Set-Cookie</code> header
+  whose value was the specified value, as per RFC 2109 sections 4.3.1,
+  4.3.2, and 4.3.3 or later specifications. <a
+  href="#refsRFC2109">[RFC2109]</a> <a
   href="#refsRFC2965">[RFC2965]</a></p>
 
   <p class="note">Since the <code
   title="dom-document-cookie">cookie</code> attribute is accessible
   across frames, the path restrictions on cookies are only a tool to
   help manage which cookies are sent to which parts of the site, and
   are not in any way a security feature.</p>
 
   <hr> 
 
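Review bot: "server-based naming authority" is introduced as bare prose in both the getting paragraph (id="sandboxCookies") and the setting paragraph, with no <span> cross-reference or citation, while the neighbouring terms ("browsing context", "the document's address", "sandboxed origin browsing context flag") are all marked up as defined terms. Since this condition decides whether any cookies are returned or stored, define the term or cite where it is defined. Consider also a note that setting silently does nothing in that case while the two earlier conditions raise exceptions, so authors do not expect an error. The three-condition chain is repeated almost word for word in the getter and the setter; stating it once and referring to it from both would keep the two from drifting apart.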
@@ -7480,20 +7484,25 @@ http://software.hixie.ch/utilities/js/live-dom-viewer/?%3C%21DOCTYPE%20HTML%3E%0
    in the input stream. <span class="XXX">what about if it
    doesn't, because it's either like a text/plain, or Atom, or PDF, or
    XHTML, or image document, or something?</span></p></li><!-- XXX see
    also innerHTML in HTML -->
 
    <li><p>Remove all child nodes of the document.</p></li>
 
    <li><p>Change the <span>document's character encoding</span> to
    UTF-16.</p></li>
 
+   <li><p>Change <span>the document's address</span> to the <span
+   title="the document's address">address</span> of the <span>script
+   document context</span> of the script that invoked the <code
+   title="dom-document-open">document.open()</code> method.</p></li>
+
    <li><p>Create a new <span>HTML parser</span> and associate it with
    the document. This is a <dfn>script-created parser</dfn> (meaning
    that it can be closed by the <code
    title="dom-document-open">document.open()</code> and <code
    title="dom-document-close">document.close()</code> methods, and
    that the tokeniser will wait for an explicit call to <code
    title="dom-document-close">document.close()</code> before emitting
    an end-of-file token).</p></li>
 
    <li>Mark the document as being an <span title="HTML documents">HTML
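Review bot: The added step that changes the document's address to the address of the invoking script's document context carries no note or cross-reference to what depends on that address. The cookie getter and setter in the first hunk derive their result from "the document's address", so after this step document.cookie on the opened document reflects the caller's address rather than the opened document's previous one, which is the behaviour the removed XXX comment asked for. Say so in a short note here or link to dom-document-cookie, and confirm that a step earlier than the ones shown restricts which scripts may call document.open() on the document, since none of the visible steps performs such a check before the address is replaced.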
