HTML Standard Tracker

Filter

File a bug

SVNBugCommentTime (UTC)
2683[Gecko] [Internet Explorer] [Opera] [Webkit] Prevent cross-origin javascript: navigation of browsing contexts. Define the base URL and document's address of pages generated by javascript: URLs. Minor editorial tweaks.2009-01-21 00:58
@@ -39716,41 +39716,24 @@ JSURL: http://ietfreport.isoc.org/all-ids/draft-hoehrmann-javascript-scheme-00.t
       <p><span title="create a script from a node">Create a
       script</span> from the <code>Document</code> node of the
       <span>active document</span>, using the aforementioned script
       source, and assuming the scripting language is JavaScript.</p>
 
       <p>Let <var title="">result</var> be the return value of the
       <i>initial code entry-point</i> of this <span
       title="concept-script">script</span>. If an exception was
       raised, let <var title="">result</var> be void instead.</p>
 
-     </dd>
-
-     <dt>If a <span>browsing context</span> is being <span
-     title="navigate">navigated</span> to a <code>javascript:</code>
-     URL, and the <span>active document</span> of that browsing
-     context has an <span>origin</span> that is <em>not</em> the <span
-     title="same origin">same</span> as that of the script given by
-     the URL</dt>
-
-     <dd>
-
-      <p><span>Create an impotent script</span> using the
-      aforementioned script source, with the scripting language set to
-      JavaScript, and with the <span>browsing context</span> being
-      <span title="navigate">navigated</span> as the browsing
-      context.</p>
-
-      <p>Let <var title="">result</var> be the return value of the
-      <i>initial code entry-point</i> of this <span
-      title="concept-script">script</span>. If an exception was
-      raised, let <var title="">result</var> be void instead.</p>
+      <p>When it comes time to <span>set the document's address</span>
+      in the <span title="navigate">navigation algorithm</span>, use
+      the <span>script's base URL</span> as the <span>override
+      URL</span>.</p>
 
      </dd>
 
      <dt>If the <code>Document</code> object of the element,
      attribute, or style sheet from which the <code>javascript:</code>
      URL was reached has an associated <span>browsing
      context</span></dt>
 
      <dd>
 
@@ -43831,31 +43814,25 @@ user reload must be equivalent to .reload()
     title="concept-appcache-fallback-ns">fallback namespace</span> in
     question. If multiple application caches match, the user agent
     must use the fallback of the <span
     title="concept-appcache-selection">most appropriate application
     cache</span> of those that match.</p>
 
     <p>If <var title="">candidate</var> is not marked as <span
     title="concept-appcache-foreign">foreign</span>, then the user
     agent must discard the failed load and instead continue along
     these steps using <var title="">candidate</var> as the
-    resource.</p>
-
-    <p>For the purposes of session history (and features that depend
-    on session history, e.g. bookmarking) the user agent must use the
-    URL of the resource that was requested (the one that matched the
-    <span title="concept-appcache-fallback-ns">fallback
-    namespace</span>), not the fallback resource, as the resource's
-    <span title="the document's address">address</span>. However, the
-    user agent may indicate to the user that the original page load
-    failed, that the page used was a fallback resource, and what the
-    URL of the fallback resource actually is.</p>
+    resource. <span>The document's address</span>, if appropriate,
+    will still be the originally requested URL, not the fallback URL,
+    but the user agent may indicate to the user that the original page
+    load failed, that the page used was a fallback resource, and what
+    the URL of the fallback resource actually is.</p>
 
    </li>
 
    <li><p>If the document's out-of-band metadata (e.g. HTTP headers),
    not counting any <span title="Content-Type">type information</span>
    (such as the Content-Type HTTP header), requires some sort of
    processing that will not affect the browsing context, then perform
    that processing and abort these steps.</p>
 
    <div class="note">
@@ -43924,31 +43901,40 @@ user reload must be equivalent to .reload()
      steps.</dd>
 
      <dt>A type that will use an external application to render the
      content in the <span>browsing context</span></dt>
      <dd>Follow the steps given in the <span
      title="navigate-plugin">plugin</span> section, and abort these
      steps.</dd>
 
     </dl>
 
-    <p>Any <code>Document</code> created by these steps must have its
-    <span title="the document's address">address</span> set to the
+    <p><dfn title="set the document's address">Setting the document's
+    address</dfn>: If there is no <dfn>override URL</dfn>, then any
+    <code>Document</code> created by these steps must have its <span
+    title="the document's address">address</span> set to the
     <span>URL</span> that was originally to be <span
     title="fetch">fetched</span>, ignoring any other data that was
     used to obtain the resource (e.g. the entity body in the case of a
     POST submission is not part of <span>the document's
     address</span>, nor is the URL of the fallback resource in the
     case of the original load having failed and that URL having been
     found to match a <span
     title="concept-appcache-fallback-ns">fallback
-    namespace</span>).</p>
+    namespace</span>). However, if there <em>is</em> an <span>override
+    URL</span>, then any <code>Document</code> created by these steps
+    must have its <span title="the document's address">address</span>
+    set to that <span>URL</span> instead.</p>
+
+    <p class="note">An <span title="override URL">override URL</span>
+    is set when <span title="concept-js-deref">dereferencing a
+    <code>javascript:</code> URL</span>.</p>
 
    </li>
 
    <li id="navigate-non-Document"><p><i>Non-document content</i>: If,
    given <var title="">type</var>, the new resource is to be handled
    by displaying some sort of inline content, e.g. a native rendering
    of the content, an error message because the specified type is not
    supported, or an inline prompt to allow the user to select <span
    title="dom-navigator-registerContentHandler">a registered
    handler</span> for the given type, then <span
@@ -61462,14 +61448,19 @@ TODO (or delay):
        invoke the JSON serialiser), or in the form of a method on
        HTMLFormElement that returns the form data set serialised
        according to a particular encoding (defaulting to the form's
        enctype="" one, probably). This would allow forms to be used
        with XHR-like systems without having to manually construct the
        form data set the way that is done today.
  XXX * placeholder="" for <textarea>, e.g. as seen on:
        http://code.google.com/p/support/issues/detail?id=1#makechanges
  XXX * become more consistent about what markup we use to mark up
        productions (nothing? <i>? <code>?)
+ XXX * expose the value of a radio button group
+        - either on the NodeList returned by HTMLFormControlCollection
+        - or on the radio button itself
+        - or both, so it works even when the form controls have names
+          that vary more than HTMLFormControlCollection allows?
 -->
 
  </body>
 </html>

|