HTML Standard Tracker

Diff (omit for latest revision)
Filter

Short URL: http://html5.org/r/4011

File a bug

SVNBugCommentTime (UTC)
40117599Synchronise with the latest Origin spec rules and semantics.2009-09-28 23:51
Index: source
===================================================================
--- source	(revision 4010)
+++ source	(revision 4011)
@@ -4662,8 +4662,9 @@
 
   <h3>Fetching resources</h3>
 
-  <p>When a user agent is to <dfn>fetch</dfn> a resource, the
-  following steps must be run:</p>
+  <p>When a user agent is to <dfn>fetch</dfn> a resource, optionally
+  from an origin <i title="">origin</i>, the following steps must be
+  run:</p>
 
   <ol>
 
@@ -4679,11 +4680,13 @@
     and the resource is to be obtained using an idempotent action
     (such as an HTTP GET <span title="concept-http-equivalent-get">or
     equivalent</span>), and it is already being downloaded for other
-    reasons (e.g. another invocation of this algorithm), and the user
-    agent is configured such that it is to reuse the data from the
-    existing download instead of initiating a new one, then use the
-    results of the existing download instead of starting a new
-    one.</p>
+    reasons (e.g. another invocation of this algorithm), and this
+    request would be identical to the previous one (e.g. same <code
+    title="http-accept">Accept</code> and <code
+    title="http-origin">Origin</code> headers), and the user agent is
+    configured such that it is to reuse the data from the existing
+    download instead of initiating a new one, then use the results of
+    the existing download instead of starting a new one.</p>
 
     <p>Otherwise, at a time convenient to the user and the user agent,
     download (or otherwise obtain) the resource, applying the
@@ -4719,6 +4722,14 @@
 
     </dl>
 
+    <p>For the purposes of the <code title="http-origin">Origin</code>
+    header, if the <span title="fetch">fetching algorithm</span> was
+    explicitly initiated from an <i title="">origin</i>, then <i
+    title="">the origin that initiated the HTTP request</i> is <i
+    title="">origin</i>. Otherwise, this is <i title="">a request from
+    a "privacy-sensitive" context</i>. <a
+    href="#refsORIGIN">[ORIGIN]</a></p>
+
    </li>
 
    <li>
@@ -11019,14 +11030,15 @@
   applied (as defined below). <span class="impl">For external
   resources that are represented in the DOM (for example, style
   sheets), the DOM representation must be made available even if the
-  resource is not applied. To obtain the resource, the user agent must
-  <span title="resolve a url">resolve</span> the <span>URL</span>
-  given by the <code title="attr-link-href">href</code> attribute,
-  relative to the element, and then <span>fetch</span> the resulting
-  <span>absolute URL</span>. User agents may opt to only
-  <span>fetch</span> such resources when they are needed, instead of
-  pro-actively <span title="fetch">fetching</span> all the external
-  resources that are not applied.</span></p>
+  resource is not applied. To <dfn title="concept-link-obtain">obtain
+  the resource</dfn>, the user agent must <span title="resolve a
+  url">resolve</span> the <span>URL</span> given by the <code
+  title="attr-link-href">href</code> attribute, relative to the
+  element, and then <span>fetch</span> the resulting <span>absolute
+  URL</span>. User agents may opt to only <span>fetch</span> such
+  resources when they are needed, instead of pro-actively <span
+  title="fetch">fetching</span> all the external resources that are
+  not applied.</span></p> <!-- http-origin privacy sensitive -->
 
   <div class="impl">
 
@@ -11161,15 +11173,18 @@
   the given type. If the attribute is omitted, but the external
   resource link type has a default type defined, then the user agent
   must assume that the resource is of that type. If the UA does not
-  support the given <span>MIME type</span> for the given link relationship, then
-  the UA should not fetch the resource; if the UA does support the
-  given <span>MIME type</span> for the given link relationship, then the UA should
-  <span>fetch</span> the resource. If the attribute is omitted, and
-  the external resource link type does not have a default type
-  defined, but the user agent would fetch the resource if the type was
-  known and supported, then the user agent should <span>fetch</span>
-  the resource under the assumption that it will be
-  supported.</span></p>
+  support the given <span>MIME type</span> for the given link
+  relationship, then the UA should not <span
+  title="concept-link-obtain">obtain</span> the resource; if the UA
+  does support the given <span>MIME type</span> for the given link
+  relationship, then the UA should <span
+  title="concept-link-obtain">obtain</span> the resource. If the
+  attribute is omitted, and the external resource link type does not
+  have a default type defined, but the user agent would <span
+  title="concept-link-obtain">obtain</span> the resource if the type
+  was known and supported, then the user agent should <span
+  title="concept-link-obtain">obtain</span> the resource under the
+  assumption that it will be supported.</span></p>
 
   <div class="impl">
 
@@ -12829,7 +12844,9 @@
     attribute, then the value of that attribute must be <span
     title="resolve a url">resolved</span> relative to the element, and
     if that is successful, the specified resource must then be <span
-    title="fetch">fetched</span>.</p>
+    title="fetch">fetched</span>, from the <span>origin</span> of the
+    element's <code>Document</code>.</p> <!-- not http-origin privacy
+    sensitive -->
 
     <p>For historical reasons, if the <span>URL</span> is a <span
     title="javascript protocol"><code title="">javascript:</code>
@@ -19644,7 +19661,8 @@
   user agent must <span title="resolve a url">resolve</span> the value
   of that attribute, relative to the element, and if that is
   successful must then <span>fetch</span> that resource.</p> <!-- Note
-  how this does NOT happen when the base URL changes. -->
+  how this does NOT happen when the base URL changes. --> <!--
+  http-origin privacy sensitive -->
 
   <p>The <code title="attr-img-src">src</code> attribute's value is an
   <i>ignored self-reference</i> if its value is the empty string, and
@@ -21716,7 +21734,9 @@
     the value of the element's <code title="attr-embed-src">src</code>
     attribute, relative to the element. If that is successful, the
     user agent should <span>fetch</span> the resulting <span>absolute
-    URL</span>. The <span title="concept-task">task</span> that is
+    URL</span>, from the element's <span>browsing context scope
+    origin</span> if it has one<!-- potentially http-origin privacy
+    sensitive -->. The <span title="concept-task">task</span> that is
     <span title="queue a task">queued</span> by the <span>networking
     task source</span> once the resource has been <span
     title="fetch">fetched</span> must find and instantiate an
@@ -22048,7 +22068,9 @@
       element.</p>
 
       <p>If that is successful, <span>fetch</span> the resulting
-      <span>absolute URL</span>.</p>
+      <span>absolute URL</span>, from the element's <span>browsing
+      context scope origin</span> if it has one<!-- potentially
+      http-origin privacy sensitive -->.</p>
 
       <!-- similar text in various places -->
       <p>Fetching the resource must <span>delay the load event</span>
@@ -22592,10 +22614,12 @@
   is set, its value must be <span title="resolve a
   url">resolved</span> relative to the element, and if that is
   successful, the resulting <span>absolute URL</span> must be <span
-  title="fetch">fetched</span>; this must <span>delay the load
-  event</span> of the element's document. The <dfn>poster frame</dfn>
-  is then the image obtained from that resource, if any.</span></p>
-  <!-- thus it is unaffected by changes to the base URL. -->
+  title="fetch">fetched</span>, from the element's
+  <code>Document</code>'s <span>origin</span>; this must <span>delay
+  the load event</span> of the element's document. The <dfn>poster
+  frame</dfn> is then the image obtained from that resource, if
+  any.</span></p> <!-- thus it is unaffected by changes to the base
+  URL. -->
 
   <p class="note">The image given by the <code
   title="attr-video-poster">poster</code> attribute, the <i>poster
@@ -24053,7 +24077,9 @@
    <li>
 
     <p>Begin to <span>fetch</span> the <var title="">current media
-    resource</var>.</p>
+    resource</var>, from the <span>media element</span>'s
+    <code>Document</code>'s <span>origin</span>.</p> <!-- not
+    http-origin privacy sensitive (looking forward to CORS here) -->
 
     <p>Every 350ms (&#xB1;200ms) or for every byte received, whichever
     is <em>least</em> frequent, <span>queue a task</span> to
@@ -38564,7 +38590,8 @@
   <code title="attr-input-src">src</code> attribute, relative to the
   element, and if that is successful, must <span>fetch</span> the
   resulting <span>absolute URL</span>:</p> <!-- Note how this does NOT
-  happen when the base URL changes. -->
+  happen when the base URL changes. --> <!-- http-origin privacy
+  sensitive -->
 
   <ul>
 
@@ -47238,14 +47265,15 @@
    title="concept-facet">facets</span><!-- we might need to be
    explicit about what this means for each facet, if testing shows
    this isn't well-implemented. e.g.: If there's an Icon facet for the
-   command, it should be <span title="fetch">fetched</span>, and then
-   that image should be associated with the command, such that each
-   command only has its image fetched once, to prevent changes to the
-   base URL from having effects after the image has been fetched
-   once. (no need to resolve the Icon facet, it's an absolute URL)
-   -->. <!--If the element is a <code>command</code> element with a
-   <code title="attr-command-default">default</code> attribute, mark
-   the command as being a default command.--></dd>
+   command, it should be <span title="fetch">fetched</span> (this
+   would be http-origin privacy-sensitive), and then that image should
+   be associated with the command, such that each command only has its
+   image fetched once, to prevent changes to the base URL from having
+   effects after the image has been fetched once. (no need to resolve
+   the Icon facet, it's an absolute URL) -->. <!--If the element is a
+   <code>command</code> element with a <code
+   title="attr-command-default">default</code> attribute, mark the
+   command as being a default command.--></dd>
 
 
    <dt>An <code>hr</code> element</dt>
@@ -54416,6 +54444,19 @@
 
   </ul>
 
+  <hr>
+
+  <p>An element has a <dfn>browsing context scope origin</dfn> if its
+  <code>Document</code>'s <span>browsing context</span> is a
+  <span>top-level browsing context</span> or if all of its
+  <code>Document</code>'s <span title="ancestor browsing
+  context">ancestor browsing contexts</span> all have <span
+  title="active document">active documents</span> whose
+  <span>origin</span> are the <span>same origin</span> as the
+  element's <code>Document</code>'s <span>origin</span>. If an element
+  has a <span>browsing context scope origin</span>, then its value is
+  the <span>origin</span> of the element's <code>Document</code>.</p>
+
   </div>
 
 
@@ -59591,7 +59632,9 @@
 
     <p><i>Fetching the manifest</i>: <span>Fetch</span> the resource
     from <var title="">manifest URL</var>, and let <var
-    title="">manifest</var> be that resource.</p>
+    title="">manifest</var> be that resource.</p> <!-- http-origin
+    privacy sensitive, though it doesn't matter, since this can never
+    be cross-origin -->
 
     <p>If the resource is labeled with the <span>MIME type</span>
     <code>text/cache-manifest</code>, parse <var
@@ -59850,19 +59893,21 @@
 
      <li>
 
-      <p><span>Fetch</span> the resource. If this is an <span
-      title="concept-appcache-upgrade">upgrade attempt</span>, then
-      use the <span title="concept-appcache-newer">newest</span>
-      <span>application cache</span> in <var title="">cache
-      group</var> as an HTTP cache, and honor HTTP caching semantics
-      (such as expiration, ETags, and so forth) with respect to that
-      cache. User agents may also have other caches in place that are
-      also honored.</p>
+      <p><span>Fetch</span> the resource, from the <span>origin</span>
+      of the <span>URL</span> <var title="">manifest URL</var>. If
+      this is an <span title="concept-appcache-upgrade">upgrade
+      attempt</span>, then use the <span
+      title="concept-appcache-newer">newest</span> <span>application
+      cache</span> in <var title="">cache group</var> as an HTTP
+      cache, and honor HTTP caching semantics (such as expiration,
+      ETags, and so forth) with respect to that cache. User agents may
+      also have other caches in place that are also honored.</p> <!--
+      not http-origin privacy sensitive -->
 
       <p class="note">If the resource in question is already being
       downloaded for other reasons then the existing download process
-      can be used for the purposes of this step, as defined by the
-      <span title="fetch">fetching</span> algorithm.</p>
+      can sometimes be used for the purposes of this step, as defined
+      by the <span title="fetch">fetching</span> algorithm.</p>
 
       <p class="example">An example of a resource that might already
       be being downloaded is a large image on a Web page that is being
@@ -60045,7 +60090,8 @@
 
     <p><span>Fetch</span> the resource from <var title="">manifest
     URL</var> again, and let <var title="">second manifest</var> be
-    that resource.</p>
+    that resource.</p> <!-- http-origin privacy sensitive, though it
+    doesn't matter, since this can never be cross-origin -->
 
    </li>
 
@@ -61662,28 +61708,27 @@
 
     <p>Otherwise, <span>fetch</span> the new resource, if it has not
     already been obtained<!-- it's obtained by <object>, for instance
-    -->. If the resource is being fetched using HTTP, and the method
-    is not GET<!-- or HEAD (but that can't happen) -->, then the user
-    agent must include an <code title="http-origin">Origin</code>
-    header whose value is determined as follows:</p>
+    -->.</p>
 
-    <dl class="switch">
+    <p>If the resource is being fetched using a method other than one
+    <span title="concept-http-equivalent-get">equivalent to</span>
+    HTTP's GET<!-- or HEAD (but that can't happen) -->, or, if the
+    <span title="navigate">navigation algorithm</span> was invoked as
+    a result of the <span title="concept-form-submit">form submission
+    algorithm</span>, then the <span title="fetch">fetching
+    algorithm</span> must be invoked from the <span>origin</span> of
+    the <span>active document</span> of the <span>source browsing
+    context</span>, if any.</p> <!-- potentially http-origin privacy
+    sensitive -->
 
-     <dt>If the <span title="navigate">navigation</span> algorithm has
-     so far contacted more than one <span>origin</span></dt>
-     <dt>If there is no <span>source browsing context</span></dt>
+    <p>If the <span>browsing context</span> being navigated is a
+    <span>child browsing context</span> for an <code>iframe</code> or
+    <code>object</code> element, then the <span title="fetch">fetching
+    algorithm</span> must be invoked from the <code>iframe</code> or
+    <code>object</code> element's <span>browsing context scope
+    origin</span>, if it has one.</p> <!-- potentially http-origin
+    privacy sensitive -->
 
-     <dd>The value must be the string "<code title="">null</code>".</dd>
-
-     <dt>Otherwise</dt>
-
-     <dd>The value must be the <span title="ASCII serialization of an
-     origin">ASCII serialization</span> of the <span>origin</span> of
-     the <span>active document</span> of the <span>source browsing
-     context</span> at the time the navigation was started.</dd>
-
-    </dl>
-
    </li>
 
    <li>
@@ -64644,7 +64689,9 @@
   <span title="fetch">fetching</span> the specified URLs using the
   POST method, with an entity body with the <span>MIME type</span>
   <code>text/ping</code> consisting of the four-character string
-  "<code title="">PING</code>". All relevant cookie and HTTP
+  "<code title="">PING</code>", from the <span>origin</span> of the
+  <code>Document</code> containing the <span>hyperlink</span>. <!--
+  not http-origin privacy sensitive --> All relevant cookie and HTTP
   authentication headers must be included in the request. Which other
   headers are required depends on the URLs involved.</p>
 
@@ -64690,12 +64737,6 @@
 
   </dl>
 
-  <p>In addition, an <code title="http-origin">Origin</code> header
-  must always be included, whose value is the <span title="ASCII
-  serialization of an origin">ASCII serialization</span> of the
-  <span>origin</span> of the <code>Document</code> containing the
-  <span>hyperlink</span>.</p>
-
   <p class="note">To save bandwidth, implementors might also wish to
   consider omitting optional headers such as <code>Accept</code> from
   these requests.</p>
@@ -71065,9 +71106,9 @@
 
   <p>When a user agent is to <dfn>run a worker</dfn> for a script with
   <span>URL</span> <var title="">url</var>, a browsing context <var
-  title="">owner browsing context</var>, and with global scope <var
-  title="">worker global scope</var>, it must run the following
-  steps:</p>
+  title="">owner browsing context</var>, an origin <var title="">owner
+  origin</var>, and with global scope <var title="">worker global
+  scope</var>, it must run the following steps:</p>
 
   <ol>
 
@@ -71094,7 +71135,8 @@
    <li>
 
     <p>Attempt to <span>fetch</span> the resource identified by <var
-    title="">url</var>.</p>
+    title="">url</var>, from the <var title="">owner origin</var>.</p>
+    <!-- not http-origin privacy sensitive -->
 
     <p>If the attempt fails, or if the attempt involves any redirects
     to URIs that do not have the <span>same origin</span> as <var
@@ -71533,9 +71575,8 @@
 
     <p>If the <span>origin</span> of the resulting <span>absolute
     URL</span> is not the <span title="same origin">same</span> as the
-    origin of the <span title="concept-script">script</span> that
-    invoked the constructor, then throw a <span>security
-    exception</span>.</p>
+    origin of the <span>first script</span>, then throw a
+    <span>security exception</span>.</p>
 
     <p class="note">Thus, scripts must be external files with the same
     scheme as the original page: you can't load a script from a <code
@@ -71619,8 +71660,9 @@
     <p><span>Run a worker</span> for the resulting <span>absolute
     URL</span>, with the <span>script browsing context</span> of the
     script that invoked the method as the <var title="">owner browsing
-    context</var>, and with <var title="">worker global scope</var> as
-    the global scope.</p>
+    context</var>, with the <span>origin</span> of the <span>first
+    script</span> as the <var title="">owner origin</var>, and with
+    <var title="">worker global scope</var> as the global scope.</p>
 
    </li>
 
@@ -71667,7 +71709,7 @@
 
     <p>If the <span>origin</span> of <var title="">scriptURL</var> is
     not the <span title="same origin">same</span> as the origin of the
-    script that invoked the constructor, then throw a <span>security
+    <span>first script</span>, then throw a <span>security
     exception</span>.</p>
 
     <p class="note">Thus, scripts must be external files with the same
@@ -71863,8 +71905,9 @@
     <p><span>Run a worker</span> for <var title="">scriptURL</var>,
     with the <span>script browsing context</span> of the script that
     invoked the method as the <var title="">owner browsing
-    context</var>, and with <var title="">worker global scope</var> as
-    the global scope.</p>
+    context</var>, with the <span>origin</span> of the <span>first
+    script</span> as the <var title="">owner origin</var>, and with
+    <var title="">worker global scope</var> as the global scope.</p>
 
    </li>
 
@@ -71923,7 +71966,9 @@
    <li>
 
     <p>Attempt to <span>fetch</span> each resource identified by the
-    resulting <span title="absolute URLs">absolute URL</span>.</p>
+    resulting <span title="absolute URLs">absolute URL</span>, from
+    the <span>first script</span>'s <span>origin</span>.</p> <!-- not
+    http-origin privacy sensitive -->
 
    </li>
 
@@ -72305,7 +72350,9 @@
    <li>
 
     <p><span>Fetch</span> the resource identified by the resulting
-    <span>absolute URL</span>, and process it as described below.</p>
+    <span>absolute URL</span>, from the <span>first script</span>'s
+    <span>origin</span>, and process it as described below.</p> <!--
+    not http-origin privacy sensitive -->
 
     <p class="note">The definition of the <span
     title="fetch">fetching</span> algorithm is such that if the
@@ -72482,6 +72529,10 @@
   the resource at a later point, it must return to the previously
   specified URL for this event source.</p>
 
+  <p class="note">The Origin specification also introduces some
+  relevant requirements when dealing with redirects. <a
+  href="#refsORIGIN">[ORIGIN]</a></p>
+
   <p>HTTP 305 Use Proxy, HTTP 401 Unauthorized, and 407 Proxy
   Authentication Required should be treated transparently as for any
   other subresource.</p>
@@ -72518,9 +72569,12 @@
   <code title="event-error">error</code> at the
   <code>EventSource</code> object, and then <span>fetch</span> the
   event source resource again after a delay equal to the reconnection
-  time of the event source. <strong>Only if the user agent <span
-  title="reset the connection">resets the connection</span> does the
-  connection get opened anew!</strong></p>
+  time of the event source, from the same <span>origin</span> as the
+  original request triggered by the <code
+  title="dom-EventSource">EventSource()</code>
+  constructor. <strong>Only if the user agent <span title="reset the
+  connection">resets the connection</span> does the connection get
+  opened anew!</strong></p>
 
   <p>When a user agent is to <dfn>fail the connection</dfn>, the user
   agent must set the <code
@@ -74166,6 +74220,10 @@
 
     <hr>
 <!--
+redirect support
+we should probably reintroduce this at some point, with the
+multi-origin semantics described in [ORIGIN] applying. (http-origin)
+
     <p>If <var title="">mode</var> is <i title="">redirect</i>, then:
     If there is not exactly one entry in the <var
     title="">headers</var> list whose name is "<code
@@ -87828,8 +87886,10 @@
   its <span>fallback content</span>, the element must be ignored (it
   represents nothing).</p>
 
-  <p>Otherwise, <span class="XXX">define how the element works,
-  if supported</span>.</p> <!-- remember to delay the laod event -->
+  <p>Otherwise, <span class="XXX">define how the element works, if
+  supported</span>.</p> <!-- remember to delay the load event --> <!--
+  remember to include ", from the element's <span>browsing context
+  scope origin</span> if it has one" when fetching -->
 
   <p>The <code>applet</code> element must implement the
   <code>HTMLAppletElement</code> interface.</p>
@@ -88594,7 +88654,8 @@
 
    <li><p>For each token that is successfully resolved,
    <span>fetch</span> the resulting <span>absolute URL</span> and
-   apply the appropriate processing.</p></li>
+   apply the appropriate processing.</p></li> <!-- http-origin privacy
+   sensitive -->
 
   </ol>
 
@@ -90082,6 +90143,12 @@
    in HTML/XHTML</a></cite>. In <cite>OpenSearch 1.1 Draft 4</cite>,
    Section 4.6.2. OpenSearch.org.</dd>
 
+   <dt id="refsORIGIN">[ORIGIN]</dt>
+   <dd><cite><a
+   href="http://tools.ietf.org/html/draft-abarth-origin">The HTTP
+   Origin Header</a></cite>, A. Barth, C. Jackson, I. Hickson. IETF,
+   September 2009.</dd>
+
    <dt id="refsPINGBACK">[PINGBACK]</dt>
    <dd><cite><a
    href="http://www.hixie.ch/specs/pingback/pingback">Pingback

|