[agow] (2) Redefine how .cookie is handled.

Fixing http://www.w3.org/Bugs/Public/show_bug.cgi?id=8822 git-svn-id: http://svn.whatwg.org/webapps@4778 340c8d12-0b0e-0410-8428-c7bf67bfef74
whatwg · Feb 18, 2010 · 5118883 · 5118883
1 parent b507eb9
commit 5118883
Show file tree

Hide file tree

Showing 3 changed files with 94 additions and 66 deletions.
diff --git a/complete.html b/complete.html
@@ -7021,34 +7021,43 @@ <h4 id=resource-metadata-management><span class=secno>3.1.3 </span><dfn>Resource
   </dl><div class=impl>
 
   <p>The <dfn id=dom-document-cookie title=dom-document-cookie><code>cookie</code></dfn>
-  attribute represents the cookies of the resource.</p>
-
-  <p id=sandboxCookies>On getting, if the document is not associated
-  with a <a href=#browsing-context>browsing context</a> then the user agent must raise
-  an <code><a href=#invalid_state_err>INVALID_STATE_ERR</a></code> exception. Otherwise, if the
+  attribute represents the cookies of the resource from which the
+  <code><a href=#document>Document</a></code> was created.</p>
+
+  <p>Some <code><a href=#document>Document</a></code> objects are <dfn id=cookie-free-document-object title="cookie-free
+  Document object">cookie-free <code>Document</code>
+  objects</dfn>. Any <code><a href=#document>Document</a></code> object created by the <code title="">createDocument()</code> or <code title=dom-DOMHTMLImplementation-createHTMLDocument><a href=#dom-domhtmlimplementation-createhtmldocument>createHTMLDocument()</a></code>
+  factory methods is a <a href=#cookie-free-document-object>cookie-free <code>Document</code>
+  object</a>. Any <code><a href=#document>Document</a></code> whose <a href="#the-document's-address" title="the
+  document's address">address</a> does not use a server-based
+  naming authority is a <a href=#cookie-free-document-object>cookie-free <code>Document</code>
+  object</a>. Other specifications can also define
+  <code><a href=#document>Document</a></code> objects as being <a href=#cookie-free-document-object title="cookie-free
+  Document object">cookie-free <code>Document</code>
+  objects</a>.</p>
+
+  <p id=sandboxCookies>On getting, if the document is a
+  <a href=#cookie-free-document-object>cookie-free <code>Document</code> object</a>, then the user
+  agent must return the empty string. Otherwise, if the
   <a href=#sandboxed-origin-browsing-context-flag>sandboxed origin browsing context flag</a> was set on the
   <a href=#browsing-context>browsing context</a> of the <code><a href=#document>Document</a></code> when the
   <code><a href=#document>Document</a></code> was created, the user agent must raise a
-  <code><a href=#security_err>SECURITY_ERR</a></code> exception. Otherwise, if <a href="#the-document's-address">the
-  document's address</a> does not use a server-based naming
-  authority, it must return the empty string. Otherwise, it must first
-  <a href=#obtain-the-storage-mutex>obtain the storage mutex</a> and then return the
+  <code><a href=#security_err>SECURITY_ERR</a></code> exception. Otherwise, the user agent must
+  first <a href=#obtain-the-storage-mutex>obtain the storage mutex</a> and then return the
   cookie-string for <a href="#the-document's-address">the document's address</a> for a
   "non-HTTP" API. <a href=#refsCOOKIES>[COOKIES]</a></p>
 
-  <p>On setting, if the document is not associated with a
-  <a href=#browsing-context>browsing context</a> then the user agent must raise an
-  <code><a href=#invalid_state_err>INVALID_STATE_ERR</a></code> exception. Otherwise, if the
-  <a href=#sandboxed-origin-browsing-context-flag>sandboxed origin browsing context flag</a> was set on the
-  <a href=#browsing-context>browsing context</a> of the <code><a href=#document>Document</a></code> when the
-  <code><a href=#document>Document</a></code> was created, the user agent must raise a
-  <code><a href=#security_err>SECURITY_ERR</a></code> exception. Otherwise, if <a href="#the-document's-address">the
-  document's address</a> does not use a server-based naming
-  authority, it must do nothing. Otherwise, the user agent must
-  <a href=#obtain-the-storage-mutex>obtain the storage mutex</a> and then act as it would when
-  <span title="receives a set-cookie-string">receiving a
-  set-cookie-string</span> for <a href="#the-document's-address">the document's address</a> via
-  a "non-HTTP" API, consisting of the new value. <a href=#refsCOOKIES>[COOKIES]</a></p>
+  <p>On setting, if the document is a <a href=#cookie-free-document-object>cookie-free
+  <code>Document</code> object</a>, then the user agent must do
+  nothing. Otherwise, if the <a href=#sandboxed-origin-browsing-context-flag>sandboxed origin browsing context
+  flag</a> was set on the <a href=#browsing-context>browsing context</a> of the
+  <code><a href=#document>Document</a></code> when the <code><a href=#document>Document</a></code> was created,
+  the user agent must raise a <code><a href=#security_err>SECURITY_ERR</a></code>
+  exception. Otherwise, the user agent must <a href=#obtain-the-storage-mutex>obtain the storage
+  mutex</a> and then act as it would when <span title="receives a
+  set-cookie-string">receiving a set-cookie-string</span> for
+  <a href="#the-document's-address">the document's address</a> via a "non-HTTP" API, consisting
+  of the new value. <a href=#refsCOOKIES>[COOKIES]</a></p>
 
   <p class=note>Since the <code title=dom-document-cookie><a href=#dom-document-cookie>cookie</a></code> attribute is accessible
   across frames, the path restrictions on cookies are only a tool to

diff --git a/index b/index
@@ -6920,34 +6920,43 @@ interface <dfn id=htmldocument>HTMLDocument</dfn> {
   </dl><div class=impl>
 
   <p>The <dfn id=dom-document-cookie title=dom-document-cookie><code>cookie</code></dfn>
-  attribute represents the cookies of the resource.</p>
-
-  <p id=sandboxCookies>On getting, if the document is not associated
-  with a <a href=#browsing-context>browsing context</a> then the user agent must raise
-  an <code><a href=#invalid_state_err>INVALID_STATE_ERR</a></code> exception. Otherwise, if the
+  attribute represents the cookies of the resource from which the
+  <code><a href=#document>Document</a></code> was created.</p>
+
+  <p>Some <code><a href=#document>Document</a></code> objects are <dfn id=cookie-free-document-object title="cookie-free
+  Document object">cookie-free <code>Document</code>
+  objects</dfn>. Any <code><a href=#document>Document</a></code> object created by the <code title="">createDocument()</code> or <code title=dom-DOMHTMLImplementation-createHTMLDocument><a href=#dom-domhtmlimplementation-createhtmldocument>createHTMLDocument()</a></code>
+  factory methods is a <a href=#cookie-free-document-object>cookie-free <code>Document</code>
+  object</a>. Any <code><a href=#document>Document</a></code> whose <a href="#the-document's-address" title="the
+  document's address">address</a> does not use a server-based
+  naming authority is a <a href=#cookie-free-document-object>cookie-free <code>Document</code>
+  object</a>. Other specifications can also define
+  <code><a href=#document>Document</a></code> objects as being <a href=#cookie-free-document-object title="cookie-free
+  Document object">cookie-free <code>Document</code>
+  objects</a>.</p>
+
+  <p id=sandboxCookies>On getting, if the document is a
+  <a href=#cookie-free-document-object>cookie-free <code>Document</code> object</a>, then the user
+  agent must return the empty string. Otherwise, if the
   <a href=#sandboxed-origin-browsing-context-flag>sandboxed origin browsing context flag</a> was set on the
   <a href=#browsing-context>browsing context</a> of the <code><a href=#document>Document</a></code> when the
   <code><a href=#document>Document</a></code> was created, the user agent must raise a
-  <code><a href=#security_err>SECURITY_ERR</a></code> exception. Otherwise, if <a href="#the-document's-address">the
-  document's address</a> does not use a server-based naming
-  authority, it must return the empty string. Otherwise, it must first
-  <a href=#obtain-the-storage-mutex>obtain the storage mutex</a> and then return the
+  <code><a href=#security_err>SECURITY_ERR</a></code> exception. Otherwise, the user agent must
+  first <a href=#obtain-the-storage-mutex>obtain the storage mutex</a> and then return the
   cookie-string for <a href="#the-document's-address">the document's address</a> for a
   "non-HTTP" API. <a href=#refsCOOKIES>[COOKIES]</a></p>
 
-  <p>On setting, if the document is not associated with a
-  <a href=#browsing-context>browsing context</a> then the user agent must raise an
-  <code><a href=#invalid_state_err>INVALID_STATE_ERR</a></code> exception. Otherwise, if the
-  <a href=#sandboxed-origin-browsing-context-flag>sandboxed origin browsing context flag</a> was set on the
-  <a href=#browsing-context>browsing context</a> of the <code><a href=#document>Document</a></code> when the
-  <code><a href=#document>Document</a></code> was created, the user agent must raise a
-  <code><a href=#security_err>SECURITY_ERR</a></code> exception. Otherwise, if <a href="#the-document's-address">the
-  document's address</a> does not use a server-based naming
-  authority, it must do nothing. Otherwise, the user agent must
-  <a href=#obtain-the-storage-mutex>obtain the storage mutex</a> and then act as it would when
-  <span title="receives a set-cookie-string">receiving a
-  set-cookie-string</span> for <a href="#the-document's-address">the document's address</a> via
-  a "non-HTTP" API, consisting of the new value. <a href=#refsCOOKIES>[COOKIES]</a></p>
+  <p>On setting, if the document is a <a href=#cookie-free-document-object>cookie-free
+  <code>Document</code> object</a>, then the user agent must do
+  nothing. Otherwise, if the <a href=#sandboxed-origin-browsing-context-flag>sandboxed origin browsing context
+  flag</a> was set on the <a href=#browsing-context>browsing context</a> of the
+  <code><a href=#document>Document</a></code> when the <code><a href=#document>Document</a></code> was created,
+  the user agent must raise a <code><a href=#security_err>SECURITY_ERR</a></code>
+  exception. Otherwise, the user agent must <a href=#obtain-the-storage-mutex>obtain the storage
+  mutex</a> and then act as it would when <span title="receives a
+  set-cookie-string">receiving a set-cookie-string</span> for
+  <a href="#the-document's-address">the document's address</a> via a "non-HTTP" API, consisting
+  of the new value. <a href=#refsCOOKIES>[COOKIES]</a></p>
 
   <p class=note>Since the <code title=dom-document-cookie><a href=#dom-document-cookie>cookie</a></code> attribute is accessible
   across frames, the path restrictions on cookies are only a tool to

diff --git a/source b/source
@@ -6808,35 +6808,45 @@ interface <dfn>HTMLDocument</dfn> {
   <div class="impl">
 
   <p>The <dfn title="dom-document-cookie"><code>cookie</code></dfn>
-  attribute represents the cookies of the resource.</p>
+  attribute represents the cookies of the resource from which the
+  <code>Document</code> was created.</p>
 
-  <p id="sandboxCookies">On getting, if the document is not associated
-  with a <span>browsing context</span> then the user agent must raise
-  an <code>INVALID_STATE_ERR</code> exception. Otherwise, if the
+  <p>Some <code>Document</code> objects are <dfn title="cookie-free
+  Document object">cookie-free <code>Document</code>
+  objects</dfn>. Any <code>Document</code> object created by the <code
+  title="">createDocument()</code> or <code
+  title="dom-DOMHTMLImplementation-createHTMLDocument">createHTMLDocument()</code>
+  factory methods is a <span>cookie-free <code>Document</code>
+  object</span>. Any <code>Document</code> whose <span title="the
+  document's address">address</span> does not use a server-based
+  naming authority is a <span>cookie-free <code>Document</code>
+  object</span>. Other specifications can also define
+  <code>Document</code> objects as being <span title="cookie-free
+  Document object">cookie-free <code>Document</code>
+  objects</span>.</p>
+
+  <p id="sandboxCookies">On getting, if the document is a
+  <span>cookie-free <code>Document</code> object</span>, then the user
+  agent must return the empty string. Otherwise, if the
   <span>sandboxed origin browsing context flag</span> was set on the
   <span>browsing context</span> of the <code>Document</code> when the
   <code>Document</code> was created, the user agent must raise a
-  <code>SECURITY_ERR</code> exception. Otherwise, if <span>the
-  document's address</span> does not use a server-based naming
-  authority, it must return the empty string. Otherwise, it must first
-  <span>obtain the storage mutex</span> and then return the
+  <code>SECURITY_ERR</code> exception. Otherwise, the user agent must
+  first <span>obtain the storage mutex</span> and then return the
   cookie-string for <span>the document's address</span> for a
   "non-HTTP" API. <a href="#refsCOOKIES">[COOKIES]</a></p>
 
-  <p>On setting, if the document is not associated with a
-  <span>browsing context</span> then the user agent must raise an
-  <code>INVALID_STATE_ERR</code> exception. Otherwise, if the
-  <span>sandboxed origin browsing context flag</span> was set on the
-  <span>browsing context</span> of the <code>Document</code> when the
-  <code>Document</code> was created, the user agent must raise a
-  <code>SECURITY_ERR</code> exception. Otherwise, if <span>the
-  document's address</span> does not use a server-based naming
-  authority, it must do nothing. Otherwise, the user agent must
-  <span>obtain the storage mutex</span> and then act as it would when
-  <span title="receives a set-cookie-string">receiving a
-  set-cookie-string</span> for <span>the document's address</span> via
-  a "non-HTTP" API, consisting of the new value. <a
-  href="#refsCOOKIES">[COOKIES]</a></p>
+  <p>On setting, if the document is a <span>cookie-free
+  <code>Document</code> object</span>, then the user agent must do
+  nothing. Otherwise, if the <span>sandboxed origin browsing context
+  flag</span> was set on the <span>browsing context</span> of the
+  <code>Document</code> when the <code>Document</code> was created,
+  the user agent must raise a <code>SECURITY_ERR</code>
+  exception. Otherwise, the user agent must <span>obtain the storage
+  mutex</span> and then act as it would when <span title="receives a
+  set-cookie-string">receiving a set-cookie-string</span> for
+  <span>the document's address</span> via a "non-HTTP" API, consisting
+  of the new value. <a href="#refsCOOKIES">[COOKIES]</a></p>
 
   <p class="note">Since the <code
   title="dom-document-cookie">cookie</code> attribute is accessible