Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
[giow] (0) Make 'fetch' algorithm have a mode where it doesn't do red…
…irects. Make 'navigate' algorithm block cross-origin non-safe non-POST redirects.

git-svn-id: http://svn.whatwg.org/webapps@4975 340c8d12-0b0e-0410-8428-c7bf67bfef74
  • Loading branch information
Hixie committed Apr 6, 2010
1 parent befc98c commit 2b730f8
Show file tree
Hide file tree
Showing 3 changed files with 198 additions and 57 deletions.
82 changes: 64 additions & 18 deletions complete.html
Expand Up @@ -6066,9 +6066,10 @@ <h3 id=fetching-resources><span class=secno>2.6 </span>Fetching resources</h3>

<p>When a user agent is to <dfn id=fetch>fetch</dfn> a resource or
<a href=#url>URL</a>, optionally from an origin <i title="">origin</i>,
and optionally with a <i>synchronous flag</i>, the following steps
must be run. (When a <em>URL</em> is to be fetched, the URL
identifies a resource to be obtained.)</p>
and optionally with a <i>synchronous flag</i> and/or a <i>manual
redirect flag</i>, the following steps must be run. (When a
<em>URL</em> is to be fetched, the URL identifies a resource to be
obtained.)</p>

<!-- if invoked with the synchronous flag, make sure to release the
storage mutex first -->
Expand Down Expand Up @@ -6114,6 +6115,8 @@ <h3 id=fetching-resources><span class=secno>2.6 </span>Fetching resources</h3>

<li>

<p>This is the <i>main step</i>.</p>

<p>If the resource is identified by an <a href=#absolute-url>absolute URL</a>,
and the resource is to be obtained using an idempotent action
(such as an HTTP GET <a href=#concept-http-equivalent-get title=concept-http-equivalent-get>or
Expand All @@ -6127,13 +6130,9 @@ <h3 id=fetching-resources><span class=secno>2.6 </span>Fetching resources</h3>
<p>Otherwise, at a time convenient to the user and the user agent,
download (or otherwise obtain) the resource, applying the
semantics of the relevant specifications (e.g. performing an HTTP
GET or POST operation, or reading the file from disk, following
redirects, <a href=#concept-js-deref title=concept-js-deref>dereferencing <span title="javascript protocol"><code title="">javascript:</code>
URLs</span></a>, etc).</p>

<p class=note>The HTTP specification requires that 301, 302, and
307 redirects, when applied to methods other than the safe
methods, not be followed without user confirmation. <a href=#refsHTTP>[HTTP]</a></p>
GET or POST operation, or reading the file from disk, <a href=#concept-js-deref title=concept-js-deref>dereferencing <span title="javascript
protocol"><code title="">javascript:</code> URLs</span></a>,
etc).</p>

<p>For the purposes of the <code title=http-referer>Referer</code> (sic) header, use the
<i>address of the resource from which Request-URIs are
Expand Down Expand Up @@ -6168,6 +6167,39 @@ <h3 id=fetching-resources><span class=secno>2.6 </span>Fetching resources</h3>

</ol></li>

<li>

<p>If the fetched resource is an HTTP redirect <a href=#concept-http-equivalent-codes title=concept-http-equivalent-codes>or equivalent</a>,
then:</p>

<dl class=switch><dt>If the <i>manual redirect flag</i> is set</dt>

<dd>

<p>Continue, using the fetched resource (the redirect) as the
result of the algorithm.</p>

</dd>

<dt>Otherwise</dt>

<dd>

<p>First, apply any relevant requirements for redirects (such as
showing any appropriate prompts). Then, redo <i>main step</i>,
but using the target of the redirect as the resource to fetch,
rather than the original resource.</p>

<p class=note>The HTTP specification requires that 301, 302,
and 307 redirects, when applied to methods other than the safe
methods, not be followed without user confirmation. That would
be an appropriate prompt for the purposes of the requirement in
the paragraph above. <a href=#refsHTTP>[HTTP]</a></p>

</dd>

</dl></li>

<li>

<p>If the algorithm was not invoked with the <i>synchronous
Expand Down Expand Up @@ -55875,9 +55907,9 @@ <h4 id=navigating-across-documents><span class=secno>6.5.1 </span>Navigating acr
application cache at all; the submission will be made to the
network.</p>

<p>Otherwise, <a href=#fetch>fetch</a> the new resource, if it has not
already been obtained<!-- it's obtained by <object>, for instance
-->.</p>
<p>Otherwise, unless it has already been obtained<!-- it's
obtained by <object>, for instance -->, <a href=#fetch>fetch</a> the new
resource, with the <i>manual redirect flag</i> set.</p>

<p>If the resource is being fetched using a method other than one
<a href=#concept-http-equivalent-get title=concept-http-equivalent-get>equivalent to</a>
Expand All @@ -55902,16 +55934,29 @@ <h4 id=navigating-across-documents><span class=secno>6.5.1 </span>Navigating acr

<li>

<p>At this point the user agents must return to whatever algorithm
invoked the navigation steps and must continue these steps
asynchronously.</p>
<p>At this point, unless this step has already been reached once
before in the execution of this instance of the algorithm, the
user agents must return to whatever algorithm invoked the
navigation steps and must continue these steps asynchronously.</p>

</li>

<li>

<p>If fetching the resource results in a redirect, return to <a href=#navigate-fragid-step>the step labeled "fragment
identifiers"</a> with the new resource.</p>
<p>If fetching the resource results in a redirect, and either the
<a href=#url>URL</a> of the target of the redirect has the <a href=#same-origin>same
origin</a> as the original resource, or the resource is being
obtained using the POST method or a safe method (in HTTP terms),
return to <a href=#navigate-fragid-step>the step labeled
"fragment identifiers"</a> with the new resource.</p>

<p>Otherwise, if fetching the resource results in a redirect but
the <a href=#url>URL</a> of the target of the redirect does not have
the <a href=#same-origin>same origin</a> as the original resource and the
resource is being obtained using a method that is neither the POST
method nor a safe method (in HTTP terms), then abort these
steps. The user agent may indicate to the user that the navigation
has been aborted for security reasons.</p>

</li>

Expand Down Expand Up @@ -89913,6 +89958,7 @@ <h3 class="no-num">Reflecting IDL attributes</h3>
Dean Edwards,
Debi Orton,
Derek Featherstone,
Devdatta,
Dimitri Glazkov,
Dimitry Golubovsky,
Divya Manian,
Expand Down
82 changes: 64 additions & 18 deletions index
Expand Up @@ -5964,9 +5964,10 @@ a.setAttribute('href', 'http://example.com/'); // change the content attribute d

<p>When a user agent is to <dfn id=fetch>fetch</dfn> a resource or
<a href=#url>URL</a>, optionally from an origin <i title="">origin</i>,
and optionally with a <i>synchronous flag</i>, the following steps
must be run. (When a <em>URL</em> is to be fetched, the URL
identifies a resource to be obtained.)</p>
and optionally with a <i>synchronous flag</i> and/or a <i>manual
redirect flag</i>, the following steps must be run. (When a
<em>URL</em> is to be fetched, the URL identifies a resource to be
obtained.)</p>

<!-- if invoked with the synchronous flag, make sure to release the
storage mutex first -->
Expand Down Expand Up @@ -6012,6 +6013,8 @@ a.setAttribute('href', 'http://example.com/'); // change the content attribute d

<li>

<p>This is the <i>main step</i>.</p>

<p>If the resource is identified by an <a href=#absolute-url>absolute URL</a>,
and the resource is to be obtained using an idempotent action
(such as an HTTP GET <a href=#concept-http-equivalent-get title=concept-http-equivalent-get>or
Expand All @@ -6025,13 +6028,9 @@ a.setAttribute('href', 'http://example.com/'); // change the content attribute d
<p>Otherwise, at a time convenient to the user and the user agent,
download (or otherwise obtain) the resource, applying the
semantics of the relevant specifications (e.g. performing an HTTP
GET or POST operation, or reading the file from disk, following
redirects, <a href=#concept-js-deref title=concept-js-deref>dereferencing <span title="javascript protocol"><code title="">javascript:</code>
URLs</span></a>, etc).</p>

<p class=note>The HTTP specification requires that 301, 302, and
307 redirects, when applied to methods other than the safe
methods, not be followed without user confirmation. <a href=#refsHTTP>[HTTP]</a></p>
GET or POST operation, or reading the file from disk, <a href=#concept-js-deref title=concept-js-deref>dereferencing <span title="javascript
protocol"><code title="">javascript:</code> URLs</span></a>,
etc).</p>

<p>For the purposes of the <code title=http-referer>Referer</code> (sic) header, use the
<i>address of the resource from which Request-URIs are
Expand Down Expand Up @@ -6066,6 +6065,39 @@ a.setAttribute('href', 'http://example.com/'); // change the content attribute d

</ol></li>

<li>

<p>If the fetched resource is an HTTP redirect <a href=#concept-http-equivalent-codes title=concept-http-equivalent-codes>or equivalent</a>,
then:</p>

<dl class=switch><dt>If the <i>manual redirect flag</i> is set</dt>

<dd>

<p>Continue, using the fetched resource (the redirect) as the
result of the algorithm.</p>

</dd>

<dt>Otherwise</dt>

<dd>

<p>First, apply any relevant requirements for redirects (such as
showing any appropriate prompts). Then, redo <i>main step</i>,
but using the target of the redirect as the resource to fetch,
rather than the original resource.</p>

<p class=note>The HTTP specification requires that 301, 302,
and 307 redirects, when applied to methods other than the safe
methods, not be followed without user confirmation. That would
be an appropriate prompt for the purposes of the requirement in
the paragraph above. <a href=#refsHTTP>[HTTP]</a></p>

</dd>

</dl></li>

<li>

<p>If the algorithm was not invoked with the <i>synchronous
Expand Down Expand Up @@ -55776,9 +55808,9 @@ State: &lt;OUTPUT NAME=I&gt;1&lt;/OUTPUT&gt; &lt;INPUT VALUE="Increment" TYPE=BU
application cache at all; the submission will be made to the
network.</p>

<p>Otherwise, <a href=#fetch>fetch</a> the new resource, if it has not
already been obtained<!-- it's obtained by <object>, for instance
-->.</p>
<p>Otherwise, unless it has already been obtained<!-- it's
obtained by <object>, for instance -->, <a href=#fetch>fetch</a> the new
resource, with the <i>manual redirect flag</i> set.</p>

<p>If the resource is being fetched using a method other than one
<a href=#concept-http-equivalent-get title=concept-http-equivalent-get>equivalent to</a>
Expand All @@ -55803,16 +55835,29 @@ State: &lt;OUTPUT NAME=I&gt;1&lt;/OUTPUT&gt; &lt;INPUT VALUE="Increment" TYPE=BU

<li>

<p>At this point the user agents must return to whatever algorithm
invoked the navigation steps and must continue these steps
asynchronously.</p>
<p>At this point, unless this step has already been reached once
before in the execution of this instance of the algorithm, the
user agents must return to whatever algorithm invoked the
navigation steps and must continue these steps asynchronously.</p>

</li>

<li>

<p>If fetching the resource results in a redirect, return to <a href=#navigate-fragid-step>the step labeled "fragment
identifiers"</a> with the new resource.</p>
<p>If fetching the resource results in a redirect, and either the
<a href=#url>URL</a> of the target of the redirect has the <a href=#same-origin>same
origin</a> as the original resource, or the resource is being
obtained using the POST method or a safe method (in HTTP terms),
return to <a href=#navigate-fragid-step>the step labeled
"fragment identifiers"</a> with the new resource.</p>

<p>Otherwise, if fetching the resource results in a redirect but
the <a href=#url>URL</a> of the target of the redirect does not have
the <a href=#same-origin>same origin</a> as the original resource and the
resource is being obtained using a method that is neither the POST
method nor a safe method (in HTTP terms), then abort these
steps. The user agent may indicate to the user that the navigation
has been aborted for security reasons.</p>

</li>

Expand Down Expand Up @@ -83335,6 +83380,7 @@ interface <a href=#htmldocument>HTMLDocument</a> {
Dean Edwards,
Debi Orton,
Derek Featherstone,
Devdatta,
Dimitri Glazkov,
Dimitry Golubovsky,
Divya Manian,
Expand Down

0 comments on commit 2b730f8

Please sign in to comment.