[giow] (2) Recast how origins are defined to explicitly use the conce…

…pt of an origin 'alias' and fix the definitions for about:blank docs to use this new definition. Affected topics: HTML, Security git-svn-id: http://svn.whatwg.org/webapps@7141 340c8d12-0b0e-0410-8428-c7bf67bfef74
whatwg · Jun 22, 2012 · 035cff3 · 035cff3
1 parent 1dfe433
commit 035cff3
Show file tree

Hide file tree

Showing 3 changed files with 551 additions and 186 deletions.
diff --git a/complete.html b/complete.html
@@ -64563,16 +64563,23 @@ <h3 id=windows><span class=secno>6.1 </span>Browsing contexts</h3>
   specifically to be immediately navigated, then that initial
   navigation will have <a href=#replacement-enabled>replacement enabled</a>.</p>
 
-  <p id=about-blank-origin>The <a href=#origin>origin</a> of the
-  <code><a href=#about:blank>about:blank</a></code> <code><a href=#document>Document</a></code> is set when the
-  <code><a href=#document>Document</a></code> is created. If the new <a href=#browsing-context>browsing
-  context</a> has a <a href=#creator-browsing-context>creator browsing context</a>, then the
-  <a href=#origin>origin</a> of the <code><a href=#about:blank>about:blank</a></code>
-  <code><a href=#document>Document</a></code> is the <a href=#origin>origin</a> of the
-  <a href=#creator-document>creator <code>Document</code></a>. Otherwise, the
-  <a href=#origin>origin</a> of the <code><a href=#about:blank>about:blank</a></code>
-  <code><a href=#document>Document</a></code> is a globally unique identifier assigned when
-  the new <a href=#browsing-context>browsing context</a> is created.</p>
+  <p id=about-blank-origin>The <a href=#origin>origin</a> and
+  <a href=#effective-script-origin>effective script origin</a> of the <code><a href=#about:blank>about:blank</a></code>
+  <code><a href=#document>Document</a></code> are set when the <code><a href=#document>Document</a></code> is
+  created. If the new <a href=#browsing-context>browsing context</a> has a
+  <a href=#creator-browsing-context>creator browsing context</a>, then the <a href=#origin>origin</a>
+  of the <code><a href=#about:blank>about:blank</a></code> <code><a href=#document>Document</a></code> is an <a href=#concept-origin-alias title=concept-origin-alias>alias</a> to the <a href=#origin>origin</a>
+  of the <a href=#creator-document>creator <code>Document</code></a> and the
+  <a href=#effective-script-origin>effective script origin</a> of the <code><a href=#about:blank>about:blank</a></code>
+  <code><a href=#document>Document</a></code> is initially an <a href=#concept-origin-alias title=concept-origin-alias>alias</a> to the <a href=#effective-script-origin>effective
+  script origin</a> of the <a href=#creator-document>creator
+  <code>Document</code></a>. Otherwise, the <a href=#origin>origin</a> of
+  the <code><a href=#about:blank>about:blank</a></code> <code><a href=#document>Document</a></code> is a globally
+  unique identifier assigned when the new <a href=#browsing-context>browsing
+  context</a> is created and the <a href=#effective-script-origin>effective script
+  origin</a> of the <code><a href=#about:blank>about:blank</a></code> <code><a href=#document>Document</a></code>
+  is initially an <a href=#concept-origin-alias title=concept-origin-alias>alias</a> to
+  its <a href=#origin>origin</a>.</p>
 
   </div>
 
@@ -66052,9 +66059,16 @@ <h3 id=origin-0><span class=secno>6.3 </span>Origin</h3>
   secure certificate changes, the origin is considered to change as
   well.</p>
 
-
   <div class=impl>
 
+  <p>An <a href=#origin>origin</a> or <a href=#effective-script-origin>effective script origin</a>
+  can be defined as an <dfn id=concept-origin-alias title=concept-origin-alias>alias</dfn>
+  to another <a href=#origin>origin</a> or <a href=#effective-script-origin>effective script
+  origin</a>. The value of the <a href=#origin>origin</a> or
+  <a href=#effective-script-origin>effective script origin</a> is then the value of the
+  <a href=#origin>origin</a> or <a href=#effective-script-origin>effective script origin</a> to which
+  it is an alias.</p>
+
   <p>These characteristics are defined as follows:</p>
 
   <dl><dt>For URLs</dt>
@@ -66076,56 +66090,118 @@ <h3 id=origin-0><span class=secno>6.3 </span>Origin</h3>
      sandboxing flag set</a> has its <a href=#sandboxed-origin-browsing-context-flag>sandboxed origin
      browsing context flag</a> set</dt>
 
-     <dd>The <a href=#origin>origin</a> is a globally unique identifier
-     assigned when the <code><a href=#document>Document</a></code> is created.</dd>
+     <dd>
+
+      <p>The <a href=#origin>origin</a> is a globally unique identifier
+      assigned when the <code><a href=#document>Document</a></code> is created.</p>
+
+      <p>The <a href=#effective-script-origin>effective script origin</a> is initially an
+      <a href=#concept-origin-alias title=concept-origin-alias>alias</a> to the
+      <a href=#origin>origin</a> of the <code><a href=#document>Document</a></code>.</p>
+
+     </dd>
 
 
      <dt>If a <code><a href=#document>Document</a></code> was generated from a <a href=#javascript-protocol title="javascript protocol"><code>javascript:</code>
      URL</a></dt>
 
-     <dd>The <a href=#origin>origin</a> is equal to the <a href=#origin>origin</a>
-     of the script of that <a href=#javascript-protocol title="javascript
-     protocol"><code>javascript:</code> URL</a>.</dd>
+     <dd>
+
+      <p>The <a href=#origin>origin</a> is an <a href=#concept-origin-alias title=concept-origin-alias>alias</a> to the
+      <a href=#origin>origin</a> of the script of that <a href=#javascript-protocol title="javascript protocol"><code>javascript:</code>
+      URL</a>.</p>
+
+      <p>The <a href=#effective-script-origin>effective script origin</a> is initially an
+      <a href=#concept-origin-alias title=concept-origin-alias>alias</a> to the
+      <a href=#origin>origin</a> of the <code><a href=#document>Document</a></code>.</p>
+
+     </dd>
 
 
      <dt>If a <code><a href=#document>Document</a></code> was served over the network and
      has an address that uses a URL scheme with a server-based naming
      authority</dt>
 
-     <dd>The <a href=#origin>origin</a> is the <a href=#origin>origin</a> of
-     <a href="#the-document's-address">the <code>Document</code>'s address</a>.</dd>
+     <dd>
+
+      <p>The <a href=#origin>origin</a> is an <a href=#concept-origin-alias title=concept-origin-alias>alias</a> to the
+      <a href=#origin>origin</a> of <a href="#the-document's-address">the <code>Document</code>'s
+      address</a>.</p>
+
+      <p>The <a href=#effective-script-origin>effective script origin</a> is initially an
+      <a href=#concept-origin-alias title=concept-origin-alias>alias</a> to the
+      <a href=#origin>origin</a> of the <code><a href=#document>Document</a></code>.</p>
+
+     </dd>
 
 
      <dt>If a <code><a href=#document>Document</a></code> was generated from a <a href=#data-protocol title="data protocol"><code title="">data:</code> URL</a> that
      was returned as the location of an HTTP redirect (<a href=#concept-http-equivalent-codes title=concept-http-equivalent-codes>or equivalent</a> in
      other protocols)</dt>
 
-     <dd>The <a href=#origin>origin</a> is the <a href=#origin>origin</a> of the
-     <a href=#url>URL</a> that redirected to the <a href=#data-protocol title="data
-     protocol"><code title="">data:</code> URL</a>.</dd>
+     <dd>
+
+      <p>The <a href=#origin>origin</a> is an <a href=#concept-origin-alias title=concept-origin-alias>alias</a> to the
+      <a href=#origin>origin</a> of the <a href=#url>URL</a> that redirected to
+      the <a href=#data-protocol title="data protocol"><code title="">data:</code>
+      URL</a>.</p>
+
+      <p>The <a href=#effective-script-origin>effective script origin</a> is initially an
+      <a href=#concept-origin-alias title=concept-origin-alias>alias</a> to the
+      <a href=#origin>origin</a> of the <code><a href=#document>Document</a></code>.</p>
+
+     </dd>
 
 
      <dt>If a <code><a href=#document>Document</a></code> was generated from a <a href=#data-protocol title="data protocol"><code title="">data:</code> URL</a>
      found in another <code><a href=#document>Document</a></code> or in a script</dt>
 
-     <dd>The <a href=#origin>origin</a> is the <a href=#origin>origin</a> of the
-     <code><a href=#document>Document</a></code> or script that initiated the <a href=#navigate title=navigate>navigation</a> to that <a href=#url>URL</a>.</dd>
+     <dd>
+
+      <p>The <a href=#origin>origin</a> is an <a href=#concept-origin-alias title=concept-origin-alias>alias</a> to the
+      <a href=#origin>origin</a> of the <code><a href=#document>Document</a></code> or script that
+      initiated the <a href=#navigate title=navigate>navigation</a> to that
+      <a href=#url>URL</a>.</p>
+
+      <p>The <a href=#effective-script-origin>effective script origin</a> is initially an
+      <a href=#concept-origin-alias title=concept-origin-alias>alias</a> to the
+      <a href=#effective-script-origin>effective script origin</a> of the
+      <code><a href=#document>Document</a></code> or script that initiated the <a href=#navigate title=navigate>navigation</a> to that <a href=#url>URL</a>.</p>
+
+     </dd>
 
 
      <dt>If a <code><a href=#document>Document</a></code> has the <a href="#the-document's-address" title="the
      document's address">address</a>
      "<code><a href=#about:blank>about:blank</a></code>"</dt>
 
-     <dd>The <a href=#origin>origin</a> of the <code><a href=#document>Document</a></code> is <a href=#about-blank-origin>the <span>origin</span> it was
-     assigned when its browsing context was created</a>.</dd>
+     <dd>
+
+      <p>The <a href=#origin>origin</a> and <a href=#effective-script-origin>effective script
+      origin</a> of the <code><a href=#document>Document</a></code> are <a href=#about-blank-origin>those it was assigned when its
+      browsing context was created</a>.</p>
+
+     </dd>
 
 
      <dt>If a <code><a href=#document>Document</a></code> is <a href=#an-iframe-srcdoc-document>an <code>iframe</code> <code title=attr-iframe-srcdoc>srcdoc</code> document</a></dt>
 
-     <dd>The <a href=#origin>origin</a> of the <code><a href=#document>Document</a></code> is the
-     <a href=#origin>origin</a> of the <code><a href=#document>Document</a></code>'s <a href=#browsing-context>browsing
-     context</a>'s <a href=#browsing-context-container>browsing context container</a>'s
-     <code><a href=#document>Document</a></code>.</dd>
+     <dd>
+
+      <p>The <a href=#origin>origin</a> of the <code><a href=#document>Document</a></code> is an
+      <a href=#concept-origin-alias title=concept-origin-alias>alias</a> to the
+      <a href=#origin>origin</a> of the <code><a href=#document>Document</a></code>'s
+      <a href=#browsing-context>browsing context</a>'s <a href=#browsing-context-container>browsing context
+      container</a>'s <code><a href=#document>Document</a></code>.</p>
+
+      <p>The <a href=#effective-script-origin>effective script origin</a> is initially an
+      <a href=#concept-origin-alias title=concept-origin-alias>alias</a> to the
+      <a href=#effective-script-origin>effective script origin</a> of the
+      <code><a href=#document>Document</a></code>'s <a href=#browsing-context>browsing context</a>'s
+      <a href=#browsing-context-container>browsing context container</a>'s
+      <code><a href=#document>Document</a></code>.</p>
+
+     </dd>
 
 
      <dt>If a <code><a href=#document>Document</a></code> was obtained in some other manner
@@ -66134,13 +66210,20 @@ <h3 id=origin-0><span class=secno>6.3 </span>Origin</h3>
      using the <code title=dom-DOMImplementation-createDocument><a href=#dom-domimplementation-createdocument>createDocument()</a></code>
      API, etc)</dt>
 
-     <dd>The <a href=#origin>origin</a> is a globally unique identifier
-     assigned when the <code><a href=#document>Document</a></code> is created.</dd>
+     <dd>
+
+      <p>The <a href=#origin>origin</a> is a globally unique identifier
+      assigned when the <code><a href=#document>Document</a></code> is created.</p>
+
+      <p>The <a href=#effective-script-origin>effective script origin</a> is initially an
+      <a href=#concept-origin-alias title=concept-origin-alias>alias</a> to the
+      <a href=#origin>origin</a> of the <code><a href=#document>Document</a></code>.</p>
 
-    </dl><p>When a <code><a href=#document>Document</a></code> is created, its <a href=#effective-script-origin>effective
-    script origin</a> is initialized to the <a href=#origin>origin</a> of
-    the <code><a href=#document>Document</a></code>. However, the <code title=dom-document-domain><a href=#dom-document-domain>document.domain</a></code> attribute can
-    be used to change it.</p>
+     </dd>
+
+    </dl><p class=note>The <a href=#effective-script-origin>effective script origin</a> of a
+    <code><a href=#document>Document</a></code> can be manipulated using the <code title=dom-document-domain><a href=#dom-document-domain>document.domain</a></code> IDL
+    attribute.</p>
 
    </dd>
 
@@ -66159,14 +66242,17 @@ <h3 id=origin-0><span class=secno>6.3 </span>Origin</h3>
      <dt>If an image is the image of an <code><a href=#the-img-element>img</a></code> element and
      its image data is <a href=#cors-same-origin>CORS-same-origin</a></dt>
 
-     <dd>The <a href=#origin>origin</a> is the <a href=#origin>origin</a> of the
-     <code><a href=#the-img-element>img</a></code> element's <code><a href=#document>Document</a></code>.</dd>
+     <dd>The <a href=#origin>origin</a> is an <a href=#concept-origin-alias title=concept-origin-alias>alias</a> to the
+     <a href=#origin>origin</a> of the <code><a href=#the-img-element>img</a></code> element's
+     <code><a href=#document>Document</a></code>.</dd>
 
      <!-- all image loads go through the "potentially CORS-enabled
      fetch" algorithm so they're all either CORS-cross-origin or
      CORS-same-origin if they succeed at all -->
 
-    </dl></dd>
+    </dl><p>Images do not have an <a href=#effective-script-origin>effective script origin</a>.</p>
+
+   </dd>
 
 
    <dt>For <code><a href=#the-audio-element>audio</a></code> and <code><a href=#the-video-element>video</a></code> elements</dt>
@@ -66183,26 +66269,33 @@ <h3 id=origin-0><span class=secno>6.3 </span>Origin</h3>
      <dt>If the <a href=#media-data>media data</a> is
      <a href=#cors-same-origin>CORS-same-origin</a></dt>
 
-     <dd>The <a href=#origin>origin</a> is the <a href=#origin>origin</a> of the
-     <a href=#media-element>media element</a>'s <code><a href=#document>Document</a></code>.</dd>
+     <dd>The <a href=#origin>origin</a> is an <a href=#concept-origin-alias title=concept-origin-alias>alias</a> to the
+     <a href=#origin>origin</a> of the <a href=#media-element>media element</a>'s
+     <code><a href=#document>Document</a></code>.</dd>
 
-    </dl></dd>
+    </dl><p><a href=#media-element title="media element">Media elements</a> do not have
+    an <a href=#effective-script-origin>effective script origin</a>.</p>
+
+   </dd>
 
 
    <dt>For fonts</dt>
 
    <dd>
 
-    <p>The <a href=#origin>origin</a> of a downloadable Web font is equal to
-    the <a href=#origin>origin</a> of the <a href=#absolute-url>absolute URL</a> used to
+    <p>The <a href=#origin>origin</a> of a downloadable Web font is an <a href=#concept-origin-alias title=concept-origin-alias>alias</a> to the
+    <a href=#origin>origin</a> of the <a href=#absolute-url>absolute URL</a> used to
     obtain the font (after any redirects). <a href=#refsCSSFONTS>[CSSFONTS]</a></p> <!-- this means you can
     get data from a remote site if you can make it redirect to your
     own site in some fashion controlled by the data you want to read
     -->
 
     <p>The <a href=#origin>origin</a> of a locally installed system font is
-    equal to the <a href=#origin>origin</a> of the <code><a href=#document>Document</a></code> in
-    which that font is being used.</p>
+    an <a href=#concept-origin-alias title=concept-origin-alias>alias</a> to the
+    <a href=#origin>origin</a> of the <code><a href=#document>Document</a></code> in which that
+    font is being used.</p>
+
+    <p>Fonts do not have an <a href=#effective-script-origin>effective script origin</a>.</p>
 
    </dd>
 
@@ -66277,21 +66370,23 @@ <h3 id=origin-0><span class=secno>6.3 </span>Origin</h3>
 
      <dd>The owner is the script that provided the URL.</dd>
 
-    </dl><p>The <a href=#origin>origin</a> of the script is then equal to the
+    </dl><p>The <a href=#origin>origin</a> of the script is then an <a href=#concept-origin-alias title=concept-origin-alias>alias</a> to the
     <a href=#origin>origin</a> of the owner, and the <a href=#effective-script-origin>effective script
-    origin</a> of the script is equal to the <a href=#effective-script-origin>effective script
-    origin</a> of the owner.</p>
+    origin</a> of the script is an <a href=#concept-origin-alias title=concept-origin-alias>alias</a> to the <a href=#effective-script-origin>effective
+    script origin</a> of the owner.</p>
 
    </dd>
 
   </dl><p>Other specifications can override the above definitions by
-  themselves specifying the origin of a particular URL, script,
-  <code><a href=#document>Document</a></code>, or image.</p>
+  themselves specifying the origin of a particular <a href=#url>URL</a>,
+  <code><a href=#document>Document</a></code>, image, <a href=#media-element>media element</a>, font, or
+  <a href=#concept-script title=concept-script>script</a>.</p>
 
   <!-- e.g.:
 
     <p>The <span>origin</span> of a <code>Document</code> object
-    returned by the <code>XMLHttpRequest</code> API is equal to the
+    returned by the <code>XMLHttpRequest</code> API is an <span
+    title="concept-origin-alias">alias</span> to the
     <span>XMLHttpRequest origin</span> of the
     <code>XMLHttpRequest</code> object.</p>
 
@@ -66459,6 +66554,10 @@ <h4 id=relaxing-the-same-origin-restriction><span class=secno>6.3.1 </span>Relax
       throw a <code><a href=#securityerror>SecurityError</a></code> exception and abort these
       steps.</p>
 
+      <!-- this is the step that prevents us from ever setting
+      document.domain if the >effective script origin< isn't a
+      scheme/host/port tuple -->
+
      </li>
 
      <li>
@@ -66488,26 +66587,43 @@ <h4 id=relaxing-the-same-origin-restriction><span class=secno>6.3.1 </span>Relax
 
    <li>
 
-    <p>Set the host part of the <a href=#effective-script-origin>effective script origin</a>
-    tuple of the <code><a href=#document>Document</a></code> to <var title="">new
-    value</var>.</p>
+    <p>If the <a href=#effective-script-origin>effective script origin</a> of the
+    <code><a href=#document>Document</a></code> is an <a href=#concept-origin-alias title=concept-origin-alias>alias</a>, set it to the value of
+    the <a href=#effective-script-origin>effective script origin</a> (essentially de-aliasing
+    the <a href=#effective-script-origin>effective script origin</a>).</p>
 
    </li>
 
    <li>
 
-    <p>Set the port part of the <a href=#effective-script-origin>effective script origin</a>
-    tuple of the <code><a href=#document>Document</a></code> to "manual override" (a value
-    that, for the purposes of <a href=#same-origin title="same origin">comparing
-    origins</a>, is identical to "manual override" but not
-    identical to any other value).</p>
+    <p>If <var title="">new value</var> is not the empty string, then
+    run these substeps:</p>
 
-   </li>
+    <ol><li>
+
+      <p>Set the host part of the <a href=#effective-script-origin>effective script origin</a>
+      tuple of the <code><a href=#document>Document</a></code> to <var title="">new
+      value</var>.</p>
+
+     </li>
+
+     <li>
+
+      <p>Set the port part of the <a href=#effective-script-origin>effective script origin</a>
+      tuple of the <code><a href=#document>Document</a></code> to "manual override" (a value
+      that, for the purposes of <a href=#same-origin title="same origin">comparing
+      origins</a>, is identical to "manual override" but not
+      identical to any other value).</p>
+
+     </li>
+
+    </ol></li>
 
   </ol><p>The <dfn id="the-document's-domain" title="the document's domain">domain</dfn> of a
   <code><a href=#document>Document</a></code> is the host part of the document's
-  <a href=#origin>origin</a>, if that is a scheme/host/port tuple. If it
-  isn't, then the document does not have a domain.</p>
+  <a href=#origin>origin</a>, if the value of that <a href=#origin>origin</a> is a
+  scheme/host/port tuple. If it isn't, then the document does not have
+  a domain.</p>
 
   </div>