[giow] (0) Make 'Referer' work correctly for scripts in shared worker…

…s. (For some definition of 'correctly' -- it uses the URL of the document that actually created the script. Arguably it should use the URL of the script itself. However, this doesn't change that, it just makes it not leak the URL of documents that that document's browsing context is navigated to.) git-svn-id: http://svn.whatwg.org/webapps@4789 340c8d12-0b0e-0410-8428-c7bf67bfef74
whatwg · Feb 23, 2010 · 979baee · 979baee
1 parent f5c6d52
commit 979baee
Show file tree

Hide file tree

Showing 3 changed files with 193 additions and 139 deletions.
diff --git a/complete.html b/complete.html
@@ -157,7 +157,7 @@
 
   <header class=head id=head><p><a class=logo href=http://www.whatwg.org/ rel=home><img alt=WHATWG src=/images/logo></a></p>
    <hgroup><h1>Web Applications 1.0</h1>
-    <h2 class="no-num no-toc">Draft Standard &mdash; 22 February 2010</h2>
+    <h2 class="no-num no-toc">Draft Standard &mdash; 23 February 2010</h2>
    </hgroup><p>You can take part in this work. <a href=http://www.whatwg.org/mailing-list>Join the working group's discussion list.</a></p>
    <p><strong>Web designers!</strong> We have a <a href=http://blog.whatwg.org/faq/>FAQ</a>, a <a href=http://forums.whatwg.org/>forum</a>, and a <a href=http://www.whatwg.org/mailing-list#help>help mailing list</a> for you!</p>
    <!--<p class="impl"><strong>Implementors!</strong> We have a <a href="http://www.whatwg.org/mailing-list#implementors">mailing list</a> for you too!</p>-->
@@ -5247,9 +5247,8 @@ <h3 id=fetching-resources><span class=secno>2.6 </span>Fetching resources</h3>
 
      <dt>When fetching resources in response to a call to an API</dt>
 
-     <dd>The <a href=#active-document>active document</a> of the <a href="#script's-browsing-context" title="script's
-     browsing context">browsing context</a> of the <a href=#entry-script>entry
-     script</a>.</dd>
+     <dd>The <a href=#entry-script>entry script</a>'s <a href="#script's-document" title="script's
+     document">document</a>.</dd>
 
     </dl><p>Remove any <a href=#url-fragment title=url-fragment>&lt;fragment&gt;</a>
     component from the generated <i>address of the resource from which
@@ -6801,8 +6800,7 @@ <h3 id=documents><span class=secno>3.1 </span>Documents</h3>
   <p>When a <code><a href=#document>Document</a></code> is created by a <a href=#concept-script title=concept-script>script</a> using the <code title=dom-DOMImplementation-createDocument>createDocument()</code>
   or <code title=dom-DOMHTMLImplementation-createHTMLDocument><a href=#dom-domhtmlimplementation-createhtmldocument>createHTMLDocument()</a></code>
   APIs, <a href="#the-document's-address">the document's address</a> is the same as <a href="#the-document's-address">the
-  document's address</a> of the <a href=#active-document>active document</a> of the
-  <a href="#script's-browsing-context">script's browsing context</a>.</p>
+  document's address</a> of the <a href="#script's-document">script's document</a>.</p>
 
   <p><code><a href=#document>Document</a></code> objects are assumed to be <dfn id=xml-documents>XML
   documents</dfn> unless they are flagged as being <dfn id=html-documents>HTML
@@ -10020,9 +10018,9 @@ <h4 id=opening-the-input-stream><span class=secno>3.5.1 </span>Opening the input
    UTF-16.</li>
 
    <li><p>Change <a href="#the-document's-address">the document's address</a> to the
-   <a href=#entry-script>entry script</a>'s <a href="#script's-browsing-context" title="script's browsing
-   context">browsing context</a>'s <a href=#active-document>active document</a>'s
-   <a href="#the-document's-address" title="the document's address">address</a>.</li>
+   <a href=#entry-script>entry script</a>'s <a href="#script's-document" title="script's
+   document">document</a>'s <a href="#the-document's-address" title="the document's
+   address">address</a>.</li>
 
    <li><p>Create a new <a href=#html-parser>HTML parser</a> and associate it with
    the document. This is a <dfn id=script-created-parser>script-created parser</dfn> (meaning
@@ -52905,6 +52903,11 @@ <h4 id=garbage-collection-and-browsing-contexts><span class=secno>6.2.5 </span>G
   <a href=#view title=view>views</a> and their <code>AbstractView</code>
   objects.</p>
 
+  <p>Each <a href=#concept-script title=concept-script>script</a> has a strong
+  reference to its <a href="#script's-browsing-context" title="script's browsing context">browsing
+  context</a> and its <a href="#script's-document" title="script's
+  document">document</a>.</p>
+
   <p>When a <a href=#browsing-context>browsing context</a> is to <dfn id=discard-a-document>discard a
   <code>Document</code></dfn>, the user agent must run the following
   steps:</p>
@@ -53907,11 +53910,9 @@ <h4 id=the-history-interface><span class=secno>6.4.2 </span>The <code><a href=#h
 
      <li>If the <a href=#origin>origin</a> of the resulting <a href=#absolute-url>absolute
      URL</a> is not the same as the <a href=#origin>origin</a> of the
-     <a href=#entry-script>entry script</a>'s <a href="#script's-browsing-context" title="script's browsing
-     context">browsing context</a>'s <a href=#active-document>active document</a>,
-     and either the <a href=#url-path title=url-path>&lt;path&gt;</a> or
-     <a href=#url-query title=url-query>&lt;query&gt;</a> components of the
-     two <a href=#url title=URL>URLs</a> compared in the previous step
+     <a href=#entry-script>entry script</a>'s <a href="#script's-document" title="script's
+     document">document</a>, and either the <a href=#url-path title=url-path>&lt;path&gt;</a> or <a href=#url-query title=url-query>&lt;query&gt;</a> components of the two
+     <a href=#url title=URL>URLs</a> compared in the previous step
      differ, raise a <code><a href=#security_err>SECURITY_ERR</a></code> exception and abort
      these steps. (This prevents sandboxed content from spoofing other
      pages on the same origin.)</li>
@@ -57773,6 +57774,19 @@ <h5 id=definitions-0><span class=secno>7.1.3.1 </span>Definitions</h5>
 
    </dd>
 
+   <dt>A relationship with the <dfn id="script's-document">script's document</dfn></dt>
+
+   <dd>
+
+    <p>A <code><a href=#document>Document</a></code> that is assigned responsibility for
+    actions taken by the script.</p>
+
+    <p class=example>When a script <a href=#fetch title=fetch>fetches</a> a resource, the <a href="#the-document's-current-address" title="the
+    document's current address">current address</a> of the
+    <a href="#script's-document">script's document</a> will be used to set the <code title=http-referer>Referer</code> (sic) header.</p>
+
+   </dd>
+
    <dt>A <dfn id="script's-url-character-encoding" title="script's URL character encoding">URL character encoding</dfn></dt>
 
    <dd>
@@ -57857,9 +57871,10 @@ <h5 id=creating-scripts><span class=secno>7.1.3.3 </span>Creating scripts</h5>
    entry-point</a></i> is the entry-point for that code.</li>
 
    <li><p>Set up the <a href="#script's-global-object">script's global object</a>, the
-   <a href="#script's-browsing-context">script's browsing context</a>, the <a href="#script's-url-character-encoding">script's URL
-   character encoding</a>, and the <a href="#script's-base-url">script's base URL</a>
-   from the settings passed to this algorithm.</li>
+   <a href="#script's-browsing-context">script's browsing context</a>, the <a href="#script's-document">script's
+   document</a>, the <a href="#script's-url-character-encoding">script's URL character encoding</a>,
+   and the <a href="#script's-base-url">script's base URL</a> from the settings passed to
+   this algorithm.</li>
 
    <li><p><a href=#jump-to-a-code-entry-point title="jump to a code entry-point">Jump</a> to the
    <a href=#concept-script title=concept-script>script</a>'s <i><a href=#initial-code-entry-point>initial code
@@ -58026,8 +58041,7 @@ <h5 id=definitions-1><span class=secno>7.1.4.1 </span>Definitions</h5>
   <a href=#browsing-context>browsing context</a>, then it is the <a href=#browsing-context>browsing
   context</a>'s <a href=#active-document>active document</a> at the time the task
   was queued; if the task was queued by or for a <a href=#concept-script title=concept-script>script</a> then the document is the
-  <a href="#script's-browsing-context">script's browsing context</a>'s <a href=#active-document>active
-  document</a> at the time the task was queued.</p>
+  <a href="#script's-document">script's document</a>.</p>
 
   <p>A user agent is required to have one <dfn id=storage-mutex>storage
   mutex</dfn>. This mutex is used to control access to shared state
@@ -58437,10 +58451,11 @@ <h5 id=event-handler-attributes><span class=secno>7.1.6.1 </span>Event handlers<
    to null and abort these steps.</li>
 
    <li><p>Set up the <a href="#script's-global-object">script's global object</a>, the
-   <a href="#script's-browsing-context">script's browsing context</a>, the <a href="#script's-url-character-encoding">script's URL
-   character encoding</a>, and the <a href="#script's-base-url">script's base URL</a>
-   from <a href=#the-script-settings-determined-from-the-node>the script settings determined from the node</a> on
-   which the attribute is being set.</li>
+   <a href="#script's-browsing-context">script's browsing context</a>, the <a href="#script's-document">script's
+   document</a>, the <a href="#script's-url-character-encoding">script's URL character encoding</a>,
+   and the <a href="#script's-base-url">script's base URL</a> from <a href=#the-script-settings-determined-from-the-node>the script
+   settings determined from the node</a> on which the attribute is
+   being set.</li>
 
    <li><p>Set the corresponding <a href=#event-handlers title="event handlers">event
    handler</a> to the aforementioned function.</li>
@@ -59054,13 +59069,14 @@ <h3 id=timers><span class=secno>7.2 </span>Timers</h3>
 
     <p>Otherwise, if the <a href=#method-context>method context</a> is a
     <code><a href=#workerutils>WorkerUtils</a></code> object, let <var title="">global
-    object</var>, <var title="">browsing context</var>, <var title="">character encoding</var>, and <var title="">base
-    URL</var> be the <a href="#script's-global-object">script's global object</a>,
-    <a href="#script's-browsing-context">script's browsing context</a>, <a href="#script's-url-character-encoding">script's URL
-    character encoding</a>, and <a href="#script's-base-url">script's base URL</a>
-    (respectively) of the <a href=#concept-script title=concept-script>script</a>
-    that the <a href=#run-a-worker>run a worker</a> algorithm created when it
-    created the <a href=#method-context>method context</a>.</p>
+    object</var>, <var title="">browsing context</var>, <var title="">document</var>, <var title="">character encoding</var>,
+    and <var title="">base URL</var> be the <a href="#script's-global-object">script's global
+    object</a>, <a href="#script's-browsing-context">script's browsing context</a>,
+    <a href="#script's-document">script's document</a>, <a href="#script's-url-character-encoding">script's URL character
+    encoding</a>, and <a href="#script's-base-url">script's base URL</a> (respectively)
+    of the <a href=#concept-script title=concept-script>script</a> that the
+    <a href=#run-a-worker>run a worker</a> algorithm created when it created the
+    <a href=#method-context>method context</a>.</p>
 
     <p>Otherwise, act as described in the specification that defines
     that the <code><a href=#windowtimers>WindowTimers</a></code> interface is implemented by
@@ -59069,13 +59085,7 @@ <h3 id=timers><span class=secno>7.2 </span>Timers</h3>
    </li>
 
    <li><p>Return a <a href=#concept-task title=concept-task>task</a> that checks
-   if the entry for <var title="">handle</var> in <var title="">list</var>
-   has been cleared, and if it has not, <a href=#create-a-script title="create a
-   script">creates a script</a> using <var title="">script
-   source</var> as the script source, <var title="">scripting
-   language</var> as the scripting language, <var title="">global
-   object</var> as the global object, <var title="">browsing
-   context</var> as the browsing context, <var title="">character
+   if the entry for <var title="">handle</var> in <var title="">list</var> has been cleared, and if it has not, <a href=#create-a-script title="create a script">creates a script</a> using <var title="">script source</var> as the script source, <var title="">scripting language</var> as the scripting language, <var title="">global object</var> as the global object, <var title="">browsing context</var> as the browsing context, <var title="">document</var> as the document, <var title="">character
    encoding</var> as the URL character encoding, and <var title="">base URL</var> as the base URL.</li>
 
   </ol><p>When the above methods are to <dfn id=get-the-timeout>get the timeout</dfn>, they
@@ -64972,9 +64982,12 @@ <h4 id="the-worker's-lifetime"><span class=secno>9.2.4 </span>The worker's lifet
   <h4 id=processing-model-3><span class=secno>9.2.5 </span>Processing model</h4>
 
   <p>When a user agent is to <dfn id=run-a-worker>run a worker</dfn> for a script with
-  <a href=#url>URL</a> <var title="">url</var>, a browsing context <var title="">owner browsing context</var>, an origin <var title="">owner
-  origin</var>, and with global scope <var title="">worker global
-  scope</var>, it must run the following steps:</p>
+  <a href=#url>URL</a> <var title="">url</var>, a <a href=#browsing-context>browsing
+  context</a> <var title="">owner browsing context</var>, a
+  <code><a href=#document>Document</a></code> <var title="">owner document</var>, an
+  <a href=#origin>origin</a> <var title="">owner origin</var>, and with
+  global scope <var title="">worker global scope</var>, it must run
+  the following steps:</p>
 
   <ol><li>
 
@@ -65036,6 +65049,9 @@ <h4 id=processing-model-3><span class=secno>9.2.5 </span>Processing model</h4>
 
     <p>Set the <a href="#script's-browsing-context">script's browsing context</a> to <var title="">owner browsing context</var>.</p>
 
+    <p>Set the <a href="#script's-document">script's document</a> to <var title="">owner
+    document</var>.</p>
+
     <p>Set the <a href="#script's-url-character-encoding">script's URL character encoding</a> to
     UTF-8. (This is just used for encoding non-ASCII characters in the
     query component of URLs.)</p>
@@ -65446,7 +65462,9 @@ <h5 id=the-abstractworker-abstract-interface><span class=secno>9.2.7.1 </span>Th
     <p><a href=#run-a-worker>Run a worker</a> for the resulting <a href=#absolute-url>absolute
     URL</a>, with the <a href="#script's-browsing-context">script's browsing context</a> of the
     script that invoked the method as the <var title="">owner browsing
-    context</var>, with the <a href=#origin>origin</a> of the <a href=#entry-script>entry
+    context</var>, with the <a href="#script's-document">script's document</a> of the
+    script that invoked the method as the <var title="">owner
+    document</var>, with the <a href=#origin>origin</a> of the <a href=#entry-script>entry
     script</a> as the <var title="">owner origin</var>, and with
     <var title="">worker global scope</var> as the global scope.</p>
 
@@ -65652,7 +65670,9 @@ <h5 id=shared-workers-and-the-sharedworker-interface><span class=secno>9.2.7.3 <
     <p><a href=#run-a-worker>Run a worker</a> for <var title="">scriptURL</var>,
     with the <a href="#script's-browsing-context">script's browsing context</a> of the script that
     invoked the method as the <var title="">owner browsing
-    context</var>, with the <a href=#origin>origin</a> of the <a href=#entry-script>entry
+    context</var>, with the <a href="#script's-document">script's document</a> of the
+    script that invoked the method as the <var title="">owner
+    document</var>, with the <a href=#origin>origin</a> of the <a href=#entry-script>entry
     script</a> as the <var title="">owner origin</var>, and with
     <var title="">worker global scope</var> as the global scope.</p>
 
@@ -69048,9 +69068,8 @@ <h4 id=posting-messages><span class=secno>10.4.3 </span>Posting messages</h4>
     literal U+002F SOLIDUS character (/), and the
     <code><a href=#document>Document</a></code> of the <code><a href=#window>Window</a></code> object on which
     the method was invoked does not have the <a href=#same-origin>same origin</a>
-    as the <a href=#entry-script>entry script</a>'s <a href="#script's-browsing-context" title="script's browsing
-    context">browsing context</a>'s <a href=#active-document>active document</a>,
-    then abort these steps silently.</p>
+    as the <a href=#entry-script>entry script</a>'s <a href="#script's-document" title="script's
+    document">document</a>, then abort these steps silently.</p>
 
     <p>Otherwise, if the <var title="">targetOrigin</var> argument is
     an <a href=#absolute-url>absolute URL</a>, and the <code><a href=#document>Document</a></code> of the
@@ -69165,9 +69184,8 @@ <h4 id=posting-messages-with-message-ports><span class=secno>10.4.4 </span>Posti
     literal U+002F SOLIDUS character (/), and the
     <code><a href=#document>Document</a></code> of the <code><a href=#window>Window</a></code> object on which
     the method was invoked does not have the <a href=#same-origin>same origin</a>
-    as the <a href=#entry-script>entry script</a>'s <a href="#script's-browsing-context" title="script's browsing
-    context">browsing context</a>'s <a href=#active-document>active document</a>,
-    then abort these steps silently.</p>
+    as the <a href=#entry-script>entry script</a>'s <a href="#script's-document" title="script's
+    document">document</a>, then abort these steps silently.</p>
 
     <p>Otherwise, if the <var title="">targetOrigin</var> argument is
     an <a href=#absolute-url>absolute URL</a>, and the <code><a href=#document>Document</a></code> of the