[giow] (0) Fix the usage of CORS with <img> to support redirects and …

…to support an unprompted CORS response. git-svn-id: http://svn.whatwg.org/webapps@6143 340c8d12-0b0e-0410-8428-c7bf67bfef74
whatwg · May 20, 2011 · 4e538ca · 4e538ca
1 parent e5e941b
commit 4e538ca
Show file tree

Hide file tree

Showing 3 changed files with 59 additions and 45 deletions.
diff --git a/complete.html b/complete.html
@@ -239,7 +239,7 @@
 
   <header class=head id=head><p><a class=logo href=http://www.whatwg.org/ rel=home><img alt=WHATWG height=101 src=/images/logo width=101></a></p>
    <hgroup><h1>Web Applications 1.0</h1>
-    <h2 class="no-num no-toc">Living Standard &mdash; Last Updated 18 May 2011</h2>
+    <h2 class="no-num no-toc">Living Standard &mdash; Last Updated 20 May 2011</h2>
    </hgroup><dl><dt>Multiple-page version:</dt>
     <dd><a href=http://www.whatwg.org/specs/web-apps/current-work/complete/>http://www.whatwg.org/specs/web-apps/current-work/complete/</a></dd>
     <dt>One-page version:</dt>
@@ -7224,6 +7224,7 @@ <h4 id=cors-settings-attributes><span class=secno>2.7.5 </span>CORS settings att
 
 
 
+
   <h3 id=common-dom-interfaces><span class=secno>2.8 </span>Common DOM interfaces</h3>
 
   <h4 id=reflecting-content-attributes-in-idl-attributes><span class=secno>2.8.1 </span>Reflecting content attributes in IDL attributes</h4>
@@ -22152,25 +22153,28 @@ <h4 id=the-img-element><span class=secno>4.8.1 </span>The <dfn><code>img</code><
 
     <p>If that is not successful, abort these steps.</p>
 
-    <p>Otherwise, if the <a href=#origin>origin</a> of the resulting
-    <a href=#absolute-url>absolute URL</a> is not the <a href=#same-origin>same origin</a> as
-    the <code><a href=#the-img-element>img</a></code> element's <code><a href=#document>Document</a></code>'s
-    <a href=#origin>origin</a>, and the <code><a href=#the-img-element>img</a></code> element has a <code title=attr-img-cross-origin><a href=#attr-img-cross-origin>cross-origin</a></code> attribute, then
+    <p>Otherwise, if the <code><a href=#the-img-element>img</a></code> element has a <code title=attr-img-cross-origin><a href=#attr-img-cross-origin>cross-origin</a></code> attribute, then
     perform a <a href=#cross-origin-request>cross-origin request</a>, with the <i>request
     URL</i> set to the resulting <a href=#absolute-url>absolute URL</a>, the
     <i>source origin</i> set to the <a href=#origin>origin</a> of the
     <code><a href=#the-img-element>img</a></code> element's <code><a href=#document>Document</a></code>, and the
     <i>credentials flag</i> set unless the <code title=attr-img-cross-origin><a href=#attr-img-cross-origin>cross-origin</a></code> attribute is in
     the <a href=#attr-cross-origin-anonymous title=attr-cross-origin-anonymous>Anonymous</a>
     state. Discard any data fetched in this way unless the
-    <a href=#cross-origin-request-status>cross-origin request status</a> is set to <i>success</i>.
-    If the <a href=#cross-origin-request-status>cross-origin request status</a> is set to
-    <i>success</i>, then the element's image data's
-    <a href=#origin>origin</a> is forced to be the <code><a href=#the-img-element>img</a></code> element's
-    <code><a href=#document>Document</a></code>'s <a href=#origin>origin</a>. <a href=#refsCORS>[CORS]</a></p> <!-- http-origin CORS -->
+    <a href=#cross-origin-request-status>cross-origin request status</a> is set to <i>success</i>
+    by the <a href=#cross-origin-request>cross-origin request</a> algorithm. If the
+    <a href=#cross-origin-request-status>cross-origin request status</a> is set to <i>success</i>,
+    then the element's image data's <a href=#origin>origin</a> is <a href=#concept-origin-forced-img title=concept-origin-forced-img>forced</a> to be the
+    <code><a href=#the-img-element>img</a></code> element's <code><a href=#document>Document</a></code>'s
+    <a href=#origin>origin</a>. <a href=#refsCORS>[CORS]</a></p> <!--
+    http-origin CORS -->
 
     <p>Otherwise, <a href=#fetch>fetch</a> the resulting <a href=#absolute-url>absolute
-    URL</a>.</p> <!-- http-origin privacy sensitive -->
+    URL</a>. If the returned resource has an <code title=http-Access-Control-Allow-Origin>Access-Control-Allow-Origin</code>
+    response header, and its value is the literal "<code title="">*</code>" character, then the element's image data's
+    <a href=#origin>origin</a> is <a href=#concept-origin-forced-img title=concept-origin-forced-img>forced</a> to be the
+    <code><a href=#the-img-element>img</a></code> element's <code><a href=#document>Document</a></code>'s
+    <a href=#origin>origin</a>.</p> <!-- http-origin privacy sensitive -->
 
     <p>The resouce obtained in this fashion is the <code><a href=#the-img-element>img</a></code>
     element's image data.</p>
@@ -61779,11 +61783,10 @@ <h3 id=origin-0><span class=secno>6.3 </span>Origin</h3>
    <dd>
 
     <dl class=switch><dt>If an image is the image of an <code><a href=#the-img-element>img</a></code> element and
-     its image data has a forced origin</dt>
+     its image data has a <a href=#concept-origin-forced-img title=concept-origin-forced-img>forced origin</a></dt>
 
-     <dd>The <a href=#origin>origin</a> is the image data's forced origin.
-     (This occurs when the image was successfully obtained using
-     CORS.)</dd>
+     <dd>The <a href=#origin>origin</a> is the image data's <dfn id=concept-origin-forced-img title=concept-origin-forced-img>forced origin</dfn>. (This
+     occurs when the image was successfully obtained using CORS.)</dd>
 
 
      <dt>If an image was served over the network and has an address

diff --git a/index b/index
@@ -243,7 +243,7 @@
 
   <header class=head id=head><p><a class=logo href=http://www.whatwg.org/ rel=home><img alt=WHATWG height=101 src=/images/logo width=101></a></p>
    <hgroup><h1 class=allcaps>HTML</h1>
-    <h2 class="no-num no-toc">Living Standard &mdash; Last Updated 18 May 2011</h2>
+    <h2 class="no-num no-toc">Living Standard &mdash; Last Updated 20 May 2011</h2>
    </hgroup><dl><dt><strong>Web developer edition</strong></dt>
     <dd><strong><a href=http://developers.whatwg.org/>http://developers.whatwg.org/</a></strong></dd>
     <dt>Multiple-page version:</dt>
@@ -7241,6 +7241,7 @@ explained in the previous section, which talks about RFC 2119. -->
 
 
 
+
   <h3 id=common-dom-interfaces><span class=secno>2.8 </span>Common DOM interfaces</h3>
 
   <h4 id=reflecting-content-attributes-in-idl-attributes><span class=secno>2.8.1 </span>Reflecting content attributes in IDL attributes</h4>
@@ -22169,25 +22170,28 @@ interface <dfn id=htmlimageelement>HTMLImageElement</dfn> : <a href=#htmlelement
 
     <p>If that is not successful, abort these steps.</p>
 
-    <p>Otherwise, if the <a href=#origin>origin</a> of the resulting
-    <a href=#absolute-url>absolute URL</a> is not the <a href=#same-origin>same origin</a> as
-    the <code><a href=#the-img-element>img</a></code> element's <code><a href=#document>Document</a></code>'s
-    <a href=#origin>origin</a>, and the <code><a href=#the-img-element>img</a></code> element has a <code title=attr-img-cross-origin><a href=#attr-img-cross-origin>cross-origin</a></code> attribute, then
+    <p>Otherwise, if the <code><a href=#the-img-element>img</a></code> element has a <code title=attr-img-cross-origin><a href=#attr-img-cross-origin>cross-origin</a></code> attribute, then
     perform a <a href=#cross-origin-request>cross-origin request</a>, with the <i>request
     URL</i> set to the resulting <a href=#absolute-url>absolute URL</a>, the
     <i>source origin</i> set to the <a href=#origin>origin</a> of the
     <code><a href=#the-img-element>img</a></code> element's <code><a href=#document>Document</a></code>, and the
     <i>credentials flag</i> set unless the <code title=attr-img-cross-origin><a href=#attr-img-cross-origin>cross-origin</a></code> attribute is in
     the <a href=#attr-cross-origin-anonymous title=attr-cross-origin-anonymous>Anonymous</a>
     state. Discard any data fetched in this way unless the
-    <a href=#cross-origin-request-status>cross-origin request status</a> is set to <i>success</i>.
-    If the <a href=#cross-origin-request-status>cross-origin request status</a> is set to
-    <i>success</i>, then the element's image data's
-    <a href=#origin>origin</a> is forced to be the <code><a href=#the-img-element>img</a></code> element's
-    <code><a href=#document>Document</a></code>'s <a href=#origin>origin</a>. <a href=#refsCORS>[CORS]</a></p> <!-- http-origin CORS -->
+    <a href=#cross-origin-request-status>cross-origin request status</a> is set to <i>success</i>
+    by the <a href=#cross-origin-request>cross-origin request</a> algorithm. If the
+    <a href=#cross-origin-request-status>cross-origin request status</a> is set to <i>success</i>,
+    then the element's image data's <a href=#origin>origin</a> is <a href=#concept-origin-forced-img title=concept-origin-forced-img>forced</a> to be the
+    <code><a href=#the-img-element>img</a></code> element's <code><a href=#document>Document</a></code>'s
+    <a href=#origin>origin</a>. <a href=#refsCORS>[CORS]</a></p> <!--
+    http-origin CORS -->
 
     <p>Otherwise, <a href=#fetch>fetch</a> the resulting <a href=#absolute-url>absolute
-    URL</a>.</p> <!-- http-origin privacy sensitive -->
+    URL</a>. If the returned resource has an <code title=http-Access-Control-Allow-Origin>Access-Control-Allow-Origin</code>
+    response header, and its value is the literal "<code title="">*</code>" character, then the element's image data's
+    <a href=#origin>origin</a> is <a href=#concept-origin-forced-img title=concept-origin-forced-img>forced</a> to be the
+    <code><a href=#the-img-element>img</a></code> element's <code><a href=#document>Document</a></code>'s
+    <a href=#origin>origin</a>.</p> <!-- http-origin privacy sensitive -->
 
     <p>The resouce obtained in this fashion is the <code><a href=#the-img-element>img</a></code>
     element's image data.</p>
@@ -61799,11 +61803,10 @@ x === this; // true</pre>
    <dd>
 
     <dl class=switch><dt>If an image is the image of an <code><a href=#the-img-element>img</a></code> element and
-     its image data has a forced origin</dt>
+     its image data has a <a href=#concept-origin-forced-img title=concept-origin-forced-img>forced origin</a></dt>
 
-     <dd>The <a href=#origin>origin</a> is the image data's forced origin.
-     (This occurs when the image was successfully obtained using
-     CORS.)</dd>
+     <dd>The <a href=#origin>origin</a> is the image data's <dfn id=concept-origin-forced-img title=concept-origin-forced-img>forced origin</dfn>. (This
+     occurs when the image was successfully obtained using CORS.)</dd>
 
 
      <dt>If an image was served over the network and has an address

diff --git a/source b/source
@@ -7081,6 +7081,7 @@ is conforming depends on which specs apply, and leaves it at that. -->
 
 
 
+
   <h3>Common DOM interfaces</h3>
 
   <h4>Reflecting content attributes in IDL attributes</h4>
@@ -23867,10 +23868,7 @@ interface <dfn>HTMLImageElement</dfn> : <span>HTMLElement</span> {
 
     <p>If that is not successful, abort these steps.</p>
 
-    <p>Otherwise, if the <span>origin</span> of the resulting
-    <span>absolute URL</span> is not the <span>same origin</span> as
-    the <code>img</code> element's <code>Document</code>'s
-    <span>origin</span>, and the <code>img</code> element has a <code
+    <p>Otherwise, if the <code>img</code> element has a <code
     title="attr-img-cross-origin">cross-origin</code> attribute, then
     perform a <span>cross-origin request</span>, with the <i>request
     URL</i> set to the resulting <span>absolute URL</span>, the
@@ -23880,15 +23878,24 @@ interface <dfn>HTMLImageElement</dfn> : <span>HTMLElement</span> {
     title="attr-img-cross-origin">cross-origin</code> attribute is in
     the <span title="attr-cross-origin-anonymous">Anonymous</span>
     state. Discard any data fetched in this way unless the
-    <span>cross-origin request status</span> is set to <i>success</i>.
-    If the <span>cross-origin request status</span> is set to
-    <i>success</i>, then the element's image data's
-    <span>origin</span> is forced to be the <code>img</code> element's
-    <code>Document</code>'s <span>origin</span>. <a
-    href="#refsCORS">[CORS]</a></p> <!-- http-origin CORS -->
+    <span>cross-origin request status</span> is set to <i>success</i>
+    by the <span>cross-origin request</span> algorithm. If the
+    <span>cross-origin request status</span> is set to <i>success</i>,
+    then the element's image data's <span>origin</span> is <span
+    title="concept-origin-forced-img">forced</span> to be the
+    <code>img</code> element's <code>Document</code>'s
+    <span>origin</span>. <a href="#refsCORS">[CORS]</a></p> <!--
+    http-origin CORS -->
 
     <p>Otherwise, <span>fetch</span> the resulting <span>absolute
-    URL</span>.</p> <!-- http-origin privacy sensitive -->
+    URL</span>. If the returned resource has an <code
+    title="http-Access-Control-Allow-Origin">Access-Control-Allow-Origin</code>
+    response header, and its value is the literal "<code
+    title="">*</code>" character, then the element's image data's
+    <span>origin</span> is <span
+    title="concept-origin-forced-img">forced</span> to be the
+    <code>img</code> element's <code>Document</code>'s
+    <span>origin</span>.</p> <!-- http-origin privacy sensitive -->
 
     <p>The resouce obtained in this fashion is the <code>img</code>
     element's image data.</p>
@@ -70386,11 +70393,12 @@ x === this; // true</pre>
     <dl class="switch">
 
      <dt>If an image is the image of an <code>img</code> element and
-     its image data has a forced origin</dt>
+     its image data has a <span
+     title="concept-origin-forced-img">forced origin</span></dt>
 
-     <dd>The <span>origin</span> is the image data's forced origin.
-     (This occurs when the image was successfully obtained using
-     CORS.)</dd>
+     <dd>The <span>origin</span> is the image data's <dfn
+     title="concept-origin-forced-img">forced origin</dfn>. (This
+     occurs when the image was successfully obtained using CORS.)</dd>
 
 
      <dt>If an image was served over the network and has an address