[giow] (1) Change crossorigin='' to act like No CORS mode for same-or…

…igin resources, at least until a cross-origin redirect comes along. Affected topics: HTML git-svn-id: http://svn.whatwg.org/webapps@6926 340c8d12-0b0e-0410-8428-c7bf67bfef74
whatwg · Jan 28, 2012 · 99ed79c · 99ed79c
1 parent 4d2d3f3
commit 99ed79c
Show file tree

Hide file tree

Showing 3 changed files with 63 additions and 27 deletions.
diff --git a/complete.html b/complete.html
@@ -240,7 +240,7 @@
 
   <header class=head id=head><p><a class=logo href=http://www.whatwg.org/><img alt=WHATWG height=101 src=/images/logo width=101></a></p>
    <hgroup><h1 class=allcaps>HTML</h1>
-    <h2 class="no-num no-toc">Living Standard &mdash; Last Updated 27 January 2012</h2>
+    <h2 class="no-num no-toc">Living Standard &mdash; Last Updated 28 January 2012</h2>
    </hgroup><dl><dt><strong>Web developer edition:</strong></dt>
     <dd><strong><a href=http://developers.whatwg.org/>http://developers.whatwg.org/</a></strong></dd>
     <dt>Multiple-page version:</dt>
@@ -8459,7 +8459,9 @@ <h4 id=cors-enabled-fetch><span class=secno>2.7.6 </span>CORS-enabled fetch</h4>
   resource as either <dfn id=cors-same-origin>CORS-same-origin</dfn> or
   <dfn id=cors-cross-origin>CORS-cross-origin</dfn>, or blocks the resource entirely.</p>
 
-  <dl class=switch><dt>If <var title="">mode</var> is "<a href=#attr-crossorigin-none title=attr-crossorigin-none>No CORS</a>"</dt>
+  <dl class=switch><dt>If the <var title="">URL</var> has the <a href=#same-origin>same origin</a> as <var title="">origin</var></dt>
+
+   <dt>If <var title="">mode</var> is "<a href=#attr-crossorigin-none title=attr-crossorigin-none>No CORS</a>"</dt>
 
    <dd>
 
@@ -8477,18 +8479,28 @@ <h4 id=cors-enabled-fetch><span class=secno>2.7.6 </span>CORS-enabled fetch</h4>
      <li>
 
       <p>If the result of the <a href=#fetch>fetch</a> is a redirect, and
-      <var title="">result</var> still has no value, then apply the
-      CORS <a href=#redirect-steps>redirect steps</a>, with the CORS
+      the <var title="">mode</var> is not "<a href=#attr-crossorigin-none title=attr-crossorigin-none>No CORS</a>", and the
+      <a href=#origin>origin</a> of the target URL of the redirect is not the
+      <a href=#same-origin>same origin</a> as <var title="">origin</var>, then set
+      <var title="">URL</var> to the the target URL of the redirect
+      and return to the top of the <a href=#potentially-cors-enabled-fetch>potentially CORS-enabled
+      fetch</a> algorithm (this time, the branch below will be
+      taken, resulting in the fetch being done in a CORS-aware
+      fashion).</p>
+
+      <p>Otherwise, if the result of the <a href=#fetch>fetch</a> is a
+      redirect, and <var title="">result</var> still has no value,
+      then apply the CORS <a href=#redirect-steps>redirect steps</a>, with the CORS
       <a href=#credential-flag>credential flag</a> set to true and the <i>request
       rules</i> being that the user agent continue to follow these
       steps. If this resumes the <a href=#fetch>fetch</a> algorithm, then
-      return to the <i>loop</i> step. If it failed due to a failure
-      of the CORS <a href=#resource-sharing-check>resource sharing check</a>, then: if <var title="">default</var> is <i>fail</i>, then set <var title="">result</var> to <i>fail</i> and jump to the step
+      return to the <i>loop</i> step. If it failed due to a failure of
+      the CORS <a href=#resource-sharing-check>resource sharing check</a>, then: if <var title="">default</var> is <i>fail</i>, then set <var title="">result</var> to <i>fail</i> and jump to the step
       labeled <i>end</i>; if <var title="">default</var> is
       <i>taint</i>, then set <var title="">result</var> to
-      <i>taint</i>, <a href=#transparently-follow-the-redirect>transparently follow the redirect</a>
-      but with the <i>manual redirect flag</i> no longer set, and
-      jump to the step labeled <i>end</i> below.</p>
+      <i>taint</i>, <a href=#transparently-follow-the-redirect>transparently follow the redirect</a> but
+      with the <i>manual redirect flag</i> no longer set, and jump to
+      the step labeled <i>end</i> below.</p>
 
       <p>Otherwise, if the resource is not available (e.g. there is
       a network error) then set <var title="">result</var> to the

diff --git a/index b/index
@@ -240,7 +240,7 @@
 
   <header class=head id=head><p><a class=logo href=http://www.whatwg.org/><img alt=WHATWG height=101 src=/images/logo width=101></a></p>
    <hgroup><h1 class=allcaps>HTML</h1>
-    <h2 class="no-num no-toc">Living Standard &mdash; Last Updated 27 January 2012</h2>
+    <h2 class="no-num no-toc">Living Standard &mdash; Last Updated 28 January 2012</h2>
    </hgroup><dl><dt><strong>Web developer edition:</strong></dt>
     <dd><strong><a href=http://developers.whatwg.org/>http://developers.whatwg.org/</a></strong></dd>
     <dt>Multiple-page version:</dt>
@@ -8459,7 +8459,9 @@ a.setAttribute('href', 'http://example.com/'); // change the content attribute d
   resource as either <dfn id=cors-same-origin>CORS-same-origin</dfn> or
   <dfn id=cors-cross-origin>CORS-cross-origin</dfn>, or blocks the resource entirely.</p>
 
-  <dl class=switch><dt>If <var title="">mode</var> is "<a href=#attr-crossorigin-none title=attr-crossorigin-none>No CORS</a>"</dt>
+  <dl class=switch><dt>If the <var title="">URL</var> has the <a href=#same-origin>same origin</a> as <var title="">origin</var></dt>
+
+   <dt>If <var title="">mode</var> is "<a href=#attr-crossorigin-none title=attr-crossorigin-none>No CORS</a>"</dt>
 
    <dd>
 
@@ -8477,18 +8479,28 @@ a.setAttribute('href', 'http://example.com/'); // change the content attribute d
      <li>
 
       <p>If the result of the <a href=#fetch>fetch</a> is a redirect, and
-      <var title="">result</var> still has no value, then apply the
-      CORS <a href=#redirect-steps>redirect steps</a>, with the CORS
+      the <var title="">mode</var> is not "<a href=#attr-crossorigin-none title=attr-crossorigin-none>No CORS</a>", and the
+      <a href=#origin>origin</a> of the target URL of the redirect is not the
+      <a href=#same-origin>same origin</a> as <var title="">origin</var>, then set
+      <var title="">URL</var> to the the target URL of the redirect
+      and return to the top of the <a href=#potentially-cors-enabled-fetch>potentially CORS-enabled
+      fetch</a> algorithm (this time, the branch below will be
+      taken, resulting in the fetch being done in a CORS-aware
+      fashion).</p>
+
+      <p>Otherwise, if the result of the <a href=#fetch>fetch</a> is a
+      redirect, and <var title="">result</var> still has no value,
+      then apply the CORS <a href=#redirect-steps>redirect steps</a>, with the CORS
       <a href=#credential-flag>credential flag</a> set to true and the <i>request
       rules</i> being that the user agent continue to follow these
       steps. If this resumes the <a href=#fetch>fetch</a> algorithm, then
-      return to the <i>loop</i> step. If it failed due to a failure
-      of the CORS <a href=#resource-sharing-check>resource sharing check</a>, then: if <var title="">default</var> is <i>fail</i>, then set <var title="">result</var> to <i>fail</i> and jump to the step
+      return to the <i>loop</i> step. If it failed due to a failure of
+      the CORS <a href=#resource-sharing-check>resource sharing check</a>, then: if <var title="">default</var> is <i>fail</i>, then set <var title="">result</var> to <i>fail</i> and jump to the step
       labeled <i>end</i>; if <var title="">default</var> is
       <i>taint</i>, then set <var title="">result</var> to
-      <i>taint</i>, <a href=#transparently-follow-the-redirect>transparently follow the redirect</a>
-      but with the <i>manual redirect flag</i> no longer set, and
-      jump to the step labeled <i>end</i> below.</p>
+      <i>taint</i>, <a href=#transparently-follow-the-redirect>transparently follow the redirect</a> but
+      with the <i>manual redirect flag</i> no longer set, and jump to
+      the step labeled <i>end</i> below.</p>
 
       <p>Otherwise, if the resource is not available (e.g. there is
       a network error) then set <var title="">result</var> to the

diff --git a/source b/source
@@ -8432,8 +8432,9 @@ is conforming depends on which specs apply, and leaves it at that. -->
 
   <dl class="switch">
 
-   <dt>If <var title="">mode</var> is "<span
-   title="attr-crossorigin-none">No CORS</span>"</dt>
+   <dt>If the <var title="">URL</var> has the <span>same origin</span> as <var title="">origin</var></dt>
+
+   <dt>If <var title="">mode</var> is "<span title="attr-crossorigin-none">No CORS</span>"</dt>
 
    <dd>
 
@@ -8453,20 +8454,31 @@ is conforming depends on which specs apply, and leaves it at that. -->
      <li>
 
       <p>If the result of the <span>fetch</span> is a redirect, and
-      <var title="">result</var> still has no value, then apply the
-      CORS <span>redirect steps</span>, with the CORS
+      the <var title="">mode</var> is not "<span
+      title="attr-crossorigin-none">No CORS</span>", and the
+      <span>origin</span> of the target URL of the redirect is not the
+      <span>same origin</span> as <var title="">origin</var>, then set
+      <var title="">URL</var> to the the target URL of the redirect
+      and return to the top of the <span>potentially CORS-enabled
+      fetch</span> algorithm (this time, the branch below will be
+      taken, resulting in the fetch being done in a CORS-aware
+      fashion).</p>
+
+      <p>Otherwise, if the result of the <span>fetch</span> is a
+      redirect, and <var title="">result</var> still has no value,
+      then apply the CORS <span>redirect steps</span>, with the CORS
       <span>credential flag</span> set to true and the <i>request
       rules</i> being that the user agent continue to follow these
       steps. If this resumes the <span>fetch</span> algorithm, then
-      return to the <i>loop</i> step. If it failed due to a failure
-      of the CORS <span>resource sharing check</span>, then: if <var
+      return to the <i>loop</i> step. If it failed due to a failure of
+      the CORS <span>resource sharing check</span>, then: if <var
       title="">default</var> is <i>fail</i>, then set <var
       title="">result</var> to <i>fail</i> and jump to the step
       labeled <i>end</i>; if <var title="">default</var> is
       <i>taint</i>, then set <var title="">result</var> to
-      <i>taint</i>, <span>transparently follow the redirect</span>
-      but with the <i>manual redirect flag</i> no longer set, and
-      jump to the step labeled <i>end</i> below.</p>
+      <i>taint</i>, <span>transparently follow the redirect</span> but
+      with the <i>manual redirect flag</i> no longer set, and jump to
+      the step labeled <i>end</i> below.</p>
 
       <p>Otherwise, if the resource is not available (e.g. there is
       a network error) then set <var title="">result</var> to the