[html5] r4011 - [] (0) Synchronise with the latest Origin spec rules and semantics. Fixing http: [...]

whatwg at whatwg.org
Mon Sep 28 16:51:10 PDT 2009


Author: ianh
Date: 2009-09-28 16:51:09 -0700 (Mon, 28 Sep 2009)
New Revision: 4011

Modified:
   index
   source
Log:
[] (0) Synchronise with the latest Origin spec rules and semantics.
Fixing http://www.w3.org/Bugs/Public/show_bug.cgi?id=7599

Modified: index
===================================================================
--- index	2009-09-28 21:00:58 UTC (rev 4010)
+++ index	2009-09-28 23:51:09 UTC (rev 4011)
@@ -5003,8 +5003,9 @@
 
   <h3 id=fetching-resources><span class=secno>2.6 </span>Fetching resources</h3>
 
-  <p>When a user agent is to <dfn id=fetch>fetch</dfn> a resource, the
-  following steps must be run:</p>
+  <p>When a user agent is to <dfn id=fetch>fetch</dfn> a resource, optionally
+  from an origin <i title="">origin</i>, the following steps must be
+  run:</p>
 
   <ol><li><p>If the resource is identified by the <a href=#url>URL</a>
    <dfn id=about:blank><code>about:blank</code></dfn>, then return the empty string
@@ -5018,11 +5019,11 @@
     and the resource is to be obtained using an idempotent action
     (such as an HTTP GET <a href=#concept-http-equivalent-get title=concept-http-equivalent-get>or
     equivalent</a>), and it is already being downloaded for other
-    reasons (e.g. another invocation of this algorithm), and the user
-    agent is configured such that it is to reuse the data from the
-    existing download instead of initiating a new one, then use the
-    results of the existing download instead of starting a new
-    one.</p>
+    reasons (e.g. another invocation of this algorithm), and this
+    request would be identical to the previous one (e.g. same <code title=http-accept>Accept</code> and <code title=http-origin>Origin</code> headers), and the user agent is
+    configured such that it is to reuse the data from the existing
+    download instead of initiating a new one, then use the results of
+    the existing download instead of starting a new one.</p>
 
     <p>Otherwise, at a time convenient to the user and the user agent,
     download (or otherwise obtain) the resource, applying the
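Review bot: The new reuse condition defines "identical to the previous one" only by example ("e.g. same Accept and Origin headers"), so which request properties have to match is left to each implementation. Because this condition is what keeps a download started for one initiating origin from being reused for a fetch initiated from another, state the comparison normatively: require at least the Origin header value to match, and keep Accept as the illustrative case.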
@@ -5052,8 +5053,13 @@
      browsing context">browsing context</a> of the <a href=#first-script>first
      script</a>.</dd>
 
-    </dl></li>
+    </dl><p>For the purposes of the <code title=http-origin>Origin</code>
+    header, if the <a href=#fetch title=fetch>fetching algorithm</a> was
+    explicitly initiated from an <i title="">origin</i>, then <i title="">the origin that initiated the HTTP request</i> is <i title="">origin</i>. Otherwise, this is <i title="">a request from
+    a "privacy-sensitive" context</i>. <a href=#refsORIGIN>[ORIGIN]</a></p>
 
+   </li>
+
    <li>
 
     <p>If there are cookies to be set, then the user agent must run
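Review bot: In the added Origin paragraph, a fetch becomes "a request from a privacy-sensitive context" purely because the caller passed no origin, so a call site that was never revisited is indistinguishable from one deliberately left without an origin. The per-call-site decision is recorded in this patch only as HTML comments such as "<!-- http-origin privacy sensitive -->", which do not appear in the rendered spec. Consider stating the default in the algorithm's opening sentence as well, and making the choice visible text at each call site.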
@@ -10550,14 +10556,13 @@
   applied (as defined below). <span class=impl>For external
   resources that are represented in the DOM (for example, style
   sheets), the DOM representation must be made available even if the
-  resource is not applied. To obtain the resource, the user agent must
-  <a href=#resolve-a-url title="resolve a url">resolve</a> the <a href=#url>URL</a>
-  given by the <code title=attr-link-href><a href=#attr-link-href>href</a></code> attribute,
-  relative to the element, and then <a href=#fetch>fetch</a> the resulting
-  <a href=#absolute-url>absolute URL</a>. User agents may opt to only
-  <a href=#fetch>fetch</a> such resources when they are needed, instead of
-  pro-actively <a href=#fetch title=fetch>fetching</a> all the external
-  resources that are not applied.</span></p>
+  resource is not applied. To <dfn id=concept-link-obtain title=concept-link-obtain>obtain
+  the resource</dfn>, the user agent must <a href=#resolve-a-url title="resolve a
+  url">resolve</a> the <a href=#url>URL</a> given by the <code title=attr-link-href><a href=#attr-link-href>href</a></code> attribute, relative to the
+  element, and then <a href=#fetch>fetch</a> the resulting <a href=#absolute-url>absolute
+  URL</a>. User agents may opt to only <a href=#fetch>fetch</a> such
+  resources when they are needed, instead of pro-actively <a href=#fetch title=fetch>fetching</a> all the external resources that are
+  not applied.</span></p> <!-- http-origin privacy sensitive -->
 
   <div class=impl>
 
@@ -10671,15 +10676,14 @@
   the given type. If the attribute is omitted, but the external
   resource link type has a default type defined, then the user agent
   must assume that the resource is of that type. If the UA does not
-  support the given <a href=#mime-type>MIME type</a> for the given link relationship, then
-  the UA should not fetch the resource; if the UA does support the
-  given <a href=#mime-type>MIME type</a> for the given link relationship, then the UA should
-  <a href=#fetch>fetch</a> the resource. If the attribute is omitted, and
-  the external resource link type does not have a default type
-  defined, but the user agent would fetch the resource if the type was
-  known and supported, then the user agent should <a href=#fetch>fetch</a>
-  the resource under the assumption that it will be
-  supported.</span></p>
+  support the given <a href=#mime-type>MIME type</a> for the given link
+  relationship, then the UA should not <a href=#concept-link-obtain title=concept-link-obtain>obtain</a> the resource; if the UA
+  does support the given <a href=#mime-type>MIME type</a> for the given link
+  relationship, then the UA should <a href=#concept-link-obtain title=concept-link-obtain>obtain</a> the resource. If the
+  attribute is omitted, and the external resource link type does not
+  have a default type defined, but the user agent would <a href=#concept-link-obtain title=concept-link-obtain>obtain</a> the resource if the type
+  was known and supported, then the user agent should <a href=#concept-link-obtain title=concept-link-obtain>obtain</a> the resource under the
+  assumption that it will be supported.</span></p>
 
   <div class=impl>
 
@@ -12117,7 +12121,9 @@
 
     <p>If the element has a <code title=attr-script-src><a href=#attr-script-src>src</a></code>
     attribute, then the value of that attribute must be <a href=#resolve-a-url title="resolve a url">resolved</a> relative to the element, and
-    if that is successful, the specified resource must then be <a href=#fetch title=fetch>fetched</a>.</p>
+    if that is successful, the specified resource must then be <a href=#fetch title=fetch>fetched</a>, from the <a href=#origin>origin</a> of the
+    element's <code>Document</code>.</p> <!-- not http-origin privacy
+    sensitive -->
 
     <p>For historical reasons, if the <a href=#url>URL</a> is a <a href=#javascript-protocol title="javascript protocol"><code title="">javascript:</code>
     URL</a>, then the user agent must not, despite the requirements
@@ -18356,7 +18362,8 @@
   user agent must <a href=#resolve-a-url title="resolve a url">resolve</a> the value
   of that attribute, relative to the element, and if that is
   successful must then <a href=#fetch>fetch</a> that resource.</p> <!-- Note
-  how this does NOT happen when the base URL changes. -->
+  how this does NOT happen when the base URL changes. --> <!--
+  http-origin privacy sensitive -->
 
   <p>The <code title=attr-img-src><a href=#attr-img-src>src</a></code> attribute's value is an
   <i>ignored self-reference</i> if its value is the empty string, and
@@ -20257,7 +20264,9 @@
     the value of the element's <code title=attr-embed-src><a href=#attr-embed-src>src</a></code>
     attribute, relative to the element. If that is successful, the
     user agent should <a href=#fetch>fetch</a> the resulting <a href=#absolute-url>absolute
-    URL</a>. The <a href=#concept-task title=concept-task>task</a> that is
+    URL</a>, from the element's <a href=#browsing-context-scope-origin>browsing context scope
+    origin</a> if it has one<!-- potentially http-origin privacy
+    sensitive -->. The <a href=#concept-task title=concept-task>task</a> that is
     <a href=#queue-a-task title="queue a task">queued</a> by the <a href=#networking-task-source>networking
     task source</a> once the resource has been <a href=#fetch title=fetch>fetched</a> must find and instantiate an
     appropriate <a href=#plugin>plugin</a> based on the <a href=#concept-embed-type title=concept-embed-type>content's type</a>, and hand that
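Review bot: "from the element's browsing context scope origin if it has one" does not say what happens when the element has none. The intent appears to be that fetch is then invoked with no origin and the request is treated as privacy-sensitive under the paragraph added to the fetching algorithm, but the reader has to infer that from the "potentially http-origin privacy sensitive" comment. Spell out the fallback here, since the same phrase is reused in later hunks.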
@@ -20558,7 +20567,9 @@
       element.</p>
 
       <p>If that is successful, <a href=#fetch>fetch</a> the resulting
-      <a href=#absolute-url>absolute URL</a>.</p>
+      <a href=#absolute-url>absolute URL</a>, from the element's <a href=#browsing-context-scope-origin>browsing
+      context scope origin</a> if it has one<!-- potentially
+      http-origin privacy sensitive -->.</p>
 
       <!-- similar text in various places -->
       <p>Fetching the resource must <a href=#delay-the-load-event>delay the load event</a>
@@ -21051,10 +21062,12 @@
   or when the <code title=attr-video-poster><a href=#attr-video-poster>poster</a></code> attribute
   is set, its value must be <a href=#resolve-a-url title="resolve a
   url">resolved</a> relative to the element, and if that is
-  successful, the resulting <a href=#absolute-url>absolute URL</a> must be <a href=#fetch title=fetch>fetched</a>; this must <a href=#delay-the-load-event>delay the load
-  event</a> of the element's document. The <dfn id=poster-frame>poster frame</dfn>
-  is then the image obtained from that resource, if any.</span></p>
-  <!-- thus it is unaffected by changes to the base URL. -->
+  successful, the resulting <a href=#absolute-url>absolute URL</a> must be <a href=#fetch title=fetch>fetched</a>, from the element's
+  <code>Document</code>'s <a href=#origin>origin</a>; this must <a href=#delay-the-load-event>delay
+  the load event</a> of the element's document. The <dfn id=poster-frame>poster
+  frame</dfn> is then the image obtained from that resource, if
+  any.</span></p> <!-- thus it is unaffected by changes to the base
+  URL. -->
 
   <p class=note>The image given by the <code title=attr-video-poster><a href=#attr-video-poster>poster</a></code> attribute, the <i><a href=#poster-frame>poster
   frame</a></i>, is intended to be a representative frame of the video
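Review bot: The poster image is now fetched "from the element's Document's origin", while the img src fetch in the earlier hunk gets no origin and is annotated "http-origin privacy sensitive". Both are image loads triggered by an attribute, so the different treatment needs a stated reason. This is also the only fetch call site touched by the patch that carries no privacy-sensitivity comment; add one, in the style of the "not http-origin privacy sensitive (looking forward to CORS here)" comment on the media resource fetch.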
@@ -22296,7 +22309,9 @@
    <li>
 
     <p>Begin to <a href=#fetch>fetch</a> the <var title="">current media
-    resource</var>.</p>
+    resource</var>, from the <a href=#media-element>media element</a>'s
+    <code>Document</code>'s <a href=#origin>origin</a>.</p> <!-- not
+    http-origin privacy sensitive (looking forward to CORS here) -->
 
     <p>Every 350ms (±200ms) or for every byte received, whichever
     is <em>least</em> frequent, <a href=#queue-a-task>queue a task</a> to
@@ -34676,7 +34691,8 @@
   <code title=attr-input-src><a href=#attr-input-src>src</a></code> attribute, relative to the
   element, and if that is successful, must <a href=#fetch>fetch</a> the
   resulting <a href=#absolute-url>absolute URL</a>:</p> <!-- Note how this does NOT
-  happen when the base URL changes. -->
+  happen when the base URL changes. --> <!-- http-origin privacy
+  sensitive -->
 
   <ul><li>The <code><a href=#the-input-element>input</a></code> element's <code title=attr-input-type><a href=#attr-input-type>type</a></code> attribute is first set to the
    <a href=#image-button-state title=attr-input-type-image>Image Button</a> state
@@ -42341,14 +42357,15 @@
    <dd>Append the command to the menu, respecting its <a href=#concept-facet title=concept-facet>facets</a><!-- we might need to be
    explicit about what this means for each facet, if testing shows
    this isn't well-implemented. e.g.: If there's an Icon facet for the
-   command, it should be <span title="fetch">fetched</span>, and then
-   that image should be associated with the command, such that each
-   command only has its image fetched once, to prevent changes to the
-   base URL from having effects after the image has been fetched
-   once. (no need to resolve the Icon facet, it's an absolute URL)
-   -->. <!--If the element is a <code>command</code> element with a
-   <code title="attr-command-default">default</code> attribute, mark
-   the command as being a default command.--></dd>
+   command, it should be <span title="fetch">fetched</span> (this
+   would be http-origin privacy-sensitive), and then that image should
+   be associated with the command, such that each command only has its
+   image fetched once, to prevent changes to the base URL from having
+   effects after the image has been fetched once. (no need to resolve
+   the Icon facet, it's an absolute URL) -->. <!--If the element is a
+   <code>command</code> element with a <code
+   title="attr-command-default">default</code> attribute, mark the
+   command as being a default command.--></dd>
 
 
    <dt>An <code><a href=#the-hr-element>hr</a></code> element</dt>
@@ -48227,9 +48244,19 @@
    document</a> of <var title="">A</var> (possibly in fact being
    <var title="">A</var> itself).</li>
 
-  </ul></div>
+  </ul><hr><p>An element has a <dfn id=browsing-context-scope-origin>browsing context scope origin</dfn> if its
+  <code>Document</code>'s <a href=#browsing-context>browsing context</a> is a
+  <a href=#top-level-browsing-context>top-level browsing context</a> or if all of its
+  <code>Document</code>'s <a href=#ancestor-browsing-context title="ancestor browsing
+  context">ancestor browsing contexts</a> all have <a href=#active-document title="active document">active documents</a> whose
+  <a href=#origin>origin</a> are the <a href=#same-origin>same origin</a> as the
+  element's <code>Document</code>'s <a href=#origin>origin</a>. If an element
+  has a <a href=#browsing-context-scope-origin>browsing context scope origin</a>, then its value is
+  the <a href=#origin>origin</a> of the element's <code>Document</code>.</p>
 
+  </div>
 
+
   <div class=impl>
 
   <h4 id=groupings-of-browsing-contexts><span class=secno>6.1.5 </span>Groupings of browsing contexts</h4>
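Review bot: The definition of "browsing context scope origin" reads "if all of its Document's ancestor browsing contexts all have active documents whose origin are the same origin", with a doubled "all" and a number mismatch in "origin are". Suggest "if every one of its Document's ancestor browsing contexts has an active document whose origin is the same origin as the element's Document's origin". A short example would help too: by this wording an element has no browsing context scope origin when any ancestor is cross-origin, even if its immediate parent is same-origin.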
@@ -52709,7 +52736,9 @@
    <li>
 
     <p><i>Fetching the manifest</i>: <a href=#fetch>Fetch</a> the resource
-    from <var title="">manifest URL</var>, and let <var title="">manifest</var> be that resource.</p>
+    from <var title="">manifest URL</var>, and let <var title="">manifest</var> be that resource.</p> <!-- http-origin
+    privacy sensitive, though it doesn't matter, since this can never
+    be cross-origin -->
 
     <p>If the resource is labeled with the <a href=#mime-type>MIME type</a>
     <code><a href=#text/cache-manifest>text/cache-manifest</a></code>, parse <var title="">manifest</var> according to the <a href=#parse-a-manifest title="parse a
@@ -52922,18 +52951,20 @@
 
      <li>
 
-      <p><a href=#fetch>Fetch</a> the resource. If this is an <a href=#concept-appcache-upgrade title=concept-appcache-upgrade>upgrade attempt</a>, then
-      use the <a href=#concept-appcache-newer title=concept-appcache-newer>newest</a>
-      <a href=#application-cache>application cache</a> in <var title="">cache
-      group</var> as an HTTP cache, and honor HTTP caching semantics
-      (such as expiration, ETags, and so forth) with respect to that
-      cache. User agents may also have other caches in place that are
-      also honored.</p>
+      <p><a href=#fetch>Fetch</a> the resource, from the <a href=#origin>origin</a>
+      of the <a href=#url>URL</a> <var title="">manifest URL</var>. If
+      this is an <a href=#concept-appcache-upgrade title=concept-appcache-upgrade>upgrade
+      attempt</a>, then use the <a href=#concept-appcache-newer title=concept-appcache-newer>newest</a> <a href=#application-cache>application
+      cache</a> in <var title="">cache group</var> as an HTTP
+      cache, and honor HTTP caching semantics (such as expiration,
+      ETags, and so forth) with respect to that cache. User agents may
+      also have other caches in place that are also honored.</p> <!--
+      not http-origin privacy sensitive -->
 
       <p class=note>If the resource in question is already being
       downloaded for other reasons then the existing download process
-      can be used for the purposes of this step, as defined by the
-      <a href=#fetch title=fetch>fetching</a> algorithm.</p>
+      can sometimes be used for the purposes of this step, as defined
+      by the <a href=#fetch title=fetch>fetching</a> algorithm.</p>
 
       <p class=example>An example of a resource that might already
       be being downloaded is a large image on a Web page that is being
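Review bot: The note now says the existing download "can sometimes be used" without saying when. The governing condition is the one this revision adds to the fetching algorithm (the request "would be identical to the previous one (e.g. same Accept and Origin headers)"), so name it here. Also check the example that follows: the step now fetches "from the origin of the URL manifest URL", whereas the img fetch is annotated as privacy-sensitive and given no origin, so a large image already being downloaded by a page may no longer count as an identical request.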
@@ -53088,7 +53119,8 @@
 
     <p><a href=#fetch>Fetch</a> the resource from <var title="">manifest
     URL</var> again, and let <var title="">second manifest</var> be
-    that resource.</p>
+    that resource.</p> <!-- http-origin privacy sensitive, though it
+    doesn't matter, since this can never be cross-origin -->
 
    </li>
 
@@ -54464,26 +54496,29 @@
 
     <p>Otherwise, <a href=#fetch>fetch</a> the new resource, if it has not
     already been obtained<!-- it's obtained by <object>, for instance
-    -->. If the resource is being fetched using HTTP, and the method
-    is not GET<!-- or HEAD (but that can't happen) -->, then the user
-    agent must include an <code title=http-origin>Origin</code>
-    header whose value is determined as follows:</p>
+    -->.</p>
 
-    <dl class=switch><dt>If the <a href=#navigate title=navigate>navigation</a> algorithm has
-     so far contacted more than one <a href=#origin>origin</a></dt>
-     <dt>If there is no <a href=#source-browsing-context>source browsing context</a></dt>
+    <p>If the resource is being fetched using a method other than one
+    <a href=#concept-http-equivalent-get title=concept-http-equivalent-get>equivalent to</a>
+    HTTP's GET<!-- or HEAD (but that can't happen) -->, or, if the
+    <a href=#navigate title=navigate>navigation algorithm</a> was invoked as
+    a result of the <a href=#concept-form-submit title=concept-form-submit>form submission
+    algorithm</a>, then the <a href=#fetch title=fetch>fetching
+    algorithm</a> must be invoked from the <a href=#origin>origin</a> of
+    the <a href=#active-document>active document</a> of the <a href=#source-browsing-context>source browsing
+    context</a>, if any.</p> <!-- potentially http-origin privacy
+    sensitive -->
 
-     <dd>The value must be the string "<code title="">null</code>".</dd>
+    <p>If the <a href=#browsing-context>browsing context</a> being navigated is a
+    <a href=#child-browsing-context>child browsing context</a> for an <code><a href=#the-iframe-element>iframe</a></code> or
+    <code><a href=#the-object-element>object</a></code> element, then the <a href=#fetch title=fetch>fetching
+    algorithm</a> must be invoked from the <code><a href=#the-iframe-element>iframe</a></code> or
+    <code><a href=#the-object-element>object</a></code> element's <a href=#browsing-context-scope-origin>browsing context scope
+    origin</a>, if it has one.</p> <!-- potentially http-origin
+    privacy sensitive -->
 
-     <dt>Otherwise</dt>
+   </li>
 
-     <dd>The value must be the <a href=#ascii-serialization-of-an-origin title="ASCII serialization of an
-     origin">ASCII serialization</a> of the <a href=#origin>origin</a> of
-     the <a href=#active-document>active document</a> of the <a href=#source-browsing-context>source browsing
-     context</a> at the time the navigation was started.</dd>
-
-    </dl></li>
-
    <li>
 
     <p>If fetching the resource is synchronous (i.e. for <a href=#javascript-protocol title="javascript protocol"><code title="">javascript:</code>
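Review bot: The two added paragraphs can both apply to a single navigation (a form submission that targets an iframe) and they name different origins: the active document of the source browsing context in the first, the iframe or object element's browsing context scope origin in the second. State which one takes precedence. Two details from the removed text are also no longer said in this step: that the origin is taken "at the time the navigation was started", and that the value is "null" once the navigation "has so far contacted more than one origin". If the second is now delegated to [ORIGIN], add a cross-reference so the redirect case does not look dropped.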
@@ -55429,7 +55464,9 @@
   <a href=#fetch title=fetch>fetching</a> the specified URLs using the
   POST method, with an entity body with the <a href=#mime-type>MIME type</a>
   <code><a href=#text/ping>text/ping</a></code> consisting of the four-character string
-  "<code title="">PING</code>". All relevant cookie and HTTP
+  "<code title="">PING</code>", from the <a href=#origin>origin</a> of the
+  <code>Document</code> containing the <a href=#hyperlink>hyperlink</a>. <!--
+  not http-origin privacy sensitive --> All relevant cookie and HTTP
   authentication headers must be included in the request. Which other
   headers are required depends on the URLs involved.</p>
 
@@ -55466,13 +55503,7 @@
    nor include a <code title=http-ping-from>Ping-From</code> HTTP
    header.</dd>
 
-  </dl><p>In addition, an <code title=http-origin>Origin</code> header
-  must always be included, whose value is the <a href=#ascii-serialization-of-an-origin title="ASCII
-  serialization of an origin">ASCII serialization</a> of the
-  <a href=#origin>origin</a> of the <code>Document</code> containing the
-  <a href=#hyperlink>hyperlink</a>.</p>
-
-  <p class=note>To save bandwidth, implementors might also wish to
+  </dl><p class=note>To save bandwidth, implementors might also wish to
   consider omitting optional headers such as <code>Accept</code> from
   these requests.</p>
 
@@ -74053,8 +74084,10 @@
   its <a href=#fallback-content>fallback content</a>, the element must be ignored (it
   represents nothing).</p>
 
-  <p>Otherwise, <span class=XXX>define how the element works,
-  if supported</span>.</p> <!-- remember to delay the laod event -->
+  <p>Otherwise, <span class=XXX>define how the element works, if
+  supported</span>.</p> <!-- remember to delay the load event --> <!--
+  remember to include ", from the element's <span>browsing context
+  scope origin</span> if it has one" when fetching -->
 
   <p>The <code><a href=#the-applet-element>applet</a></code> element must implement the
   <code><a href=#htmlappletelement>HTMLAppletElement</a></code> interface.</p>
@@ -74651,7 +74684,8 @@
 
    <li><p>For each token that is successfully resolved,
    <a href=#fetch>fetch</a> the resulting <a href=#absolute-url>absolute URL</a> and
-   apply the appropriate processing.</li>
+   apply the appropriate processing.</li> <!-- http-origin privacy
+   sensitive -->
 
   </ol><p>The <dfn id=dom-head-profile title=dom-head-profile><code>profile</code></dfn> IDL
   attribute of the <code><a href=#the-head-element-0>head</a></code> element must <a href=#reflect>reflect</a>
@@ -75871,6 +75905,11 @@
    in HTML/XHTML</a></cite>. In <cite>OpenSearch 1.1 Draft 4</cite>,
    Section 4.6.2. OpenSearch.org.</dd>
 
+   <dt id=refsORIGIN>[ORIGIN]</dt>
+   <dd><cite><a href=http://tools.ietf.org/html/draft-abarth-origin>The HTTP
+   Origin Header</a></cite>, A. Barth, C. Jackson, I. Hickson. IETF,
+   September 2009.</dd>
+
    <dt id=refsPINGBACK>[PINGBACK]</dt>
    <dd><cite><a href=http://www.hixie.ch/specs/pingback/pingback>Pingback
    1.0</a></cite>, S. Langridge, I. Hickson. January 2007.</dd>
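Review bot: The new [ORIGIN] entry links to http://tools.ietf.org/html/draft-abarth-origin with no draft version, while the fetching algorithm now borrows two of that draft's terms verbatim ("the origin that initiated the HTTP request" and "a request from a privacy-sensitive context"). If a later draft renames either term, the normative text here no longer resolves to a definition. Pin the reference to the draft revision this text was synchronised with.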

Modified: source
===================================================================
--- source	2009-09-28 21:00:58 UTC (rev 4010)
+++ source	2009-09-28 23:51:09 UTC (rev 4011)
@@ -4662,8 +4662,9 @@
 
   <h3>Fetching resources</h3>
 
-  <p>When a user agent is to <dfn>fetch</dfn> a resource, the
-  following steps must be run:</p>
+  <p>When a user agent is to <dfn>fetch</dfn> a resource, optionally
+  from an origin <i title="">origin</i>, the following steps must be
+  run:</p>
 
   <ol>
 
@@ -4679,11 +4680,13 @@
     and the resource is to be obtained using an idempotent action
     (such as an HTTP GET <span title="concept-http-equivalent-get">or
     equivalent</span>), and it is already being downloaded for other
-    reasons (e.g. another invocation of this algorithm), and the user
-    agent is configured such that it is to reuse the data from the
-    existing download instead of initiating a new one, then use the
-    results of the existing download instead of starting a new
-    one.</p>
+    reasons (e.g. another invocation of this algorithm), and this
+    request would be identical to the previous one (e.g. same <code
+    title="http-accept">Accept</code> and <code
+    title="http-origin">Origin</code> headers), and the user agent is
+    configured such that it is to reuse the data from the existing
+    download instead of initiating a new one, then use the results of
+    the existing download instead of starting a new one.</p>
 
     <p>Otherwise, at a time convenient to the user and the user agent,
     download (or otherwise obtain) the resource, applying the
@@ -4719,6 +4722,14 @@
 
     </dl>
 
+    <p>For the purposes of the <code title="http-origin">Origin</code>
+    header, if the <span title="fetch">fetching algorithm</span> was
+    explicitly initiated from an <i title="">origin</i>, then <i
+    title="">the origin that initiated the HTTP request</i> is <i
+    title="">origin</i>. Otherwise, this is <i title="">a request from
+    a "privacy-sensitive" context</i>. <a
+    href="#refsORIGIN">[ORIGIN]</a></p>
+
    </li>
 
    <li>
@@ -11019,14 +11030,15 @@
   applied (as defined below). <span class="impl">For external
   resources that are represented in the DOM (for example, style
   sheets), the DOM representation must be made available even if the
-  resource is not applied. To obtain the resource, the user agent must
-  <span title="resolve a url">resolve</span> the <span>URL</span>
-  given by the <code title="attr-link-href">href</code> attribute,
-  relative to the element, and then <span>fetch</span> the resulting
-  <span>absolute URL</span>. User agents may opt to only
-  <span>fetch</span> such resources when they are needed, instead of
-  pro-actively <span title="fetch">fetching</span> all the external
-  resources that are not applied.</span></p>
+  resource is not applied. To <dfn title="concept-link-obtain">obtain
+  the resource</dfn>, the user agent must <span title="resolve a
+  url">resolve</span> the <span>URL</span> given by the <code
+  title="attr-link-href">href</code> attribute, relative to the
+  element, and then <span>fetch</span> the resulting <span>absolute
+  URL</span>. User agents may opt to only <span>fetch</span> such
+  resources when they are needed, instead of pro-actively <span
+  title="fetch">fetching</span> all the external resources that are
+  not applied.</span></p> <!-- http-origin privacy sensitive -->
 
   <div class="impl">
 
@@ -11161,15 +11173,18 @@
   the given type. If the attribute is omitted, but the external
   resource link type has a default type defined, then the user agent
   must assume that the resource is of that type. If the UA does not
-  support the given <span>MIME type</span> for the given link relationship, then
-  the UA should not fetch the resource; if the UA does support the
-  given <span>MIME type</span> for the given link relationship, then the UA should
-  <span>fetch</span> the resource. If the attribute is omitted, and
-  the external resource link type does not have a default type
-  defined, but the user agent would fetch the resource if the type was
-  known and supported, then the user agent should <span>fetch</span>
-  the resource under the assumption that it will be
-  supported.</span></p>
+  support the given <span>MIME type</span> for the given link
+  relationship, then the UA should not <span
+  title="concept-link-obtain">obtain</span> the resource; if the UA
+  does support the given <span>MIME type</span> for the given link
+  relationship, then the UA should <span
+  title="concept-link-obtain">obtain</span> the resource. If the
+  attribute is omitted, and the external resource link type does not
+  have a default type defined, but the user agent would <span
+  title="concept-link-obtain">obtain</span> the resource if the type
+  was known and supported, then the user agent should <span
+  title="concept-link-obtain">obtain</span> the resource under the
+  assumption that it will be supported.</span></p>
 
   <div class="impl">
 
@@ -12829,7 +12844,9 @@
     attribute, then the value of that attribute must be <span
     title="resolve a url">resolved</span> relative to the element, and
     if that is successful, the specified resource must then be <span
-    title="fetch">fetched</span>.</p>
+    title="fetch">fetched</span>, from the <span>origin</span> of the
+    element's <code>Document</code>.</p> <!-- not http-origin privacy
+    sensitive -->
 
     <p>For historical reasons, if the <span>URL</span> is a <span
     title="javascript protocol"><code title="">javascript:</code>
@@ -19644,7 +19661,8 @@
   user agent must <span title="resolve a url">resolve</span> the value
   of that attribute, relative to the element, and if that is
   successful must then <span>fetch</span> that resource.</p> <!-- Note
-  how this does NOT happen when the base URL changes. -->
+  how this does NOT happen when the base URL changes. --> <!--
+  http-origin privacy sensitive -->
 
   <p>The <code title="attr-img-src">src</code> attribute's value is an
   <i>ignored self-reference</i> if its value is the empty string, and
@@ -21716,7 +21734,9 @@
     the value of the element's <code title="attr-embed-src">src</code>
     attribute, relative to the element. If that is successful, the
     user agent should <span>fetch</span> the resulting <span>absolute
-    URL</span>. The <span title="concept-task">task</span> that is
+    URL</span>, from the element's <span>browsing context scope
+    origin</span> if it has one<!-- potentially http-origin privacy
+    sensitive -->. The <span title="concept-task">task</span> that is
     <span title="queue a task">queued</span> by the <span>networking
     task source</span> once the resource has been <span
     title="fetch">fetched</span> must find and instantiate an
@@ -22048,7 +22068,9 @@
       element.</p>
 
       <p>If that is successful, <span>fetch</span> the resulting
-      <span>absolute URL</span>.</p>
+      <span>absolute URL</span>, from the element's <span>browsing
+      context scope origin</span> if it has one<!-- potentially
+      http-origin privacy sensitive -->.</p>
 
       <!-- similar text in various places -->
       <p>Fetching the resource must <span>delay the load event</span>
@@ -22592,10 +22614,12 @@
   is set, its value must be <span title="resolve a
   url">resolved</span> relative to the element, and if that is
   successful, the resulting <span>absolute URL</span> must be <span
-  title="fetch">fetched</span>; this must <span>delay the load
-  event</span> of the element's document. The <dfn>poster frame</dfn>
-  is then the image obtained from that resource, if any.</span></p>
-  <!-- thus it is unaffected by changes to the base URL. -->
+  title="fetch">fetched</span>, from the element's
+  <code>Document</code>'s <span>origin</span>; this must <span>delay
+  the load event</span> of the element's document. The <dfn>poster
+  frame</dfn> is then the image obtained from that resource, if
+  any.</span></p> <!-- thus it is unaffected by changes to the base
+  URL. -->
 
   <p class="note">The image given by the <code
   title="attr-video-poster">poster</code> attribute, the <i>poster
@@ -24053,7 +24077,9 @@
    <li>
 
     <p>Begin to <span>fetch</span> the <var title="">current media
-    resource</var>.</p>
+    resource</var>, from the <span>media element</span>'s
+    <code>Document</code>'s <span>origin</span>.</p> <!-- not
+    http-origin privacy sensitive (looking forward to CORS here) -->
 
     <p>Every 350ms (&#xB1;200ms) or for every byte received, whichever
     is <em>least</em> frequent, <span>queue a task</span> to
@@ -38564,7 +38590,8 @@
   <code title="attr-input-src">src</code> attribute, relative to the
   element, and if that is successful, must <span>fetch</span> the
   resulting <span>absolute URL</span>:</p> <!-- Note how this does NOT
-  happen when the base URL changes. -->
+  happen when the base URL changes. --> <!-- http-origin privacy
+  sensitive -->
 
   <ul>
 
@@ -47238,14 +47265,15 @@
    title="concept-facet">facets</span><!-- we might need to be
    explicit about what this means for each facet, if testing shows
    this isn't well-implemented. e.g.: If there's an Icon facet for the
-   command, it should be <span title="fetch">fetched</span>, and then
-   that image should be associated with the command, such that each
-   command only has its image fetched once, to prevent changes to the
-   base URL from having effects after the image has been fetched
-   once. (no need to resolve the Icon facet, it's an absolute URL)
-   -->. <!--If the element is a <code>command</code> element with a
-   <code title="attr-command-default">default</code> attribute, mark
-   the command as being a default command.--></dd>
+   command, it should be <span title="fetch">fetched</span> (this
+   would be http-origin privacy-sensitive), and then that image should
+   be associated with the command, such that each command only has its
+   image fetched once, to prevent changes to the base URL from having
+   effects after the image has been fetched once. (no need to resolve
+   the Icon facet, it's an absolute URL) -->. <!--If the element is a
+   <code>command</code> element with a <code
+   title="attr-command-default">default</code> attribute, mark the
+   command as being a default command.--></dd>
 
 
    <dt>An <code>hr</code> element</dt>
@@ -54416,6 +54444,19 @@
 
   </ul>
 
+  <hr>
+
+  <p>An element has a <dfn>browsing context scope origin</dfn> if its
+  <code>Document</code>'s <span>browsing context</span> is a
+  <span>top-level browsing context</span> or if all of its
+  <code>Document</code>'s <span title="ancestor browsing
+  context">ancestor browsing contexts</span> all have <span
+  title="active document">active documents</span> whose
+  <span>origin</span> are the <span>same origin</span> as the
+  element's <code>Document</code>'s <span>origin</span>. If an element
+  has a <span>browsing context scope origin</span>, then its value is
+  the <span>origin</span> of the element's <code>Document</code>.</p>
+
   </div>
 
 
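Review bot: the new definition reads "if all of its Document's ancestor browsing contexts all have active documents whose origin are the same origin", which repeats "all" and pairs a singular "origin" with "are". Suggest "if all of its Document's ancestor browsing contexts have active documents whose origins are the same origin as ...". Because this definition decides which origin an iframe or object fetch is attributed to, it is also worth stating what a caller does when the element has no browsing context scope origin; the navigation hunk only says "if it has one".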
@@ -59591,7 +59632,9 @@
 
     <p><i>Fetching the manifest</i>: <span>Fetch</span> the resource
     from <var title="">manifest URL</var>, and let <var
-    title="">manifest</var> be that resource.</p>
+    title="">manifest</var> be that resource.</p> <!-- http-origin
+    privacy sensitive, though it doesn't matter, since this can never
+    be cross-origin -->
 
     <p>If the resource is labeled with the <span>MIME type</span>
     <code>text/cache-manifest</code>, parse <var
@@ -59850,19 +59893,21 @@
 
      <li>
 
-      <p><span>Fetch</span> the resource. If this is an <span
-      title="concept-appcache-upgrade">upgrade attempt</span>, then
-      use the <span title="concept-appcache-newer">newest</span>
-      <span>application cache</span> in <var title="">cache
-      group</var> as an HTTP cache, and honor HTTP caching semantics
-      (such as expiration, ETags, and so forth) with respect to that
-      cache. User agents may also have other caches in place that are
-      also honored.</p>
+      <p><span>Fetch</span> the resource, from the <span>origin</span>
+      of the <span>URL</span> <var title="">manifest URL</var>. If
+      this is an <span title="concept-appcache-upgrade">upgrade
+      attempt</span>, then use the <span
+      title="concept-appcache-newer">newest</span> <span>application
+      cache</span> in <var title="">cache group</var> as an HTTP
+      cache, and honor HTTP caching semantics (such as expiration,
+      ETags, and so forth) with respect to that cache. User agents may
+      also have other caches in place that are also honored.</p> <!--
+      not http-origin privacy sensitive -->
 
       <p class="note">If the resource in question is already being
       downloaded for other reasons then the existing download process
-      can be used for the purposes of this step, as defined by the
-      <span title="fetch">fetching</span> algorithm.</p>
+      can sometimes be used for the purposes of this step, as defined
+      by the <span title="fetch">fetching</span> algorithm.</p>
 
       <p class="example">An example of a resource that might already
       be being downloaded is a large image on a Web page that is being
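Review bot: "from the origin of the URL manifest URL" reads as a doubled word because `<span>URL</span>` sits directly before `<var>manifest URL</var>`; "from the origin of manifest URL" would be enough. The note's change from "can be used" to "can sometimes be used" leaves the condition unstated. The reuse rule in the fetching algorithm now requires the request to be identical (e.g. same Accept and Origin headers), and saying so here would explain when this step gets its own download.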
@@ -60045,7 +60090,8 @@
 
     <p><span>Fetch</span> the resource from <var title="">manifest
     URL</var> again, and let <var title="">second manifest</var> be
-    that resource.</p>
+    that resource.</p> <!-- http-origin privacy sensitive, though it
+    doesn't matter, since this can never be cross-origin -->
 
    </li>
 
@@ -61662,28 +61708,27 @@
 
     <p>Otherwise, <span>fetch</span> the new resource, if it has not
     already been obtained<!-- it's obtained by <object>, for instance
-    -->. If the resource is being fetched using HTTP, and the method
-    is not GET<!-- or HEAD (but that can't happen) -->, then the user
-    agent must include an <code title="http-origin">Origin</code>
-    header whose value is determined as follows:</p>
+    -->.</p>
 
-    <dl class="switch">
+    <p>If the resource is being fetched using a method other than one
+    <span title="concept-http-equivalent-get">equivalent to</span>
+    HTTP's GET<!-- or HEAD (but that can't happen) -->, or, if the
+    <span title="navigate">navigation algorithm</span> was invoked as
+    a result of the <span title="concept-form-submit">form submission
+    algorithm</span>, then the <span title="fetch">fetching
+    algorithm</span> must be invoked from the <span>origin</span> of
+    the <span>active document</span> of the <span>source browsing
+    context</span>, if any.</p> <!-- potentially http-origin privacy
+    sensitive -->
 
-     <dt>If the <span title="navigate">navigation</span> algorithm has
-     so far contacted more than one <span>origin</span></dt>
-     <dt>If there is no <span>source browsing context</span></dt>
+    <p>If the <span>browsing context</span> being navigated is a
+    <span>child browsing context</span> for an <code>iframe</code> or
+    <code>object</code> element, then the <span title="fetch">fetching
+    algorithm</span> must be invoked from the <code>iframe</code> or
+    <code>object</code> element's <span>browsing context scope
+    origin</span>, if it has one.</p> <!-- potentially http-origin
+    privacy sensitive -->
 
-     <dd>The value must be the string "<code title="">null</code>".</dd>
-
-     <dt>Otherwise</dt>
-
-     <dd>The value must be the <span title="ASCII serialization of an
-     origin">ASCII serialization</span> of the <span>origin</span> of
-     the <span>active document</span> of the <span>source browsing
-     context</span> at the time the navigation was started.</dd>
-
-    </dl>
-
    </li>
 
    <li>
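Review bot: the two new paragraphs can both apply to one navigation (a form submission or other non-GET request that navigates the child browsing context of an iframe), and they name different origins: the source browsing context's active document in the first, the element's browsing context scope origin in the second. The text should say which one takes precedence. The removed `<dl>` also specified the "null" value when the navigation has contacted more than one origin, and the "at the time the navigation was started" qualifier; neither appears in the replacement, so if they are now left to [ORIGIN] a note saying so would help. Minor: "or, if the" has a stray comma.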
@@ -64644,7 +64689,9 @@
   <span title="fetch">fetching</span> the specified URLs using the
   POST method, with an entity body with the <span>MIME type</span>
   <code>text/ping</code> consisting of the four-character string
-  "<code title="">PING</code>". All relevant cookie and HTTP
+  "<code title="">PING</code>", from the <span>origin</span> of the
+  <code>Document</code> containing the <span>hyperlink</span>. <!--
+  not http-origin privacy sensitive --> All relevant cookie and HTTP
   authentication headers must be included in the request. Which other
   headers are required depends on the URLs involved.</p>
 
@@ -64690,12 +64737,6 @@
 
   </dl>
 
-  <p>In addition, an <code title="http-origin">Origin</code> header
-  must always be included, whose value is the <span title="ASCII
-  serialization of an origin">ASCII serialization</span> of the
-  <span>origin</span> of the <code>Document</code> containing the
-  <span>hyperlink</span>.</p>
-
   <p class="note">To save bandwidth, implementors might also wish to
   consider omitting optional headers such as <code>Accept</code> from
   these requests.</p>
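Review bot: deleting the "an Origin header must always be included" paragraph leaves this section with no direct statement about the Origin header on pings; the requirement now follows only from the "from the origin of the Document containing the hyperlink" clause added in the previous hunk. Since the remaining text still says "Which other headers are required depends on the URLs involved", a short note that the Origin header is governed by the fetching algorithm would keep readers from concluding it is optional.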
@@ -71065,9 +71106,9 @@
 
   <p>When a user agent is to <dfn>run a worker</dfn> for a script with
   <span>URL</span> <var title="">url</var>, a browsing context <var
-  title="">owner browsing context</var>, and with global scope <var
-  title="">worker global scope</var>, it must run the following
-  steps:</p>
+  title="">owner browsing context</var>, an origin <var title="">owner
+  origin</var>, and with global scope <var title="">worker global
+  scope</var>, it must run the following steps:</p>
 
   <ol>
 
@@ -71094,7 +71135,8 @@
    <li>
 
     <p>Attempt to <span>fetch</span> the resource identified by <var
-    title="">url</var>.</p>
+    title="">url</var>, from the <var title="">owner origin</var>.</p>
+    <!-- not http-origin privacy sensitive -->
 
     <p>If the attempt fails, or if the attempt involves any redirects
     to URIs that do not have the <span>same origin</span> as <var
@@ -71533,9 +71575,8 @@
 
     <p>If the <span>origin</span> of the resulting <span>absolute
     URL</span> is not the <span title="same origin">same</span> as the
-    origin of the <span title="concept-script">script</span> that
-    invoked the constructor, then throw a <span>security
-    exception</span>.</p>
+    origin of the <span>first script</span>, then throw a
+    <span>security exception</span>.</p>
 
     <p class="note">Thus, scripts must be external files with the same
     scheme as the original page: you can't load a script from a <code
@@ -71619,8 +71660,9 @@
     <p><span>Run a worker</span> for the resulting <span>absolute
     URL</span>, with the <span>script browsing context</span> of the
     script that invoked the method as the <var title="">owner browsing
-    context</var>, and with <var title="">worker global scope</var> as
-    the global scope.</p>
+    context</var>, with the <span>origin</span> of the <span>first
+    script</span> as the <var title="">owner origin</var>, and with
+    <var title="">worker global scope</var> as the global scope.</p>
 
    </li>
 
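Review bot: the rewritten sentence identifies two of its arguments differently: the owner browsing context still comes from "the script that invoked the method", while the owner origin comes from "the first script". If these can be different scripts, the worker's browsing context and origin could disagree; if they cannot, use one term for both. The same wording is repeated in the later `scriptURL` hunk and should change with it.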
@@ -71667,7 +71709,7 @@
 
     <p>If the <span>origin</span> of <var title="">scriptURL</var> is
     not the <span title="same origin">same</span> as the origin of the
-    script that invoked the constructor, then throw a <span>security
+    <span>first script</span>, then throw a <span>security
     exception</span>.</p>
 
     <p class="note">Thus, scripts must be external files with the same
@@ -71863,8 +71905,9 @@
     <p><span>Run a worker</span> for <var title="">scriptURL</var>,
     with the <span>script browsing context</span> of the script that
     invoked the method as the <var title="">owner browsing
-    context</var>, and with <var title="">worker global scope</var> as
-    the global scope.</p>
+    context</var>, with the <span>origin</span> of the <span>first
+    script</span> as the <var title="">owner origin</var>, and with
+    <var title="">worker global scope</var> as the global scope.</p>
 
    </li>
 
@@ -71923,7 +71966,9 @@
    <li>
 
     <p>Attempt to <span>fetch</span> each resource identified by the
-    resulting <span title="absolute URLs">absolute URL</span>.</p>
+    resulting <span title="absolute URLs">absolute URL</span>, from
+    the <span>first script</span>'s <span>origin</span>.</p> <!-- not
+    http-origin privacy sensitive -->
 
    </li>
 
@@ -72305,7 +72350,9 @@
    <li>
 
     <p><span>Fetch</span> the resource identified by the resulting
-    <span>absolute URL</span>, and process it as described below.</p>
+    <span>absolute URL</span>, from the <span>first script</span>'s
+    <span>origin</span>, and process it as described below.</p> <!--
+    not http-origin privacy sensitive -->
 
     <p class="note">The definition of the <span
     title="fetch">fetching</span> algorithm is such that if the
@@ -72482,6 +72529,10 @@
   the resource at a later point, it must return to the previously
   specified URL for this event source.</p>
 
+  <p class="note">The Origin specification also introduces some
+  relevant requirements when dealing with redirects. <a
+  href="#refsORIGIN">[ORIGIN]</a></p>
+
   <p>HTTP 305 Use Proxy, HTTP 401 Unauthorized, and 407 Proxy
   Authentication Required should be treated transparently as for any
   other subresource.</p>
@@ -72518,9 +72569,12 @@
   <code title="event-error">error</code> at the
   <code>EventSource</code> object, and then <span>fetch</span> the
   event source resource again after a delay equal to the reconnection
-  time of the event source. <strong>Only if the user agent <span
-  title="reset the connection">resets the connection</span> does the
-  connection get opened anew!</strong></p>
+  time of the event source, from the same <span>origin</span> as the
+  original request triggered by the <code
+  title="dom-EventSource">EventSource()</code>
+  constructor. <strong>Only if the user agent <span title="reset the
+  connection">resets the connection</span> does the connection get
+  opened anew!</strong></p>
 
   <p>When a user agent is to <dfn>fail the connection</dfn>, the user
   agent must set the <code
@@ -74166,6 +74220,10 @@
 
     <hr>
 <!--
+redirect support
+we should probably reintroduce this at some point, with the
+multi-origin semantics described in [ORIGIN] applying. (http-origin)
+
     <p>If <var title="">mode</var> is <i title="">redirect</i>, then:
     If there is not exactly one entry in the <var
     title="">headers</var> list whose name is "<code
@@ -87828,8 +87886,10 @@
   its <span>fallback content</span>, the element must be ignored (it
   represents nothing).</p>
 
-  <p>Otherwise, <span class="XXX">define how the element works,
-  if supported</span>.</p> <!-- remember to delay the laod event -->
+  <p>Otherwise, <span class="XXX">define how the element works, if
+  supported</span>.</p> <!-- remember to delay the load event --> <!--
+  remember to include ", from the element's <span>browsing context
+  scope origin</span> if it has one" when fetching -->
 
   <p>The <code>applet</code> element must implement the
   <code>HTMLAppletElement</code> interface.</p>
@@ -88594,7 +88654,8 @@
 
    <li><p>For each token that is successfully resolved,
    <span>fetch</span> the resulting <span>absolute URL</span> and
-   apply the appropriate processing.</p></li>
+   apply the appropriate processing.</p></li> <!-- http-origin privacy
+   sensitive -->
 
   </ol>
 
@@ -90082,6 +90143,12 @@
    in HTML/XHTML</a></cite>. In <cite>OpenSearch 1.1 Draft 4</cite>,
    Section 4.6.2. OpenSearch.org.</dd>
 
+   <dt id="refsORIGIN">[ORIGIN]</dt>
+   <dd><cite><a
+   href="http://tools.ietf.org/html/draft-abarth-origin">The HTTP
+   Origin Header</a></cite>, A. Barth, C. Jackson, I. Hickson. IETF,
+   September 2009.</dd>
+
    <dt id="refsPINGBACK">[PINGBACK]</dt>
    <dd><cite><a
    href="http://www.hixie.ch/specs/pingback/pingback">Pingback
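Review bot: the [ORIGIN] entry links to `http://tools.ietf.org/html/draft-abarth-origin` with no draft version, so the text behind the link can change while this revision's requirements stay fixed. The log message says the commit synchronises with "the latest Origin spec rules and semantics", so citing the specific draft revision that was used would make the dependency checkable.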



