[html5] r4042 - [gow] (2) Block cross-origin PUT and DELETE from <form>s for now. Fixing http:// [...]
whatwg at whatwg.org
whatwg at whatwg.org
Tue Sep 29 02:37:25 PDT 2009
Author: ianh
Date: 2009-09-29 02:37:24 -0700 (Tue, 29 Sep 2009)
New Revision: 4042
Modified:
index
source
Log:
[gow] (2) Block cross-origin PUT and DELETE from <form>s for now.
Fixing http://www.w3.org/Bugs/Public/show_bug.cgi?id=7709
Modified: index
===================================================================
--- index 2009-09-29 09:31:06 UTC (rev 4041)
+++ index 2009-09-29 09:37:24 UTC (rev 4042)
@@ -39004,9 +39004,15 @@
<dd>Let <var title="">MIME type</var> be "<code title="">text/plain</code>".</dd>
- </dl><p><a href=#navigate>Navigate</a> <var title="">target browsing
- context</var> to <var title="">action</var> using the HTTP
- method given by <var title="">method</var> and with <var title="">entity body</var> as the entity body, of type <var title="">MIME type</var>. If <var title="">target browsing
+ </dl><p>If <var title="">method</var> is anything but GET or POST,
+ and the <a href=#origin>origin</a> of <var title="">action</var> is not
+ the <a href=#same-origin>same origin</a> as that of the <code><a href=#the-form-element>form</a></code>
+ element's <code>Document</code>, then abort these steps.</p>
+ <!-- CORS, one day -->
+
+ <p>Otherwise, <a href=#navigate>navigate</a> <var title="">target
+ browsing context</var> to <var title="">action</var> using the
+ HTTP method given by <var title="">method</var> and with <var title="">entity body</var> as the entity body, of type <var title="">MIME type</var>. If <var title="">target browsing
context</var> was newly created for this purpose by the steps
above, then it must be navigated with <a href=#replacement-enabled>replacement
enabled</a>.</p>
@@ -39019,12 +39025,17 @@
<p>Let <var title="">target browsing context</var> be <a href=#the-form-submission-target-browsing-context>the
form submission target browsing context</a>.</p>
- <p><a href=#navigate>Navigate</a> <var title="">target browsing
- context</var> to <var title="">action</var> using the DELETE
- method. If <var title="">target browsing context</var> was newly
- created for this purpose by the steps above, then it must be
- navigated with <a href=#replacement-enabled>replacement enabled</a>.</p>
+ <p>If the <a href=#origin>origin</a> of <var title="">action</var> is
+ not the <a href=#same-origin>same origin</a> as that of the
+ <code><a href=#the-form-element>form</a></code> element's <code>Document</code>, then abort
+ these steps.</p> <!-- CORS, one day -->
+ <p>Otherwise, <a href=#navigate>navigate</a> <var title="">target
+ browsing context</var> to <var title="">action</var> using the
+ DELETE method. If <var title="">target browsing context</var>
+ was newly created for this purpose by the steps above, then it
+ must be navigated with <a href=#replacement-enabled>replacement enabled</a>.</p>
+
</dd>
<dt><dfn id=submit-get-action title=submit-get-action>Get action</dfn>
Modified: source
===================================================================
--- source 2009-09-29 09:31:06 UTC (rev 4041)
+++ source 2009-09-29 09:37:24 UTC (rev 4042)
@@ -43758,9 +43758,15 @@
</dl>
- <p><span>Navigate</span> <var title="">target browsing
- context</var> to <var title="">action</var> using the HTTP
- method given by <var title="">method</var> and with <var
+ <p>If <var title="">method</var> is anything but GET or POST,
+ and the <span>origin</span> of <var title="">action</var> is not
+ the <span>same origin</span> as that of the <code>form</code>
+ element's <code>Document</code>, then abort these steps.</p>
+ <!-- CORS, one day -->
+
+ <p>Otherwise, <span>navigate</span> <var title="">target
+ browsing context</var> to <var title="">action</var> using the
+ HTTP method given by <var title="">method</var> and with <var
title="">entity body</var> as the entity body, of type <var
title="">MIME type</var>. If <var title="">target browsing
context</var> was newly created for this purpose by the steps
@@ -43775,12 +43781,17 @@
<p>Let <var title="">target browsing context</var> be <span>the
form submission target browsing context</span>.</p>
- <p><span>Navigate</span> <var title="">target browsing
- context</var> to <var title="">action</var> using the DELETE
- method. If <var title="">target browsing context</var> was newly
- created for this purpose by the steps above, then it must be
- navigated with <span>replacement enabled</span>.</p>
+ <p>If the <span>origin</span> of <var title="">action</var> is
+ not the <span>same origin</span> as that of the
+ <code>form</code> element's <code>Document</code>, then abort
+ these steps.</p> <!-- CORS, one day -->
+ <p>Otherwise, <span>navigate</span> <var title="">target
+ browsing context</var> to <var title="">action</var> using the
+ DELETE method. If <var title="">target browsing context</var>
+ was newly created for this purpose by the steps above, then it
+ must be navigated with <span>replacement enabled</span>.</p>
+
</dd>
<dt><dfn title="submit-get-action">Get action</dfn>
More information about the Commit-Watchers
mailing list