[html5] r1042 - /

whatwg at whatwg.org whatwg at whatwg.org
Thu Oct 11 13:15:09 PDT 2007


Author: ianh
Date: 2007-10-11 13:15:08 -0700 (Thu, 11 Oct 2007)
New Revision: 1042

Modified:
   index
   source
Log:
[] (0) Block manifests from loading files from other schemes. This blocks, e.g., javascript:, mailto:, data:, and other dodgy schemes, without having to blacklist or whitelist anything, and without having to maintain a list of safe/unsafe protocols.

Modified: index
===================================================================
--- index	2007-10-11 20:07:58 UTC (rev 1041)
+++ index	2007-10-11 20:15:08 UTC (rev 1042)
@@ -26526,11 +26526,16 @@
      progress information -->
 
      <li>
-      <p>Fetch the resource. If this is an <a href="#upgrade"
+      <p>If the resource's URI has a different <scheme> component than the
+       manifest's URI, then skip this resource.
+
+     <li>
+      <p>Otherwise, fetch the resource. If this is an <a href="#upgrade"
        title=concept-appcache-upgrade>upgrade attempt</a>, then use <var
        title="">cache</var> as an HTTP cache, and honour HTTP caching
        semantics (such as expiration, ETags, and so forth) with respect to
-       that cache. User agents may also have other caches in place.
+       that cache. User agents may also have other caches in place that are
+       also honored.
 
      <li>
       <p>If the previous steps fails (e.g. the server returns a 4xx or 5xx

Modified: source
===================================================================
--- source	2007-10-11 20:07:58 UTC (rev 1041)
+++ source	2007-10-11 20:15:08 UTC (rev 1042)
@@ -24159,12 +24159,16 @@
      updating the application.</p></li> <!-- XXX need to include
      progress information -->
 
-     <li><p>Fetch the resource. If this is an <span
+     <li><p>If the resource's URI has a different <scheme>
+     component than the manifest's URI, then skip this
+     resource.</p></li>
+
+     <li><p>Otherwise, fetch the resource. If this is an <span
      title="concept-appcache-upgrade">upgrade attempt</span>, then use
      <var title="">cache</var> as an HTTP cache, and honour HTTP
      caching semantics (such as expiration, ETags, and so forth) with
      respect to that cache. User agents may also have other caches in
-     place.</p></li>
+     place that are also honored.</p></li>
 
      <li>
 




More information about the Commit-Watchers mailing list