[html5] r1500 - /
whatwg at whatwg.org
whatwg at whatwg.org
Mon Apr 28 03:58:33 PDT 2008
Author: ianh
Date: 2008-04-28 03:58:30 -0700 (Mon, 28 Apr 2008)
New Revision: 1500
Modified:
index
source
Log:
[e] (0) Revamp the way that the concept of 'origin' is defined; nuke the concept of 'same scheme/host/port'. This shouldn't, in theory, change anything, but let me know if I screwed up...
Modified: index
===================================================================
--- index 2008-04-28 10:08:56 UTC (rev 1499)
+++ index 2008-04-28 10:58:30 UTC (rev 1500)
@@ -1041,8 +1041,8 @@
<li><a href="#origin"><span class=secno>4.3 </span>Origin</a>
<ul class=toc>
- <li><a href="#unscripted"><span class=secno>4.3.1 </span>Unscripted
- same-origin checks</a>
+ <li><a href="#the-string"><span class=secno>4.3.1 </span>The string
+ representing the script's domain in IDNA format</a>
</ul>
<li><a href="#scripting"><span class=secno>4.4 </span>Scripting</a>
@@ -19018,8 +19018,8 @@
<h5 id=security1><span class=secno>3.12.11.3. </span>Security with <code><a
href="#canvas">canvas</a></code> elements</h5>
- <p><strong>Information leakage</strong> can occur if scripts from one
- origin are exposed to images from another origin.
+ <p><strong>Information leakage</strong> can occur if scripts from one <a
+ href="#origin0">origin</a> are exposed to images from another origin.
<p>To mitigate this, <code><a href="#canvas">canvas</a></code> elements are
defined to have a flag indicating whether they are <i>origin-clean</i>.
@@ -27071,126 +27071,19 @@
https://bugzilla.mozilla.org/show_bug.cgi?id=344495
-->
- <p>Access to certain APIs is granted or denied to scripts based on the <dfn
- id=origin0>origin</dfn> of the script and the API being accessed.
+ <p>The <dfn id=origin0>origin</dfn> of content is the cornerstone of the
+ Web security model. It is defined as follows:
- <p>The origin of a script depends on the context of that script:
-
<dl>
- <dt>If a script is in a <code><a href="#script0">script</a></code> element
+ <dt>The origin of a URI
- <dd>The origin of the script is the origin of the <code>Document</code> to
- which the <code><a href="#script0">script</a></code> element belongs.
+ <dd>
+ <p>The origin is whatever is returned by the following algorithm:</p>
- <dt>If a script is a function or other code reference created by another
- script
-
- <dd>The origin of the script is the origin of the script that created it.
-
- <dt>If a script is a <a href="#the-javascript" title="javascript
- protocol"><code title="">javascript:</code> URI</a> in an attribute
-
- <dd>The origin is the origin of the <code>Document</code> of the element
- on which the attribute is found.
-
- <dt>If a script is a <a href="#the-javascript" title="javascript
- protocol"><code title="">javascript:</code> URI</a> in a style sheet
-
- <dd>The origin is the origin of the <code>Document</code> to which the
- style sheet applies.
-
- <dt>If a script is a <a href="#the-javascript" title="javascript
- protocol"><code title="">javascript:</code> URI</a> to which a <a
- href="#browsing0">browsing context</a> is being <a href="#navigate"
- title=navigate>navigated</a>, the URI having been provided by the user
- (e.g. by using a <i>bookmarklet</i>)
-
- <dd>The origin is the origin of the <code>Document</code> of the <a
- href="#browsing0">browsing context</a>'s <a href="#active">active
- document</a>.
-
- <dt>If a script is a <a href="#the-javascript" title="javascript
- protocol"><code title="">javascript:</code> URI</a> to which a <a
- href="#browsing0">browsing context</a> is being <a href="#navigate"
- title=navigate>navigated</a>, the URI having been declared in markup
-
- <dd>The origin is the origin of the <code>Document</code> of the element
- (e.g. an <code><a href="#a">a</a></code> or <code><a
- href="#area">area</a></code> element) that declared the URI.
-
- <dt>If a script is a <a href="#the-javascript" title="javascript
- protocol"><code title="">javascript:</code> URI</a> to which a <a
- href="#browsing0">browsing context</a> is being <a href="#navigate"
- title=navigate>navigated</a>, the URI having been provided by script
-
- <dd>The origin is the origin of the script that provided the URI.</dd>
- <!-- ... -->
- </dl>
-
- <p>The origin of scripts thus comes down to finding the origin of
- <code>Document</code> objects.
-
- <p>The origin of a <code>Document</code> or image that was served over the
- network and whose address uses a URI scheme with a server-based naming
- authority is the tuple consisting of the <scheme>,
- <host>/<ihost>, and <port> parts of the
- <code>Document</code>'s full URI. <a href="#refsRFC3986">[RFC3986]</a> <a
- href="#refsRFC3987">[RFC3987]</a>
-
- <p>The origin of a <code>Document</code> or image that was generated from a
- <code>data:</code> URI found in another <code>Document</code> or in a
- script is the origin of the <code>Document</code> or script.
-
- <p>The origin of a <code>Document</code> or image that was generated from a
- <code>data:</code> URI from another source (e.g. typed in by the user) is
- a globally unique identifier assigned when the document is created.
-
- <p>The origin of a <code>Document</code> or image that was generated from a
- <a href="#the-javascript" title="javascript
- protocol"><code>javascript:</code> URI</a> is the same as the origin of
- that <code>javascript:</code> URI.
-
- <p><dfn id=the-string>The string representing the script's domain in IDNA
- format</dfn> is obtained as follows: take the domain part of the script's
- <a href="#origin0">origin</a> tuple and apply the IDNA ToASCII algorithm
- and then the IDNA ToUnicode algorithm to each component of the domain name
- (with both the AllowUnassigned and UseSTD3ASCIIRules flags set both
- times). <a href="#refsRFC3490">[RFC3490]</a>
-
- <p>If ToASCII fails to convert one of the components of the string, e.g.
- because it is too long or because it contains invalid characters, or if
- the origin of the script has no domain part, then the string representing
- the script's domain in IDNA format cannot be obtained. (ToUnicode is
- defined to never fail.)
-
- <p class=big-issue>It's been suggested that we should put IP addresses into
- the origin tuple, to mitigate DNS rebinding attacks. However that would
- kill multi-homed systems like GMail. Should we do something like have a
- DNS record say whether or not to include the IP in the origin for a host?
-
- <h4 id=unscripted><span class=secno>4.3.1 </span>Unscripted same-origin
- checks</h4>
-
- <p>When two URIs are to be compared to determine if they have the <dfn
- id=same-schemehostport>same scheme/host/port</dfn>, it means that the
- following algorithm must be invoked, where <var title="">uri<sub
- title="">1</sub></var> and <var title="">uri<sub title="">2</sub></var>
- are the two URIs.
-
- <ol>
- <li>
- <p>First, both <var title="">uri<sub title="">1</sub></var> and <var
- title="">uri<sub title="">2</sub></var> must be normalized to obtain the
- two tuples (<var title="">scheme<sub title="">1</sub></var>, <var
- title="">host<sub title="">1</sub></var>, <var title="">port<sub
- title="">1</sub></var>) and (<var title="">scheme<sub
- title="">2</sub></var>, <var title="">host<sub title="">2</sub></var>,
- <var title="">port<sub title="">2</sub></var>), by applying the
- following subalgorithm to each URI:</p>
-
<ol>
<li>
- <p>Let <var title="">uri</var> be the URI being normalized.
+ <p>Let <var title="">uri</var> be the URI for which the origin is being
+ determined.
<li>
<p>Parse <var title="">uri</var> according to the rules described in
@@ -27199,16 +27092,12 @@
<li>
<p>If <var title="">uri</var> does not use a server-based naming
- authority, then fail the overall algorithm — the two URIs do not
- have the same scheme/host/port.
+ authority, then return a new globally unique identifier.
<li>
<p>Let <var title="">scheme</var> be the <scheme> component of
- the URI. If the UA doesn't support the given protocol, then fail the
- overall algorithm — the two URIs do not have the same
- scheme/host/port<!-- (this should not be
- possible, since this algorithm is only invoked with URIs that
- have been actually fetched) -->.
+ the URI, converted to lowercase. If the UA doesn't support the given
+ protocol, then return a new globally unique identifier.
<li>
<p>Let <var title="">host</var> be the <host>/<ihost>
@@ -27221,10 +27110,14 @@
<p>If ToASCII fails to convert one of the components of the string,
e.g. because it is too long or because it contains invalid characters,
- then fail the overall algorithm — the two URIs do not have the
- same scheme/host/port. <a href="#refsRFC3490">[RFC3490]</a></p>
+ then return a new globally unique identifier. <a
+ href="#refsRFC3490">[RFC3490]</a></p>
<li>
+ <p>Let <var title="">host</var> be the result of converting <var
+ title="">host</var> to lowercase.
+
+ <li>
<p>If no port is explicitly listed, then let <var title="">port</var>
be the default port for the protocol given by <var
title="">scheme</var>. Otherwise, let <var title="">port</var> be the
@@ -27235,21 +27128,113 @@
title="">host</var>, <var title="">port</var>).
</ol>
- <li>
- <p>If <var title="">scheme<sub title="">1</sub></var> is not
- case-insensitively<!-- XXX ascii case matching --> identical to <var
- title="">scheme<sub title="">2</sub></var>, or if <var title="">host<sub
- title="">1</sub></var> is not
- case-insensitively<!-- XXX ascii case matching --> identical to <var
- title="">host<sub title="">2</sub></var>, or if <var title="">port<sub
- title="">1</sub></var> is not identical to <var title="">port<sub
- title="">2</sub></var>, then fail the overall algorithm — the two
- URIs do not have the same scheme/host/port.
+ <dt>The origin of scripts
- <li>
- <p>Otherwise, the two URIs do have the same scheme/host/port.
- </ol>
+ <dd>
+ <dl>
+ <dt>If a script is in a <code><a href="#script0">script</a></code>
+ element
+ <dd>The origin of the script is the origin of the <code>Document</code>
+ to which the <code><a href="#script0">script</a></code> element
+ belongs.
+
+ <dt>If a script is a function or other code reference created by another
+ script
+
+ <dd>The origin of the script is the origin of the script that created
+ it.
+
+ <dt>If a script is a <a href="#the-javascript" title="javascript
+ protocol"><code title="">javascript:</code> URI</a> in an attribute
+
+ <dd>The origin is the origin of the <code>Document</code> of the element
+ on which the attribute is found.
+
+ <dt>If a script is a <a href="#the-javascript" title="javascript
+ protocol"><code title="">javascript:</code> URI</a> in a style sheet
+
+ <dd>The origin is the origin of the <code>Document</code> to which the
+ style sheet applies.
+
+ <dt>If a script is a <a href="#the-javascript" title="javascript
+ protocol"><code title="">javascript:</code> URI</a> to which a <a
+ href="#browsing0">browsing context</a> is being <a href="#navigate"
+ title=navigate>navigated</a>, the URI having been provided by the user
+ (e.g. by using a <i>bookmarklet</i>)
+
+ <dd>The origin is the origin of the <code>Document</code> of the <a
+ href="#browsing0">browsing context</a>'s <a href="#active">active
+ document</a>.
+
+ <dt>If a script is a <a href="#the-javascript" title="javascript
+ protocol"><code title="">javascript:</code> URI</a> to which a <a
+ href="#browsing0">browsing context</a> is being <a href="#navigate"
+ title=navigate>navigated</a>, the URI having been declared in markup
+
+ <dd>The origin is the origin of the <code>Document</code> of the element
+ (e.g. an <code><a href="#a">a</a></code> or <code><a
+ href="#area">area</a></code> element) that declared the URI.
+
+ <dt>If a script is a <a href="#the-javascript" title="javascript
+ protocol"><code title="">javascript:</code> URI</a> to which a <a
+ href="#browsing0">browsing context</a> is being <a href="#navigate"
+ title=navigate>navigated</a>, the URI having been provided by script
+
+ <dd>The origin is the origin of the script that provided the URI.
+ </dl>
+
+ <dt>The origin of <code>Document</code> objects and images
+
+ <dd>
+ <dl>
+ <dt>If a <code>Document</code> or image was generated from a <a
+ href="#the-javascript" title="javascript
+ protocol"><code>javascript:</code> URI</a>
+
+ <dd>The origin is the same as the origin of the script of that
+ <code>javascript:</code> URI.
+
+ <dt>If a <code>Document</code> or image was served over the network and
+ has an address that uses a URI scheme with a server-based naming
+ authority
+
+ <dd>The origin is the origin of the full URI of the
+ <code>Document</code> or image.
+
+ <dt>If a <code>Document</code> or image was generated from a
+ <code>data:</code> URI found in another <code>Document</code> or in a
+ script
+
+ <dd>The origin is the origin of the <code>Document</code> or script in
+ which the <code>data:</code> URI was found.
+
+ <dt>If a <code>Document</code> or image was obtained in some other
+ manner (e.g. a <code>data:</code> URI typed in by the user)
+
+ <dd>The origin is a globally unique identifier assigned when the
+ <code>Document</code> or image is created.
+ </dl>
+ </dl>
+
+ <h4 id=the-string><span class=secno>4.3.1 </span>The string representing
+ the script's domain in IDNA format</h4>
+ <!-- XXX this is only used by the TCPConnection stuff and will be
+ removed when that part is next updated -->
+
+ <p><dfn id=the-string0>The string representing the script's domain in IDNA
+ format</dfn> is obtained as follows: take the domain part of the script's
+ <a href="#origin0">origin</a> tuple and apply the IDNA ToASCII algorithm
+ and then the IDNA ToUnicode algorithm to each component of the domain name
+ (with both the AllowUnassigned and UseSTD3ASCIIRules flags set both
+ times). <a href="#refsRFC3490">[RFC3490]</a>
+
+ <p>If ToASCII fails to convert one of the components of the string, e.g.
+ because it is too long or because it contains invalid characters, or if
+ the origin of the script has no domain part, then the string representing
+ the script's domain in IDNA format cannot be obtained. (ToUnicode is
+ defined to never fail.)
+
<h3 id=scripting><span class=secno>4.4 </span>Scripting</h3>
<h4 id=running><span class=secno>4.4.1 </span>Running executable code</h4>
@@ -27307,14 +27292,15 @@
<p>When a browsing context is <a href="#navigate"
title=navigate>navigated</a> to a <code>javascript:</code> URI, and the <a
href="#active">active document</a> of that browsing context has the same
- <a href="#origin0">origin</a> as the URI, the dereference context must be
- the <a href="#browsing0">browsing context</a> being navigated.
+ <a href="#origin0">origin</a> as the script given by that URI, the
+ dereference context must be the <a href="#browsing0">browsing context</a>
+ being navigated.
<p>When a browsing context is <a href="#navigate"
title=navigate>navigated</a> to a <code>javascript:</code> URI, and the <a
href="#active">active document</a> of that browsing context has a
- <em>different</em> <a href="#origin0">origin</a> than the URI, the
- dereference context must be an empty object.
+ <em>different</em> <a href="#origin0">origin</a> than the script given by
+ the URI, the dereference context must be an empty object.
<p>Otherwise, the dereference context must the <a
href="#browsing0">browsing context</a> of the <code>Document</code> to
@@ -28004,9 +27990,9 @@
href="#showmodaldialog">showModalDialog()</a></code> method was called,
and that
- <li>have an <a href="#active">active document</a> whose origin is the
- same as the origin of the script that called the <code
- title=dom-showModalDialog><a
+ <li>have an <a href="#active">active document</a> whose <a
+ href="#origin0">origin</a> is the same as the origin of the script that
+ called the <code title=dom-showModalDialog><a
href="#showmodaldialog">showModalDialog()</a></code> method at the time
the method was called,</li>
<!-- XXX document.domain
@@ -28042,8 +28028,9 @@
context be set to the value of <var title="">arguments</var>.</p>
<li>
- <p>Let the <a href="#dialog1">dialog arguments' origin</a> be the origin
- of the script that called the <code title=dom-showModalDialog><a
+ <p>Let the <a href="#dialog1">dialog arguments' origin</a> be the <a
+ href="#origin0">origin</a> of the script that called the <code
+ title=dom-showModalDialog><a
href="#showmodaldialog">showModalDialog()</a></code> method.</p>
<li>
@@ -28491,8 +28478,7 @@
attribute. The manifest is downloaded and processed during the <a
href="#application1">application cache update process</a>. All the <a
href="#implicit" title=concept-appcache-implicit>implicit entries</a>
- have the <a href="#same-schemehostport">same scheme/host/port</a> as
- the manifest.
+ have the same <a href="#origin0">origin</a> as the manifest.
<dt><dfn id=explicit title=concept-appcache-explicit>Explicit
entries</dfn>
@@ -28539,9 +28525,9 @@
title=concept-appcache-matches-oppcache>prefix match patterns</a>, each
of which is mapped to a <a href="#fallback0"
title=concept-appcache-fallback>fallback entry</a>. Each namespace URI
- prefix, when parsed as a URI, has the <a href="#same-schemehostport">same
- scheme/host/port</a> as <a href="#the-manifest"
- title=concept-appcache-manifest>the manifest</a>.
+ prefix, when parsed as a URI, has the same <a href="#origin0">origin</a>
+ as <a href="#the-manifest" title=concept-appcache-manifest>the
+ manifest</a>.
<li>Zero or more URIs that form the <dfn id=online
title=concept-appcache-onlinewhitelist>online whitelist</dfn>.
@@ -28674,8 +28660,7 @@
<p><a href="#opportunistic"
title=concept-appcache-oppcache-ns>Opportunistic caching namespaces</a>
- must have the <a href="#same-schemehostport">same scheme/host/port</a> as
- the manifest itself.
+ must have the same <a href="#origin0">origin</a> as the manifest itself.
<p>An opportunistic caching namespace must not be listed more than once.
@@ -28852,9 +28837,8 @@
namespace</a>, then jump back to the step labelled "start of line".</p>
<p>If the absolute URI or IRI corresponding to <var title="">part
- one</var> does not have the <a href="#same-schemehostport">same
- scheme/host/port</a> as the manifest's URI, then jump back to the step
- labelled "start of line".</p>
+ one</var> does not have the same <a href="#origin0">origin</a> as the
+ manifest's URI, then jump back to the step labelled "start of line".</p>
<!-- SECURITY -->
<p>If the absolute URI or IRI corresponding to <var title="">part
two</var> has a different <scheme> component than the manifest's
@@ -29261,9 +29245,9 @@
<p>A URI <dfn id=matches title=concept-appcache-matches-oppcache>matches an
opportunistic caching namespace</dfn> if there exists an <a
href="#application0">application cache</a> whose <a href="#the-manifest"
- title=concept-appcache-manifest>manifest</a>'s URI has the <a
- href="#same-schemehostport">same scheme/host/port</a> as the URI in
- question, and if that application cache has an <a href="#opportunistic"
+ title=concept-appcache-manifest>manifest</a>'s URI has the same <a
+ href="#origin0">origin</a> as the URI in question, and if that application
+ cache has an <a href="#opportunistic"
title=concept-appcache-oppcache-ns>opportunistic caching namespace</a>
with a <path> component that exactly matches the start of the
<path> component of the URI being examined. If multiple
@@ -29342,9 +29326,9 @@
<dd>
<ol>
<li>
- <p>If the manifest URI does not have the <a
- href="#same-schemehostport">same scheme/host/port</a> as the
- resource's own URI, then invoke the <a href="#application3"
+ <p>If the manifest URI does not have the same <a
+ href="#origin0">origin</a> as the resource's own URI, then invoke the
+ <a href="#application3"
title=concept-appcache-init-no-attribute>application cache selection
algorithm</a> again, but without a manifest, and abort these steps.
@@ -29437,12 +29421,12 @@
fetch the resource from the cache and abort these steps.
<li>
- <p>If the resource's URI has the <a href="#same-schemehostport">same
- scheme/host/port</a> as the manifest's URI, and the start of the
- resource's URI's <path> component is exactly matched by the
- <path> component of an <a href="#opportunistic"
- title=concept-appcache-oppcache-ns>opportunistic caching namespace</a>
- in the <a href="#application0">application cache</a>, then:
+ <p>If the resource's URI has the same <a href="#origin0">origin</a> as
+ the manifest's URI, and the start of the resource's URI's <path>
+ component is exactly matched by the <path> component of an <a
+ href="#opportunistic" title=concept-appcache-oppcache-ns>opportunistic
+ caching namespace</a> in the <a href="#application0">application
+ cache</a>, then:
<p>Fetch the resource normally. If this results 4xx or 5xx status codes
or equivalent, or if there were network errors, then instead fetch, from
@@ -30471,12 +30455,11 @@
href="#top-level">top-level browsing context</a>, then check if there
are any <a href="#application0" title="application cache">application
caches</a> that have a <a href="#the-manifest"
- title=concept-appcache-manifest>manifest</a> with the <a
- href="#same-schemehostport">same scheme/host/port</a> as the URI in
- question, and that have this URI as one of their entries (excluding
- entries marked as <a href="#foreign"
- title=concept-appcache-foreign>manifest</a>), and that already contain
- their manifest, categorised as a <a href="#the-manifest"
+ title=concept-appcache-manifest>manifest</a> with the same <a
+ href="#origin0">origin</a> as the URI in question, and that have this
+ URI as one of their entries (excluding entries marked as <a
+ href="#foreign" title=concept-appcache-foreign>manifest</a>), and that
+ already contain their manifest, categorised as a <a href="#the-manifest"
title=concept-appcache-manifest>manifest</a>. If so, then the user agent
must then fetch the resource from the <a href="#select0"
title=concept-appcache-selection>most appropriate application cache</a>
@@ -32054,7 +32037,7 @@
<p>The <dfn id=localstorage
title=dom-localStorage><code>localStorage</code></dfn> object provides a
- <code><a href="#storage0">Storage</a></code> object for <a
+ <code><a href="#storage0">Storage</a></code> object for an <a
href="#origin0">origin</a>.
<p>User agents must have a set of local storage areas, one for each <a
@@ -33114,9 +33097,9 @@
Which other headers are required depends on the URIs involved.
<dl class=switch>
- <dt>If both the URI of the document containing the hyperlink being audited
- and the ping URI have the same <a href="#origin0">origin</a><!-- XXX
- xref, and check that _URIs_ can have origins -->
+ <dt>If both the URI of the <code>Document</code> object containing the
+ hyperlink being audited and the ping URI have the same <a
+ href="#origin0">origin</a>
<dd>The request must include a <code title="">Ping-From</code> HTTP header
with, as its value, the location of the document containing the
@@ -37877,10 +37860,10 @@
<p>...then the UA must raise a <a href="#security9">security exception</a>.</p>
<!-- XXX we should have our own port for this too, e.g. 980 -->
- <p>Otherwise, the user agent must verify that the <a href="#the-string">the
- string representing the script's domain in IDNA format</a> can be obtained
- without errors. If it cannot, then the user agent must raise a <a
- href="#security9">security exception</a>.
+ <p>Otherwise, the user agent must verify that the <a
+ href="#the-string0">the string representing the script's domain in IDNA
+ format</a> can be obtained without errors. If it cannot, then the user
+ agent must raise a <a href="#security9">security exception</a>.
<p>The user agent may also raise a <a href="#security9">security
exception</a> at this time if, for some reason, permission to create a
@@ -37942,7 +37925,7 @@
<p>The <code title=dom-Connection-network><a
href="#network1">network</a></code> attribute of the object must be set to
- <a href="#the-string">the string representing the script's domain in IDNA
+ <a href="#the-string0">the string representing the script's domain in IDNA
format</a>. If this string cannot be obtained, then the user agent must
raise a <a href="#security9">security exception</a> exception when the
constructor is called.
@@ -38080,7 +38063,7 @@
<p>The <code title=dom-Connection-network><a
href="#network1">network</a></code> attribute of the object must be set to
- <a href="#the-string">the string representing the script's domain in IDNA
+ <a href="#the-string0">the string representing the script's domain in IDNA
format</a>. If this string cannot be obtained, then the user agent must
raise a <a href="#security9">security exception</a> exception when the
constructor is called.
@@ -38312,7 +38295,7 @@
user agent must <a href="#closeConnection">close the connection</a> and
give up trying to connect.
- <p>Otherwise, the user agent must then take <a href="#the-string">the
+ <p>Otherwise, the user agent must then take <a href="#the-string0">the
string representing the script's domain in IDNA format</a>, encode it as
UTF-8, and send that to the remote host, followed by a 0x0A byte (a U+000A
LINE FEED in UTF-8).
@@ -38363,7 +38346,7 @@
the user agent must <a href="#closeConnection">close the connection</a>
and give up trying to connect.
- <p>Otherwise, the user agent must then take <a href="#the-string">the
+ <p>Otherwise, the user agent must then take <a href="#the-string0">the
string representing the script's domain in IDNA format</a>, encode it as
UTF-8, and send that to the remote host, followed by a 0x0A byte (a U+000A
LINE FEED in UTF-8).
@@ -38499,65 +38482,13 @@
<!-- XXX define this in terms of the event queue -->
<li>
- <p>Let <var title="">target</var> be the <code>Document</code> object
- that is the <a href="#active">active document</a> of the <code><a
- href="#window">Window</a></code> object on which the method was invoked.</p>
-
- <li>
<p>If the <var title="">targetOrigin</var> argument has a value other
- than a single literal U+002A ASTERISK character ("*"), run these
- substeps:</p>
+ than a single literal U+002A ASTERISK character ("*"), and the <a
+ href="#active">active document</a> of the <code><a
+ href="#window">Window</a></code> object on which the method was invoked
+ does not have the same <a href="#origin0">origin</a> as <var
+ title="">targetOrigin</var>, then abort these steps silently.</p>
- <ol>
- <li>
- <p>If the <a href="#origin0">origin</a> of the <var
- title="">target</var> document is not a scheme/host/port tuple, then
- abort the overall set of steps silently.
-
- <li>
- <p>Otherwise, let <var title="">targetOrigin</var> be the URI or IRI
- parsed from the <var title="">targetOrigin</var> argument. <a
- href="#refsRFC3490">[RFC3986]</a> <a href="#refsRFC3490">[RFC3987]</a>
-
- <li>
- <p>If <var title="">targetOrigin</var> uses a URI scheme that does not
- have a server-based naming authority, then abort the overall set of
- steps silently. <a href="#refsRFC3490">[RFC3986]</a>
-
- <li>
- <p>Let <var title="">desired scheme</var> be the <scheme> component
- of <var title="">targetOrigin</var>.
-
- <li>
- <p>Let <var title="">desired host</var> be the <host> or <ihost>
- part of <var title="">targetOrigin</var>, with the ToAscii algorithm
- applied. <a href="#refsRFC3490">[RFC3490]</a>
-
- <li>
- <p>Let <var title="">desired port</var> be the <port> component of
- <var title="">targetOrigin</var>, or, if there isn't one, the default
- port for <var title="">desired scheme</var>.
-
- <li>
- <p>If <var title="">desired scheme</var> is not the same as the scheme
- component of the <a href="#origin0">origin</a> of the <var
- title="">target</var> document, then abort the overall set of steps
- silently.
-
- <li>
- <p>If <var title="">desired host</var> is not the same as the host
- component of the <a href="#origin0">origin</a> of the <var
- title="">target</var> document, after having the ToAscii algorithm
- applied, then abort the overall set of steps silently. <a
- href="#refsRFC3490">[RFC3490]</a>
-
- <li>
- <p>If <var title="">desired port</var> is not the same as the port
- component of the <a href="#origin0">origin</a> of the <var
- title="">target</var> document, then abort the overall set of steps
- silently.
- </ol>
-
<li>
<p>Create an event that uses the <code><a
href="#messageevent">MessageEvent</a></code> interface, with the event
@@ -49634,10 +49565,7 @@
more than one control, no controls?
-data: URIs and same-origin policy when navigated to from http:?
- - Hallvord Reiar Michaelsen Steen
-
need conformance section for editors, which says stuff like "can't be
conforming if editor has an "italics" button"
Modified: source
===================================================================
--- source 2008-04-28 10:08:56 UTC (rev 1499)
+++ source 2008-04-28 10:58:30 UTC (rev 1500)
@@ -16763,7 +16763,7 @@
<h5>Security with <code>canvas</code> elements</h5>
<p><strong>Information leakage</strong> can occur if scripts from
- one origin are exposed to images from another origin.</p>
+ one <span>origin</span> are exposed to images from another origin.</p>
<p>To mitigate this, <code>canvas</code> elements are defined to
have a flag indicating whether they are <i>origin-clean</i>. All
@@ -24766,211 +24766,201 @@
https://bugzilla.mozilla.org/show_bug.cgi?id=344495
-->
- <p>Access to certain APIs is granted or denied to scripts based on
- the <dfn>origin</dfn> of the script and the API being accessed.</p>
+ <p>The <dfn>origin</dfn> of content is the cornerstone of the Web
+ security model. It is defined as follows:</p>
- <p>The origin of a script depends on the context of that script:</p>
-
<dl>
- <dt>If a script is in a <code>script</code> element</dt>
+ <dt>The origin of a URI</dt>
- <dd>The origin of the script is the origin of the
- <code>Document</code> to which the <code>script</code> element
- belongs.</dd>
+ <dd>
+ <p>The origin is whatever is returned by the following
+ algorithm:</p>
- <dt>If a script is a function or other code reference created by
- another script</dt>
+ <ol>
- <dd>The origin of the script is the origin of the script that
- created it.</dd>
+ <li><p>Let <var title="">uri</var> be the URI for which the
+ origin is being determined.</p></li>
+ <li><p>Parse <var title="">uri</var> according to the rules
+ described in RFC 3986 and RFC 3987. <a
+ href="#refsRFC3986">[RFC3986]</a> <a
+ href="#refsRFC3987">[RFC3987]</a></p></li>
- <dt>If a script is a <span title="javascript protocol"><code
- title="">javascript:</code> URI</span> in an attribute</dt>
+ <li><p>If <var title="">uri</var> does not use a server-based
+ naming authority, then return a new globally unique
+ identifier.</p></li>
- <dd>The origin is the origin of the <code>Document</code> of the
- element on which the attribute is found.</dd>
+ <li><p>Let <var title="">scheme</var> be the <scheme>
+ component of the URI, converted to lowercase. If the UA doesn't
+ support the given protocol, then return a new globally unique
+ identifier.</p></li>
+ <li><p>Let <var title="">host</var> be the
+ <host>/<ihost> component of the URI.</p></li>
- <dt>If a script is a <span title="javascript protocol"><code
- title="">javascript:</code> URI</span> in a style sheet</dt>
+ <li>
- <dd>The origin is the origin of the <code>Document</code> to which
- the style sheet applies.</dd>
+ <p>Apply the IDNA ToASCII algorithm to <var title="">host</var>,
+ with both the AllowUnassigned and UseSTD3ASCIIRules flags
+ set. Let <var title="">host</var> be the result of the ToASCII
+ algorithm.</p>
+ <p>If ToASCII fails to convert one of the components of the
+ string, e.g. because it is too long or because it contains
+ invalid characters, then return a new globally unique
+ identifier. <a href="#refsRFC3490">[RFC3490]</a></p>
- <dt>If a script is a <span title="javascript protocol"><code
- title="">javascript:</code> URI</span> to which a <span>browsing
- context</span> is being <span title="navigate">navigated</span>,
- the URI having been provided by the user (e.g. by using a
- <i>bookmarklet</i>)</dt>
+ </li>
- <dd>The origin is the origin of the <code>Document</code> of the
- <span>browsing context</span>'s <span>active document</span>.</dd>
+ <li><p>Let <var title="">host</var> be the result of converting
+ <var title="">host</var> to lowercase.</p></li>
+ <li><p>If no port is explicitly listed, then let <var
+ title="">port</var> be the default port for the protocol given by
+ <var title="">scheme</var>. Otherwise, let <var
+ title="">port</var> be the <port> component of the
+ URI.</p></li>
- <dt>If a script is a <span title="javascript protocol"><code
- title="">javascript:</code> URI</span> to which a <span>browsing
- context</span> is being <span title="navigate">navigated</span>,
- the URI having been declared in markup</dt>
+ <li><p>Return the tuple (<var title="">scheme</var>, <var
+ title="">host</var>, <var title="">port</var>).</p></li>
- <dd>The origin is the origin of the <code>Document</code> of the
- element (e.g. an <code>a</code> or <code>area</code> element) that
- declared the URI.</dd>
+ </ol>
+ </dd>
- <dt>If a script is a <span title="javascript protocol"><code
- title="">javascript:</code> URI</span> to which a <span>browsing
- context</span> is being <span title="navigate">navigated</span>,
- the URI having been provided by script</dt>
+ <dt>The origin of scripts</dt>
- <dd>The origin is the origin of the script that provided the
- URI.</dd>
+ <dd>
- <!-- ... -->
+ <dl>
- </dl>
+ <dt>If a script is in a <code>script</code> element</dt>
- <p>The origin of scripts thus comes down to finding the origin of
- <code>Document</code> objects.</p>
+ <dd>The origin of the script is the origin of the
+ <code>Document</code> to which the <code>script</code> element
+ belongs.</dd>
- <p>The origin of a <code>Document</code> or image that was served
- over the network and whose address uses a URI scheme with a
- server-based naming authority is the tuple consisting of the
- <scheme>, <host>/<ihost>, and <port> parts
- of the <code>Document</code>'s full URI. <a
- href="#refsRFC3986">[RFC3986]</a> <a
- href="#refsRFC3987">[RFC3987]</a></p>
- <p>The origin of a <code>Document</code> or image that was generated
- from a <code>data:</code> URI found in another <code>Document</code>
- or in a script is the origin of the <code>Document</code> or
- script.</p>
+ <dt>If a script is a function or other code reference created by
+ another script</dt>
- <p>The origin of a <code>Document</code> or image that was generated
- from a <code>data:</code> URI from another source (e.g. typed in by
- the user) is a globally unique identifier assigned when the document
- is created.</p>
+ <dd>The origin of the script is the origin of the script that
+ created it.</dd>
- <p>The origin of a <code>Document</code> or image that was generated
- from a <span title="javascript protocol"><code>javascript:</code>
- URI</span> is the same as the origin of that
- <code>javascript:</code> URI.</p>
- <p><dfn>The string representing the script's domain in IDNA
- format</dfn> is obtained as follows: take the domain part of the
- script's <span>origin</span> tuple and apply the IDNA ToASCII
- algorithm and then the IDNA ToUnicode algorithm to each component of
- the domain name (with both the AllowUnassigned and UseSTD3ASCIIRules
- flags set both times). <a href="#refsRFC3490">[RFC3490]</a></p>
+ <dt>If a script is a <span title="javascript protocol"><code
+ title="">javascript:</code> URI</span> in an attribute</dt>
- <p>If ToASCII fails to convert one of the components of the string,
- e.g. because it is too long or because it contains invalid
- characters, or if the origin of the script has no domain part, then
- the string representing the script's domain in IDNA format cannot be
- obtained. (ToUnicode is defined to never fail.)</p>
+ <dd>The origin is the origin of the <code>Document</code> of the
+ element on which the attribute is found.</dd>
- <p class="big-issue">It's been suggested that we should put IP
- addresses into the origin tuple, to mitigate DNS rebinding
- attacks. However that would kill multi-homed systems like
- GMail. Should we do something like have a DNS record say whether or
- not to include the IP in the origin for a host?</p>
+ <dt>If a script is a <span title="javascript protocol"><code
+ title="">javascript:</code> URI</span> in a style sheet</dt>
- <h4>Unscripted same-origin checks</h4>
+ <dd>The origin is the origin of the <code>Document</code> to which
+ the style sheet applies.</dd>
- <p>When two URIs are to be compared to determine if they have the
- <dfn>same scheme/host/port</dfn>, it means that the following
- algorithm must be invoked, where <var title="">uri<sub
- title="">1</sub></var> and <var title="">uri<sub
- title="">2</sub></var> are the two URIs.</p>
- <ol>
+ <dt>If a script is a <span title="javascript protocol"><code
+ title="">javascript:</code> URI</span> to which a <span>browsing
+ context</span> is being <span title="navigate">navigated</span>,
+ the URI having been provided by the user (e.g. by using a
+ <i>bookmarklet</i>)</dt>
- <li>
+ <dd>The origin is the origin of the <code>Document</code> of the
+ <span>browsing context</span>'s <span>active document</span>.</dd>
- <p>First, both <var title="">uri<sub title="">1</sub></var> and
- <var title="">uri<sub title="">2</sub></var> must be normalized to
- obtain the two tuples (<var title="">scheme<sub
- title="">1</sub></var>, <var title="">host<sub
- title="">1</sub></var>, <var title="">port<sub
- title="">1</sub></var>) and (<var title="">scheme<sub
- title="">2</sub></var>, <var title="">host<sub
- title="">2</sub></var>, <var title="">port<sub
- title="">2</sub></var>), by applying the following subalgorithm to
- each URI:</p>
- <ol>
+ <dt>If a script is a <span title="javascript protocol"><code
+ title="">javascript:</code> URI</span> to which a <span>browsing
+ context</span> is being <span title="navigate">navigated</span>,
+ the URI having been declared in markup</dt>
- <li><p>Let <var title="">uri</var> be the URI being normalized.</p></li>
+ <dd>The origin is the origin of the <code>Document</code> of the
+ element (e.g. an <code>a</code> or <code>area</code> element) that
+ declared the URI.</dd>
- <li><p>Parse <var title="">uri</var> according to the rules
- described in RFC 3986 and RFC 3987. <a
- href="#refsRFC3986">[RFC3986]</a> <a
- href="#refsRFC3987">[RFC3987]</a></p></li>
- <li><p>If <var title="">uri</var> does not use a server-based
- naming authority, then fail the overall algorithm — the two
- URIs do not have the same scheme/host/port.</p></li>
+ <dt>If a script is a <span title="javascript protocol"><code
+ title="">javascript:</code> URI</span> to which a <span>browsing
+ context</span> is being <span title="navigate">navigated</span>,
+ the URI having been provided by script</dt>
- <li><p>Let <var title="">scheme</var> be the <scheme>
- component of the URI. If the UA doesn't support the given
- protocol, then fail the overall algorithm — the two URIs do
- not have the same scheme/host/port<!-- (this should not be
- possible, since this algorithm is only invoked with URIs that
- have been actually fetched) -->.</p></li>
+ <dd>The origin is the origin of the script that provided the
+ URI.</dd>
- <li><p>Let <var title="">host</var> be the
- <host>/<ihost> component of the URI.</p></li>
+ </dl>
- <li>
+ </dd>
- <p>Apply the IDNA ToASCII algorithm to <var title="">host</var>,
- with both the AllowUnassigned and UseSTD3ASCIIRules flags
- set. Let <var title="">host</var> be the result of the ToASCII
- algorithm.</p>
+ <dt>The origin of <code>Document</code> objects and images</dt>
- <p>If ToASCII fails to convert one of the components of the
- string, e.g. because it is too long or because it contains
- invalid characters, then fail the overall algorithm — the
- two URIs do not have the same scheme/host/port. <a
- href="#refsRFC3490">[RFC3490]</a></p>
+ <dd>
- </li>
+ <dl>
- <li><p>If no port is explicitly listed, then let <var
- title="">port</var> be the default port for the protocol given by
- <var title="">scheme</var>. Otherwise, let <var
- title="">port</var> be the <port> component of the
- URI.</p></li>
+ <dt>If a <code>Document</code> or image was generated from a
+ <span title="javascript protocol"><code>javascript:</code>
+ URI</span></dt>
- <li><p>Return the tuple (<var title="">scheme</var>, <var
- title="">host</var>, <var title="">port</var>).</p></li>
+ <dd>The origin is the same as the origin of the script of that
+ <code>javascript:</code> URI.</dd>
- </ol>
- </li>
+ <dt>If a <code>Document</code> or image was served over the
+ network and has an address that uses a URI scheme with a
+ server-based naming authority</dt>
- <li><p>If <var title="">scheme<sub title="">1</sub></var> is not
- case-insensitively<!-- XXX ascii case matching --> identical to
- <var title="">scheme<sub title="">2</sub></var>, or if <var
- title="">host<sub title="">1</sub></var> is not
- case-insensitively<!-- XXX ascii case matching --> identical to
- <var title="">host<sub title="">2</sub></var>, or if <var
- title="">port<sub title="">1</sub></var> is not identical to <var
- title="">port<sub title="">2</sub></var>, then fail the overall
- algorithm — the two URIs do not have the same
- scheme/host/port.</p></li>
+ <dd>The origin is the origin of the full URI of the
+ <code>Document</code> or image.</dd>
- <li><p>Otherwise, the two URIs do have the same
- scheme/host/port.</p></li>
- </ol>
+ <dt>If a <code>Document</code> or image was generated from a
+ <code>data:</code> URI found in another <code>Document</code> or
+ in a script</dt>
+ <dd>The origin is the origin of the <code>Document</code> or
+ script in which the <code>data:</code> URI was found.</dd>
+ <dt>If a <code>Document</code> or image was obtained in some
+ other manner (e.g. a <code>data:</code> URI typed in by the
+ user)</dt>
+
+ <dd>The origin is a globally unique identifier assigned when the
+ <code>Document</code> or image is created.</dd>
+
+ </dl>
+
+ </dd>
+
+ </dl>
+
+
+
+ <h4>The string representing the script's domain in IDNA format</h4>
+
+ <!-- XXX this is only used by the TCPConnection stuff and will be
+ removed when that part is next updated -->
+
+ <p><dfn>The string representing the script's domain in IDNA
+ format</dfn> is obtained as follows: take the domain part of the
+ script's <span>origin</span> tuple and apply the IDNA ToASCII
+ algorithm and then the IDNA ToUnicode algorithm to each component of
+ the domain name (with both the AllowUnassigned and UseSTD3ASCIIRules
+ flags set both times). <a href="#refsRFC3490">[RFC3490]</a></p>
+
+ <p>If ToASCII fails to convert one of the components of the string,
+ e.g. because it is too long or because it contains invalid
+ characters, or if the origin of the script has no domain part, then
+ the string representing the script's domain in IDNA format cannot be
+ obtained. (ToUnicode is defined to never fail.)</p>
+
+
+
<h3 id="scripting">Scripting</h3>
<h4>Running executable code</h4>
@@ -25034,14 +25024,15 @@
<p>When a browsing context is <span
title="navigate">navigated</span> to a <code>javascript:</code> URI,
and the <span>active document</span> of that browsing context has
- the same <span>origin</span> as the URI, the dereference context
- must be the <span>browsing context</span> being navigated.</p>
+ the same <span>origin</span> as the script given by that URI, the
+ dereference context must be the <span>browsing context</span> being
+ navigated.</p>
<p>When a browsing context is <span
title="navigate">navigated</span> to a <code>javascript:</code> URI,
and the <span>active document</span> of that browsing context has a
- <em>different</em> <span>origin</span> than the URI, the dereference
- context must be an empty object.</p>
+ <em>different</em> <span>origin</span> than the script given by the
+ URI, the dereference context must be an empty object.</p>
<p>Otherwise, the dereference context must the <span>browsing
context</span> of the <code>Document</code> to which belongs the
@@ -25698,10 +25689,11 @@
contexts</span> as the browsing context of the
<code>Window</code> object on which the <code
title="dom-showModalDialog">showModalDialog()</code> method was
- called, and that</p>
+ called, and that</li>
- <li>have an <span>active document</span> whose origin is the same
- as the origin of the script that called the <code
+ <li>have an <span>active document</span> whose
+ <span>origin</span> is the same as the origin of the script that
+ called the <code
title="dom-showModalDialog">showModalDialog()</code> method at
the time the method was called,</li> <!-- XXX document.domain
breaks this. when fixing it, er on the side of including more
@@ -25749,8 +25741,8 @@
<li>
- <p>Let the <span>dialog arguments' origin</span> be the origin of
- the script that called the <code
+ <p>Let the <span>dialog arguments' origin</span> be the
+ <span>origin</span> of the script that called the <code
title="dom-showModalDialog">showModalDialog()</code> method.</p>
</li>
@@ -26245,7 +26237,7 @@
manifest is downloaded and processed during the <span>application
cache update process</span>. All the <span
title="concept-appcache-implicit">implicit entries</span> have
- the <span>same scheme/host/port</span> as the manifest.
+ the same <span>origin</span> as the manifest.
<dt><dfn title="concept-appcache-explicit">Explicit entries</dfn>
@@ -26295,8 +26287,7 @@
title="concept-appcache-matches-oppcache">prefix match
patterns</span>, each of which is mapped to a <span
title="concept-appcache-fallback">fallback entry</span>. Each
- namespace URI prefix, when parsed as a URI, has the <span>same
- scheme/host/port</span> as <span
+ namespace URI prefix, when parsed as a URI, has the same <span>origin</span> as <span
title="concept-appcache-manifest">the manifest</span>.</li>
<li>Zero or more URIs that form the <dfn
@@ -26442,7 +26433,7 @@
sections.</p>
<p><span title="concept-appcache-oppcache-ns">Opportunistic caching
- namespaces</span> must have the <span>same scheme/host/port</span>
+ namespaces</span> must have the same <span>origin</span>
as the manifest itself.</p>
<p>An opportunistic caching namespace must not be listed more than
@@ -26625,8 +26616,7 @@
line".</p>
<p>If the absolute URI or IRI corresponding to <var
- title="">part one</var> does not have the <span>same
- scheme/host/port</span> as the manifest's URI, then jump back to
+ title="">part one</var> does not have the same <span>origin</span> as the manifest's URI, then jump back to
the step labelled "start of line".</p> <!-- SECURITY -->
<p>If the absolute URI or IRI corresponding to <var
@@ -27049,7 +27039,7 @@
opportunistic caching namespace</dfn> if there exists an
<span>application cache</span> whose <span
title="concept-appcache-manifest">manifest</span>'s URI has the
- <span>same scheme/host/port</span> as the URI in question, and if
+ same <span>origin</span> as the URI in question, and if
that application cache has an <span
title="concept-appcache-oppcache-ns">opportunistic caching
namespace</span> with a <path> component that exactly matches
@@ -27147,8 +27137,7 @@
<ol>
- <li><p>If the manifest URI does not have the <span>same
- scheme/host/port</span> as the resource's own URI, then invoke
+ <li><p>If the manifest URI does not have the same <span>origin</span> as the resource's own URI, then invoke
the <span title="concept-appcache-init-no-attribute">application
cache selection algorithm</span> again, but without a manifest,
and abort these steps.</p></li>
@@ -27243,8 +27232,7 @@
<li>
- <p>If the resource's URI has the <span>same
- scheme/host/port</span> as the manifest's URI, and the start of
+ <p>If the resource's URI has the same <span>origin</span> as the manifest's URI, and the start of
the resource's URI's <path> component is exactly matched by
the <path> component of an <span
title="concept-appcache-oppcache-ns">opportunistic caching
@@ -28248,7 +28236,7 @@
<span>top-level browsing context</span>, then check if there are
any <span title="application cache">application caches</span> that
have a <span title="concept-appcache-manifest">manifest</span>
- with the <span>same scheme/host/port</span> as the URI in
+ with the same <span>origin</span> as the URI in
question, and that have this URI as one of their entries
(excluding entries marked as <span
title="concept-appcache-foreign">manifest</span>), and that
@@ -29763,9 +29751,9 @@
<h4>The <code title="dom-localStorage">localStorage</code> attribute</h4>
- <p>The <dfn
- title="dom-localStorage"><code>localStorage</code></dfn> object
- provides a <code>Storage</code> object for <span>origin</span>.</p>
+ <p>The <dfn title="dom-localStorage"><code>localStorage</code></dfn>
+ object provides a <code>Storage</code> object for an
+ <span>origin</span>.</p>
<p>User agents must have a set of local storage areas, one for each
<span>origin</span>.</p>
@@ -30867,9 +30855,9 @@
<dl class="switch">
- <dt>If both the URI of the document containing the hyperlink being
- audited and the ping URI have the same <span>origin</span><!-- XXX
- xref, and check that _URIs_ can have origins --></dt>
+ <dt>If both the URI of the <code>Document</code> object containing
+ the hyperlink being audited and the ping URI have the same
+ <span>origin</span></dt>
<dd>The request must include a <code title="">Ping-From</code> HTTP
header with, as its value, the location of the document containing
@@ -36026,65 +36014,13 @@
<li>
- <p>Let <var title="">target</var> be the <code>Document</code>
- object that is the <span>active document</span> of the
- <code>Window</code> object on which the method was invoked.</p>
-
- </li>
-
- <li>
-
<p>If the <var title="">targetOrigin</var> argument has a value
- other than a single literal U+002A ASTERISK character ("*"), run
- these substeps:</p>
+ other than a single literal U+002A ASTERISK character ("*"), and
+ the <span>active document</span> of the <code>Window</code> object
+ on which the method was invoked does not have the same
+ <span>origin</span> as <var title="">targetOrigin</var>, then
+ abort these steps silently.</p>
- <ol>
-
- <li><p>If the <span>origin</span> of the <var
- title="">target</var> document is not a scheme/host/port tuple,
- then abort the overall set of steps silently.</p></li>
-
- <li><p>Otherwise, let <var title="">targetOrigin</var> be the URI
- or IRI parsed from the <var title="">targetOrigin</var>
- argument. <a href="#refsRFC3490">[RFC3986]</a> <a
- href="#refsRFC3490">[RFC3987]</a></p></li>
-
- <li><p>If <var title="">targetOrigin</var> uses a URI scheme that
- does not have a server-based naming authority, then abort the
- overall set of steps silently. <a
- href="#refsRFC3490">[RFC3986]</a></p></li>
-
- <li><p>Let <var title="">desired scheme</var> be the <scheme>
- component of <var title="">targetOrigin</var>.</p></li>
-
- <li><p>Let <var title="">desired host</var> be the <host> or
- <ihost> part of <var title="">targetOrigin</var>, with the
- ToAscii algorithm applied. <a
- href="#refsRFC3490">[RFC3490]</a></p></li>
-
- <li><p>Let <var title="">desired port</var> be the <port>
- component of <var title="">targetOrigin</var>, or, if there isn't
- one, the default port for <var title="">desired
- scheme</var>.</p></li>
-
- <li><p>If <var title="">desired scheme</var> is not the same as
- the scheme component of the <span>origin</span> of the <var
- title="">target</var> document, then abort the overall set of
- steps silently.</p></li>
-
- <li><p>If <var title="">desired host</var> is not the same as the
- host component of the <span>origin</span> of the <var
- title="">target</var> document, after having the ToAscii
- algorithm applied, then abort the overall set of steps
- silently. <a href="#refsRFC3490">[RFC3490]</a></p></li>
-
- <li><p>If <var title="">desired port</var> is not the same as the
- port component of the <span>origin</span> of the <var
- title="">target</var> document, then abort the overall set of
- steps silently.</p></li>
-
- </ol>
-
</li>
<li>
@@ -44840,10 +44776,7 @@
more than one control, no controls?
-data: URIs and same-origin policy when navigated to from http:?
- - Hallvord Reiar Michaelsen Steen
-
need conformance section for editors, which says stuff like "can't be
conforming if editor has an "italics" button"
More information about the Commit-Watchers
mailing list