[html5] r1634 - /
whatwg at whatwg.org
Thu May 15 18:19:06 PDT 2008
Author: ianh
Date: 2008-05-15 18:19:05 -0700 (Thu, 15 May 2008)
New Revision: 1634
Modified:
index
source
Log:
[] (0) Mostly editorial: Introduce the concept of 'same origin' as a defined term of art; cross-reference 'origin' throughout; minor disambiguations around the term 'origin'.
Modified: index
===================================================================
--- index 2008-05-16 00:34:40 UTC (rev 1633)
+++ index 2008-05-16 01:19:05 UTC (rev 1634)
@@ -2713,8 +2713,8 @@
whenever any of the members of an <code><a
href="#htmldocument">HTMLDocument</a></code> object are accessed by
scripts whose <a href="#effective3">effective script origin</a> is not the
- same as the <code>Document</code>'s <a href="#effective3">effective script
- origin</a>.
+ <a href="#same-origin" title="same origin">same</a> as the
+ <code>Document</code>'s <a href="#effective3">effective script origin</a>.
<h4 id=resource><span class=secno>2.1.2 </span><dfn id=resource0>Resource
metadata management</dfn></h4>
@@ -13953,8 +13953,9 @@
<p class=warning>This, unfortunately, can be used to perform a rudimentary
port scan of the user's local network (especially in conjunction with
scripting, though scripting isn't actually necessary to carry out such an
- attack). User agents may implement cross-origin access control policies
- that mitigate this attack.
+ attack). User agents may implement <a href="#origin0"
+ title=origin>cross-origin</a> access control policies that mitigate this
+ attack.
<p>Once the download has completed, if the image is a valid image, the user
agent must <a href="#firing4">fire a <code title=event-load>load</code>
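Review bot: the link target is inconsistent with the rest of this patch: "cross-origin" here points at #origin0, while every other "not the same" in the change routes through the new #same-origin term. Since "cross-origin" means exactly "not the same origin", `<a href="#same-origin" title="same origin">cross-origin</a>` would keep readers landing on the comparison algorithm rather than the definition of origin.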
@@ -20084,7 +20085,8 @@
href="#canvas">canvas</a></code> elements</h5>
<p><strong>Information leakage</strong> can occur if scripts from one <a
- href="#origin0">origin</a> are exposed to images from another origin.
+ href="#origin0">origin</a> are exposed to images from another origin (one
+ that isn't the <a href="#same-origin" title="same origin">same</a>).
<p>To mitigate this, <code><a href="#canvas">canvas</a></code> elements are
defined to have a flag indicating whether they are <i>origin-clean</i>.
@@ -20097,9 +20099,9 @@
<p>The element's 2D context's <code title=dom-context-2d-drawImage><a
href="#drawimage">drawImage()</a></code> method is called with an
<code><a href="#htmlimageelement">HTMLImageElement</a></code> whose <a
- href="#origin0">origin</a> differs from that of the
- <code>Document</code> object that owns the <code><a
- href="#canvas">canvas</a></code> element.
+ href="#origin0">origin</a> is not the <a href="#same-origin" title="same
+ origin">same</a> as that of the <code>Document</code> object that owns
+ the <code><a href="#canvas">canvas</a></code> element.
<li>
<p>The element's 2D context's <code title=dom-context-2d-drawImage><a
@@ -20112,9 +20114,9 @@
href="#fillstyle">fillStyle</a></code> attribute is set to a <code><a
href="#canvaspattern0">CanvasPattern</a></code> object that was created
from an <code><a href="#htmlimageelement">HTMLImageElement</a></code>
- whose <a href="#origin0">origin</a> differs from that of the
- <code>Document</code> object that owns the <code><a
- href="#canvas">canvas</a></code> element.
+ whose <a href="#origin0">origin</a> is not the <a href="#same-origin"
+ title="same origin">same</a> as that of the <code>Document</code> object
+ that owns the <code><a href="#canvas">canvas</a></code> element.
<li>
<p>The element's 2D context's <code title=dom-context-2d-fillStyle><a
@@ -20129,9 +20131,9 @@
<code><a href="#canvaspattern0">CanvasPattern</a></code> object that was
created from an <code><a
href="#htmlimageelement">HTMLImageElement</a></code> whose <a
- href="#origin0">origin</a> differs from that of the
- <code>Document</code> object that owns the <code><a
- href="#canvas">canvas</a></code> element.
+ href="#origin0">origin</a> is not the <a href="#same-origin" title="same
+ origin">same</a> as that of the <code>Document</code> object that owns
+ the <code><a href="#canvas">canvas</a></code> element.
<li>
<p>The element's 2D context's <code title=dom-context-2d-strokeStyle><a
@@ -27780,7 +27782,7 @@
<code>Document</code> is the <a href="#origin0">origin</a> of the <a
href="#active">active document</a> of the new <a
href="#browsing1">browsing context</a>'s <a href="#opener">opener
- browsing context</a> at the time of its creation.
+ browsing context</a> at the time of the new browsing context's creation.
<dt>Otherwise
@@ -27877,9 +27879,10 @@
<ul>
<li>Either the <a href="#origin0">origin</a> of the <a
- href="#active">active document</a> of <var title="">A</var> is the same
- as the <a href="#origin0">origin</a> of the <a href="#active">active
- document</a> of <var title="">B</var>, or
+ href="#active">active document</a> of <var title="">A</var> is the <a
+ href="#same-origin" title="same origin">same</a> as the <a
+ href="#origin0">origin</a> of the <a href="#active">active document</a>
+ of <var title="">B</var>, or
<li>The browsing context <var title="">B</var> an <a
href="#auxiliary0">auxiliary browsing context</a> and either its <a
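Review bot: the unchanged context line "The browsing context B an auxiliary browsing context" is missing the verb; it should read "The browsing context B is an auxiliary browsing context". This commit already rewords the neighbouring bullet, so fix it in the same pass.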
@@ -27890,10 +27893,10 @@
<li>The browsing context <var title="">B</var> is not a <a
href="#top-level">top-level browsing context</a>, but there exists an
<span>ancestor browsing context</span> of <var title="">B</var> whose <a
- href="#active">active document</a> has the same <a
- href="#origin0">origin</a> as the <a href="#active">active document</a>
- of <var title="">A</var> (possibly in fact being <var title="">A</var>
- itself).
+ href="#active">active document</a> has the <a href="#same-origin"
+ title="same origin">same</a> <a href="#origin0">origin</a> as the <a
+ href="#active">active document</a> of <var title="">A</var> (possibly in
+ fact being <var title="">A</var> itself).
</ul>
<h4 id=threads><span class=secno>4.1.5 </span>Threads</h4>
@@ -28324,8 +28327,8 @@
<ol>
<li>
- <p>Let <var title="">uri</var> be the URI for which the origin is being
- determined.
+ <p>Let <var title="">uri</var> be the URI for which the <a
+ href="#origin0">origin</a> is being determined.
<li>
<p>Parse <var title="">uri</var> according to the rules described in
@@ -28343,7 +28346,7 @@
<li>
<p>If the scheme is "<code title="">file</code>", then the user agent
- may return a UA-specific origin.
+ may return a UA-specific value.
<li>
<p>Let <var title="">host</var> be the <host>/<ihost>
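Review bot: "may return a UA-specific value" is underspecified for the same-origin algorithm this patch introduces, which only defines comparison for opaque identifiers and scheme/host/port tuples. A UA-specific value of any other shape leaves "same origin" undefined for file: documents. Constrain the wording to one of those two forms, for example "may return a UA-specific origin, which must be either an opaque identifier or a scheme/host/port tuple", so the comparison steps below always apply.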
@@ -28439,10 +28442,10 @@
<dd>The owner is the script that provided the URI.
</dl>
- <p>The <a href="#origin0">origin</a> of the script is then the same as
- the <a href="#origin0">origin</a> of the owner, and the <a
- href="#effective3">effective script origin</a> of the script is the same
- as the <a href="#effective3">effective script origin</a> of the owner.</p>
+ <p>The <a href="#origin0">origin</a> of the script is then equal to the
+ <a href="#origin0">origin</a> of the owner, and the <a
+ href="#effective3">effective script origin</a> of the script is equal to
+ the <a href="#effective3">effective script origin</a> of the owner.</p>
<dt>For <code>Document</code> objects and images
@@ -28451,8 +28454,9 @@
<dt>If a <code>Document</code> or image was returned by the
<code>XMLHttpRequest</code> API
- <dd>The origin and <a href="#effective3">effective script origin</a> are
- the same as the origin and <a href="#effective3">effective script
+ <dd>The <a href="#origin0">origin</a> and <a
+ href="#effective3">effective script origin</a> are equal to the <a
+ href="#origin0">origin</a> and <a href="#effective3">effective script
origin</a> of the <code>Document</code> object that was the <a
href="#active">active document</a> of the <code><a
href="#window">Window</a></code> object of the browsing context from
@@ -28466,35 +28470,39 @@
href="#the-javascript" title="javascript
protocol"><code>javascript:</code> URI</a>
- <dd>The origin is the same as the origin of the script of that
+ <dd>The <a href="#origin0">origin</a> is equal to the <a
+ href="#origin0">origin</a> of the script of that
<code>javascript:</code> URI.
<dt>If a <code>Document</code> or image was served over the network and
has an address that uses a URI scheme with a server-based naming
authority
- <dd>The origin is the origin of the full URI of the
- <code>Document</code> or image.
+ <dd>The <a href="#origin0">origin</a> is the <a
+ href="#origin0">origin</a> of the full URI of the <code>Document</code>
+ or image.
<dt>If a <code>Document</code> or image was generated from a <code
title="">data:</code> URI that was returned as the location of an HTTP
redirect (or equivalent in other protocols)
- <dd>The origin is the origin of the URI that redirected to the <code
+ <dd>The <a href="#origin0">origin</a> is the <a
+ href="#origin0">origin</a> of the URI that redirected to the <code
title="">data:</code> URI.
<dt>If a <code>Document</code> or image was generated from a <code
title="">data:</code> URI found in another <code>Document</code> or in
a script
- <dd>The origin is the origin of the <code>Document</code> or script in
+ <dd>The <a href="#origin0">origin</a> is the <a
+ href="#origin0">origin</a> of the <code>Document</code> or script in
which the <code title="">data:</code> URI was found.
<dt>If a <code>Document</code> has the URI "<code>about:blank</code>"
- <dd>The origin of the <code>Document</code> is <a
- href="#about-blank-origin">the origin it was assigned when its browsing
- context was created</a>.
+ <dd>The <a href="#origin0">origin</a> of the <code>Document</code> is <a
+ href="#about-blank-origin">the <span>origin</span> it was assigned when
+ its browsing context was created</a>.
<dt>If a <code>Document</code> or image was obtained in some other
manner (e.g. a <code title="">data:</code> URI typed in by the user, a
@@ -28502,8 +28510,8 @@
title="">createDocument()</code> API, a <code title="">data:</code> URI
returned as the location of an HTTP redirect, etc)
- <dd>The origin is a globally unique identifier assigned when the
- <code>Document</code> or image is created.
+ <dd>The <a href="#origin0">origin</a> is a globally unique identifier
+ assigned when the <code>Document</code> or image is created.
</dl>
<p>When a <code>Document</code> is created, unless stated otherwise
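Review bot: the "some other manner" case is contradictory with the case two entries above it. Its e.g. list includes "a data: URI returned as the location of an HTTP redirect", but the earlier dd "If a Document or image was generated from a data: URI that was returned as the location of an HTTP redirect" already assigns that situation the origin of the redirecting URI. Either drop it from the e.g. list or drop the redirect case. Note also that the surviving rule lets any server that can be induced to redirect to a caller-supplied data: URI confer its own origin on that content; that deserves the same `<!-- SECURITY -->` marker this file uses in the application cache section.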
@@ -28522,25 +28530,59 @@
<li>If the <a href="#origin0">origin</a> in question is not a
scheme/host/port tuple, then return the empty string.
- <li>Otherwise, let <var title="">result</var> be the scheme part of the
- origin tuple.
+ <li>Otherwise, let <var title="">result</var> be the scheme part of the <a
+ href="#origin0">origin</a> tuple.
<li>Append the string "<code title="">://</code>" to <var
title="">result</var>.
<li>Apply the IDNA ToUnicode algorithm to each component of the host part
- of the origin tuple, and append the results — each component, in
- the same order, separated by U+002E FULL STOP characters (".") — to
- <var title="">result</var>.
+ of the <a href="#origin0">origin</a> tuple, and append the results
+ — each component, in the same order, separated by U+002E FULL STOP
+ characters (".") — to <var title="">result</var>.
- <li>If the port part of the origin tuple gives a port that is different
- from the default port for the protocol given by the scheme part of the
- origin tuple, then append a U+003A COLON character (":") and the given
- port, in base ten, to <var title="">result</var>.
+ <li>If the port part of the <a href="#origin0">origin</a> tuple gives a
+ port that is different from the default port for the protocol given by
+ the scheme part of the <a href="#origin0">origin</a> tuple, then append a
+ U+003A COLON character (":") and the given port, in base ten, to <var
+ title="">result</var>.
<li>Return <var title="">result</var>.
</ol>
+ <p>Two <a href="#origin0" title=origin>origins</a> are said to be the <dfn
+ id=same-origin>same origin</dfn> if the following algorithm returns true:
+
+ <ol>
+ <li>
+ <p>Let <var title="">A</var> be the first <a href="#origin0">origin</a>
+ being compared, and <var title="">B</var> be the second <a
+ href="#origin0">origin</a> being compared.
+
+ <li>
+ <p>If <var title="">A</var> and <var title="">B</var> are both opaque
+ identifiers, and their value is equal, then return true.
+
+ <li>
+ <p>Otherwise, if either <var title="">A</var> or <var title="">B</var> or
+ both are opaque identifiers, return false.
+
+ <li>
+ <p>If <var title="">A</var> and <var title="">B</var> have scheme
+ components that are not identical, return false.
+
+ <li>
+ <p>If <var title="">A</var> and <var title="">B</var> have host
+ components that are not identical, return false.
+
+ <li>
+ <p>If <var title="">A</var> and <var title="">B</var> have port
+ components that are not identical, return false.
+
+ <li>
+ <p>Return true.
+ </ol>
+
<h4 id=relaxing><span class=secno>4.3.1 </span>Relaxing the same-origin
restriction</h4>
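Review bot: the new same-origin algorithm calls the non-tuple case "opaque identifiers", while the origin-assignment list above calls it "a globally unique identifier"; pick one term so the two cross-reference. Two questions on "identical" in the tuple steps: the serialization steps just above test whether the port "is different from the default port for the protocol", which implies a tuple may carry an explicit default port, so under a literal identity test http://example.com/ and http://example.com:80/ would not be the same origin unless the origin-computation algorithm normalizes the port; either state that normalization there or say here that an absent port and the scheme's default port compare equal. Likewise say that the host component is compared in the canonical (ASCII, case-folded) form produced when the origin was computed, since HTTP host names are case-insensitive and the serialization step applies ToUnicode to a stored ASCII form.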
@@ -28595,8 +28637,9 @@
<li>
<p>Set the port part of the <a href="#effective3">effective script
origin</a> tuple of the <code>Document</code> to "manual override" (a
- value that, for the purposes of comparing origins, is the same as
- "manual override" but not the same as any other value).</p>
+ value that, for the purposes of <a href="#same-origin" title="same
+ origin">comparing origins</a>, is identical to "manual override" but not
+ identical to any other value).</p>
</ol>
<p>The <dfn id=domain0 title="the document's domain">domain</dfn> of a
@@ -28682,16 +28725,17 @@
<p>When a browsing context is <a href="#navigate"
title=navigate>navigated</a> to a <code>javascript:</code> URI, and the <a
- href="#active">active document</a> of that browsing context has the same
- <a href="#origin0">origin</a> as the script given by that URI, the
+ href="#active">active document</a> of that browsing context has the <a
+ href="#same-origin">same origin</a> as the script given by that URI, the
dereference context must be the <a href="#browsing1">browsing context</a>
being navigated.
<p>When a browsing context is <a href="#navigate"
title=navigate>navigated</a> to a <code>javascript:</code> URI, and the <a
- href="#active">active document</a> of that browsing context has a
- <em>different</em> <a href="#origin0">origin</a> than the script given by
- the URI, the dereference context must be an empty object.
+ href="#active">active document</a> of that browsing context has a an <a
+ href="#origin0">origin</a> that is <em>not</em> the <a href="#same-origin"
+ title="same origin">same</a> as that of the script given by the URI, the
+ dereference context must be an empty object.
<p>Otherwise, the dereference context must be an empty object.
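Review bot: typo in the added text: "has a an origin that is not the same" should read "has an origin that is not the same".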
@@ -29378,8 +29422,9 @@
and that
<li>have an <a href="#active">active document</a> whose <a
- href="#origin0">origin</a> is the same as the origin of the script that
- called the <code title=dom-showModalDialog><a
+ href="#origin0">origin</a> is the <a href="#same-origin" title="same
+ origin">same</a> as the <a href="#origin0">origin</a> of the script
+ that called the <code title=dom-showModalDialog><a
href="#showmodaldialog">showModalDialog()</a></code> method at the time
the method was called,</li>
<!-- Note that changing
@@ -29457,11 +29502,12 @@
title=dom-modalWindow-dialogArguments><code>dialogArguments</code></dfn>
DOM attribute, on getting, must check whether its browsing context's <a
href="#active">active document</a>'s <a href="#origin0">origin</a> is the
- same as the <a href="#dialog1">dialog arguments' origin</a>. If it is,
- then the browsing context's <a href="#dialog0">dialog arguments</a> must
- be returned unchanged. Otherwise, if the <a href="#dialog0">dialog
- arguments</a> are an object, then the empty string must be returned, and
- if the <a href="#dialog0">dialog arguments</a> are not an object, then the
+ <a href="#same-origin" title="same origin">same</a> as the <a
+ href="#dialog1">dialog arguments' origin</a>. If it is, then the browsing
+ context's <a href="#dialog0">dialog arguments</a> must be returned
+ unchanged. Otherwise, if the <a href="#dialog0">dialog arguments</a> are
+ an object, then the empty string must be returned, and if the <a
+ href="#dialog0">dialog arguments</a> are not an object, then the
stringification of the <a href="#dialog0">dialog arguments</a> must be
returned.
@@ -29865,7 +29911,8 @@
attribute. The manifest is downloaded and processed during the <a
href="#application1">application cache update process</a>. All the <a
href="#implicit" title=concept-appcache-implicit>implicit entries</a>
- have the same <a href="#origin0">origin</a> as the manifest.
+ have the <a href="#same-origin" title="same origin">same origin</a> as
+ the manifest.
<dt><dfn id=explicit title=concept-appcache-explicit>Explicit
entries</dfn>
@@ -29912,8 +29959,8 @@
title=concept-appcache-matches-oppcache>prefix match patterns</a>, each
of which is mapped to a <a href="#fallback0"
title=concept-appcache-fallback>fallback entry</a>. Each namespace URI
- prefix, when parsed as a URI, has the same <a href="#origin0">origin</a>
- as <a href="#the-manifest" title=concept-appcache-manifest>the
+ prefix, when parsed as a URI, has the <a href="#same-origin">same
+ origin</a> as <a href="#the-manifest" title=concept-appcache-manifest>the
manifest</a>.
<li>Zero or more URIs that form the <dfn id=online
@@ -30047,7 +30094,8 @@
<p><a href="#opportunistic"
title=concept-appcache-oppcache-ns>Opportunistic caching namespaces</a>
- must have the same <a href="#origin0">origin</a> as the manifest itself.
+ must have the <a href="#same-origin">same origin</a> as the manifest
+ itself.
<p>An opportunistic caching namespace must not be listed more than once.
@@ -30227,8 +30275,9 @@
namespace</a>, then jump back to the step labeled "start of line".</p>
<p>If the absolute URI or IRI corresponding to <var title="">part
- one</var> does not have the same <a href="#origin0">origin</a> as the
- manifest's URI, then jump back to the step labeled "start of line".</p>
+ one</var> does not have the <a href="#same-origin">same origin</a> as
+ the manifest's URI, then jump back to the step labeled "start of
+ line".</p>
<!-- SECURITY -->
<p>If the absolute URI or IRI corresponding to <var title="">part
two</var> has a different <scheme> component than the manifest's
@@ -30659,9 +30708,9 @@
<p>A URI <dfn id=matches title=concept-appcache-matches-oppcache>matches an
opportunistic caching namespace</dfn> if there exists an <a
href="#application0">application cache</a> whose <a href="#the-manifest"
- title=concept-appcache-manifest>manifest</a>'s URI has the same <a
- href="#origin0">origin</a> as the URI in question, and if that application
- cache has an <a href="#opportunistic"
+ title=concept-appcache-manifest>manifest</a>'s URI has the <a
+ href="#same-origin">same origin</a> as the URI in question, and if that
+ application cache has an <a href="#opportunistic"
title=concept-appcache-oppcache-ns>opportunistic caching namespace</a>
with a <path> component that exactly matches the start of the
<path> component of the URI being examined. If multiple
@@ -30740,9 +30789,9 @@
<dd>
<ol>
<li>
- <p>If the manifest URI does not have the same <a
- href="#origin0">origin</a> as the resource's own URI, then invoke the
- <a href="#application3"
+ <p>If the manifest URI does not have the <a href="#same-origin">same
+ origin</a> as the resource's own URI, then invoke the <a
+ href="#application3"
title=concept-appcache-init-no-attribute>application cache selection
algorithm</a> again, but without a manifest, and abort these steps.
@@ -30839,12 +30888,12 @@
fetch the resource from the cache and abort these steps.
<li>
- <p>If the resource's URI has the same <a href="#origin0">origin</a> as
- the manifest's URI, and the start of the resource's URI's <path>
- component is exactly matched by the <path> component of an <a
- href="#opportunistic" title=concept-appcache-oppcache-ns>opportunistic
- caching namespace</a> in the <a href="#application0">application
- cache</a>, then:
+ <p>If the resource's URI has the <a href="#same-origin">same origin</a>
+ as the manifest's URI, and the start of the resource's URI's
+ <path> component is exactly matched by the <path> component
+ of an <a href="#opportunistic"
+ title=concept-appcache-oppcache-ns>opportunistic caching namespace</a>
+ in the <a href="#application0">application cache</a>, then:
<p>Fetch the resource normally. If this results 4xx or 5xx status codes
or equivalent, or if there were network errors (but not if the user
@@ -31667,8 +31716,9 @@
<p>User agents must raise a <a href="#security9">security exception</a>
whenever any of the members of a <code><a
href="#location2">Location</a></code> object are accessed by scripts whose
- <a href="#effective3">effective script origin</a> is not the same as the
- <code><a href="#location2">Location</a></code> object's associated
+ <a href="#effective3">effective script origin</a> is not the <a
+ href="#same-origin" title="same origin">same</a> as the <code><a
+ href="#location2">Location</a></code> object's associated
<code>Document</code>'s <a href="#effective3">effective script origin</a>,
with the following exceptions:
@@ -31772,9 +31822,9 @@
href="#top-level">top-level browsing context</a>, then check if there
are any <a href="#application0" title="application cache">application
caches</a> that have a <a href="#the-manifest"
- title=concept-appcache-manifest>manifest</a> with the same <a
- href="#origin0">origin</a> as the URI in question, and that have this
- URI as one of their entries (excluding entries marked as <a
+ title=concept-appcache-manifest>manifest</a> with the <a
+ href="#same-origin">same origin</a> as the URI in question, and that
+ have this URI as one of their entries (excluding entries marked as <a
href="#foreign" title=concept-appcache-foreign>foreign</a>), and that
already contain their manifest, categorised as a <a href="#the-manifest"
title=concept-appcache-manifest>manifest</a>. If so, then the user agent
@@ -32348,17 +32398,17 @@
<li>If the browsing context is a <a href="#top-level">top-level browsing
context</a> (and not an <a href="#auxiliary0">auxiliary browsing
context</a>), and the <a href="#origin0">origin</a> of the
- <code>Document</code> of the <i>specified entry</i> is not the same as
- the <a href="#origin0">origin</a> of the <code>Document</code> of the
- <a href="#current1">current entry</a>, then the following sub-sub-steps
+ <code>Document</code> of the <i>specified entry</i> is not the <a
+ href="#same-origin" title="same origin">same</a> as the <a
+ href="#origin0">origin</a> of the <code>Document</code> of the <a
+ href="#current1">current entry</a>, then the following sub-sub-steps
must be run:
<ol>
<li>The current <a href="#browsing2">browsing context name</a> must be
stored with all the entries in the history that are associated with
- <code>Document</code> objects with the same <a
- href="#origin0">origin</a> as the <a href="#active">active
- document</a> <em>and</em> that are contiguous with the <a
- href="#current1">current entry</a>.
+ <code>Document</code> objects with the <a href="#same-origin">same
+ origin</a> as the <a href="#active">active document</a> <em>and</em>
+ that are contiguous with the <a href="#current1">current entry</a>.
<li id=resetBCName>The browsing context's <a
href="#browsing2">browsing context name</a> must be unset.
@@ -32380,7 +32430,7 @@
<li>Any <a href="#browsing2">browsing context name</a> stored with the
entries in the history that are associated with <code>Document</code>
- objects with the same <a href="#origin0">origin</a> as the new <a
+ objects with the <a href="#same-origin">same origin</a> as the new <a
href="#active">active document</a>, and that are contiguous with the
specified entry, must be cleared.
</ol>
@@ -33241,7 +33291,9 @@
title=dom-sessionStorage><a
href="#sessionstorage">sessionStorage</a></code> DOM attribute. Sites can
add data to the session storage, and it will be accessible to any page
- from that <a href="#origin0">origin</a> opened in that window.
+ from the same site opened in that window.</p>
+ <!-- we're
+ not using xrefs here because this is just an intro -->
<div class=example>
<p>For example, a page could have a checkbox that the user ticks to
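Review bot: replacing "origin" with "site" in this intro changes the stated security boundary, comment or not. "Site" is not a defined term in the spec and is commonly read as a registrable domain, which is broader than the per-origin partitioning the normative text below requires ("a session storage area for that document's origin"); an author reading only the intro could conclude that https://a.example.com and http://b.example.com share session storage. Keep "origin" here, unlinked if an xref is unwanted; the same applies to "Each site has its own separate storage area" in the next hunk.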
@@ -33304,7 +33356,7 @@
</script></pre>
</div>
- <p>Each <a href="#origin0">origin</a> has its own separate storage area.
+ <p>Each site has its own separate storage area.
<p>Storage areas (both session storage and local storage) store strings. To
store structured data in a storage area, you must first convert it to a
@@ -33457,7 +33509,8 @@
created, the user agent must check to see if the document's <a
href="#top-level">top-level browsing context</a> has allocated a session
storage area for that document's <a href="#origin0">origin</a>. If it has
- not, a new storage area for that document's origin must be created.
+ not, a new storage area for that document's <a href="#origin0">origin</a>
+ must be created.
<p>The <code><a href="#storage0">Storage</a></code> object for the
document's associated <code><a href="#window">Window</a></code> object's
@@ -33477,7 +33530,7 @@
context</a>, or by the user following a link in an existing browsing
context, or in some other way related to a specific <code><a
href="#htmldocument">HTMLDocument</a></code>, then the session storage
- area of the origin of that <code><a
+ area of the <a href="#origin0">origin</a> of that <code><a
href="#htmldocument">HTMLDocument</a></code> must be copied into the new
browsing context when it is created. From that point on, however, the two
session storage areas must be considered separate, not affecting each
@@ -33523,7 +33576,7 @@
user agent must check to see if it has allocated local storage area for
the <a href="#origin0">origin</a> of the <a href="#browsing1">browsing
context</a> within which the script is running. If it has not, a new
- storage area for that origin must be created.
+ storage area for that <a href="#origin0">origin</a> must be created.
<p>The user agent must then create a <code><a
href="#storage0">Storage</a></code> object associated with that origin's
@@ -33642,13 +33695,14 @@
<p>There are various ways of implementing this requirement. One is that if
a script running in one browsing context accesses a local storage area,
the UA blocks scripts in other browsing contexts when they try to access
- the local storage area for the same origin until the first script has
- executed to completion. (Similarly, when a script in one browsing context
- accesses its session storage area, any scripts that have the same top
- level browsing context and the same origin would block when accessing
- their session storage area until the first script has executed to
- completion.) Another (potentially more efficient but probably more
- complex) implementation strategy is to use optimistic transactional script
+ the local storage area for the <a href="#same-origin">same origin</a>
+ until the first script has executed to completion. (Similarly, when a
+ script in one browsing context accesses its session storage area, any
+ scripts that have the same top level browsing context and the <a
+ href="#same-origin">same origin</a> would block when accessing their
+ session storage area until the first script has executed to completion.)
+ Another (potentially more efficient but probably more complex)
+ implementation strategy is to use optimistic transactional script
execution. This specification does not require any particular
implementation strategy, so long as the requirement above is met.
@@ -34279,9 +34333,9 @@
local storage areas and databases.</p>
<li>
- <p>Origin-tracking of persistent storage data: user agents may record the
- origins of sites that contained content from third-party origins that
- caused data to be stored.</p>
+ <p><a href="#origin0">Origin</a>-tracking of persistent storage data:
+ user agents may record the origins of sites that contained content from
+ third-party origins that caused data to be stored.</p>
<p>If this information is then used to present the view of data currently
in persistent storage, it would allow the user to make informed
@@ -34556,8 +34610,8 @@
<dl class=switch>
<dt>If both the URI of the <code>Document</code> object containing the
- hyperlink being audited and the ping URI have the same <a
- href="#origin0">origin</a>
+ hyperlink being audited and the ping URI have the <a
+ href="#same-origin">same origin</a>
<dd>The request must include a <code title="">Ping-From</code> HTTP header
with, as its value, the location of the document containing the
@@ -39019,7 +39073,7 @@
attribute must be set to the value of the <var title="">data</var>
buffer, the <code title=dom-MessageEvent-origin><a
href="#origin1">origin</a></code> attribute must be set to the <a
- href="#origin0">origin</a> of the event stream, the <code
+ href="#origin0">origin</a> of the event stream's URI, the <code
title=dom-MessageEvent-lastEventId><a
href="#lasteventid">lastEventId</a></code> attribute must be set to the
<span>last event ID string</span> of the event source, and the <code
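Review bot: "the origin of the event stream's URI" is ambiguous when the event stream is fetched through a redirect: the URI the EventSource was created with and the URI the data finally came from can have different origins, and the origin attribute is what receivers use to decide whether to trust a message. State which URI is meant, for example "the origin of the URI from which the event stream was ultimately obtained, after any redirects".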
@@ -39385,17 +39439,18 @@
<p>When this constructor is invoked, the following steps must be followed.
- <p>First, if the domain part of the script's <a href="#origin0">origin</a>
- is not a host name (e.g. it is an IP address) then the UA must raise a <a
+ <p>First, if the host part of the script's <a href="#origin0">origin</a> is
+ not a host name (e.g. it is an IP address) then the UA must raise a <a
href="#security9">security exception</a>. <span class=issue>We currently
don't allow connections to be set up back to an originating IP address,
but we could, if the subdomain is the empty string.</span>
<p>Then, if the <var title="">subdomain</var> argument is null or the empty
- string, the target host is the domain part of the script's <a
+ string, the target host is the host part of the script's <a
href="#origin0">origin</a>. Otherwise, the <var title="">subdomain</var>
- argument is prepended to the domain part of the script's origin with a dot
- separating the two strings, and that is the target host.
+ argument is prepended to the host part of the script's <a
+ href="#origin0">origin</a> with a dot separating the two strings, and that
+ is the target host.
<p>If either:
@@ -40036,7 +40091,7 @@
than a single literal U+002A ASTERISK character ("*"), and the <a
href="#active">active document</a> of the <code><a
href="#window">Window</a></code> object on which the method was invoked
- does not have the same <a href="#origin0">origin</a> as <var
+ does not have the <a href="#same-origin">same origin</a> as <var
title="">targetOrigin</var>, then abort these steps silently.</p>
<li>
@@ -40118,8 +40173,10 @@
</div>
<p class=warning>The integrity of this API is based on the inability for
- scripts of one origin to post arbitrary events (using <code
- title="">dispatchEvent()</code> or otherwise) to objects in other origins.
+ scripts of one <a href="#origin0">origin</a> to post arbitrary events
+ (using <code title="">dispatchEvent()</code> or otherwise) to objects in
+ other origins (those that are not the <a href="#same-origin" title="same
+ origin">same</a>).
<p class=note>Implementors are urged to take extra care in the
implementation of this feature. It allows authors to transmit information
Modified: source
===================================================================
--- source 2008-05-16 00:34:40 UTC (rev 1633)
+++ source 2008-05-16 01:19:05 UTC (rev 1634)
@@ -988,8 +988,8 @@
<p>User agents must raise a <span>security exception</span> whenever
any of the members of an <code>HTMLDocument</code> object are
accessed by scripts whose <span>effective script origin</span> is
- not the same as the <code>Document</code>'s <span>effective script
- origin</span>.</p>
+ not the <span title="same origin">same</span> as the
+ <code>Document</code>'s <span>effective script origin</span>.</p>
@@ -11979,7 +11979,8 @@
rudimentary port scan of the user's local network (especially in
conjunction with scripting, though scripting isn't actually
necessary to carry out such an attack). User agents may implement
- cross-origin access control policies that mitigate this attack.</p>
+ <span title="origin">cross-origin</span> access control policies
+ that mitigate this attack.</p>
<p>Once the download has completed, if the image is a valid image,
the user agent must <span>fire a <code
@@ -12255,8 +12256,6 @@
<span>reflect</span> the content attribute of the same name.</p>
-
-
<h4>The <dfn><code>embed</code></dfn> element</h4>
<dl class="element">
@@ -17832,7 +17831,8 @@
<h5>Security with <code>canvas</code> elements</h5>
<p><strong>Information leakage</strong> can occur if scripts from
- one <span>origin</span> are exposed to images from another origin.</p>
+ one <span>origin</span> are exposed to images from another origin
+ (one that isn't the <span title="same origin">same</span>).</p>
<p>To mitigate this, <code>canvas</code> elements are defined to
have a flag indicating whether they are <i>origin-clean</i>. All
@@ -17845,8 +17845,9 @@
<li><p>The element's 2D context's <code
title="dom-context-2d-drawImage">drawImage()</code> method is
called with an <code>HTMLImageElement</code> whose
- <span>origin</span> differs from that of the <code>Document</code>
- object that owns the <code>canvas</code> element.</p></li>
+ <span>origin</span> is not the <span title="same
+ origin">same</span> as that of the <code>Document</code> object
+ that owns the <code>canvas</code> element.</p></li>
<li><p>The element's 2D context's <code
title="dom-context-2d-drawImage">drawImage()</code> method is
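Review bot: The origin-clean test compares the image's origin with the <code>Document</code>'s origin, not its effective script origin, so a later <code>document.domain</code> relaxation never un-taints a canvas; that is the right choice but worth one sentence here. Note also that under the new same-origin definition two opaque identifiers compare equal only when they are the same value, so an image with a globally unique origin (a <code>data:</code> URI typed by the user) always taints, whereas a <code>data:</code> URI found in the <code>Document</code> inherits its origin and does not taint. The same applies to the <code>fillStyle</code> and <code>strokeStyle</code> items below.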
@@ -17856,9 +17857,10 @@
<li><p>The element's 2D context's <code
title="dom-context-2d-fillStyle">fillStyle</code> attribute is set
to a <code>CanvasPattern</code> object that was created from an
- <code>HTMLImageElement</code> whose <span>origin</span> differs
- from that of the <code>Document</code> object that owns the
- <code>canvas</code> element.</p></li>
+ <code>HTMLImageElement</code> whose <span>origin</span> is not the
+ <span title="same origin">same</span> as that of the
+ <code>Document</code> object that owns the <code>canvas</code>
+ element.</p></li>
<li><p>The element's 2D context's <code
title="dom-context-2d-fillStyle">fillStyle</code> attribute is set
@@ -17869,9 +17871,10 @@
<li><p>The element's 2D context's <code
title="dom-context-2d-strokeStyle">strokeStyle</code> attribute is
set to a <code>CanvasPattern</code> object that was created from an
- <code>HTMLImageElement</code> whose <span>origin</span> differs
- from that of the <code>Document</code> object that owns the
- <code>canvas</code> element.</p></li>
+ <code>HTMLImageElement</code> whose <span>origin</span> is not the
+ <span title="same origin">same</span> as that of the
+ <code>Document</code> object that owns the <code>canvas</code>
+ element.</p></li>
<li><p>The element's 2D context's <code
title="dom-context-2d-strokeStyle">strokeStyle</code> attribute is
@@ -25479,7 +25482,7 @@
<code>Document</code> is the <span>origin</span> of the
<span>active document</span> of the new <span>browsing
context</span>'s <span>opener browsing context</span> at the time
- of its creation.</dd>
+ of the new browsing context's creation.</dd>
<dt>Otherwise</dt>
@@ -25582,9 +25585,9 @@
<ul>
<li>Either the <span>origin</span> of the <span>active
- document</span> of <var title="">A</var> is the same as the
- <span>origin</span> of the <span>active document</span> of <var
- title="">B</var>, or</li>
+ document</span> of <var title="">A</var> is the <span title="same
+ origin">same</span> as the <span>origin</span> of the <span>active
+ document</span> of <var title="">B</var>, or</li>
<li>The browsing context <var title="">B</var> an <span>auxiliary
browsing context</span> and either its <span>opener browsing
@@ -25595,9 +25598,10 @@
<li>The browsing context <var title="">B</var> is not a
<span>top-level browsing context</span>, but there exists an
<span>ancestor browsing context</span> of <var title="">B</var>
- whose <span>active document</span> has the same <span>origin</span>
- as the <span>active document</span> of <var title="">A</var>
- (possibly in fact being <var title="">A</var> itself).</li>
+ whose <span>active document</span> has the <span title="same
+ origin">same</span> <span>origin</span> as the <span>active
+ document</span> of <var title="">A</var> (possibly in fact being
+ <var title="">A</var> itself).</li>
</ul>
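Review bot: "<span title="same origin">same</span> <span>origin</span>" splits one defined term into two cross-references; the rest of the patch uses the single form "<span>same origin</span>". Collapse it here so the definition link covers the whole term.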
@@ -26047,7 +26051,7 @@
<ol>
<li><p>Let <var title="">uri</var> be the URI for which the
- origin is being determined.</p></li>
+ <span>origin</span> is being determined.</p></li>
<li><p>Parse <var title="">uri</var> according to the rules
described in RFC 3986 and RFC 3987. <a
@@ -26064,7 +26068,7 @@
identifier.</p></li>
<li><p>If the scheme is "<code title="">file</code>", then the
- user agent may return a UA-specific origin.</p></li>
+ user agent may return a UA-specific value.</p></li>
<li><p>Let <var title="">host</var> be the
<host>/<ihost> component of the URI.</p></li>
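Review bot: "a UA-specific value" leaves the file: case outside the new same-origin algorithm, which only defines a result for opaque identifiers and scheme/host/port tuples. Require the value to be one of those two forms (an opaque identifier per <code>Document</code> would be the conservative choice) so that two file: documents have a defined same-origin result.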
@@ -26173,10 +26177,10 @@
</dl>
- <p>The <span>origin</span> of the script is then the same as the
+ <p>The <span>origin</span> of the script is then equal to the
<span>origin</span> of the owner, and the <span>effective script
- origin</span> of the script is the same as the <span>effective
- script origin</span> of the owner.</p>
+ origin</span> of the script is equal to the <span>effective script
+ origin</span> of the owner.</p>
</dd>
@@ -26189,13 +26193,14 @@
<dt>If a <code>Document</code> or image was returned by the
<code>XMLHttpRequest</code> API</dt>
- <dd>The origin and <span>effective script origin</span> are the
- same as the origin and <span>effective script origin</span> of
- the <code>Document</code> object that was the <span>active
- document</span> of the <code>Window</code> object of the browsing
- context from which the <code>XMLHttpRequest</code> constructor
- was invoked. (That is, they track the <code>Document</code> to
- which the <code>XMLHttpRequest</code> object's <a
+ <dd>The <span>origin</span> and <span>effective script
+ origin</span> are equal to the <span>origin</span> and
+ <span>effective script origin</span> of the <code>Document</code>
+ object that was the <span>active document</span> of the
+ <code>Window</code> object of the browsing context from which the
+ <code>XMLHttpRequest</code> constructor was invoked. (That is,
+ they track the <code>Document</code> to which the
+ <code>XMLHttpRequest</code> object's <a
href="http://dev.w3.org/2006/webapi/XMLHttpRequest-2/Overview.html#document-pointer"><code>Document</code>
pointer</a> pointed when it was created.) <a
href="#refsXHR">[XHR]</a></dd>
@@ -26205,50 +26210,52 @@
<span title="javascript protocol"><code>javascript:</code>
URI</span></dt>
- <dd>The origin is the same as the origin of the script of that
- <code>javascript:</code> URI.</dd>
+ <dd>The <span>origin</span> is equal to the <span>origin</span>
+ of the script of that <code>javascript:</code> URI.</dd>
<dt>If a <code>Document</code> or image was served over the
network and has an address that uses a URI scheme with a
server-based naming authority</dt>
- <dd>The origin is the origin of the full URI of the
- <code>Document</code> or image.</dd>
+ <dd>The <span>origin</span> is the <span>origin</span> of the
+ full URI of the <code>Document</code> or image.</dd>
<dt>If a <code>Document</code> or image was generated from a
- <code title="">data:</code> URI that was returned as the location of an
- HTTP redirect (or equivalent in other protocols)</dt>
+ <code title="">data:</code> URI that was returned as the location
+ of an HTTP redirect (or equivalent in other protocols)</dt>
- <dd>The origin is the origin of the URI that redirected to the
- <code title="">data:</code> URI.</dd>
+ <dd>The <span>origin</span> is the <span>origin</span> of the URI
+ that redirected to the <code title="">data:</code> URI.</dd>
<dt>If a <code>Document</code> or image was generated from a
- <code title="">data:</code> URI found in another <code>Document</code> or
- in a script</dt>
+ <code title="">data:</code> URI found in another
+ <code>Document</code> or in a script</dt>
- <dd>The origin is the origin of the <code>Document</code> or
- script in which the <code title="">data:</code> URI was found.</dd>
+ <dd>The <span>origin</span> is the <span>origin</span> of the
+ <code>Document</code> or script in which the <code
+ title="">data:</code> URI was found.</dd>
<dt>If a <code>Document</code> has the URI
"<code>about:blank</code>"</dt>
- <dd>The origin of the <code>Document</code> is <a
- href="#about-blank-origin">the origin it was assigned when its
- browsing context was created</a>.</dd>
+ <dd>The <span>origin</span> of the <code>Document</code> is <a
+ href="#about-blank-origin">the <span>origin</span> it was
+ assigned when its browsing context was created</a>.</dd>
<dt>If a <code>Document</code> or image was obtained in some
- other manner (e.g. a <code title="">data:</code> URI typed in by the user,
- a <code>Document</code> created using the <code
- title="">createDocument()</code> API, a <code title="">data:</code> URI
- returned as the location of an HTTP redirect, etc)</dt>
+ other manner (e.g. a <code title="">data:</code> URI typed in by
+ the user, a <code>Document</code> created using the <code
+ title="">createDocument()</code> API, a <code
+ title="">data:</code> URI returned as the location of an HTTP
+ redirect, etc)</dt>
- <dd>The origin is a globally unique identifier assigned when the
- <code>Document</code> or image is created.</dd>
+ <dd>The <span>origin</span> is a globally unique identifier
+ assigned when the <code>Document</code> or image is created.</dd>
</dl>
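Review bot: Two entries in this list now disagree for the same case: "a data: URI that was returned as the location of an HTTP redirect" gets the origin of the redirecting URI in its own <dt>/<dd>, while the catch-all <dt> ("obtained in some other manner") still lists "a data: URI returned as the location of an HTTP redirect" among the cases that receive a globally unique identifier. Drop it from the catch-all list or reconcile the two. While here, "globally unique identifier" and the "opaque identifiers" of the new same-origin definition should be one defined term, so that step 2 of that algorithm unambiguously covers these origins.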
@@ -26273,28 +26280,57 @@
scheme/host/port tuple, then return the empty string.</li>
<li>Otherwise, let <var title="">result</var> be the scheme part of
- the origin tuple.</li>
+ the <span>origin</span> tuple.</li>
<li>Append the string "<code title="">://</code>" to <var
title="">result</var>.</li>
<li>Apply the IDNA ToUnicode algorithm to each component of the
- host part of the origin tuple, and append the results — each
- component, in the same order, separated by U+002E FULL STOP
- characters (".") — to <var title="">result</var>.</li>
+ host part of the <span>origin</span> tuple, and append the results
+ — each component, in the same order, separated by U+002E FULL
+ STOP characters (".") — to <var title="">result</var>.</li>
- <li>If the port part of the origin tuple gives a port that is
- different from the default port for the protocol given by the
- scheme part of the origin tuple, then append a U+003A COLON
- character (":") and the given port, in base ten, to <var
- title="">result</var>.</li>
+ <li>If the port part of the <span>origin</span> tuple gives a port
+ that is different from the default port for the protocol given by
+ the scheme part of the <span>origin</span> tuple, then append a
+ U+003A COLON character (":") and the given port, in base ten, to
+ <var title="">result</var>.</li>
<li>Return <var title="">result</var>.</li>
</ol>
+ <p>Two <span title="origin">origins</span> are said to be the
+ <dfn>same origin</dfn> if the following algorithm returns true:</p>
+ <ol>
+ <li><p>Let <var title="">A</var> be the first <span>origin</span>
+ being compared, and <var title="">B</var> be the second
+ <span>origin</span> being compared.</p></li>
+
+ <li><p>If <var title="">A</var> and <var title="">B</var> are both
+ opaque identifiers, and their value is equal, then return
+ true.</p></li>
+
+ <li><p>Otherwise, if either <var title="">A</var> or <var
+ title="">B</var> or both are opaque identifiers, return
+ false.</p></li>
+
+ <li><p>If <var title="">A</var> and <var title="">B</var> have
+ scheme components that are not identical, return false.</p></li>
+
+ <li><p>If <var title="">A</var> and <var title="">B</var> have host
+ components that are not identical, return false.</p></li>
+
+ <li><p>If <var title="">A</var> and <var title="">B</var> have port
+ components that are not identical, return false.</p></li>
+
+ <li><p>Return true.</p></li>
+
+ </ol>
+
+
<h4>Relaxing the same-origin restriction</h4>
<p>The <dfn title="dom-document-domain"><code>domain</code></dfn>
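Review bot: Steps 4 to 6 compare tuple components for being "identical" without saying what canonical form the tuple stores, and the serialization algorithm directly above shows that host components may need IDNA ToUnicode applied, so a tuple built from an A-label host and one built from a U-label host for the same name would compare as different origins; state the stored form (and that the scheme is compared after case-folding, since RFC 3986 schemes are case-insensitive). Likewise "If the port part of the origin tuple gives a port that is different from the default port" assumes the tuple always carries a port; confirm that the tuple-construction steps fill in the scheme's default when the URI omits it, otherwise http://example.com/ and http://example.com:80/ are different origins under step 6.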
@@ -26377,8 +26413,9 @@
<p>Set the port part of the <span>effective script origin</span>
tuple of the <code>Document</code> to "manual override" (a value
- that, for the purposes of comparing origins, is the same as
- "manual override" but not the same as any other value).</p>
+ that, for the purposes of <span title="same origin">comparing
+ origins</span>, is identical to "manual override" but not
+ identical to any other value).</p>
</li>
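Review bot: Setting the port to the "manual override" sentinel on both sides means two documents that both relax <code>document.domain</code> compare as same origin even when their real ports differ (step 6 of the same-origin algorithm sees identical sentinels); scheme and host still have to match, but port isolation is gone. That is presumably intended, but a note saying so next to this step would stop an implementer from keeping the real port and breaking interoperability.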
@@ -26479,15 +26516,16 @@
<p>When a browsing context is <span
title="navigate">navigated</span> to a <code>javascript:</code> URI,
and the <span>active document</span> of that browsing context has
- the same <span>origin</span> as the script given by that URI, the
+ the <span>same origin</span> as the script given by that URI, the
dereference context must be the <span>browsing context</span> being
navigated.</p>
<p>When a browsing context is <span
title="navigate">navigated</span> to a <code>javascript:</code> URI,
and the <span>active document</span> of that browsing context has a
- <em>different</em> <span>origin</span> than the script given by the
- URI, the dereference context must be an empty object.</p>
+ an <span>origin</span> that is <em>not</em> the <span title="same
+ origin">same</span> as that of the script given by the URI, the
+ dereference context must be an empty object.</p>
<p>Otherwise, the dereference context must be an empty object.</p>
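Review bot: Joined with the unchanged context line "...of that browsing context has a", the added line produces "has a an origin that is not the same"; either the context line needs to lose its trailing "a" or the added line its leading "an".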
@@ -27143,8 +27181,8 @@
called, and that</li>
<li>have an <span>active document</span> whose
- <span>origin</span> is the same as the origin of the script that
- called the <code
+ <span>origin</span> is the <span title="same origin">same</span>
+ as the <span>origin</span> of the script that called the <code
title="dom-showModalDialog">showModalDialog()</code> method at
the time the method was called,</li> <!-- Note that changing
document.domain to talk to another domain doesn't make you able
@@ -27247,14 +27285,14 @@
<p>The <dfn
title="dom-modalWindow-dialogArguments"><code>dialogArguments</code></dfn>
DOM attribute, on getting, must check whether its browsing context's
- <span>active document</span>'s <span>origin</span> is the same as
- the <span>dialog arguments' origin</span>. If it is, then the
- browsing context's <span>dialog arguments</span> must be returned
- unchanged. Otherwise, if the <span>dialog arguments</span> are an
- object, then the empty string must be returned, and if the
- <span>dialog arguments</span> are not an object, then the
- stringification of the <span>dialog arguments</span> must be
- returned.
+ <span>active document</span>'s <span>origin</span> is the <span
+ title="same origin">same</span> as the <span>dialog arguments'
+ origin</span>. If it is, then the browsing context's <span>dialog
+ arguments</span> must be returned unchanged. Otherwise, if the
+ <span>dialog arguments</span> are an object, then the empty string
+ must be returned, and if the <span>dialog arguments</span> are not
+ an object, then the stringification of the <span>dialog
+ arguments</span> must be returned.
<p>These browsing contexts also have an associated <dfn>return
value</dfn>. The <span>return value</span> of a browsing context
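Review bot: In the branch where the origins are not the same, a non-object dialog argument is still returned as its stringification, so a string or number passed by the caller is readable by a dialog document of a different origin; only object arguments are withheld. If passing primitives across origins is intended, say so explicitly; otherwise return the empty string in both branches.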
@@ -27688,7 +27726,7 @@
manifest is downloaded and processed during the <span>application
cache update process</span>. All the <span
title="concept-appcache-implicit">implicit entries</span> have
- the same <span>origin</span> as the manifest.
+ the <span title="same origin">same origin</span> as the manifest.
<dt><dfn title="concept-appcache-explicit">Explicit entries</dfn>
@@ -27738,8 +27776,9 @@
title="concept-appcache-matches-oppcache">prefix match
patterns</span>, each of which is mapped to a <span
title="concept-appcache-fallback">fallback entry</span>. Each
- namespace URI prefix, when parsed as a URI, has the same <span>origin</span> as <span
- title="concept-appcache-manifest">the manifest</span>.</li>
+ namespace URI prefix, when parsed as a URI, has the <span>same
+ origin</span> as <span title="concept-appcache-manifest">the
+ manifest</span>.</li>
<li>Zero or more URIs that form the <dfn
title="concept-appcache-onlinewhitelist">online whitelist</dfn>.
@@ -27884,8 +27923,8 @@
sections.</p>
<p><span title="concept-appcache-oppcache-ns">Opportunistic caching
- namespaces</span> must have the same <span>origin</span>
- as the manifest itself.</p>
+ namespaces</span> must have the <span>same origin</span> as the
+ manifest itself.</p>
<p>An opportunistic caching namespace must not be listed more than
once.</p>
@@ -28069,8 +28108,9 @@
line".</p>
<p>If the absolute URI or IRI corresponding to <var
- title="">part one</var> does not have the same <span>origin</span> as the manifest's URI, then jump back to
- the step labeled "start of line".</p> <!-- SECURITY -->
+ title="">part one</var> does not have the <span>same
+ origin</span> as the manifest's URI, then jump back to the step
+ labeled "start of line".</p> <!-- SECURITY -->
<p>If the absolute URI or IRI corresponding to <var
title="">part two</var> has a different <scheme> component
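Review bot: The same-origin test is applied to part one only; the check on part two that follows compares just the <scheme> component, so a fallback entry may be served from another origin with the same scheme. If that is intended, add a sentence saying so; otherwise apply the same same-origin test to part two.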
@@ -28527,8 +28567,8 @@
opportunistic caching namespace</dfn> if there exists an
<span>application cache</span> whose <span
title="concept-appcache-manifest">manifest</span>'s URI has the
- same <span>origin</span> as the URI in question, and if
- that application cache has an <span
+ <span>same origin</span> as the URI in question, and if that
+ application cache has an <span
title="concept-appcache-oppcache-ns">opportunistic caching
namespace</span> with a <path> component that exactly matches
the start of the <path> component of the URI being
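Review bot: "exactly matches the start of the <path> component" is a plain string-prefix match, so an opportunistic caching namespace with path /app also captures /appendix/... and /app-admin/...; either require the match to end at a "/" (or at the end of the path) or state that namespace paths are matched as raw prefixes so authors know to end them with a slash. The matching rule in the cache update step below ("the start of the resource's URI's <path> component is exactly matched by") has the same shape.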
@@ -28625,11 +28665,11 @@
<ol>
- <li><p>If the manifest URI does not have the same
- <span>origin</span> as the resource's own URI, then invoke the
- <span title="concept-appcache-init-no-attribute">application
- cache selection algorithm</span> again, but without a manifest,
- and abort these steps.</p></li>
+ <li><p>If the manifest URI does not have the <span>same
+ origin</span> as the resource's own URI, then invoke the <span
+ title="concept-appcache-init-no-attribute">application cache
+ selection algorithm</span> again, but without a manifest, and
+ abort these steps.</p></li>
<li><p>If there is already an <span>application cache</span>
identified by this manifest URI, and the most up to date version
@@ -28725,7 +28765,7 @@
<li>
- <p>If the resource's URI has the same <span>origin</span> as the
+ <p>If the resource's URI has the <span>same origin</span> as the
manifest's URI, and the start of the resource's URI's <path>
component is exactly matched by the <path> component of an
<span title="concept-appcache-oppcache-ns">opportunistic caching
@@ -29519,10 +29559,10 @@
<p>User agents must raise a <span>security exception</span> whenever
any of the members of a <code>Location</code> object are accessed by
- scripts whose <span>effective script origin</span> is not the same
- as the <code>Location</code> object's associated
- <code>Document</code>'s <span>effective script origin</span>, with
- the following exceptions:</p>
+ scripts whose <span>effective script origin</span> is not the <span
+ title="same origin">same</span> as the <code>Location</code>
+ object's associated <code>Document</code>'s <span>effective script
+ origin</span>, with the following exceptions:</p>
<ul>
@@ -29623,10 +29663,9 @@
<span>top-level browsing context</span>, then check if there are
any <span title="application cache">application caches</span> that
have a <span title="concept-appcache-manifest">manifest</span>
- with the same <span>origin</span> as the URI in
- question, and that have this URI as one of their entries
- (excluding entries marked as <span
- title="concept-appcache-foreign">foreign</span>), and that
+ with the <span>same origin</span> as the URI in question, and that
+ have this URI as one of their entries (excluding entries marked as
+ <span title="concept-appcache-foreign">foreign</span>), and that
already contain their manifest, categorised as a <span
title="concept-appcache-manifest">manifest</span>. If so, then the
user agent must then fetch the resource from the <span
@@ -30219,19 +30258,18 @@
<li>If the browsing context is a <span>top-level browsing
context</span> (and not an <span>auxiliary browsing
context</span>), and the <span>origin</span> of the
- <code>Document</code> of the <i>specified entry</i> is not
- the same as the <span>origin</span> of the <code>Document</code>
- of the <span>current entry</span>, then the following
- sub-sub-steps must be run:
+ <code>Document</code> of the <i>specified entry</i> is not the
+ <span title="same origin">same</span> as the <span>origin</span>
+ of the <code>Document</code> of the <span>current entry</span>,
+ then the following sub-sub-steps must be run:
<ol>
<li>The current <span>browsing context name</span> must be
stored with all the entries in the history that are associated
- with <code>Document</code> objects with the same
- <span>origin</span> as the <span>active document</span>
- <em>and</em> that are contiguous with the <span>current
- entry</span>.</li>
+ with <code>Document</code> objects with the <span>same
+ origin</span> as the <span>active document</span> <em>and</em>
+ that are contiguous with the <span>current entry</span>.</li>
<li id="resetBCName">The browsing context's <span>browsing
context name</span> must be unset.</li>
@@ -30259,7 +30297,7 @@
<li>Any <span>browsing context name</span> stored with the
entries in the history that are associated with
- <code>Document</code> objects with the same <span>origin</span>
+ <code>Document</code> objects with the <span>same origin</span>
as the new <span>active document</span>, and that are
contiguous with the specified entry, must be cleared.</li>
@@ -31050,7 +31088,8 @@
<p>To address this, this specification introduces the <code
title="dom-sessionStorage">sessionStorage</code> DOM attribute.
Sites can add data to the session storage, and it will be accessible
- to any page from that <span>origin</span> opened in that window.</p>
+ to any page from the same site opened in that window.</p> <!-- we're
+ not using xrefs here because this is just an intro -->
<div class="example">
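Review bot: "same site" replaces "origin" in the introduction, but "site" is not a defined term in this specification and reads as broader than origin (a host plus its subdomains, or both http and https); the normative text further down allocates the session storage area per document's origin. Even in an intro, "origin" is the safer word so readers do not expect data to be shared across subdomains or schemes; the same applies to "Each site has its own separate storage area" below.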
@@ -31118,7 +31157,7 @@
</div>
- <p>Each <span>origin</span> has its own separate storage area.</p>
+ <p>Each site has its own separate storage area.</p>
<p>Storage areas (both session storage and local storage) store
strings. To store structured data in a storage area, you must first
@@ -31264,7 +31303,7 @@
must check to see if the document's <span>top-level browsing
context</span> has allocated a session storage area for that
document's <span>origin</span>. If it has not, a new storage area
- for that document's origin must be created.</p>
+ for that document's <span>origin</span> must be created.</p>
<p>The <code>Storage</code> object for the document's associated
<code>Window</code> object's <code
@@ -31282,10 +31321,11 @@
a script in an existing <span>browsing context</span>, or by the
user following a link in an existing browsing context, or in some
other way related to a specific <code>HTMLDocument</code>, then the
- session storage area of the origin of that <code>HTMLDocument</code>
- must be copied into the new browsing context when it is created.
- From that point on, however, the two session storage areas must be
- considered separate, not affecting each other in any way.</p>
+ session storage area of the <span>origin</span> of that
+ <code>HTMLDocument</code> must be copied into the new browsing
+ context when it is created. From that point on, however, the two
+ session storage areas must be considered separate, not affecting
+ each other in any way.</p>
<p id="sessionStorageEvent">When the <code
title="dom-Storage-setItem">setItem()</code>, <code
@@ -31322,7 +31362,8 @@
attribute is accessed, the user agent must check to see if it has
allocated local storage area for the <span>origin</span> of the
<span>browsing context</span> within which the script is running. If
- it has not, a new storage area for that origin must be created.</p>
+ it has not, a new storage area for that <span>origin</span> must be
+ created.</p>
<p>The user agent must then create a <code>Storage</code> object
associated with that origin's local storage area, and return
@@ -31441,17 +31482,17 @@
<p>There are various ways of implementing this requirement. One is
that if a script running in one browsing context accesses a local
storage area, the UA blocks scripts in other browsing contexts when
- they try to access the local storage area for the same origin until
- the first script has executed to completion. (Similarly, when a
- script in one browsing context accesses its session storage area,
- any scripts that have the same top level browsing context and the
- same origin would block when accessing their session storage area
- until the first script has executed to completion.) Another
- (potentially more efficient but probably more complex)
- implementation strategy is to use optimistic transactional script
- execution. This specification does not require any particular
- implementation strategy, so long as the requirement above is
- met.</p>
+ they try to access the local storage area for the <span>same
+ origin</span> until the first script has executed to
+ completion. (Similarly, when a script in one browsing context
+ accesses its session storage area, any scripts that have the same
+ top level browsing context and the <span>same origin</span> would
+ block when accessing their session storage area until the first
+ script has executed to completion.) Another (potentially more
+ efficient but probably more complex) implementation strategy is to
+ use optimistic transactional script execution. This specification
+ does not require any particular implementation strategy, so long as
+ the requirement above is met.</p>
@@ -32098,8 +32139,8 @@
<li>
- <p>Origin-tracking of persistent storage data: user agents may
- record the origins of sites that contained content from
+ <p><span>Origin</span>-tracking of persistent storage data: user
+ agents may record the origins of sites that contained content from
third-party origins that caused data to be stored.</p>
<p>If this information is then used to present the view of data
@@ -32398,8 +32439,8 @@
<dl class="switch">
<dt>If both the URI of the <code>Document</code> object containing
- the hyperlink being audited and the ping URI have the same
- <span>origin</span></dt>
+ the hyperlink being audited and the ping URI have the <span>same
+ origin</span></dt>
<dd>The request must include a <code title="">Ping-From</code> HTTP
header with, as its value, the location of the document containing
@@ -36597,12 +36638,11 @@
title="dom-MessageEvent-data">data</code> attribute must be set to
the value of the <var title="">data</var> buffer, the <code
title="dom-MessageEvent-origin">origin</code> attribute must be set
- to the <span>origin</span> of the event stream, the <code
- title="dom-MessageEvent-lastEventId">lastEventId</code>
- attribute must be set to the <span>last event ID string</span> of
- the event source, and the <code
- title="dom-MessageEvent-source">source</code> attribute must be set
- to null.</p></li>
+ to the <span>origin</span> of the event stream's URI, the <code
+ title="dom-MessageEvent-lastEventId">lastEventId</code> attribute
+ must be set to the <span>last event ID string</span> of the event
+ source, and the <code title="dom-MessageEvent-source">source</code>
+ attribute must be set to null.</p></li>
<li><p>If the <var title="">event name</var> buffer has a value
other than the empty string, change the type of the newly created
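Review bot: "the origin of the event stream's URI" should say which URI when the stream was reached through redirects: the receiving script uses the origin attribute to decide whether to trust the message, so the origin of the URI the stream was finally read from is the value that matters, and the rule for a data: URI reached via a redirect (origin of the redirecting URI) should be cross-referenced if it applies here.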
@@ -36971,7 +37011,7 @@
<p>When this constructor is invoked, the following steps must be
followed.</p>
- <p>First, if the domain part of the script's <span>origin</span> is
+ <p>First, if the host part of the script's <span>origin</span> is
not a host name (e.g. it is an IP address) then the UA must raise a
<span>security exception</span>. <span class="issue">We currently
don't allow connections to be set up back to an originating IP
@@ -36979,10 +37019,11 @@
string.</span></p>
<p>Then, if the <var title="">subdomain</var> argument is null or
- the empty string, the target host is the domain part of the script's
+ the empty string, the target host is the host part of the script's
<span>origin</span>. Otherwise, the <var title="">subdomain</var>
- argument is prepended to the domain part of the script's origin with
- a dot separating the two strings, and that is the target host.</p>
+ argument is prepended to the host part of the script's
+ <span>origin</span> with a dot separating the two strings, and that
+ is the target host.</p>
<p>If either:</p>
<ul>
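Review bot: The target host is built by concatenating the subdomain argument, a dot and the host part of the origin, but nothing in this step constrains what subdomain may contain; if the "If either:" list that follows does not already reject values that are not one or more DNS labels (an empty label, a trailing dot, characters not allowed in a host name), add that check here so the result is always a subdomain of the origin's host.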
@@ -37651,9 +37692,9 @@
<p>If the <var title="">targetOrigin</var> argument has a value
other than a single literal U+002A ASTERISK character ("*"), and
the <span>active document</span> of the <code>Window</code> object
- on which the method was invoked does not have the same
- <span>origin</span> as <var title="">targetOrigin</var>, then
- abort these steps silently.</p>
+ on which the method was invoked does not have the <span>same
+ origin</span> as <var title="">targetOrigin</var>, then abort
+ these steps silently.</p>
</li>
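Review bot: The comparison is between the active document's origin and targetOrigin, which is a string, so as written it reads "document does not have the same origin as a string"; state how targetOrigin is converted to an origin (parse it as a URI and take that URI's origin) and what happens when it cannot be parsed, since the silent abort is specified for the mismatch case only.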
@@ -37741,9 +37782,10 @@
</div>
<p class="warning">The integrity of this API is based on the
- inability for scripts of one origin to post arbitrary events (using
- <code title="">dispatchEvent()</code> or otherwise) to objects in
- other origins.</p>
+ inability for scripts of one <span>origin</span> to post arbitrary
+ events (using <code title="">dispatchEvent()</code> or otherwise) to
+ objects in other origins (those that are not the <span title="same
+ origin">same</span>).</p>
<p class="note">Implementors are urged to take extra care in the
implementation of this feature. It allows authors to transmit
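Review bot: "to objects in other origins (those that are not the same)" is redundant, since "other origins" already means origins that are not the same origin; link "other origins" to the same-origin definition directly and drop the parenthetical.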