[html5] r1811 - [g] (2) URLify the registerContentHandler() section. This also modified the rule [...]
whatwg at whatwg.org
Thu Jun 26 17:21:35 PDT 2008
Author: ianh
Date: 2008-06-26 17:21:35 -0700 (Thu, 26 Jun 2008)
New Revision: 1811
Modified:
index
source
Log:
[g] (2) URLify the registerContentHandler() section. This also modified the rules for handling relative URLs and for escaping content here; it wasn't just s/URI/URL/ as other commits have been.
Modified: index
===================================================================
--- index 2008-06-26 23:48:35 UTC (rev 1810)
+++ index 2008-06-27 00:21:35 UTC (rev 1811)
@@ -25,7 +25,7 @@
<h1 id=html-5>HTML 5</h1>
- <h2 class="no-num no-toc" id=draft>Draft Recommendation — 26 June
+ <h2 class="no-num no-toc" id=draft>Draft Recommendation — 27 June
2008</h2>
<p>You can take part in this work. <a
@@ -31978,46 +31978,47 @@
parameters. Thus, if <var title="">mimeType</var> values passed to this
method include characters such as commas or whitespace, or include MIME
parameters, then the handler being registered will never be used.</p>
- </dd>
- <!-- XXXURL XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX \(URI\|IRI\|URL\) -->
<dt><var title="">url</var>
- <dd> <!-- XXXURL use url, algorithms -->
- <p>The URI of the page that will handle the requests. When the user agent
- uses this URI, it must replace the first occurrence of the exact literal
- string "<code>%s</code>" with an escaped version of the URI of the
- content in question (as defined below), and then fetch the resulting URI
- using the GET method (or equivalent for non-HTTP URIs).</p>
- <!-- XXXURL use url, algorithms -->
- <p>To get the escaped version of the URI, first, the domain part of the
- URI (if any) must be converted to its punycode representation, and then,
- every character in the URI that is not in the ranges given in the next
- paragraph must be replaced by its UTF-8 byte representation, each byte
- being represented by a U+0025 (%) character and two digits in the range
- U+0030 (0) to U+0039 (9) and U+0041 (A) to U+0046 (F) giving the
- hexadecimal representation of the byte.</p>
+ <dd>
+ <p>The <a href="#url">URL</a> of the page that will handle the requests.
+ When the user agent uses this URL, it must replace the first occurrence
+ of the exact literal string "<code>%s</code>" with an escaped version of
+ the URL of the content in question (as defined below), then <a
+ href="#resolve" title="resolve a url">resolve</a> the resulting URL
+ (using the <a href="#document0">document base URL</a> of the <a
+ href="#script4">script document context</a> of the script that
+ originally invoked the <code
+ title=dom-navigator-registerContentHandler><a
+ href="#registercontenthandler">registerContentHandler()</a></code> or
+ <code title=dom-navigator-registerProtocolHandler><a
+ href="#registerprotocolhandler">registerProtocolHandler()</a></code>
+ method), and then fetch the resulting URL using the GET method (or
+ equivalent for non-HTTP URLs).</p>
- <p>The ranges of characters that must not be escaped are: U+002D (-),
- U+002E (.), U+0030 (0) to U+0039 (9), U+0041 (A) to U+005A (Z), U+005F
- (_), U+0061 (a) to U+007A (z), and U+007E (~).</p>
- <!-- XXXURL move that to a common algorithms section if any other
- part of the spec needs it -->
-
+ <p>To get the escaped version of the URL of the content in question, the
+ user agent must <a href="#resolve" title="resolve a URL">resolve</a> the
+ URL, and then every character in the URL that doesn't match the
+ <query> production defined in RFC 3986 must be replaced by the
+ percent-encoded form of the character.</p>
+
<div class=example>
- <p>If the user had visited a site that made the following call:</p>
+ <p>If the user had visited a site at <code
+ title="">http://example.com/</code> that made the following call:</p>
- <pre>navigator.registerContentHandler('application/x-soup', 'http://example.com/soup?url=%s', 'SoupWeb™')</pre>
+ <pre>navigator.registerContentHandler('application/x-soup', 'soup?url=%s', 'SoupWeb™')</pre>
- <p>...and then clicked on a link such as:</p>
+ <p>...and then, much later, while visiting <code
+ title="">http://www.example.net/</code>, clicked on a link such as:</p>
- <pre><a href="http://www.example.net/chickenkïwi.soup">Download our Chicken Kiwi soup!</a></pre>
- <!-- XXXURL use url -->
+ <pre><a href="chickenkïwi.soup">Download our Chicken Kiwi soup!</a></pre>
+
<p>...then, assuming this <code>chickenkïwi.soup</code> file was
served with the MIME type <code>application/x-soup</code>, the UA might
- navigate to the following URI:</p>
+ navigate to the following URL:</p>
- <pre>http://example.com/soup?url=http%3A%2F%2Fwww.example.net%2Fchickenk%C3%AFwi.soup</pre>
+ <pre>http://example.com/soup?url=http://www.example.net/chickenk%C3%AFwi.soup</pre>
<p>This site could then fetch the <code>chickenkïwi.soup</code>
file and do whatever it is that it does with soup (synthesize it and
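Review bot: the new escaping rule ("every character in the URL that doesn't match the <query> production defined in RFC 3986") leaves "&", "=", "+" and ";" unescaped, because RFC 3986 allows sub-delims in a query, whereas the removed rule escaped everything outside the unreserved set. A content URL that carries its own query string, for example one ending in "?a=1&b=2", would be substituted into "soup?url=%s" so that "b=2" reads as a second parameter of the handler URL rather than as part of the url value. A percent-encoded triplet already present in the content URL also matches the production and passes through unchanged, so the handler cannot tell an encoded character from a literal one after decoding. Suggest keeping at least "&", "=", "+" and "%" in the escaped set, or stating how handlers are expected to parse the value. The new text also no longer says that the percent-encoding is of the UTF-8 bytes, which the "%C3%AF" in the example output assumes.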
@@ -32030,13 +32031,12 @@
<p>A descriptive title of the handler, which the UA might use to remind
the user what the site in question is.</p>
</dl>
- <!-- XXXURL use url -->
<p>User agents should raise <a href="#security9" title="security
exception">security exceptions</a> if the methods are called with <var
title="">protocol</var> or <var title="">mimeType</var> values that the UA
deems to be "privileged". For example, a site attempting to register a
- handler for <code>http</code> URIs or <code>text/html</code> content in a
+ handler for <code>http</code> URLs or <code>text/html</code> content in a
Web browser would likely cause an exception to be raised.
<p>User agents must raise a <code>SYNTAX_ERR</code> exception if the <var
@@ -32097,11 +32097,10 @@
against typical attacks against strings embedded in their interface, for
example ensuring that markup or escape characters in such strings are not
executed, that null bytes are properly handled, that over-long strings do
- not cause crashes or buffer overruns, and so forth.</p>
- <!-- XXXURL use url -->
+ not cause crashes or buffer overruns, and so forth.
- <p><strong>Leaking Intranet URIs.</strong> The mechanism described in this
- section can result in secret Intranet URIs being leaked, in the following
+ <p><strong>Leaking Intranet URLs.</strong> The mechanism described in this
+ section can result in secret Intranet URLs being leaked, in the following
manner:
<ol>
@@ -32114,28 +32113,25 @@
<li>The user agent contacts the third party and hands the third party the
URI to the Intranet content.
</ol>
- <!-- XXXURL use url -->
- <p>No actual confidential file data is leaked in this manner, but the URIs
- themselves could contain confidential information. For example, the URI
+ <p>No actual confidential file data is leaked in this manner, but the URLs
+ themselves could contain confidential information. For example, the URL
could be
- <code>https://www.corp.example.com/upcoming-aquisitions/samples.egf</code>,
+ <code>http://www.corp.example.com/upcoming-aquisitions/the-sample-company.egf</code>,
which might tell the third party that Example Corporation is intending to
- merge with Samples LLC. Implementors might wish to consider allowing
- administrators to disable this feature for certain subdomains, content
- types, or protocols.</p>
- <!-- XXXURL use url -->
+ merge with The Sample Company. Implementors might wish to consider
+ allowing administrators to disable this feature for certain subdomains,
+ content types, or protocols.
- <p><strong>Leaking secure URIs.</strong> User agents should not send HTTPS
- URIs to third-party sites registered as content handlers, in the same way
+ <p><strong>Leaking secure URLs.</strong> User agents should not send HTTPS
+ URLs to third-party sites registered as content handlers, in the same way
that user agents do not send <code>Referer</code> headers from secure
- sites to third-party sites.</p>
- <!-- XXXURL use url -->
+ sites to third-party sites.
<p><strong>Leaking credentials.</strong> User agents must never send
- username or password information in the URIs that are escaped and included
+ username or password information in the URLs that are escaped and included
sent to the handler sites. User agents may even avoid attempting to pass
- to Web-based handlers the URIs of resources that are known to require
+ to Web-based handlers the URLs of resources that are known to require
authentication to access, as such sites would be unable to access the
resources in question without prompting the user for credentials
themselves (a practice that would require the user to know whether to
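Review bot: the list item in the context just above the changes ("hands the third party the URI to the Intranet content") still says URI, so the URLification of this subsection is incomplete. While these lines are being touched, the new example URL keeps the misspelling "upcoming-aquisitions" (acquisitions), and "escaped and included sent to the handler sites" in the credentials paragraph has a leftover word; both also appear in the matching source hunk. The credentials paragraph would also benefit from saying at which step the username and password are removed, since the escaping algorithm added earlier in this commit only says to resolve and percent-encode the URL.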
@@ -32172,10 +32168,9 @@
| |
| ( Trust kittens.example.org ) (( Cancel )) |
|____________________________________________________________|</pre>
- <!-- XXXURL use url -->
<p>...where "Kittens at work" is the title of the page that invoked the
- method, "http://kittens.example.org/" is the URI of that page, "x-meow" is
+ method, "http://kittens.example.org/" is the URL of that page, "x-meow" is
the string that was passed to the <code
title=dom-navigator-registerProtocolHandler><a
href="#registerprotocolhandler">registerProtocolHandler()</a></code>
@@ -32185,12 +32180,10 @@
argument (<var title="">title</var>).
<p>If the user clicks the Cancel button, then nothing further happens. If
- the user clicks the "Trust" button, then the handler is remembered.</p>
- <!-- XXXURL use url -->
+ the user clicks the "Trust" button, then the handler is remembered.
- <p>When the user then attempts to fetch a URI that uses the "x-meow:"
- scheme, then it might display a dialog as follows:</p>
- <!-- XXXURL use url? -->
+ <p>When the user then attempts to fetch a URL that uses the "x-meow:"
+ scheme, then it might display a dialog as follows:
<pre>||[ Unknown Protocol ]||||||||||||||||||||||||||||||||||||||||
| |
@@ -32203,10 +32196,10 @@
| (o) Contact the FerretBrowser plugin registry to see if |
| there is an official way to handle this resource. |
| |
-| ( ) Pass this URI to a local application: |
+| ( ) Pass this URL to a local application: |
| [ /no application selected/ ] ( Choose ) |
| |
-| ( ) Pass this URI to the "Kittens-at-work displayer" |
+| ( ) Pass this URL to the "Kittens-at-work displayer" |
| application at "kittens.example.org". |
| |
| [ ] Always do this for resources using the "x-meow" |
@@ -32226,7 +32219,8 @@
<p>The <code title=dom-navigator-registerContentHandler><a
href="#registercontenthandler">registerContentHandler()</a></code> method
would work equivalently, but for unknown MIME types instead of unknown
- protocols.
+ protocols.</p>
+ <!-- XXXURL XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX \(URI\|IRI\|URL\) -->
<h3 id=offline><span class=secno>5.7 </span>Offline Web applications</h3>
Modified: source
===================================================================
--- source 2008-06-26 23:48:35 UTC (rev 1810)
+++ source 2008-06-27 00:21:35 UTC (rev 1811)
@@ -29609,53 +29609,51 @@
</dd>
- <!-- XXXURL XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX \(URI\|IRI\|URL\) -->
<dt><var title="">url</var></dt>
<dd>
- <!-- XXXURL use url, algorithms -->
- <p>The URI of the page that will handle the requests. When the
- user agent uses this URI, it must replace the first occurrence of
- the exact literal string "<code>%s</code>" with an escaped version
- of the URI of the content in question (as defined below), and then
- fetch the resulting URI using the GET method (or equivalent for
- non-HTTP URIs).</p>
+ <p>The <span>URL</span> of the page that will handle the
+ requests. When the user agent uses this URL, it must replace the
+ first occurrence of the exact literal string "<code>%s</code>"
+ with an escaped version of the URL of the content in question (as
+ defined below), then <span title="resolve a url">resolve</span>
+ the resulting URL (using the <span>document base URL</span> of the
+ <span>script document context</span> of the script that originally
+ invoked the <code
+ title="dom-navigator-registerContentHandler">registerContentHandler()</code>
+ or <code
+ title="dom-navigator-registerProtocolHandler">registerProtocolHandler()</code>
+ method), and then fetch the resulting URL using the GET method (or
+ equivalent for non-HTTP URLs).</p>
- <!-- XXXURL use url, algorithms -->
- <p>To get the escaped version of the URI, first, the domain part
- of the URI (if any) must be converted to its punycode
- representation, and then, every character in the URI that is not
- in the ranges given in the next paragraph must be replaced by its
- UTF-8 byte representation, each byte being represented by a U+0025
- (%) character and two digits in the range U+0030 (0) to U+0039 (9)
- and U+0041 (A) to U+0046 (F) giving the hexadecimal representation
- of the byte.</p>
+ <p>To get the escaped version of the URL of the content in
+ question, the user agent must <span title="resolve a
+ URL">resolve</span> the URL, and then every character in the URL
+ that doesn't match the <query> production defined in RFC
+ 3986 must be replaced by the percent-encoded form of the
+ character.</p>
- <p>The ranges of characters that must not be escaped are: U+002D
- (-), U+002E (.), U+0030 (0) to U+0039 (9), U+0041 (A) to U+005A
- (Z), U+005F (_), U+0061 (a) to U+007A (z), and U+007E (~).</p>
-
- <!-- XXXURL move that to a common algorithms section if any other
- part of the spec needs it -->
-
<div class="example">
- <p>If the user had visited a site that made the following call:</p>
+ <p>If the user had visited a site at <code
+ title="">http://example.com/</code> that made the following
+ call:</p>
- <pre>navigator.registerContentHandler('application/x-soup', 'http://example.com/soup?url=%s', 'SoupWeb™')</pre>
+ <pre>navigator.registerContentHandler('application/x-soup', 'soup?url=%s', 'SoupWeb™')</pre>
- <p>...and then clicked on a link such as:</p>
+ <p>...and then, much later, while visiting <code
+ title="">http://www.example.net/</code>, clicked on a link such
+ as:</p>
- <pre><a href="http://www.example.net/chickenkïwi.soup">Download our Chicken Kiwi soup!</a></pre>
+ <pre><a href="chickenkïwi.soup">Download our Chicken Kiwi soup!</a></pre>
- <!-- XXXURL use url -->
<p>...then, assuming this <code>chickenkïwi.soup</code> file
was served with the MIME type <code>application/x-soup</code>,
- the UA might navigate to the following URI:</p>
+ the UA might navigate to the following URL:</p>
- <pre>http://example.com/soup?url=http%3A%2F%2Fwww.example.net%2Fchickenk%C3%AFwi.soup</pre>
+ <pre>http://example.com/soup?url=http://www.example.net/chickenk%C3%AFwi.soup</pre>
<p>This site could then fetch the <code>chickenkïwi.soup</code>
file and do whatever it is that it does with soup (synthesize it
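Review bot: the order in the first added paragraph, substitute "%s" and "then resolve the resulting URL", lets the substituted value take part in resolution. Because the new escaping rule leaves ":" and "/" intact (the example output keeps "http://www.example.net/" unescaped), a registered template that begins with "%s" would resolve to an absolute URL on the content's host instead of a page on the registering site. Suggest resolving the template against the document base URL when the method is called, storing the absolute result, and substituting into that. Storing it at call time also removes the need to keep the invoking script's base URL around for the "much later" case in the example.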
@@ -29676,12 +29674,11 @@
</dl>
- <!-- XXXURL use url -->
<p>User agents should raise <span title="security
exception">security exceptions</span> if the methods are called with
<var title="">protocol</var> or <var title="">mimeType</var> values
that the UA deems to be "privileged". For example, a site attempting
- to register a handler for <code>http</code> URIs or
+ to register a handler for <code>http</code> URLs or
<code>text/html</code> content in a Web browser would likely cause
an exception to be raised.</p>
@@ -29750,9 +29747,8 @@
that over-long strings do not cause crashes or buffer overruns, and
so forth.</p>
- <!-- XXXURL use url -->
- <p><strong>Leaking Intranet URIs.</strong> The mechanism described
- in this section can result in secret Intranet URIs being leaked, in
+ <p><strong>Leaking Intranet URLs.</strong> The mechanism described
+ in this section can result in secret Intranet URLs being leaked, in
the following manner:</p>
<ol>
@@ -29768,27 +29764,24 @@
</ol>
- <!-- XXXURL use url -->
<p>No actual confidential file data is leaked in this manner, but
- the URIs themselves could contain confidential information. For
- example, the URI could be
- <code>https://www.corp.example.com/upcoming-aquisitions/samples.egf</code>,
+ the URLs themselves could contain confidential information. For
+ example, the URL could be
+ <code>http://www.corp.example.com/upcoming-aquisitions/the-sample-company.egf</code>,
which might tell the third party that Example Corporation is
- intending to merge with Samples LLC. Implementors might wish to
- consider allowing administrators to disable this feature for certain
- subdomains, content types, or protocols.</p>
+ intending to merge with The Sample Company. Implementors might wish
+ to consider allowing administrators to disable this feature for
+ certain subdomains, content types, or protocols.</p>
- <!-- XXXURL use url -->
- <p><strong>Leaking secure URIs.</strong> User agents should not send
- HTTPS URIs to third-party sites registered as content handlers, in
+ <p><strong>Leaking secure URLs.</strong> User agents should not send
+ HTTPS URLs to third-party sites registered as content handlers, in
the same way that user agents do not send <code>Referer</code>
headers from secure sites to third-party sites.</p>
- <!-- XXXURL use url -->
<p><strong>Leaking credentials.</strong> User agents must never send
- username or password information in the URIs that are escaped and
+ username or password information in the URLs that are escaped and
included sent to the handler sites. User agents may even avoid
- attempting to pass to Web-based handlers the URIs of resources
+ attempting to pass to Web-based handlers the URLs of resources
that are known to require authentication to access, as such sites
would be unable to access the resources in question without
prompting the user for credentials themselves (a practice that would
@@ -29826,9 +29819,8 @@
| ( Trust kittens.example.org ) (( Cancel )) |
|____________________________________________________________|</pre>
- <!-- XXXURL use url -->
<p>...where "Kittens at work" is the title of the page that invoked
- the method, "http://kittens.example.org/" is the URI of that page,
+ the method, "http://kittens.example.org/" is the URL of that page,
"x-meow" is the string that was passed to the <code
title="dom-navigator-registerProtocolHandler">registerProtocolHandler()</code>
method as its first argument (<var title="">protocol</var>),
@@ -29840,11 +29832,9 @@
happens. If the user clicks the "Trust" button, then the handler is
remembered.</p>
- <!-- XXXURL use url -->
- <p>When the user then attempts to fetch a URI that uses the
+ <p>When the user then attempts to fetch a URL that uses the
"x-meow:" scheme, then it might display a dialog as follows:</p>
- <!-- XXXURL use url? -->
<pre>||[ Unknown Protocol ]||||||||||||||||||||||||||||||||||||||||
| |
| You have attempted to access: |
@@ -29856,10 +29846,10 @@
| (o) Contact the FerretBrowser plugin registry to see if |
| there is an official way to handle this resource. |
| |
-| ( ) Pass this URI to a local application: |
+| ( ) Pass this URL to a local application: |
| [ /no application selected/ ] ( Choose ) |
| |
-| ( ) Pass this URI to the "Kittens-at-work displayer" |
+| ( ) Pass this URL to the "Kittens-at-work displayer" |
| application at "kittens.example.org". |
| |
| [ ] Always do this for resources using the "x-meow" |
@@ -29881,6 +29871,7 @@
method would work equivalently, but for unknown MIME types instead
of unknown protocols.</p>
+ <!-- XXXURL XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX \(URI\|IRI\|URL\) -->