[html5] r2499 - [] (0) Always put javascript: into the online whitelist. Make some comments abou [...]
whatwg at whatwg.org
whatwg at whatwg.org
Mon Dec 1 15:52:15 PST 2008
Author: ianh
Date: 2008-12-01 15:52:15 -0800 (Mon, 01 Dec 2008)
New Revision: 2499
Modified:
index
source
Log:
[] (0) Always put javascript: into the online whitelist. Make some comments about HTML and HTTPS security. Vaguely define 'or equivalent' for HTTP concepts.
Modified: index
===================================================================
--- index 2008-12-01 12:31:21 UTC (rev 2498)
+++ index 2008-12-01 23:52:15 UTC (rev 2499)
@@ -247,7 +247,10 @@
<li><a href=#resolving-urls><span class=secno>2.5.3 </span>Resolving URLs</a></li>
<li><a href=#dynamic-changes-to-base-urls><span class=secno>2.5.4 </span>Dynamic changes to base URLs</a></li>
<li><a href=#interfaces-for-url-manipulation><span class=secno>2.5.5 </span>Interfaces for URL manipulation</a></ol></li>
- <li><a href=#fetching-resources><span class=secno>2.6 </span>Fetching resources</a></li>
+ <li><a href=#fetching-resources><span class=secno>2.6 </span>Fetching resources</a>
+ <ol>
+ <li><a href=#concept-http-equivalent><span class=secno>2.6.1 </span>Protocol concepts</a></li>
+ <li><a href=#encrypted-http-and-related-security-concerns><span class=secno>2.6.2 </span>Encrypted HTTP and related security concerns</a></ol></li>
<li><a href=#content-type-sniffing><span class=secno>2.7 </span>Determining the type of a resource</a>
<ol>
<li><a href=#content-type><span class=secno>2.7.1 </span>Content-Type metadata</a></li>
@@ -507,7 +510,7 @@
<li><a href=#states-of-the-type-attribute><span class=secno>4.10.4.1 </span>States of the <code title=attr-input-type>type</code> attribute</a>
<ol>
<li><a href=#hidden-state><span class=secno>4.10.4.1.1 </span>Hidden state</a></li>
- <li><a href=#text-state-and-search-state><span class=secno>4.10.4.1.2 </span>Text state and </a></li>
+ <li><a href=#text-state-and-search-state><span class=secno>4.10.4.1.2 </span>Text state and Search state</a></li>
<li><a href=#url-state><span class=secno>4.10.4.1.3 </span>URL state</a></li>
<li><a href=#e-mail-state><span class=secno>4.10.4.1.4 </span>E-mail state</a></li>
<li><a href=#password-state><span class=secno>4.10.4.1.5 </span>Password state</a></li>
@@ -4330,11 +4333,12 @@
<p>If the resource identified by the resulting <a href=#absolute-url>absolute
URL</a> is already being downloaded for other reasons
(e.g. another invocation of this algorithm), and the resource is
- to be obtained using a idempotent action (such as an HTTP GET or
- equivalent), and the user agent is configured such that it is to
- reuse the data from the existing download instead of initiating a
- new one, then use the results of the existing download instead of
- starting a new one.</p>
+ to be obtained using a idempotent action (such as an HTTP GET
+ <a href=#concept-http-equivalent-get title=concept-http-equivalent-get>or equivalent</a>),
+ and the user agent is configured such that it is to reuse the data
+ from the existing download instead of initiating a new one, then
+ use the results of the existing download instead of starting a new
+ one.</p>
<p>Otherwise, at a time convenient to the user and the user agent,
download the resource, applying the semantics of the relevant
@@ -4369,7 +4373,69 @@
applicable.</p>
+ <h4 id=concept-http-equivalent><span class=secno>2.6.1 </span>Protocol concepts</h4>
+ <p>User agents can implement a variety of transfer protocols, but
+ this specification mostly defines behavior in terms of HTTP. <a href=#refsHTTP>[HTTP]</a></p>
+
+ <p>The <dfn id=concept-http-equivalent-get title=concept-http-equivalent-get>HTTP GET
+ method</dfn> is equivalent to the default retrieval action of the
+ protocol. For example, RETR in FTP. Such actions are idempotent and
+ safe, in HTTP terms.</p>
+
+ <p>The <dfn id=concept-http-equivalent-codes title=concept-http-equivalent-codes>HTTP response
+ codes</dfn> are equivalent to statuses in other protocols that have
+ the same basic meanings. For example, a "file not found" error is
+ equivalent to a 404 code, a server error is equivalent to a 5xx
+ code, and so on.</p>
+
+ <p>The <dfn id=concept-http-equivalent-headers title=concept-http-equivalent-headers>HTTP
+ headers</dfn> are equivalent to fields in other protocols that have
+ the same basic meaning. For example, the the HTTP authentication
+ headers are equivalent to the authentication aspects of the FTP
+ protocol.</p>
+
+ <p class=XXX>If there are any specific questions with what should
+ be considered equivalent to what, let me know, and I'll make it more
+ explicit for those cases.</p>
+
+
+ <h4 id=encrypted-http-and-related-security-concerns><span class=secno>2.6.2 </span>Encrypted HTTP and related security concerns</h4>
+
+ <p>Anything in this specification that refers to HTTP also applies
+ to HTTP-over-TLS, as represented by <a href=#url title=url>URLs</a>
+ representing the <code title="">https</code> scheme.</p>
+
+ <p class=warning>User agents should report certificate errors to
+ the user and must either refuse to download resources sent with
+ erroneous certificates or must act as if such resources were in fact
+ served with no encryption.</p>
+
+ <p>Not doing so can result in users not noticing man-in-the-middle
+ attacks.</p>
+
+ <div class=example>
+
+ <p>If a user connects to a server with a self-signed certificate,
+ the user agent could allow the connection but just act as if there
+ had been no encryption. If the user agent instead allowed the user
+ to override the problem and then displayed the page as if it was
+ fully and safely encrypted, the user could be easily tricked into
+ accepting man-in-the-middle connections.</p>
+
+ <p>If a user connects to a server with full encryption, but the
+ page then refers to an external resource that has an expired
+ certificate, then the user agent will act as if the resource was
+ unavailable, possibly also reporting the problem to the user. If
+ the user agent instead allowed the resource to be used, then an
+ attacker could just look for "secure" sites that used resources
+ from a different host and only apply man-in-the-middle attacks to
+ that host, for example taking over scripts in the page.</p>
+
+ </div>
+
+
+
<h3 id=content-type-sniffing><span class=secno>2.7 </span>Determining the type of a resource</h3>
<p class=warning>It is imperative that the rules in this section
@@ -14296,8 +14362,9 @@
the presentation of the image appropriately.</p>
<p>Whether the image is fetched successfully or not (e.g. whether
- the response code was a 2xx code or equivalent) must be ignored when
- determining the image's type and whether it is a valid image.</p>
+ the response code was a 2xx code <a href=#concept-http-equivalent-codes title=concept-http-equivalent-codes>or equivalent</a>) must be
+ ignored when determining the image's type and whether it is a valid
+ image.</p>
<p class=note>This allows servers to return images with error
responses, and have them displayed.</p>
@@ -15954,9 +16021,9 @@
<!-- This algorithm is a monument to bad design. Go legacy! -->
</ol><p>Whether the resource is fetched successfully or not (e.g. whether
- the response code was a 2xx code or equivalent) must be ignored when
- determining the resource's type and when handing the resource to the
- plugin.</p>
+ the response code was a 2xx code <a href=#concept-http-equivalent-codes title=concept-http-equivalent-codes>or equivalent</a>) must be
+ ignored when determining the resource's type and when handing the
+ resource to the plugin.</p>
<p class=note>This allows servers to return data for plugins even
with error responses (e.g. HTTP 500 Internal Server Error codes can
@@ -32869,8 +32936,8 @@
<dt>If a script is a <a href=#javascript-protocol title="javascript protocol"><code title="">javascript:</code> URL</a> that was returned as the
- location of an HTTP redirect (or equivalent in other
- protocols)</dt>
+ location of an HTTP redirect (<a href=#concept-http-equivalent-codes title=concept-http-equivalent-codes>or equivalent</a> in
+ other protocols)</dt>
<dd>The owner is the <a href=#url>URL</a> that redirected to the
<a href=#javascript-protocol title="javascript protocol"><code title="">javascript:</code> URL</a>.</dd>
@@ -32965,7 +33032,8 @@
<dt>If a <code>Document</code> or image was generated from a
<code title="">data:</code> URL that was returned as the location
- of an HTTP redirect (or equivalent in other protocols)</dt>
+ of an HTTP redirect (<a href=#concept-http-equivalent-codes title=concept-http-equivalent-codes>or equivalent</a> in
+ other protocols)</dt>
<dd>The <a href=#origin-0>origin</a> is the <a href=#origin-0>origin</a> of the
<a href=#url>URL</a> that redirected to the <code title="">data:</code> URL.</dd>
@@ -34561,7 +34629,8 @@
invoked the <code title=dom-navigator-registerContentHandler><a href=#dom-navigator-registercontenthandler>registerContentHandler()</a></code>
or <code title=dom-navigator-registerProtocolHandler><a href=#dom-navigator-registerprotocolhandler>registerProtocolHandler()</a></code>
method), and then <a href=#fetch>fetch</a> the resulting URL using the
- GET method (or equivalent for non-HTTP URLs).</p>
+ GET method (<a href=#concept-http-equivalent-get title=concept-http-equivalent-get>or
+ equivalent</a> for non-HTTP URLs).</p>
<p>To get the escaped version of the URL of the content in
question, the user agent must <a href=#resolve-a-url title="resolve a
@@ -35422,16 +35491,17 @@
<li>
- <p>If the previous step fails due to a 404 or 410 response or
- equivalent, then run the <a href=#cache-removal-steps>cache removal steps</a></p>
+ <p>If the previous step fails due to a 404 or 410 response <a href=#concept-http-equivalent-codes title=concept-http-equivalent-codes>or equivalent</a>, then
+ run the <a href=#cache-removal-steps>cache removal steps</a></p>
<p>If the previous step fails in some other way (e.g. the server
- returns another 4xx or 5xx response or equivalent, or there is a
- DNS error, or the connection times out, or the user cancels the
- download, or the parser for manifests fails when checking the
- magic signature), or if the server returned a redirect, or if the
- resource is labeled with a MIME type other than <code title="">text/cache-manifest</code>, then run the <a href=#cache-failure-steps>cache
- failure steps</a>.</p>
+ returns another 4xx or 5xx response <a href=#concept-http-equivalent-codes title=concept-http-equivalent-codes>or equivalent</a>, or
+ there is a DNS error, or the connection times out, or the user
+ cancels the download, or the parser for manifests fails when
+ checking the magic signature), or if the server returned a
+ redirect, or if the resource is labeled with a MIME type other
+ than <code title="">text/cache-manifest</code>, then run the
+ <a href=#cache-failure-steps>cache failure steps</a>.</p>
</li>
@@ -35440,7 +35510,8 @@
<p>If this is an <a href=#concept-appcache-upgrade title=concept-appcache-upgrade>upgrade
attempt</a> and the newly downloaded <var title="">manifest</var> is byte-for-byte identical to the manifest
found in <var title="">cache</var>, or if the server reported it
- as "304 Not Modified" or equivalent, then run these substeps:</p>
+ as "304 Not Modified" <a href=#concept-http-equivalent-codes title=concept-http-equivalent-codes>or equivalent</a>, then
+ run these substeps:</p>
<ol><li><p><a href=#fire-a-simple-event>Fire a simple event</a> called <code title=event-noupdate>noupdate</code> at the
<code><a href=#applicationcache>ApplicationCache</a></code> singleton of each <a href=#browsing-context>browsing
@@ -35453,9 +35524,9 @@
<li><p>If there are any pending downloads of <a href=#concept-appcache-master title=concept-appcache-master>master entries</a> that are
being stored in the cache, then wait for all of them to have
completed. If any of these downloads fail (e.g. the server
- returns a 4xx or 5xx response or equivalent, or there is a DNS
- error, or the connection times out, or the user cancels the
- download), then run the <a href=#cache-failure-steps>cache failure
+ returns a 4xx or 5xx response <a href=#concept-http-equivalent-codes title=concept-http-equivalent-codes>or equivalent</a>, or
+ there is a DNS error, or the connection times out, or the user
+ cancels the download), then run the <a href=#cache-failure-steps>cache failure
steps</a>.</li>
<li><p>Let the <a href=#concept-appcache-status title=concept-appcache-status>status</a> of the group of
@@ -35562,10 +35633,11 @@
<li>
<p>If the previous step fails (e.g. the server returns a 4xx or
- 5xx response or equivalent, or there is a DNS error, or the
- connection times out, or the user cancels the download), or if
- the server returned a redirect, then run the first appropriate
- step from the following list:</p>
+ 5xx response <a href=#concept-http-equivalent-codes title=concept-http-equivalent-codes>or
+ equivalent</a>, or there is a DNS error, or the connection
+ times out, or the user cancels the download), or if the server
+ returned a redirect, then run the first appropriate step from
+ the following list:</p>
<dl class=switch><dt>If the URL being processed was flagged as an "explicit
entry" or a "fallback entry"</dt>
@@ -35584,8 +35656,7 @@
</dd>
- <dt>If the error was a 404 or 410 HTTP response or
- equivalent</dt>
+ <dt>If the error was a 404 or 410 HTTP response <a href=#concept-http-equivalent-codes title=concept-http-equivalent-codes>or equivalent</a></dt>
<dd>
@@ -35880,8 +35951,7 @@
<dt>If the resource being loaded was not loaded from an application
- cache, but it was loaded using HTTP GET or equivalent</dt>
- <dd>
+ cache, but it was loaded using HTTP GET <a href=#concept-http-equivalent-get title=concept-http-equivalent-get>or equivalent</a></dt> <dd>
<ol><li><p>If the manifest URL does not have the <a href=#same-origin>same
origin</a> as the resource's own URL, then invoke the <a href=#concept-appcache-init-no-attribute title=concept-appcache-init-no-attribute>application cache
@@ -35924,8 +35994,11 @@
mechanisms appropriate to that resource's scheme:</p>
<ol><li><p>If the resource is not to be fetched using the HTTP GET
- mechanism or equivalent, then <a href=#fetch>fetch</a> the resource
- normally and abort these steps.</li>
+ mechanism <a href=#concept-http-equivalent-get title=concept-http-equivalent-get>or
+ equivalent</a>, or if it has a <a href=#javascript-protocol title="javascript
+ protocol"><code title="">javascript:</code> URL</a>, then
+ <a href=#fetch>fetch</a> the resource normally and abort these
+ steps.</li>
<li><p>If the resource's URL is <a href=#concept-appcache-master title=concept-appcache-master>an master entry</a>, <a href=#concept-appcache-manifest title=concept-appcache-manifest>the manifest</a>, <a href=#concept-appcache-explicit title=concept-appcache-explicit>an explicit entry</a>, <a href=#concept-appcache-fallback title=concept-appcache-fallback>a fallback entry</a>, or a
<a href=#concept-appcache-dynamic title=concept-appcache-dynamic>dynamic entry</a> in the
@@ -35941,12 +36014,12 @@
<p><a href=#fetch>Fetch</a> the resource normally. If this results in a
redirect to a resource with another <a href=#origin-0>origin</a>
- (indicative of a captive portal), or a 4xx or 5xx status code or
- equivalent, or if there were network errors (but not if the user
- canceled the download), then instead get, from the cache, the
- resource of the <a href=#concept-appcache-fallback title=concept-appcache-fallback>fallback
- entry</a> corresponding to the matched namespace. Abort these
- steps.</p>
+ (indicative of a captive portal), or a 4xx or 5xx status code
+ <a href=#concept-http-equivalent-codes title=concept-http-equivalent-codes>or equivalent</a>,
+ or if there were network errors (but not if the user canceled the
+ download), then instead get, from the cache, the resource of the
+ <a href=#concept-appcache-fallback title=concept-appcache-fallback>fallback entry</a>
+ corresponding to the matched namespace. Abort these steps.</p>
</li>
@@ -36131,8 +36204,9 @@
<li><p><a href=#fetch>Fetch</a> the resource referenced by <var title="">url</var>.</li>
<li><p>If this results in a redirect, or a 4xx or 5xx status code
- or equivalent, or if there were network errors, or if the user
- canceled the download, then abort these steps.</li>
+ <a href=#concept-http-equivalent-codes title=concept-http-equivalent-codes>or equivalent</a>,
+ or if there were network errors, or if the user canceled the
+ download, then abort these steps.</li>
<li><p>Add the fetched resource to the <a href=#application-cache>application
cache</a> and categorize it as a <a href=#concept-appcache-dynamic title=concept-appcache-dynamic>dynamic entry</a>.</li>
@@ -36770,8 +36844,9 @@
<a href=#active-document>active document</a> of the <a href=#browsing-context>browsing context</a>
being navigated, ignoring any <a href=#url-fragment title=url-fragment><fragment></a> components of those
<a href=#url title=URL>URLs</a>, and the new resource is to be
- fetched using HTTP GET or equivalent, then <a href=#scroll-to-fragid title=navigate-fragid>navigate to that fragment identifier</a>
- and abort these steps.</li>
+ fetched using HTTP GET <a href=#concept-http-equivalent-get title=concept-http-equivalent-get>or
+ equivalent</a>, then <a href=#scroll-to-fragid title=navigate-fragid>navigate to
+ that fragment identifier</a> and abort these steps.</li>
<li><p>If the new resource is to be handled by displaying some sort
of inline content, e.g. an error message because the specified
@@ -36788,12 +36863,12 @@
<li>
- <p>If the new resource is to be fetched using HTTP GET or
- equivalent, then check if there are any <a href=#relevant-application-cache title="relevant
- application cache">relevant application caches</a> that are
- identified by a URL with the <a href=#same-origin>same origin</a> as the URL
- in question, and that have this URL as one of their entries,
- excluding entries marked as <a href=#concept-appcache-foreign title=concept-appcache-foreign>foreign</a>. If so, then the
+ <p>If the new resource is to be fetched using HTTP GET <a href=#concept-http-equivalent-get title=concept-http-equivalent-get>or equivalent</a>, then
+ check if there are any <a href=#relevant-application-cache title="relevant application
+ cache">relevant application caches</a> that are identified by a
+ URL with the <a href=#same-origin>same origin</a> as the URL in question, and
+ that have this URL as one of their entries, excluding entries
+ marked as <a href=#concept-appcache-foreign title=concept-appcache-foreign>foreign</a>. If so, then the
user agent must then get the resource from the <a href=#concept-appcache-selection title=concept-appcache-selection>most appropriate application
cache</a> of those that match.</p>
@@ -36835,17 +36910,18 @@
<li>
<p>If the resource was not fetched from an <a href=#application-cache>application
- cache</a>, and was to be fetched using HTTP GET or equivalent,
- and its URL <a href=#concept-appcache-matches-fallback title=concept-appcache-matches-fallback>matches the fallback
- namespace</a> of one or more <a href=#relevant-application-cache title="relevant application
- cache">relevant application caches</a>, and the user didn't
- cancel the navigation attempt during the previous step, and the
- navigation attempt failed (e.g. the server returned a 4xx or 5xx
- status code or equivalent, or there was a DNS error), then:</p>
- <!-- note that a redirect can never reach this point as it is
- handled earlier, meaning that a captive portal captures URLs in
- fallback namespaces and you can't ever get to the fallback file of
- a resource if you have a captive portal -->
+ cache</a>, and was to be fetched using HTTP GET <a href=#concept-http-equivalent-get title=concept-http-equivalent-get>or equivalent</a>, and its
+ URL <a href=#concept-appcache-matches-fallback title=concept-appcache-matches-fallback>matches the
+ fallback namespace</a> of one or more <a href=#relevant-application-cache title="relevant
+ application cache">relevant application caches</a>, and the
+ user didn't cancel the navigation attempt during the previous
+ step, and the navigation attempt failed (e.g. the server returned
+ a 4xx or 5xx status code <a href=#concept-http-equivalent-codes title=concept-http-equivalent-codes>or equivalent</a>, or
+ there was a DNS error), then:</p> <!-- note that a redirect can
+ never reach this point as it is handled earlier, meaning that a
+ captive portal captures URLs in fallback namespaces and you can't
+ ever get to the fallback file of a resource if you have a captive
+ portal -->
<p>Let <var title="">candidate</var> be the <a href=#concept-appcache-fallback title=concept-appcache-fallback>fallback resource</a>
specified for the <a href=#concept-appcache-fallback-ns title=concept-appcache-fallback-ns>fallback namespace</a> in
@@ -39345,9 +39421,9 @@
used with <code><a href=#the-a-element>a</a></code> and <code><a href=#the-area-element>area</a></code> elements.</p>
<p>If a user agent follows a link defined by an <code><a href=#the-a-element>a</a></code> or
- <code><a href=#the-area-element>area</a></code> element that has the <code title=rel-noreferrer><a href=#link-type-noreferrer>noreferrer</a></code> keyword, the user agent must
- not include a <code title="">Referer</code> HTTP header (or
- equivalent for other protocols) in the request.</p>
+ <code><a href=#the-area-element>area</a></code> element that has the <code title=rel-noreferrer><a href=#link-type-noreferrer>noreferrer</a></code> keyword, the user agent
+ must not include a <code title="">Referer</code> HTTP header (<a href=#concept-http-equivalent-headers title=concept-http-equivalent-headers>or equivalent</a> for
+ other protocols) in the request.</p>
<p>This keyword also <a href=#noopener>causes the <code title=dom-opener>opener</code> attribute to remain null</a> if the
hyperlink creates a new <a href=#browsing-context>browsing context</a>.</p>
@@ -53875,41 +53951,42 @@
<p>Thanks to Aankhen, Aaron Boodman, Aaron Leventhal, Adam Barth,
Adam Roben, Addison Phillips, Adele Peterson, Adrian Sutton,
Agustín Fernández, Ajai Tirumali, Alastair Campbell,
- Alexey Feldgendler, Anders Carlsson, Andrew Gove, Andrew Sidwell,
- Anne van Kesteren, Anthony Hickson, Anthony Ricaud, Antti Koivisto,
- Arphen Lin, Asbjørn Ulsberg, Ashley Sheridan, Aurelien Levy,
- Ben Boyle, Ben Godfrey, Ben Meadowcroft, Ben Millard, Benjamin
- Hawkes-Lewis, Bert Bos, Bill Mason, Billy Wong, Bjoern Hoehrmann,
- Boris Zbarsky, Brad Fults, Brad Neuberg, Brady Eidson, Brendan Eich,
- Brett Wilson, Brian Campbell, Brian Smith, Bruce Miller, Cameron
- McCormack, Cao Yipeng, Carlos Perelló Marín, Chao Cai,
- 윤석찬 (Channy Yun), Charl van Niekerk, Charles
- Iliya Krempeaux, Charles McCathieNevile, Christian Biesinger,
- Christian Johansen, Christian Schmidt, Chriswa, Cole Robison, Collin
- Jackson, Daniel Barclay, Daniel Brumbaugh Keeney, Daniel Glazman,
- Daniel Peng, Daniel Spång, Daniel Steinberg, Danny Sullivan,
- Darin Adler, Darin Fisher, Dave Camp, Dave Singer, Dave Townsend<!--
- Mossop on moz irc -->, David Baron, David Bloom, David Carlisle,
- David Flanagan, David Håsäther, David Hyatt, David Smith,
- David Woolley, Dean Edridge, Debi Orton, Derek Featherstone, DeWitt
- Clinton, Dimitri Glazkov, dolphinling, Doron Rosenberg, Doug Kramer,
- Edward O'Connor, Eira Monstad, Elliotte Harold, Eric Carlson, Eric
- Law, Erik Arvidsson, Evan Martin, Evan Prodromou, fantasai, Felix
- Sasaki, Franck 'Shift' Quélain, Garrett Smith, Geoffrey
- Garen, Geoffrey Sneddon, George Lund, Håkon Wium Lie, Henri
- Sivonen, Henrik Lied, Henry Mason, Hugh Winkler, Ignacio Javier, Ivo
- Emanuel Gonçalves, J. King, Jacques Distler, James Graham,
- James Justin Harrell, James M Snell, James Perrett, Jan-Klaas
- Kollhof, Jason White, Jasper Bryant-Greene, Jeff Cutsinger, Jeff
- Schiller, Jeff Walden, Jens Bannmann, Jens Fendler, Jeroen van der
- Meer, Jim Jewett, Jim Meehan, Joe Clark, John Fallows, Joseph
- Kesselman, Jjgod Jiang, Joel Spolsky, Johan Herland, John Boyer,
- John Bussjaeger, John Harding, Johnny Stenback, Jon Gibbins, Jon
- Perlow, Jonathan Worent, Jorgen Horstink, Josh Levenberg, Joshua
- Randall, Jukka K. Korpela, Jules Clément-Ripoche, Julian
- Reschke, Kai Hendry, <!-- Keryx Web, = Lars Gunther --> Kornel
- Lesinski, 黒澤剛志 (KUROSAWA Takeshi),
- Kristof Zelechovski, Lachlan Hunt, Larry Page, Lars Gunther, Laura
+ Alex Nicolaou, Alexey Feldgendler, Anders Carlsson, Andrew Gove,
+ Andrew Sidwell, Anne van Kesteren, Anthony Hickson, Anthony Ricaud,
+ Antti Koivisto, Arphen Lin, Asbjørn Ulsberg, Ashley Sheridan,
+ Aurelien Levy, Ben Boyle, Ben Godfrey, Ben Meadowcroft, Ben Millard,
+ Benjamin Hawkes-Lewis, Bert Bos, Bill Mason, Billy Wong, Bjoern
+ Hoehrmann, Boris Zbarsky, Brad Fults, Brad Neuberg, Brady Eidson,
+ Brendan Eich, Brett Wilson, Brian Campbell, Brian Smith, Bruce
+ Miller, Cameron McCormack, Cao Yipeng, Carlos Perelló
+ Marín, Chao Cai, 윤석찬 (Channy Yun), Charl
+ van Niekerk, Charles Iliya Krempeaux, Charles McCathieNevile,
+ Christian Biesinger, Christian Johansen, Christian Schmidt, Chriswa,
+ Cole Robison, Collin Jackson, Daniel Barclay, Daniel Brumbaugh
+ Keeney, Daniel Glazman, Daniel Peng, Daniel Spång, Daniel
+ Steinberg, Danny Sullivan, Darin Adler, Darin Fisher, Dave Camp,
+ Dave Singer, Dave Townsend<!-- Mossop on moz irc -->, David Baron,
+ David Bloom, David Carlisle, David Flanagan, David
+ Håsäther, David Hyatt, David Smith, David Woolley, Dean
+ Edridge, Debi Orton, Derek Featherstone, DeWitt Clinton, Dimitri
+ Glazkov, dolphinling, Doron Rosenberg, Doug Kramer, Edward O'Connor,
+ Eira Monstad, Elliotte Harold, Eric Carlson, Eric Law, Erik
+ Arvidsson, Evan Martin, Evan Prodromou, fantasai, Felix Sasaki,
+ Franck 'Shift' Quélain, Garrett Smith, Geoffrey Garen,
+ Geoffrey Sneddon, George Lund, Håkon Wium Lie, Henri Sivonen,
+ Henrik Lied, Henry Mason, Hugh Winkler, Ignacio Javier, Ivo Emanuel
+ Gonçalves, J. King, Jacques Distler, James Graham, James
+ Justin Harrell, James M Snell, James Perrett, Jan-Klaas Kollhof,
+ Jason White, Jasper Bryant-Greene, Jeff Cutsinger, Jeff Schiller,
+ Jeff Walden, Jens Bannmann, Jens Fendler, Jeroen van der Meer, Jim
+ Jewett, Jim Meehan, Joe Clark, John Fallows, Joseph Kesselman, Jjgod
+ Jiang, Joel Spolsky, Johan Herland, John Boyer, John Bussjaeger,
+ John Harding, Johnny Stenback, Jon Gibbins, Jon Perlow, Jonathan
+ Worent, Jorgen Horstink, Josh Levenberg, Joshua Randall, Jukka
+ K. Korpela, Jules Clément-Ripoche, Julian Reschke, Kai
+ Hendry, <!-- Keryx Web, = Lars Gunther --> Kornel Lesinski,
+ 黒澤剛志 (KUROSAWA Takeshi), Kristof
+ Zelechovski, Lachlan Hunt, Larry Page, Lars Gunther, Laura
L. Carlson, Laura Wisewell, Laurens Holst, Lee Kowalkowski, Leif
Halvard Silli, Lenny Domnitser, Léonard Bouchet, Leons
Petrazickis, Logan<!-- on moz irc -->, Loune, Maciej Stachowiak,
Modified: source
===================================================================
--- source 2008-12-01 12:31:21 UTC (rev 2498)
+++ source 2008-12-01 23:52:15 UTC (rev 2499)
@@ -4019,11 +4019,12 @@
<p>If the resource identified by the resulting <span>absolute
URL</span> is already being downloaded for other reasons
(e.g. another invocation of this algorithm), and the resource is
- to be obtained using a idempotent action (such as an HTTP GET or
- equivalent), and the user agent is configured such that it is to
- reuse the data from the existing download instead of initiating a
- new one, then use the results of the existing download instead of
- starting a new one.</p>
+ to be obtained using a idempotent action (such as an HTTP GET
+ <span title="concept-http-equivalent-get">or equivalent</span>),
+ and the user agent is configured such that it is to reuse the data
+ from the existing download instead of initiating a new one, then
+ use the results of the existing download instead of starting a new
+ one.</p>
<p>Otherwise, at a time convenient to the user and the user agent,
download the resource, applying the semantics of the relevant
@@ -4062,7 +4063,70 @@
applicable.</p>
+ <h4 id="concept-http-equivalent">Protocol concepts</h4>
+ <p>User agents can implement a variety of transfer protocols, but
+ this specification mostly defines behavior in terms of HTTP. <a
+ href="#refsHTTP">[HTTP]</a></p>
+
+ <p>The <dfn title="concept-http-equivalent-get">HTTP GET
+ method</dfn> is equivalent to the default retrieval action of the
+ protocol. For example, RETR in FTP. Such actions are idempotent and
+ safe, in HTTP terms.</p>
+
+ <p>The <dfn title="concept-http-equivalent-codes">HTTP response
+ codes</dfn> are equivalent to statuses in other protocols that have
+ the same basic meanings. For example, a "file not found" error is
+ equivalent to a 404 code, a server error is equivalent to a 5xx
+ code, and so on.</p>
+
+ <p>The <dfn title="concept-http-equivalent-headers">HTTP
+ headers</dfn> are equivalent to fields in other protocols that have
+ the same basic meaning. For example, the the HTTP authentication
+ headers are equivalent to the authentication aspects of the FTP
+ protocol.</p>
+
+ <p class="XXX">If there are any specific questions with what should
+ be considered equivalent to what, let me know, and I'll make it more
+ explicit for those cases.</p>
+
+
+ <h4>Encrypted HTTP and related security concerns</h4>
+
+ <p>Anything in this specification that refers to HTTP also applies
+ to HTTP-over-TLS, as represented by <span title="url">URLs</span>
+ representing the <code title="">https</code> scheme.</p>
+
+ <p class="warning">User agents should report certificate errors to
+ the user and must either refuse to download resources sent with
+ erroneous certificates or must act as if such resources were in fact
+ served with no encryption.</p>
+
+ <p>Not doing so can result in users not noticing man-in-the-middle
+ attacks.</p>
+
+ <div class="example">
+
+ <p>If a user connects to a server with a self-signed certificate,
+ the user agent could allow the connection but just act as if there
+ had been no encryption. If the user agent instead allowed the user
+ to override the problem and then displayed the page as if it was
+ fully and safely encrypted, the user could be easily tricked into
+ accepting man-in-the-middle connections.</p>
+
+ <p>If a user connects to a server with full encryption, but the
+ page then refers to an external resource that has an expired
+ certificate, then the user agent will act as if the resource was
+ unavailable, possibly also reporting the problem to the user. If
+ the user agent instead allowed the resource to be used, then an
+ attacker could just look for "secure" sites that used resources
+ from a different host and only apply man-in-the-middle attacks to
+ that host, for example taking over scripts in the page.</p>
+
+ </div>
+
+
+
<h3 id="content-type-sniffing">Determining the type of a resource</h3>
<p class="warning">It is imperative that the rules in this section
@@ -15281,8 +15345,10 @@
the presentation of the image appropriately.</p>
<p>Whether the image is fetched successfully or not (e.g. whether
- the response code was a 2xx code or equivalent) must be ignored when
- determining the image's type and whether it is a valid image.</p>
+ the response code was a 2xx code <span
+ title="concept-http-equivalent-codes">or equivalent</span>) must be
+ ignored when determining the image's type and whether it is a valid
+ image.</p>
<p class="note">This allows servers to return images with error
responses, and have them displayed.</p>
@@ -17083,9 +17149,10 @@
</ol>
<p>Whether the resource is fetched successfully or not (e.g. whether
- the response code was a 2xx code or equivalent) must be ignored when
- determining the resource's type and when handing the resource to the
- plugin.</p>
+ the response code was a 2xx code <span
+ title="concept-http-equivalent-codes">or equivalent</span>) must be
+ ignored when determining the resource's type and when handing the
+ resource to the plugin.</p>
<p class="note">This allows servers to return data for plugins even
with error responses (e.g. HTTP 500 Internal Server Error codes can
@@ -37388,8 +37455,9 @@
<dt>If a script is a <span title="javascript protocol"><code
title="">javascript:</code> URL</span> that was returned as the
- location of an HTTP redirect (or equivalent in other
- protocols)</dt>
+ location of an HTTP redirect (<span
+ title="concept-http-equivalent-codes">or equivalent</span> in
+ other protocols)</dt>
<dd>The owner is the <span>URL</span> that redirected to the
<span title="javascript protocol"><code
@@ -37496,7 +37564,9 @@
<dt>If a <code>Document</code> or image was generated from a
<code title="">data:</code> URL that was returned as the location
- of an HTTP redirect (or equivalent in other protocols)</dt>
+ of an HTTP redirect (<span
+ title="concept-http-equivalent-codes">or equivalent</span> in
+ other protocols)</dt>
<dd>The <span>origin</span> is the <span>origin</span> of the
<span>URL</span> that redirected to the <code
@@ -39316,7 +39386,8 @@
or <code
title="dom-navigator-registerProtocolHandler">registerProtocolHandler()</code>
method), and then <span>fetch</span> the resulting URL using the
- GET method (or equivalent for non-HTTP URLs).</p>
+ GET method (<span title="concept-http-equivalent-get">or
+ equivalent</span> for non-HTTP URLs).</p>
<p>To get the escaped version of the URL of the content in
question, the user agent must <span title="resolve a
@@ -40305,17 +40376,19 @@
<li>
- <p>If the previous step fails due to a 404 or 410 response or
- equivalent, then run the <span>cache removal steps</span></p>
+ <p>If the previous step fails due to a 404 or 410 response <span
+ title="concept-http-equivalent-codes">or equivalent</span>, then
+ run the <span>cache removal steps</span></p>
<p>If the previous step fails in some other way (e.g. the server
- returns another 4xx or 5xx response or equivalent, or there is a
- DNS error, or the connection times out, or the user cancels the
- download, or the parser for manifests fails when checking the
- magic signature), or if the server returned a redirect, or if the
- resource is labeled with a MIME type other than <code
- title="">text/cache-manifest</code>, then run the <span>cache
- failure steps</span>.</p>
+ returns another 4xx or 5xx response <span
+ title="concept-http-equivalent-codes">or equivalent</span>, or
+ there is a DNS error, or the connection times out, or the user
+ cancels the download, or the parser for manifests fails when
+ checking the magic signature), or if the server returned a
+ redirect, or if the resource is labeled with a MIME type other
+ than <code title="">text/cache-manifest</code>, then run the
+ <span>cache failure steps</span>.</p>
</li>
@@ -40325,7 +40398,9 @@
attempt</span> and the newly downloaded <var
title="">manifest</var> is byte-for-byte identical to the manifest
found in <var title="">cache</var>, or if the server reported it
- as "304 Not Modified" or equivalent, then run these substeps:</p>
+ as "304 Not Modified" <span
+ title="concept-http-equivalent-codes">or equivalent</span>, then
+ run these substeps:</p>
<ol>
@@ -40342,9 +40417,10 @@
title="concept-appcache-master">master entries</span> that are
being stored in the cache, then wait for all of them to have
completed. If any of these downloads fail (e.g. the server
- returns a 4xx or 5xx response or equivalent, or there is a DNS
- error, or the connection times out, or the user cancels the
- download), then run the <span>cache failure
+ returns a 4xx or 5xx response <span
+ title="concept-http-equivalent-codes">or equivalent</span>, or
+ there is a DNS error, or the connection times out, or the user
+ cancels the download), then run the <span>cache failure
steps</span>.</p></li>
<li><p>Let the <span
@@ -40467,10 +40543,11 @@
<li>
<p>If the previous step fails (e.g. the server returns a 4xx or
- 5xx response or equivalent, or there is a DNS error, or the
- connection times out, or the user cancels the download), or if
- the server returned a redirect, then run the first appropriate
- step from the following list:</p>
+ 5xx response <span title="concept-http-equivalent-codes">or
+ equivalent</span>, or there is a DNS error, or the connection
+ times out, or the user cancels the download), or if the server
+ returned a redirect, then run the first appropriate step from
+ the following list:</p>
<dl class="switch">
@@ -40491,8 +40568,8 @@
</dd>
- <dt>If the error was a 404 or 410 HTTP response or
- equivalent</dt>
+ <dt>If the error was a 404 or 410 HTTP response <span
+ title="concept-http-equivalent-codes">or equivalent</span></dt>
<dd>
@@ -40829,8 +40906,8 @@
<dt>If the resource being loaded was not loaded from an application
- cache, but it was loaded using HTTP GET or equivalent</dt>
- <dd>
+ cache, but it was loaded using HTTP GET <span
+ title="concept-http-equivalent-get">or equivalent</span></dt> <dd>
<ol>
@@ -40885,8 +40962,11 @@
<ol>
<li><p>If the resource is not to be fetched using the HTTP GET
- mechanism or equivalent, then <span>fetch</span> the resource
- normally and abort these steps.</p></li>
+ mechanism <span title="concept-http-equivalent-get">or
+ equivalent</span>, or if it has a <span title="javascript
+ protocol"><code title="">javascript:</code> URL</span>, then
+ <span>fetch</span> the resource normally and abort these
+ steps.</p></li>
<li><p>If the resource's URL is <span
title="concept-appcache-master">an master entry</span>, <span
@@ -40907,12 +40987,12 @@
<p><span>Fetch</span> the resource normally. If this results in a
redirect to a resource with another <span>origin</span>
- (indicative of a captive portal), or a 4xx or 5xx status code or
- equivalent, or if there were network errors (but not if the user
- canceled the download), then instead get, from the cache, the
- resource of the <span title="concept-appcache-fallback">fallback
- entry</span> corresponding to the matched namespace. Abort these
- steps.</p>
+ (indicative of a captive portal), or a 4xx or 5xx status code
+ <span title="concept-http-equivalent-codes">or equivalent</span>,
+ or if there were network errors (but not if the user canceled the
+ download), then instead get, from the cache, the resource of the
+ <span title="concept-appcache-fallback">fallback entry</span>
+ corresponding to the matched namespace. Abort these steps.</p>
</li>
@@ -41124,8 +41204,9 @@
title="">url</var>.</p></li>
<li><p>If this results in a redirect, or a 4xx or 5xx status code
- or equivalent, or if there were network errors, or if the user
- canceled the download, then abort these steps.</p></li>
+ <span title="concept-http-equivalent-codes">or equivalent</span>,
+ or if there were network errors, or if the user canceled the
+ download, then abort these steps.</p></li>
<li><p>Add the fetched resource to the <span>application
cache</span> and categorize it as a <span
@@ -41884,9 +41965,9 @@
being navigated, ignoring any <span
title="url-fragment"><fragment></span> components of those
<span title="URL">URLs</span>, and the new resource is to be
- fetched using HTTP GET or equivalent, then <span
- title="navigate-fragid">navigate to that fragment identifier</span>
- and abort these steps.</p></li>
+ fetched using HTTP GET <span title="concept-http-equivalent-get">or
+ equivalent</span>, then <span title="navigate-fragid">navigate to
+ that fragment identifier</span> and abort these steps.</p></li>
<li><p>If the new resource is to be handled by displaying some sort
of inline content, e.g. an error message because the specified
@@ -41905,12 +41986,13 @@
<li>
- <p>If the new resource is to be fetched using HTTP GET or
- equivalent, then check if there are any <span title="relevant
- application cache">relevant application caches</span> that are
- identified by a URL with the <span>same origin</span> as the URL
- in question, and that have this URL as one of their entries,
- excluding entries marked as <span
+ <p>If the new resource is to be fetched using HTTP GET <span
+ title="concept-http-equivalent-get">or equivalent</span>, then
+ check if there are any <span title="relevant application
+ cache">relevant application caches</span> that are identified by a
+ URL with the <span>same origin</span> as the URL in question, and
+ that have this URL as one of their entries, excluding entries
+ marked as <span
title="concept-appcache-foreign">foreign</span>. If so, then the
user agent must then get the resource from the <span
title="concept-appcache-selection">most appropriate application
@@ -41955,18 +42037,20 @@
<li>
<p>If the resource was not fetched from an <span>application
- cache</span>, and was to be fetched using HTTP GET or equivalent,
- and its URL <span
- title="concept-appcache-matches-fallback">matches the fallback
- namespace</span> of one or more <span title="relevant application
- cache">relevant application caches</span>, and the user didn't
- cancel the navigation attempt during the previous step, and the
- navigation attempt failed (e.g. the server returned a 4xx or 5xx
- status code or equivalent, or there was a DNS error), then:</p>
- <!-- note that a redirect can never reach this point as it is
- handled earlier, meaning that a captive portal captures URLs in
- fallback namespaces and you can't ever get to the fallback file of
- a resource if you have a captive portal -->
+ cache</span>, and was to be fetched using HTTP GET <span
+ title="concept-http-equivalent-get">or equivalent</span>, and its
+ URL <span title="concept-appcache-matches-fallback">matches the
+ fallback namespace</span> of one or more <span title="relevant
+ application cache">relevant application caches</span>, and the
+ user didn't cancel the navigation attempt during the previous
+ step, and the navigation attempt failed (e.g. the server returned
+ a 4xx or 5xx status code <span
+ title="concept-http-equivalent-codes">or equivalent</span>, or
+ there was a DNS error), then:</p> <!-- note that a redirect can
+ never reach this point as it is handled earlier, meaning that a
+ captive portal captures URLs in fallback namespaces and you can't
+ ever get to the fallback file of a resource if you have a captive
+ portal -->
<p>Let <var title="">candidate</var> be the <span
title="concept-appcache-fallback">fallback resource</span>
@@ -44821,9 +44905,10 @@
<p>If a user agent follows a link defined by an <code>a</code> or
<code>area</code> element that has the <code
- title="rel-noreferrer">noreferrer</code> keyword, the user agent must
- not include a <code title="">Referer</code> HTTP header (or
- equivalent for other protocols) in the request.</p>
+ title="rel-noreferrer">noreferrer</code> keyword, the user agent
+ must not include a <code title="">Referer</code> HTTP header (<span
+ title="concept-http-equivalent-headers">or equivalent</span> for
+ other protocols) in the request.</p>
<p>This keyword also <a href="#noopener">causes the <code
title="dom-opener">opener</code> attribute to remain null</a> if the
@@ -58835,41 +58920,42 @@
<p>Thanks to Aankhen, Aaron Boodman, Aaron Leventhal, Adam Barth,
Adam Roben, Addison Phillips, Adele Peterson, Adrian Sutton,
Agustín Fernández, Ajai Tirumali, Alastair Campbell,
- Alexey Feldgendler, Anders Carlsson, Andrew Gove, Andrew Sidwell,
- Anne van Kesteren, Anthony Hickson, Anthony Ricaud, Antti Koivisto,
- Arphen Lin, Asbjørn Ulsberg, Ashley Sheridan, Aurelien Levy,
- Ben Boyle, Ben Godfrey, Ben Meadowcroft, Ben Millard, Benjamin
- Hawkes-Lewis, Bert Bos, Bill Mason, Billy Wong, Bjoern Hoehrmann,
- Boris Zbarsky, Brad Fults, Brad Neuberg, Brady Eidson, Brendan Eich,
- Brett Wilson, Brian Campbell, Brian Smith, Bruce Miller, Cameron
- McCormack, Cao Yipeng, Carlos Perelló Marín, Chao Cai,
- 윤석찬 (Channy Yun), Charl van Niekerk, Charles
- Iliya Krempeaux, Charles McCathieNevile, Christian Biesinger,
- Christian Johansen, Christian Schmidt, Chriswa, Cole Robison, Collin
- Jackson, Daniel Barclay, Daniel Brumbaugh Keeney, Daniel Glazman,
- Daniel Peng, Daniel Spång, Daniel Steinberg, Danny Sullivan,
- Darin Adler, Darin Fisher, Dave Camp, Dave Singer, Dave Townsend<!--
- Mossop on moz irc -->, David Baron, David Bloom, David Carlisle,
- David Flanagan, David Håsäther, David Hyatt, David Smith,
- David Woolley, Dean Edridge, Debi Orton, Derek Featherstone, DeWitt
- Clinton, Dimitri Glazkov, dolphinling, Doron Rosenberg, Doug Kramer,
- Edward O'Connor, Eira Monstad, Elliotte Harold, Eric Carlson, Eric
- Law, Erik Arvidsson, Evan Martin, Evan Prodromou, fantasai, Felix
- Sasaki, Franck 'Shift' Quélain, Garrett Smith, Geoffrey
- Garen, Geoffrey Sneddon, George Lund, Håkon Wium Lie, Henri
- Sivonen, Henrik Lied, Henry Mason, Hugh Winkler, Ignacio Javier, Ivo
- Emanuel Gonçalves, J. King, Jacques Distler, James Graham,
- James Justin Harrell, James M Snell, James Perrett, Jan-Klaas
- Kollhof, Jason White, Jasper Bryant-Greene, Jeff Cutsinger, Jeff
- Schiller, Jeff Walden, Jens Bannmann, Jens Fendler, Jeroen van der
- Meer, Jim Jewett, Jim Meehan, Joe Clark, John Fallows, Joseph
- Kesselman, Jjgod Jiang, Joel Spolsky, Johan Herland, John Boyer,
- John Bussjaeger, John Harding, Johnny Stenback, Jon Gibbins, Jon
- Perlow, Jonathan Worent, Jorgen Horstink, Josh Levenberg, Joshua
- Randall, Jukka K. Korpela, Jules Clément-Ripoche, Julian
- Reschke, Kai Hendry, <!-- Keryx Web, = Lars Gunther --> Kornel
- Lesinski, 黒澤剛志 (KUROSAWA Takeshi),
- Kristof Zelechovski, Lachlan Hunt, Larry Page, Lars Gunther, Laura
+ Alex Nicolaou, Alexey Feldgendler, Anders Carlsson, Andrew Gove,
+ Andrew Sidwell, Anne van Kesteren, Anthony Hickson, Anthony Ricaud,
+ Antti Koivisto, Arphen Lin, Asbjørn Ulsberg, Ashley Sheridan,
+ Aurelien Levy, Ben Boyle, Ben Godfrey, Ben Meadowcroft, Ben Millard,
+ Benjamin Hawkes-Lewis, Bert Bos, Bill Mason, Billy Wong, Bjoern
+ Hoehrmann, Boris Zbarsky, Brad Fults, Brad Neuberg, Brady Eidson,
+ Brendan Eich, Brett Wilson, Brian Campbell, Brian Smith, Bruce
+ Miller, Cameron McCormack, Cao Yipeng, Carlos Perelló
+ Marín, Chao Cai, 윤석찬 (Channy Yun), Charl
+ van Niekerk, Charles Iliya Krempeaux, Charles McCathieNevile,
+ Christian Biesinger, Christian Johansen, Christian Schmidt, Chriswa,
+ Cole Robison, Collin Jackson, Daniel Barclay, Daniel Brumbaugh
+ Keeney, Daniel Glazman, Daniel Peng, Daniel Spång, Daniel
+ Steinberg, Danny Sullivan, Darin Adler, Darin Fisher, Dave Camp,
+ Dave Singer, Dave Townsend<!-- Mossop on moz irc -->, David Baron,
+ David Bloom, David Carlisle, David Flanagan, David
+ Håsäther, David Hyatt, David Smith, David Woolley, Dean
+ Edridge, Debi Orton, Derek Featherstone, DeWitt Clinton, Dimitri
+ Glazkov, dolphinling, Doron Rosenberg, Doug Kramer, Edward O'Connor,
+ Eira Monstad, Elliotte Harold, Eric Carlson, Eric Law, Erik
+ Arvidsson, Evan Martin, Evan Prodromou, fantasai, Felix Sasaki,
+ Franck 'Shift' Quélain, Garrett Smith, Geoffrey Garen,
+ Geoffrey Sneddon, George Lund, Håkon Wium Lie, Henri Sivonen,
+ Henrik Lied, Henry Mason, Hugh Winkler, Ignacio Javier, Ivo Emanuel
+ Gonçalves, J. King, Jacques Distler, James Graham, James
+ Justin Harrell, James M Snell, James Perrett, Jan-Klaas Kollhof,
+ Jason White, Jasper Bryant-Greene, Jeff Cutsinger, Jeff Schiller,
+ Jeff Walden, Jens Bannmann, Jens Fendler, Jeroen van der Meer, Jim
+ Jewett, Jim Meehan, Joe Clark, John Fallows, Joseph Kesselman, Jjgod
+ Jiang, Joel Spolsky, Johan Herland, John Boyer, John Bussjaeger,
+ John Harding, Johnny Stenback, Jon Gibbins, Jon Perlow, Jonathan
+ Worent, Jorgen Horstink, Josh Levenberg, Joshua Randall, Jukka
+ K. Korpela, Jules Clément-Ripoche, Julian Reschke, Kai
+ Hendry, <!-- Keryx Web, = Lars Gunther --> Kornel Lesinski,
+ 黒澤剛志 (KUROSAWA Takeshi), Kristof
+ Zelechovski, Lachlan Hunt, Larry Page, Lars Gunther, Laura
L. Carlson, Laura Wisewell, Laurens Holst, Lee Kowalkowski, Leif
Halvard Silli, Lenny Domnitser, Léonard Bouchet, Leons
Petrazickis, Logan<!-- on moz irc -->, Loune, Maciej Stachowiak,
More information about the Commit-Watchers
mailing list