[html5] r4975 - [giow] (0) Make 'fetch' algorithm have a mode where it doesn't do redirects. Mak [...]
whatwg at whatwg.org
Mon Apr 5 17:43:11 PDT 2010
Author: ianh
Date: 2010-04-05 17:43:10 -0700 (Mon, 05 Apr 2010)
New Revision: 4975
Modified:
complete.html
index
source
Log:
[giow] (0) Make 'fetch' algorithm have a mode where it doesn't do redirects. Make 'navigate' algorithm block cross-origin non-safe non-POST redirects.
Modified: complete.html
===================================================================
--- complete.html 2010-04-06 00:08:11 UTC (rev 4974)
+++ complete.html 2010-04-06 00:43:10 UTC (rev 4975)
@@ -6066,9 +6066,10 @@
<p>When a user agent is to <dfn id=fetch>fetch</dfn> a resource or
<a href=#url>URL</a>, optionally from an origin <i title="">origin</i>,
- and optionally with a <i>synchronous flag</i>, the following steps
- must be run. (When a <em>URL</em> is to be fetched, the URL
- identifies a resource to be obtained.)</p>
+ and optionally with a <i>synchronous flag</i> and/or a <i>manual
+ redirect flag</i>, the following steps must be run. (When a
+ <em>URL</em> is to be fetched, the URL identifies a resource to be
+ obtained.)</p>
<!-- if invoked with the synchronous flag, make sure to release the
storage mutex first -->
@@ -6114,6 +6115,8 @@
<li>
+ <p>This is the <i>main step</i>.</p>
+
<p>If the resource is identified by an <a href=#absolute-url>absolute URL</a>,
and the resource is to be obtained using an idempotent action
(such as an HTTP GET <a href=#concept-http-equivalent-get title=concept-http-equivalent-get>or
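Review bot: the "main step" label added at the top of this list item is bare <i> text with no id, so the later instruction to "redo <i>main step</i>" has nothing to link to and the label is easy to lose if the steps are reordered. The navigate algorithm changed in this same revision points at its step with href=#navigate-fragid-step; giving this step an id and linking to it the same way would keep the cross-reference checkable.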
@@ -6127,14 +6130,10 @@
<p>Otherwise, at a time convenient to the user and the user agent,
download (or otherwise obtain) the resource, applying the
semantics of the relevant specifications (e.g. performing an HTTP
- GET or POST operation, or reading the file from disk, following
- redirects, <a href=#concept-js-deref title=concept-js-deref>dereferencing <span title="javascript protocol"><code title="">javascript:</code>
- URLs</span></a>, etc).</p>
+ GET or POST operation, or reading the file from disk, <a href=#concept-js-deref title=concept-js-deref>dereferencing <span title="javascript
+ protocol"><code title="">javascript:</code> URLs</span></a>,
+ etc).</p>
- <p class=note>The HTTP specification requires that 301, 302, and
- 307 redirects, when applied to methods other than the safe
- methods, not be followed without user confirmation. <a href=#refsHTTP>[HTTP]</a></p>
-
<p>For the purposes of the <code title=http-referer>Referer</code> (sic) header, use the
<i>address of the resource from which Request-URIs are
obtained</i> generated in the earlier step.</p>
@@ -6170,6 +6169,39 @@
<li>
+ <p>If the fetched resource is an HTTP redirect <a href=#concept-http-equivalent-codes title=concept-http-equivalent-codes>or equivalent</a>,
+ then:</p>
+
+ <dl class=switch><dt>If the <i>manual redirect flag</i> is set</dt>
+
+ <dd>
+
+ <p>Continue, using the fetched resource (the redirect) as the
+ result of the algorithm.</p>
+
+ </dd>
+
+ <dt>Otherwise</dt>
+
+ <dd>
+
+ <p>First, apply any relevant requirements for redirects (such as
+ showing any appropriate prompts). Then, redo <i>main step</i>,
+ but using the target of the redirect as the resource to fetch,
+ rather than the original resource.</p>
+
+ <p class=note>The HTTP specification requires that 301, 302,
+ and 307 redirects, when applied to methods other than the safe
+ methods, not be followed without user confirmation. That would
+ be an appropriate prompt for the purposes of the requirement in
+ the paragraph above. <a href=#refsHTTP>[HTTP]</a></p>
+
+ </dd>
+
+ </dl></li>
+
+ <li>
+
<p>If the algorithm was not invoked with the <i>synchronous
flag</i>: When the resource is available, or if there is an error
of some description, <a href=#queue-a-task>queue a task</a> that uses the
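Review bot: the "Otherwise" branch of the new redirect step sets no limit on how many times <i>main step</i> is redone, so as written here a resource that redirects to itself, or two resources that redirect to each other, keep the fetch going indefinitely. Suggest stating that the user agent stops after a bounded number of redirects or on detecting a loop, and what result the algorithm reports in that case.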
@@ -55875,9 +55907,9 @@
application cache at all; the submission will be made to the
network.</p>
- <p>Otherwise, <a href=#fetch>fetch</a> the new resource, if it has not
- already been obtained<!-- it's obtained by <object>, for instance
- -->.</p>
+ <p>Otherwise, unless it has already been obtained<!-- it's
+ obtained by <object>, for instance -->, <a href=#fetch>fetch</a> the new
+ resource, with the <i>manual redirect flag</i> set.</p>
<p>If the resource is being fetched using a method other than one
<a href=#concept-http-equivalent-get title=concept-http-equivalent-get>equivalent to</a>
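Review bot: setting the <i>manual redirect flag</i> on navigate's fetch means the requirement to "apply any relevant requirements for redirects (such as showing any appropriate prompts)" no longer covers navigations, because that sentence sits only under the "Otherwise" branch of the fetch redirect step. The navigate redirect step added further down allows POST redirects to proceed and says nothing about confirmation, so the user prompt the HTTP note describes for 301, 302 and 307 on non-safe methods is not required anywhere on this path. Suggest restating the prompt requirement in the navigate step, or moving it in fetch so it applies in both branches.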
@@ -55902,17 +55934,30 @@
<li>
- <p>At this point the user agents must return to whatever algorithm
- invoked the navigation steps and must continue these steps
- asynchronously.</p>
+ <p>At this point, unless this step has already been reached once
+ before in the execution of this instance of the algorithm, the
+ user agents must return to whatever algorithm invoked the
+ navigation steps and must continue these steps asynchronously.</p>
</li>
<li>
- <p>If fetching the resource results in a redirect, return to <a href=#navigate-fragid-step>the step labeled "fragment
- identifiers"</a> with the new resource.</p>
+ <p>If fetching the resource results in a redirect, and either the
+ <a href=#url>URL</a> of the target of the redirect has the <a href=#same-origin>same
+ origin</a> as the original resource, or the resource is being
+ obtained using the POST method or a safe method (in HTTP terms),
+ return to <a href=#navigate-fragid-step>the step labeled
+ "fragment identifiers"</a> with the new resource.</p>
+ <p>Otherwise, if fetching the resource results in a redirect but
+ the <a href=#url>URL</a> of the target of the redirect does not have
+ the <a href=#same-origin>same origin</a> as the original resource and the
+ resource is being obtained using a method that is neither the POST
+ method nor a safe method (in HTTP terms), then abort these
+ steps. The user agent may indicate to the user that the navigation
+ has been aborted for security reasons.</p>
+
</li>
<li><p>Wait for one or more bytes to be available or for the user
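Review bot: the first new paragraph lets a cross-origin redirect proceed for POST while the second aborts it for every other non-safe method, and nothing here says why POST is treated differently. A short note giving the reason would let implementers and reviewers judge the rule. The second paragraph also spells out the full negation of the first after "Otherwise"; "Otherwise, if fetching the resource results in a redirect, abort these steps" says the same thing and leaves no room for the two conditions to drift apart in later edits.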
@@ -89913,6 +89958,7 @@
Dean Edwards,
Debi Orton,
Derek Featherstone,
+ Devdatta,
Dimitri Glazkov,
Dimitry Golubovsky,
Divya Manian,
Modified: index
===================================================================
--- index 2010-04-06 00:08:11 UTC (rev 4974)
+++ index 2010-04-06 00:43:10 UTC (rev 4975)
@@ -5964,9 +5964,10 @@
<p>When a user agent is to <dfn id=fetch>fetch</dfn> a resource or
<a href=#url>URL</a>, optionally from an origin <i title="">origin</i>,
- and optionally with a <i>synchronous flag</i>, the following steps
- must be run. (When a <em>URL</em> is to be fetched, the URL
- identifies a resource to be obtained.)</p>
+ and optionally with a <i>synchronous flag</i> and/or a <i>manual
+ redirect flag</i>, the following steps must be run. (When a
+ <em>URL</em> is to be fetched, the URL identifies a resource to be
+ obtained.)</p>
<!-- if invoked with the synchronous flag, make sure to release the
storage mutex first -->
@@ -6012,6 +6013,8 @@
<li>
+ <p>This is the <i>main step</i>.</p>
+
<p>If the resource is identified by an <a href=#absolute-url>absolute URL</a>,
and the resource is to be obtained using an idempotent action
(such as an HTTP GET <a href=#concept-http-equivalent-get title=concept-http-equivalent-get>or
@@ -6025,14 +6028,10 @@
<p>Otherwise, at a time convenient to the user and the user agent,
download (or otherwise obtain) the resource, applying the
semantics of the relevant specifications (e.g. performing an HTTP
- GET or POST operation, or reading the file from disk, following
- redirects, <a href=#concept-js-deref title=concept-js-deref>dereferencing <span title="javascript protocol"><code title="">javascript:</code>
- URLs</span></a>, etc).</p>
+ GET or POST operation, or reading the file from disk, <a href=#concept-js-deref title=concept-js-deref>dereferencing <span title="javascript
+ protocol"><code title="">javascript:</code> URLs</span></a>,
+ etc).</p>
- <p class=note>The HTTP specification requires that 301, 302, and
- 307 redirects, when applied to methods other than the safe
- methods, not be followed without user confirmation. <a href=#refsHTTP>[HTTP]</a></p>
-
<p>For the purposes of the <code title=http-referer>Referer</code> (sic) header, use the
<i>address of the resource from which Request-URIs are
obtained</i> generated in the earlier step.</p>
@@ -6068,6 +6067,39 @@
<li>
+ <p>If the fetched resource is an HTTP redirect <a href=#concept-http-equivalent-codes title=concept-http-equivalent-codes>or equivalent</a>,
+ then:</p>
+
+ <dl class=switch><dt>If the <i>manual redirect flag</i> is set</dt>
+
+ <dd>
+
+ <p>Continue, using the fetched resource (the redirect) as the
+ result of the algorithm.</p>
+
+ </dd>
+
+ <dt>Otherwise</dt>
+
+ <dd>
+
+ <p>First, apply any relevant requirements for redirects (such as
+ showing any appropriate prompts). Then, redo <i>main step</i>,
+ but using the target of the redirect as the resource to fetch,
+ rather than the original resource.</p>
+
+ <p class=note>The HTTP specification requires that 301, 302,
+ and 307 redirects, when applied to methods other than the safe
+ methods, not be followed without user confirmation. That would
+ be an appropriate prompt for the purposes of the requirement in
+ the paragraph above. <a href=#refsHTTP>[HTTP]</a></p>
+
+ </dd>
+
+ </dl></li>
+
+ <li>
+
<p>If the algorithm was not invoked with the <i>synchronous
flag</i>: When the resource is available, or if there is an error
of some description, <a href=#queue-a-task>queue a task</a> that uses the
@@ -55776,9 +55808,9 @@
application cache at all; the submission will be made to the
network.</p>
- <p>Otherwise, <a href=#fetch>fetch</a> the new resource, if it has not
- already been obtained<!-- it's obtained by <object>, for instance
- -->.</p>
+ <p>Otherwise, unless it has already been obtained<!-- it's
+ obtained by <object>, for instance -->, <a href=#fetch>fetch</a> the new
+ resource, with the <i>manual redirect flag</i> set.</p>
<p>If the resource is being fetched using a method other than one
<a href=#concept-http-equivalent-get title=concept-http-equivalent-get>equivalent to</a>
@@ -55803,17 +55835,30 @@
<li>
- <p>At this point the user agents must return to whatever algorithm
- invoked the navigation steps and must continue these steps
- asynchronously.</p>
+ <p>At this point, unless this step has already been reached once
+ before in the execution of this instance of the algorithm, the
+ user agents must return to whatever algorithm invoked the
+ navigation steps and must continue these steps asynchronously.</p>
</li>
<li>
- <p>If fetching the resource results in a redirect, return to <a href=#navigate-fragid-step>the step labeled "fragment
- identifiers"</a> with the new resource.</p>
+ <p>If fetching the resource results in a redirect, and either the
+ <a href=#url>URL</a> of the target of the redirect has the <a href=#same-origin>same
+ origin</a> as the original resource, or the resource is being
+ obtained using the POST method or a safe method (in HTTP terms),
+ return to <a href=#navigate-fragid-step>the step labeled
+ "fragment identifiers"</a> with the new resource.</p>
+ <p>Otherwise, if fetching the resource results in a redirect but
+ the <a href=#url>URL</a> of the target of the redirect does not have
+ the <a href=#same-origin>same origin</a> as the original resource and the
+ resource is being obtained using a method that is neither the POST
+ method nor a safe method (in HTTP terms), then abort these
+ steps. The user agent may indicate to the user that the navigation
+ has been aborted for security reasons.</p>
+
</li>
<li><p>Wait for one or more bytes to be available or for the user
@@ -83335,6 +83380,7 @@
Dean Edwards,
Debi Orton,
Derek Featherstone,
+ Devdatta,
Dimitri Glazkov,
Dimitry Golubovsky,
Divya Manian,
Modified: source
===================================================================
--- source 2010-04-06 00:08:11 UTC (rev 4974)
+++ source 2010-04-06 00:43:10 UTC (rev 4975)
@@ -5623,9 +5623,10 @@
<p>When a user agent is to <dfn>fetch</dfn> a resource or
<span>URL</span>, optionally from an origin <i title="">origin</i>,
- and optionally with a <i>synchronous flag</i>, the following steps
- must be run. (When a <em>URL</em> is to be fetched, the URL
- identifies a resource to be obtained.)</p>
+ and optionally with a <i>synchronous flag</i> and/or a <i>manual
+ redirect flag</i>, the following steps must be run. (When a
+ <em>URL</em> is to be fetched, the URL identifies a resource to be
+ obtained.)</p>
<!-- if invoked with the synchronous flag, make sure to release the
storage mutex first -->
@@ -5679,6 +5680,8 @@
<li>
+ <p>This is the <i>main step</i>.</p>
+
<p>If the resource is identified by an <span>absolute URL</span>,
and the resource is to be obtained using an idempotent action
(such as an HTTP GET <span title="concept-http-equivalent-get">or
@@ -5694,16 +5697,11 @@
<p>Otherwise, at a time convenient to the user and the user agent,
download (or otherwise obtain) the resource, applying the
semantics of the relevant specifications (e.g. performing an HTTP
- GET or POST operation, or reading the file from disk, following
- redirects, <span title="concept-js-deref">dereferencing <span
- title="javascript protocol"><code title="">javascript:</code>
- URLs</span></span>, etc).</p>
+ GET or POST operation, or reading the file from disk, <span
+ title="concept-js-deref">dereferencing <span title="javascript
+ protocol"><code title="">javascript:</code> URLs</span></span>,
+ etc).</p>
- <p class="note">The HTTP specification requires that 301, 302, and
- 307 redirects, when applied to methods other than the safe
- methods, not be followed without user confirmation. <a
- href="#refsHTTP">[HTTP]</a></p>
-
<p>For the purposes of the <code
title="http-referer">Referer</code> (sic) header, use the
<i>address of the resource from which Request-URIs are
@@ -5749,6 +5747,44 @@
<li>
+ <p>If the fetched resource is an HTTP redirect <span
+ title="concept-http-equivalent-codes">or equivalent</span>,
+ then:</p>
+
+ <dl class="switch">
+
+ <dt>If the <i>manual redirect flag</i> is set</dt>
+
+ <dd>
+
+ <p>Continue, using the fetched resource (the redirect) as the
+ result of the algorithm.</p>
+
+ </dd>
+
+ <dt>Otherwise</dt>
+
+ <dd>
+
+ <p>First, apply any relevant requirements for redirects (such as
+ showing any appropriate prompts). Then, redo <i>main step</i>,
+ but using the target of the redirect as the resource to fetch,
+ rather than the original resource.</p>
+
+ <p class="note">The HTTP specification requires that 301, 302,
+ and 307 redirects, when applied to methods other than the safe
+ methods, not be followed without user confirmation. That would
+ be an appropriate prompt for the purposes of the requirement in
+ the paragraph above. <a href="#refsHTTP">[HTTP]</a></p>
+
+ </dd>
+
+ </dl>
+
+ </li>
+
+ <li>
+
<p>If the algorithm was not invoked with the <i>synchronous
flag</i>: When the resource is available, or if there is an error
of some description, <span>queue a task</span> that uses the
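Review bot: the "Otherwise" branch says to redo <i>main step</i> "using the target of the redirect as the resource to fetch" but does not say which method and request body the repeated step uses. For a redirect received in response to a non-safe method that decides whether the body is sent again to the new target, so the text should state whether the original method and body are kept or the request becomes a GET, or point to the specification that decides it.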
@@ -62901,9 +62937,9 @@
application cache at all; the submission will be made to the
network.</p>
- <p>Otherwise, <span>fetch</span> the new resource, if it has not
- already been obtained<!-- it's obtained by <object>, for instance
- -->.</p>
+ <p>Otherwise, unless it has already been obtained<!-- it's
+ obtained by <object>, for instance -->, <span>fetch</span> the new
+ resource, with the <i>manual redirect flag</i> set.</p>
<p>If the resource is being fetched using a method other than one
<span title="concept-http-equivalent-get">equivalent to</span>
@@ -62928,18 +62964,30 @@
<li>
- <p>At this point the user agents must return to whatever algorithm
- invoked the navigation steps and must continue these steps
- asynchronously.</p>
+ <p>At this point, unless this step has already been reached once
+ before in the execution of this instance of the algorithm, the
+ user agents must return to whatever algorithm invoked the
+ navigation steps and must continue these steps asynchronously.</p>
</li>
<li>
- <p>If fetching the resource results in a redirect, return to <a
- href="#navigate-fragid-step">the step labeled "fragment
- identifiers"</a> with the new resource.</p>
+ <p>If fetching the resource results in a redirect, and either the
+ <span>URL</span> of the target of the redirect has the <span>same
+ origin</span> as the original resource, or the resource is being
+ obtained using the POST method or a safe method (in HTTP terms),
+ return to <a href="#navigate-fragid-step">the step labeled
+ "fragment identifiers"</a> with the new resource.</p>
+ <p>Otherwise, if fetching the resource results in a redirect but
+ the <span>URL</span> of the target of the redirect does not have
+ the <span>same origin</span> as the original resource and the
+ resource is being obtained using a method that is neither the POST
+ method nor a safe method (in HTTP terms), then abort these
+ steps. The user agent may indicate to the user that the navigation
+ has been aborted for security reasons.</p>
+
</li>
<li><p>Wait for one or more bytes to be available or for the user
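Review bot: the abort in the second new paragraph is reached after the previous step has already returned to the invoking algorithm, and informing the user is only a "may", so a navigation blocked here can end with no signal to the caller or to the user. Suggest saying what the browsing context is left showing after the abort, and consider making the user indication a "should".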
@@ -103026,6 +103074,7 @@
Dean Edwards,
Debi Orton,
Derek Featherstone,
+ Devdatta,
Dimitri Glazkov,
Dimitry Golubovsky,
Divya Manian,