[html5] r6142 - [giow] (0) First draft for working out how to use CORS with <img>, <video>, and [...]
whatwg at whatwg.org
Tue May 17 18:09:34 PDT 2011
Author: ianh
Date: 2011-05-17 18:09:32 -0700 (Tue, 17 May 2011)
New Revision: 6142
Modified:
complete.html
index
source
Log:
[giow] (0) First draft for working out how to use CORS with <img>, <video>, and <audio>.
Modified: complete.html
===================================================================
--- complete.html 2011-05-16 23:52:45 UTC (rev 6141)
+++ complete.html 2011-05-18 01:09:32 UTC (rev 6142)
@@ -239,7 +239,7 @@
<header class=head id=head><p><a class=logo href=http://www.whatwg.org/ rel=home><img alt=WHATWG height=101 src=/images/logo width=101></a></p>
<hgroup><h1>Web Applications 1.0</h1>
- <h2 class="no-num no-toc">Living Standard — Last Updated 16 May 2011</h2>
+ <h2 class="no-num no-toc">Living Standard — Last Updated 18 May 2011</h2>
</hgroup><dl><dt>Multiple-page version:</dt>
<dd><a href=http://www.whatwg.org/specs/web-apps/current-work/complete/>http://www.whatwg.org/specs/web-apps/current-work/complete/</a></dd>
<dt>One-page version:</dt>
@@ -360,7 +360,8 @@
<li><a href=#concept-http-equivalent><span class=secno>2.7.1 </span>Protocol concepts</a></li>
<li><a href=#encrypted-http-and-related-security-concerns><span class=secno>2.7.2 </span>Encrypted HTTP and related security concerns</a></li>
<li><a href=#content-type-sniffing><span class=secno>2.7.3 </span>Determining the type of a resource</a></li>
- <li><a href=#extracting-encodings-from-meta-elements><span class=secno>2.7.4 </span>Extracting encodings from <code>meta</code> elements</a></ol></li>
+ <li><a href=#extracting-encodings-from-meta-elements><span class=secno>2.7.4 </span>Extracting encodings from <code>meta</code> elements</a></li>
+ <li><a href=#cors-settings-attributes><span class=secno>2.7.5 </span>CORS settings attributes</a></ol></li>
<li><a href=#common-dom-interfaces><span class=secno>2.8 </span>Common DOM interfaces</a>
<ol>
<li><a href=#reflecting-content-attributes-in-idl-attributes><span class=secno>2.8.1 </span>Reflecting content attributes in IDL attributes</a></li>
@@ -3468,6 +3469,16 @@
</dd>
+ <dt>CORS</dt>
+
+ <dd>
+
+ <p>The following terms are defined in the CORS specification:</p>
+
+ <ul class=brief><li><dfn id=cross-origin-request>cross-origin request</dfn>
+ <li><dfn id=cross-origin-request-status>cross-origin request status</dfn>
+ </ul></dd>
+
<dt>CSS modules</dt>
<dd>
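Review bot: the new CORS terms list is incomplete for the algorithms this revision adds: `cross-origin request` and `cross-origin request status` are listed, but the img, media resource and text track steps also use `request URL`, `source origin`, `credentials flag` and the status value `success` as CORS terms (marked up as `<i>`), none of which is listed or linked here. Add them to this `<ul class=brief>` so every imported CORS term has one place it is declared.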
@@ -7189,7 +7200,30 @@
</div>
+ <h4 id=cors-settings-attributes><span class=secno>2.7.5 </span>CORS settings attributes</h4>
+ <p>A <dfn id=cors-settings-attribute>CORS settings attribute</dfn> is an <a href=#enumerated-attribute>enumerated
+ attribute</a>. The following table lists the keywords and states
+ for the attribute — the keywords in the left column map to the
+ states in the cell in the second column on the same row as the
+ keyword.</p>
+
+ <table><thead><tr><th> Keyword
+ <th> State
+ <th> Brief description
+ <tbody><tr><td><dfn id=attr-cross-origin-anonymous-keyword title=attr-cross-origin-anonymous-keyword><code>anonymous</code></dfn>
+ <td><dfn id=attr-cross-origin-anonymous title=attr-cross-origin-anonymous>Anonymous</dfn>
+ <td>Cross-origin CORS requests for the element will not have the <i>credentials flag</i> set.
+ <tr><td><dfn id=attr-cross-origin-use-credentials-keyword title=attr-cross-origin-use-credentials-keyword><code>use-credentials</code></dfn>
+ <td><dfn id=attr-cross-origin-use-credentials title=attr-cross-origin-use-credentials>Use Credentials</dfn>
+ <td>Cross-origin CORS requests for the element will have the <i>credentials flag</i> set.
+ </table><p>The empty string is also a valid keyword, and maps to the <a href=#attr-cross-origin-anonymous title=attr-cross-origin-anonymous>Anonymous</a> state. The
+ attribute's <i>invalid value default</i> is the <a href=#attr-cross-origin-anonymous title=attr-cross-origin-anonymous>Anonymous</a> state. The
+ <i>missing value default</i>, used when the attribute is omitted, is
+ the <dfn id=attr-cross-origin-none title=attr-cross-origin-none>No CORS</dfn> state.</p>
+
+
+
<h3 id=common-dom-interfaces><span class=secno>2.8 </span>Common DOM interfaces</h3>
<h4 id=reflecting-content-attributes-in-idl-attributes><span class=secno>2.8.1 </span>Reflecting content attributes in IDL attributes</h4>
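Review bot: the `No CORS` state is introduced only in the prose after the table (`The missing value default ... is the No CORS state`), so the keyword/state table shows two states while the attribute actually has three; add a row with an empty keyword column, or say in the sentence before the table that the table omits the missing-value state. The `Brief description` cells are also the first place the `credentials flag` appears, with no pointer to where it is defined; a `[CORS]` reference on this section would help implementers find what setting the flag means (cookies and HTTP authentication being sent with the request).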
@@ -21967,6 +22001,7 @@
<dd><a href=#global-attributes>Global attributes</a></dd>
<dd><code title=attr-img-alt><a href=#attr-img-alt>alt</a></code></dd>
<dd><code title=attr-img-src><a href=#attr-img-src>src</a></code></dd>
+ <dd><code title=attr-img-cross-origin><a href=#attr-img-cross-origin>cross-origin</a></code></dd>
<dd><code title=attr-hyperlink-usemap><a href=#attr-hyperlink-usemap>usemap</a></code></dd>
<dd><code title=attr-img-ismap><a href=#attr-img-ismap>ismap</a></code></dd>
<dd><code title=attr-dim-width><a href=#attr-dim-width>width</a></code></dd>
@@ -21979,6 +22014,7 @@
interface <dfn id=htmlimageelement>HTMLImageElement</dfn> : <a href=#htmlelement>HTMLElement</a> {
attribute DOMString <a href=#dom-img-alt title=dom-img-alt>alt</a>;
attribute DOMString <a href=#dom-img-src title=dom-img-src>src</a>;
+ attribute DOMString <a href=#dom-img-crossorigin title=dom-img-crossOrigin>crossOrigin</a>;
attribute DOMString <a href=#dom-img-usemap title=dom-img-useMap>useMap</a>;
attribute boolean <a href=#dom-img-ismap title=dom-img-isMap>isMap</a>;
attribute unsigned long <a href=#dom-img-width title=dom-img-width>width</a>;
@@ -22040,6 +22076,9 @@
display transparent images, as they rarely convey meaning and rarely
add anything useful to the document.</p>
+ <p>The <dfn id=attr-img-cross-origin title=attr-img-cross-origin><code>cross-origin</code></dfn>
+ attribute is a <a href=#cors-settings-attribute>CORS settings attribute</a>.</p>
+
<div class=impl>
<hr><p>An <code><a href=#the-img-element>img</a></code> is always in one of the following states:</p>
@@ -22107,12 +22146,32 @@
<li>
- <p>Otherwise, <a href=#resolve-a-url title="resolve a url">resolve</a> the value
+ <p><a href=#resolve-a-url title="resolve a url">Resolve</a> the value
of the element's <code title=attr-img-src><a href=#attr-img-src>src</a></code> attribute,
- relative to the element, and, if that is successful,
- <a href=#fetch>fetch</a> that resource.</p> <!-- http-origin privacy
- sensitive -->
+ relative to the element.</p>
+ <p>If that is not successful, abort these steps.</p>
+
+ <p>Otherwise, if the <a href=#origin>origin</a> of the resulting
+ <a href=#absolute-url>absolute URL</a> is not the <a href=#same-origin>same origin</a> as
+ the <code><a href=#the-img-element>img</a></code> element's <code><a href=#document>Document</a></code>'s
+ <a href=#origin>origin</a>, and the <code><a href=#the-img-element>img</a></code> element has a <code title=attr-img-cross-origin><a href=#attr-img-cross-origin>cross-origin</a></code> attribute, then
+ perform a <a href=#cross-origin-request>cross-origin request</a>, with the <i>request
+ URL</i> set to the resulting <a href=#absolute-url>absolute URL</a>, the
+ <i>source origin</i> set to the <a href=#origin>origin</a> of the
+ <code><a href=#the-img-element>img</a></code> element's <code><a href=#document>Document</a></code>, and the
+ <i>credentials flag</i> set unless the <code title=attr-img-cross-origin><a href=#attr-img-cross-origin>cross-origin</a></code> attribute is in
+ the <a href=#attr-cross-origin-anonymous title=attr-cross-origin-anonymous>Anonymous</a>
+ state. Discard any data fetched in this way unless the
+ <a href=#cross-origin-request-status>cross-origin request status</a> is set to <i>success</i>.
+ If the <a href=#cross-origin-request-status>cross-origin request status</a> is set to
+ <i>success</i>, then the element's image data's
+ <a href=#origin>origin</a> is forced to be the <code><a href=#the-img-element>img</a></code> element's
+ <code><a href=#document>Document</a></code>'s <a href=#origin>origin</a>. <a href=#refsCORS>[CORS]</a></p> <!-- http-origin CORS -->
+
+ <p>Otherwise, <a href=#fetch>fetch</a> the resulting <a href=#absolute-url>absolute
+ URL</a>.</p> <!-- http-origin privacy sensitive -->
+
<p>The resouce obtained in this fashion is the <code><a href=#the-img-element>img</a></code>
element's image data.</p>
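Review bot: `If that is not successful, abort these steps.` changes behaviour compared with the removed text, which only skipped the fetch on a failed resolution and let the following steps run; the new wording stops the algorithm without saying what state the img ends in or whether an error event is fired. The same gap applies to `Discard any data fetched in this way unless the cross-origin request status is set to success`: the element is left with no image data, but the step does not say this is to be treated as a failed fetch, so the normal failure handling may not apply. State explicitly that both cases are handled as if the fetch had failed. (The context line `The resouce obtained in this fashion` still carries the pre-existing `resouce` typo.)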
@@ -22353,10 +22412,20 @@
<div class=impl>
- <p>The IDL attributes <dfn id=dom-img-alt title=dom-img-alt><code>alt</code></dfn>, <dfn id=dom-img-src title=dom-img-src><code>src</code></dfn>, <dfn id=dom-img-usemap title=dom-img-useMap><code>useMap</code></dfn>, and <dfn id=dom-img-ismap title=dom-img-isMap><code>isMap</code></dfn> each must
+ <p>The <dfn id=dom-img-alt title=dom-img-alt><code>alt</code></dfn> and <dfn id=dom-img-src title=dom-img-src><code>src</code></dfn> IDL attributes must
<a href=#reflect>reflect</a> the respective content attributes of the same
name.</p>
+ <p>The <dfn id=dom-img-crossorigin title=dom-img-crossOrigin><code>crossOrigin</code></dfn> IDL
+ attribute must <a href=#reflect>reflect</a> the <code title=attr-img-cross-origin><a href=#attr-img-cross-origin>cross-origin</a></code> content
+ attribute.</p>
+
+ <p>The <dfn id=dom-img-usemap title=dom-img-useMap><code>useMap</code></dfn> IDL
+ attribute must <a href=#reflect>reflect</a> the <code title=attr-img-usemap>usemap</code> content attribute.</p>
+
+ <p>The <dfn id=dom-img-ismap title=dom-img-isMap><code>isMap</code></dfn> IDL
+ attribute must <a href=#reflect>reflect</a> the <code title=attr-img-ismap><a href=#attr-img-ismap>ismap</a></code> content attribute.</p>
+
</div>
<dl class=domintro><dt><var title="">image</var> . <code title=dom-img-width><a href=#dom-img-width>width</a></code> [ = <var title="">value</var> ]</dt>
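Review bot: the new `useMap` paragraph refers to the content attribute as `<code title=attr-img-usemap>usemap</code>` with no link, whereas the content attribute list in this same patch uses `<code title=attr-hyperlink-usemap><a href=#attr-hyperlink-usemap>usemap</a></code>`; the `attr-img-usemap` cross-reference appears not to resolve, so use `attr-hyperlink-usemap` here for consistency with the other reflected attributes in this block.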
@@ -25398,6 +25467,7 @@
<dt>Content attributes:</dt>
<dd><a href=#global-attributes>Global attributes</a></dd>
<dd><code title=attr-media-src><a href=#attr-media-src>src</a></code></dd>
+ <dd><code title=attr-media-cross-origin><a href=#attr-media-cross-origin>cross-origin</a></code></dd>
<dd><code title=attr-video-poster><a href=#attr-video-poster>poster</a></code></dd>
<dd><code title=attr-media-preload><a href=#attr-media-preload>preload</a></code></dd>
<dd><code title=attr-media-autoplay><a href=#attr-media-autoplay>autoplay</a></code></dd>
@@ -25732,6 +25802,7 @@
<dt>Content attributes:</dt>
<dd><a href=#global-attributes>Global attributes</a></dd>
<dd><code title=attr-media-src><a href=#attr-media-src>src</a></code></dd>
+ <dd><code title=attr-media-cross-origin><a href=#attr-media-cross-origin>cross-origin</a></code></dd>
<dd><code title=attr-media-preload><a href=#attr-media-preload>preload</a></code></dd>
<dd><code title=attr-media-autoplay><a href=#attr-media-autoplay>autoplay</a></code></dd>
<dd><code title=attr-media-mediagroup><a href=#attr-media-mediagroup>mediagroup</a></code></dd>
@@ -26236,6 +26307,7 @@
// network state
attribute DOMString <a href=#dom-media-src title=dom-media-src>src</a>;
readonly attribute DOMString <a href=#dom-media-currentsrc title=dom-media-currentSrc>currentSrc</a>;
+ attribute DOMString <a href=#dom-media-crossorigin title=dom-media-crossOrigin>crossOrigin</a>;
const unsigned short <a href=#dom-media-network_empty title=dom-media-NETWORK_EMPTY>NETWORK_EMPTY</a> = 0;
const unsigned short <a href=#dom-media-network_idle title=dom-media-NETWORK_IDLE>NETWORK_IDLE</a> = 1;
const unsigned short <a href=#dom-media-network_loading title=dom-media-NETWORK_LOADING>NETWORK_LOADING</a> = 2;
@@ -26290,7 +26362,7 @@
<a href=#mutabletexttrack>MutableTextTrack</a> <a href=#dom-media-addtexttrack title=dom-media-addTextTrack>addTextTrack</a>(in DOMString kind, in optional DOMString label, in optional DOMString language);
};</pre>
- <p>The <dfn id=media-element-attributes>media element attributes</dfn>, <code title=attr-media-src><a href=#attr-media-src>src</a></code>, <code title=attr-media-preload><a href=#attr-media-preload>preload</a></code>, <code title=attr-media-autoplay><a href=#attr-media-autoplay>autoplay</a></code>,
+ <p>The <dfn id=media-element-attributes>media element attributes</dfn>, <code title=attr-media-src><a href=#attr-media-src>src</a></code>, <code title=attr-media-cross-origin><a href=#attr-media-cross-origin>cross-origin</a></code>, <code title=attr-media-preload><a href=#attr-media-preload>preload</a></code>, <code title=attr-media-autoplay><a href=#attr-media-autoplay>autoplay</a></code>,
<code title=attr-media-mediagroup><a href=#attr-media-mediagroup>mediagroup</a></code>,
<code title=attr-media-loop><a href=#attr-media-loop>loop</a></code>,
<code title=attr-media-muted><a href=#attr-media-muted>muted</a></code>, and <code title=attr-media-controls><a href=#attr-media-controls>controls</a></code>, apply to all <a href=#media-element title="media element">media elements</a>. They are defined in
@@ -26445,6 +26517,10 @@
attribute, if present, must contain a <a href=#valid-non-empty-url-potentially-surrounded-by-spaces>valid non-empty
URL potentially surrounded by spaces</a>.</p>
+ <p>The <dfn id=attr-media-cross-origin title=attr-media-cross-origin><code>cross-origin</code></dfn>
+ content attribute on <a href=#media-element title="media element">media
+ elements</a> is a <a href=#cors-settings-attribute>CORS settings attribute</a>.</p>
+
<div class=impl>
<p>If a <code title=attr-media-src><a href=#attr-media-src>src</a></code> attribute of a
@@ -26457,6 +26533,10 @@
attribute on <a href=#media-element title="media element">media elements</a> must
<a href=#reflect>reflect</a> the content attribute of the same name.</p>
+ <p>The <dfn id=dom-media-crossorigin title=dom-media-crossOrigin><code>crossOrigin</code></dfn> IDL
+ attribute must <a href=#reflect>reflect</a> the <code title=attr-media-cross-origin><a href=#attr-media-cross-origin>cross-origin</a></code> content
+ attribute.</p>
+
</div>
<dl class=domintro><dt><var title="">media</var> . <code title=dom-media-currentSrc><a href=#dom-media-currentsrc>currentSrc</a></code></dt>
@@ -27050,11 +27130,27 @@
<li>
- <p>Begin to <a href=#fetch>fetch</a> the <var title="">current media
+ <p>If the <a href=#origin>origin</a> of <var title="">current media
+ resource</var>'s <a href=#absolute-url>absolute URL</a> is not the <a href=#same-origin>same
+ origin</a> as the <a href=#media-element>media element</a>'s
+ <code><a href=#document>Document</a></code>'s <a href=#origin>origin</a>, and the <a href=#media-element>media
+ element</a> has a <code title=attr-media-cross-origin><a href=#attr-media-cross-origin>cross-origin</a></code> attribute,
+ then perform a <a href=#cross-origin-request>cross-origin request</a>, with the
+ <i>request URL</i> set to <var title="">current media
+ resource</var>'s <a href=#absolute-url>absolute URL</a>, the <i>source
+ origin</i> set to the <a href=#origin>origin</a> of the <a href=#media-element>media
+ element</a>'s <code><a href=#document>Document</a></code>, and the <i>credentials
+ flag</i> set unless the <code title=attr-media-cross-origin><a href=#attr-media-cross-origin>cross-origin</a></code> attribute is
+ in the <a href=#attr-cross-origin-anonymous title=attr-cross-origin-anonymous>Anonymous</a>
+ state. Discard any data fetched in this way unless the
+ <a href=#cross-origin-request-status>cross-origin request status</a> is set to <i>success</i>.
+ <a href=#refsCORS>[CORS]</a></p> <!-- http-origin CORS -->
+
+ <p>Otherwise, <a href=#fetch>fetch</a> the <var title="">current media
resource</var>, from the <a href=#media-element>media element</a>'s
<code><a href=#document>Document</a></code>'s <a href=#origin>origin</a>, with the <i>force
same-origin flag</i> set.</p> <!-- not http-origin privacy
- sensitive (looking forward to CORS here) -->
+ sensitive -->
<p>Every 350ms (±200ms) or for every byte received, whichever
is <em>least</em> frequent, <a href=#queue-a-task>queue a task</a> to
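Review bot: the new CORS branch (`perform a cross-origin request, with the request URL set to current media resource's absolute URL ...`) does not say how the rest of the resource fetch algorithm applies to it: the progress step that follows (`Every 350ms ... queue a task`) is written in terms of the fetch, and the discard-on-non-`success` case does not say the media element should proceed as if a network error had occurred so that the existing failure steps run. Unlike the img version of this step, it also does not force the media resource's origin on success, while the revised "For audio and video elements" origin text relies on the origin always being the Document's; stating the forced origin here would make the two consistent.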
@@ -27445,17 +27541,11 @@
<dd>
- <p>If the <a href=#media-resource>media resource</a>'s <a href=#origin>origin</a> is
- the <a href=#same-origin>same origin</a> as the <a href=#media-element>media element</a>'s
- <code><a href=#document>Document</a></code>'s <a href=#origin>origin</a>, <a href=#queue-a-task>queue a
- task</a> to run the <a href=#steps-to-expose-a-media-resource-specific-text-track>steps to expose a
+ <p><a href=#queue-a-task>Queue a task</a> to run the <a href=#steps-to-expose-a-media-resource-specific-text-track>steps to expose a
media-resource-specific text track</a> with the relevant
- data.</p> <!-- CORS -->
+ data.</p>
- <p class=note>Cross-origin files do not expose their subtitles
- in the DOM, for security reasons. However, user agents may still
- provide the user with access to such data in their user
- interface.</p>
+ <!-- only allow this if the video is same-origin or CORS-protected -->
</dd>
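Review bot: the normative same-origin check guarding exposure of media-resource-specific text tracks is replaced by an HTML comment (`only allow this if the video is same-origin or CORS-protected`), and the note explaining that cross-origin files do not expose their subtitles in the DOM for security reasons is removed with it. If the intent is that the revised fetch steps now guarantee that any media resource reaching this point is same-origin or CORS-approved, say so in a normative sentence here rather than a comment; otherwise an implementation that still loads cross-origin media without the `cross-origin` attribute can read this step as permitting exposure of the track data.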
@@ -30574,13 +30664,29 @@
<li>
- <p><i>Download</i>: If <var title="">URL</var> is not the empty
- string, and its <a href=#origin>origin</a> is the same as the <a href=#media-element>media
- element</a>'s <code><a href=#document>Document</a></code>'s <a href=#origin>origin</a>, then
+ <p><i>Download</i>: At this point, the text track is downloaded.</p>
+
+ <p>If <var title="">URL</var> is not the empty string, and its
+ <a href=#origin>origin</a> is not the <a href=#same-origin>same origin</a> as the
+ <a href=#media-element>media element</a>'s <code><a href=#document>Document</a></code>'s
+ <a href=#origin>origin</a>, and the <a href=#media-element>media element</a> has a
+ <code title=attr-media-cross-origin><a href=#attr-media-cross-origin>cross-origin</a></code>
+ attribute, then perform a <a href=#cross-origin-request>cross-origin request</a>, with
+ the <i>request URL</i> set to <var title="">URL</var>, the
+ <i>source origin</i> set to the <a href=#origin>origin</a> of the
+ <a href=#media-element>media element</a>'s <code><a href=#document>Document</a></code>, and the
+ <i>credentials flag</i> set unless the <a href=#media-element>media
+ element</a>'s <code title=attr-media-cross-origin><a href=#attr-media-cross-origin>cross-origin</a></code> attribute is
+ in the <a href=#attr-cross-origin-anonymous title=attr-cross-origin-anonymous>Anonymous</a>
+ state. Discard any data fetched in this way unless the
+ <a href=#cross-origin-request-status>cross-origin request status</a> is set to <i>success</i>.
+ <a href=#refsCORS>[CORS]</a></p> <!-- http-origin CORS -->
+
+ <p>Otherwise, if <var title="">URL</var> is not the empty string,
<a href=#fetch>fetch</a> <var title="">URL</var>, from the <a href=#media-element>media
element</a>'s <code><a href=#document>Document</a></code>'s <a href=#origin>origin</a>, with
the <i>force same-origin flag</i> set.</p> <!-- not http-origin
- privacy sensitive (looking forward to CORS here) -->
+ privacy sensitive -->
<p>The <a href=#concept-task title=concept-task>tasks</a> <a href=#queue-a-task title="queue
a task">queued</a> by the <a href=#fetch title=fetch>fetching
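queued</a>">
Review bot: `Download: At this point, the text track is downloaded.` only restates the step label and adds nothing; either drop it or turn it into the lead-in for the two branches that follow. As in the media resource step, the `Discard any data fetched in this way unless the cross-origin request status is set to success` case does not say that the track is then to be treated as having failed to load, so it is unclear whether the `tasks queued by the fetching algorithm` in the following paragraph cover this outcome.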
@@ -33675,27 +33781,17 @@
<hr><p>If a hostile page embeds victim content, the threat is that the
embedding page could obtain information from the content that it
- would not otherwise have access to. The API does expose some
- information: the existence of the media, its type, its duration, its
- size, and the performance characteristics of its host. Such
- information is already potentially problematic, but in practice the
- same information can more or less be obtained using the
- <code><a href=#the-img-element>img</a></code> element, and so it has been deemed acceptable.</p>
+ would not otherwise have access to. To avoid this, the API will not
+ allow videos to be shown cross-origin unless the <code title=attr-media-cross-origin><a href=#attr-media-cross-origin>cross-origin</a></code> attribute is
+ present and the remote server opts-in to cross-origin requsts. <a href=#refsCORS>[CORS]</a></p>
- <p>However, significantly more sensitive information could be
- obtained if the user agent further exposes metadata within the
- content such as subtitles or chapter titles. This version of the API
- does not expose such information. Future extensions to this API will
- likely reuse a mechanism such as CORS to check that the embedded
- content's site has opted in to exposing such information. <a href=#refsCORS>[CORS]</a></p> <!-- v2 -->
+ <p class=example>Without this restriction, an attacker could trick
+ a user running within a corporate network into visiting a site that
+ attempts to load a video from a previously leaked location on the
+ corporation's intranet. If such a video included confidential plans
+ for a new product, then being able to read the subtitles would
+ present a serious confidentiality breach.</p>
- <p class=example>An attacker could trick a user running within a
- corporate network into visiting a site that attempts to load a video
- from a previously leaked location on the corporation's intranet. If
- such a video included confidential plans for a new product, then
- being able to read the subtitles would present a confidentiality
- breach.</p>
-
</div>
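Review bot: two typos in the new paragraph: `requsts` should be `requests`, and `opts-in` should be `opts in` (it is a verb here). The phrase `will not allow videos to be shown cross-origin` is also broader than the threat described in the preceding sentence and in the example, which is about the embedding page reading data (subtitles) from the resource; `loaded` or `have their data exposed` would match the normative steps more closely.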
@@ -61597,7 +61693,7 @@
</dd>
- <dt>For <code><a href=#document>Document</a></code> objects and images</dt>
+ <dt>For <code><a href=#document>Document</a></code> objects</dt>
<dd>
@@ -61613,8 +61709,7 @@
assigned when the <code><a href=#document>Document</a></code> is created.</dd>
- <dt>If a <code><a href=#document>Document</a></code> or image was generated from a
- <a href=#javascript-protocol title="javascript protocol"><code>javascript:</code>
+ <dt>If a <code><a href=#document>Document</a></code> was generated from a <a href=#javascript-protocol title="javascript protocol"><code>javascript:</code>
URL</a></dt>
<dd>The <a href=#origin>origin</a> is equal to the <a href=#origin>origin</a>
@@ -61622,31 +61717,25 @@
protocol"><code>javascript:</code> URL</a>.</dd>
- <dt>If a <code><a href=#document>Document</a></code> or image was served over the
- network and has an address that uses a URL scheme with a
- server-based naming authority</dt>
+ <dt>If a <code><a href=#document>Document</a></code> was served over the network and
+ has an address that uses a URL scheme with a server-based naming
+ authority</dt>
- <dd>The <a href=#origin>origin</a> is the <a href=#origin>origin</a> of the
- <a href="#the-document's-address" title="the document's address">address</a> of the
- <code><a href=#document>Document</a></code> or the <a href=#url>URL</a> of the image, as
- appropriate.</dd>
+ <dd>The <a href=#origin>origin</a> is the <a href=#origin>origin</a> of
+ <a href="#the-document's-address">the <code>Document</code>'s address</a>.</dd>
- <dt>If a <code><a href=#document>Document</a></code> or image was generated from a
- <a href=#data-protocol title="data protocol"><code title="">data:</code>
- URL</a> that was returned as the location of an HTTP redirect
- (<a href=#concept-http-equivalent-codes title=concept-http-equivalent-codes>or equivalent</a>
- in other protocols)</dt>
+ <dt>If a <code><a href=#document>Document</a></code> was generated from a <a href=#data-protocol title="data protocol"><code title="">data:</code> URL</a> that
+ was returned as the location of an HTTP redirect (<a href=#concept-http-equivalent-codes title=concept-http-equivalent-codes>or equivalent</a> in
+ other protocols)</dt>
<dd>The <a href=#origin>origin</a> is the <a href=#origin>origin</a> of the
<a href=#url>URL</a> that redirected to the <a href=#data-protocol title="data
protocol"><code title="">data:</code> URL</a>.</dd>
- <dt>If a <code><a href=#document>Document</a></code> or image was generated from a
- <a href=#data-protocol title="data protocol"><code title="">data:</code>
- URL</a> found in another <code><a href=#document>Document</a></code> or in a
- script</dt>
+ <dt>If a <code><a href=#document>Document</a></code> was generated from a <a href=#data-protocol title="data protocol"><code title="">data:</code> URL</a>
+ found in another <code><a href=#document>Document</a></code> or in a script</dt>
<dd>The <a href=#origin>origin</a> is the <a href=#origin>origin</a> of the
<code><a href=#document>Document</a></code> or script that initiated the <a href=#navigate title=navigate>navigation</a> to that <a href=#url>URL</a>.</dd>
@@ -61668,13 +61757,14 @@
<code><a href=#document>Document</a></code>.</dd>
- <dt>If a <code><a href=#document>Document</a></code> or image was obtained in some
- other manner (e.g. a <a href=#data-protocol title="data protocol"><code title="">data:</code> URL</a> typed in by the user, a
- <code><a href=#document>Document</a></code> created using the <code title=dom-DOMImplementation-createDocument><a href=#dom-domimplementation-createdocument>createDocument()</a></code>
+ <dt>If a <code><a href=#document>Document</a></code> was obtained in some other manner
+ (e.g. a <a href=#data-protocol title="data protocol"><code title="">data:</code>
+ URL</a> typed in by the user, a <code><a href=#document>Document</a></code> created
+ using the <code title=dom-DOMImplementation-createDocument><a href=#dom-domimplementation-createdocument>createDocument()</a></code>
API, etc)</dt>
<dd>The <a href=#origin>origin</a> is a globally unique identifier
- assigned when the <code><a href=#document>Document</a></code> or image is created.</dd>
+ assigned when the <code><a href=#document>Document</a></code> is created.</dd>
</dl><p>When a <code><a href=#document>Document</a></code> is created, its <a href=#effective-script-origin>effective
script origin</a> is initialized to the <a href=#origin>origin</a> of
@@ -61684,19 +61774,62 @@
</dd>
+ <dt>For images</dt>
+
+ <dd>
+
+ <dl class=switch><dt>If an image is the image of an <code><a href=#the-img-element>img</a></code> element and
+ its image data has a forced origin</dt>
+
+ <dd>The <a href=#origin>origin</a> is the image data's forced origin.
+ (This occurs when the image was successfully obtained using
+ CORS.)</dd>
+
+
+ <dt>If an image was served over the network and has an address
+ that uses a URL scheme with a server-based naming authority</dt>
+
+ <dd>The <a href=#origin>origin</a> is the <a href=#origin>origin</a> of the
+ image's <a href=#url>URL</a>.</dd>
+
+
+ <dt>If an image was generated from a <a href=#data-protocol title="data
+ protocol"><code title="">data:</code> URL</a> that was
+ returned as the location of an HTTP redirect (<a href=#concept-http-equivalent-codes title=concept-http-equivalent-codes>or equivalent</a> in
+ other protocols)</dt>
+
+ <dd>The <a href=#origin>origin</a> is the <a href=#origin>origin</a> of the
+ <a href=#url>URL</a> that redirected to the <a href=#data-protocol title="data
+ protocol"><code title="">data:</code> URL</a>.</dd>
+
+
+ <dt>If an image was generated from a <a href=#data-protocol title="data
+ protocol"><code title="">data:</code> URL</a> found in another
+ <code><a href=#document>Document</a></code> or in a script</dt>
+
+ <dd>The <a href=#origin>origin</a> is the <a href=#origin>origin</a> of the
+ <code><a href=#document>Document</a></code> or script that loaded that image.</dd>
+
+
+ <dt>If an image was obtained in some other manner (e.g. a <a href=#data-protocol title="data protocol"><code title="">data:</code> URL</a>
+ typed in by the user)</dt>
+
+ <dd>The <a href=#origin>origin</a> is a globally unique identifier
+ assigned when the image is created.</dd>
+
+ </dl></dd>
+
+
<dt>For <code><a href=#the-audio-element>audio</a></code> and <code><a href=#the-video-element>video</a></code> elements</dt>
<dd>
- <p>If value of the <a href=#media-element>media element</a>'s <code title=dom-media-currentSrc><a href=#dom-media-currentsrc>currentSrc</a></code> attribute is the
- empty string, the <a href=#origin>origin</a> is the same as the
+ <p>The <a href=#origin>origin</a> is always the same as the
<a href=#origin>origin</a> of the element's <code><a href=#document>Document</a></code>'s
- <a href=#origin>origin</a>.</p>
+ <a href=#origin>origin</a>, as <a href=#media-resource title="media resource">media
+ resources</a> cannot be fetched cross-origin without the
+ server's permission (using CORS).</p>
- <p>Otherwise, the <a href=#origin>origin</a> is equal to the
- <a href=#origin>origin</a> of the <a href=#absolute-url>absolute URL</a> given by the
- <a href=#media-element>media element</a>'s <code title=dom-media-currentSrc><a href=#dom-media-currentsrc>currentSrc</a></code> attribute.</p>
-
</dd>
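Review bot: `forced origin` (`its image data has a forced origin`) is used without a `<dfn>`; the img fetch step only says the origin `is forced to be` the Document's origin, so define the term once and link both uses. Separately, the new audio/video text asserts that media resources `cannot be fetched cross-origin without the server's permission (using CORS)`, but the resource fetch step in this same patch still has an `Otherwise, fetch ... with the force same-origin flag set` branch that runs for a cross-origin URL whenever the element has no `cross-origin` attribute; whether that fetch fails for a cross-origin URL should be stated where the flag is used, or the claim here that the origin is always the Document's does not hold.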
@@ -95399,6 +95532,7 @@
<a href=#transparent>transparent</a>*</td>
<td><a href=#global-attributes title="global attributes">globals</a>;
<code title=attr-media-src><a href=#attr-media-src>src</a></code>;
+ <code title=attr-media-cross-origin><a href=#attr-media-cross-origin>cross-origin</a></code>;
<code title=attr-media-preload><a href=#attr-media-preload>preload</a></code>;
<code title=attr-media-autoplay><a href=#attr-media-autoplay>autoplay</a></code>;
<code title=attr-media-mediagroup><a href=#attr-media-mediagroup>mediagroup</a></code>;
@@ -95803,6 +95937,7 @@
<td><a href=#global-attributes title="global attributes">globals</a>;
<code title=attr-img-alt><a href=#attr-img-alt>alt</a></code>;
<code title=attr-img-src><a href=#attr-img-src>src</a></code>;
+ <code title=attr-img-cross-origin><a href=#attr-img-cross-origin>cross-origin</a></code>;
<code title=attr-hyperlink-usemap><a href=#attr-hyperlink-usemap>usemap</a></code>;
<code title=attr-img-ismap><a href=#attr-img-ismap>ismap</a></code>;
<code title=attr-dim-width><a href=#attr-dim-width>width</a></code>;
@@ -96439,6 +96574,7 @@
<a href=#transparent>transparent</a>*</td>
<td><a href=#global-attributes title="global attributes">globals</a>;
<code title=attr-media-src><a href=#attr-media-src>src</a></code>;
+ <code title=attr-media-cross-origin><a href=#attr-media-cross-origin>cross-origin</a></code>;
<code title=attr-video-poster><a href=#attr-video-poster>poster</a></code>;
<code title=attr-media-preload><a href=#attr-media-preload>preload</a></code>;
<code title=attr-media-autoplay><a href=#attr-media-autoplay>autoplay</a></code>;
@@ -96913,6 +97049,12 @@
<td> <code title=attr-area-coords><a href=#attr-area-coords>area</a></code>
<td> Coordinates for the shape to be created in an <a href=#image-map>image map</a>
<td> <a href=#valid-list-of-integers>Valid list of integers</a>*
+ <tr><th> <code title="">cross-origin</code>
+ <td> <code title=attr-media-cross-origin><a href=#attr-media-cross-origin>audio</a></code>;
+ <code title=attr-img-cross-origin><a href=#attr-img-cross-origin>img</a></code>;
+ <code title=attr-media-cross-origin><a href=#attr-media-cross-origin>video</a></code>
+ <td> How the element handles cross-origin requests.
+ <td> "<code title=attr-cross-origin-anonymous-keyword><a href=#attr-cross-origin-anonymous-keyword>anonymous</a></code>"; "<code title=attr-cross-origin-use-credentials-keyword><a href=#attr-cross-origin-use-credentials-keyword>use-credentials</a></code>"
<tr><th> <code title="">data</code>
<td> <code title=attr-object-data><a href=#attr-object-data>object</a></code>
<td> Address of the resource
Modified: index
===================================================================
--- index 2011-05-16 23:52:45 UTC (rev 6141)
+++ index 2011-05-18 01:09:32 UTC (rev 6142)
@@ -243,7 +243,7 @@
<header class=head id=head><p><a class=logo href=http://www.whatwg.org/ rel=home><img alt=WHATWG height=101 src=/images/logo width=101></a></p>
<hgroup><h1 class=allcaps>HTML</h1>
- <h2 class="no-num no-toc">Living Standard — Last Updated 16 May 2011</h2>
+ <h2 class="no-num no-toc">Living Standard — Last Updated 18 May 2011</h2>
</hgroup><dl><dt><strong>Web developer edition</strong></dt>
<dd><strong><a href=http://developers.whatwg.org/>http://developers.whatwg.org/</a></strong></dd>
<dt>Multiple-page version:</dt>
@@ -360,7 +360,8 @@
<li><a href=#concept-http-equivalent><span class=secno>2.7.1 </span>Protocol concepts</a></li>
<li><a href=#encrypted-http-and-related-security-concerns><span class=secno>2.7.2 </span>Encrypted HTTP and related security concerns</a></li>
<li><a href=#content-type-sniffing><span class=secno>2.7.3 </span>Determining the type of a resource</a></li>
- <li><a href=#extracting-encodings-from-meta-elements><span class=secno>2.7.4 </span>Extracting encodings from <code>meta</code> elements</a></ol></li>
+ <li><a href=#extracting-encodings-from-meta-elements><span class=secno>2.7.4 </span>Extracting encodings from <code>meta</code> elements</a></li>
+ <li><a href=#cors-settings-attributes><span class=secno>2.7.5 </span>CORS settings attributes</a></ol></li>
<li><a href=#common-dom-interfaces><span class=secno>2.8 </span>Common DOM interfaces</a>
<ol>
<li><a href=#reflecting-content-attributes-in-idl-attributes><span class=secno>2.8.1 </span>Reflecting content attributes in IDL attributes</a></li>
@@ -3485,6 +3486,16 @@
</dd>
+ <dt>CORS</dt>
+
+ <dd>
+
+ <p>The following terms are defined in the CORS specification:</p>
+
+ <ul class=brief><li><dfn id=cross-origin-request>cross-origin request</dfn>
+ <li><dfn id=cross-origin-request-status>cross-origin request status</dfn>
+ </ul></dd>
+
<dt>CSS modules</dt>
<dd>
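Review bot: the imported-terms list under the new CORS entry names only "cross-origin request" and "cross-origin request status", but the algorithms added in this revision also rely on the CORS-defined inputs "request URL", "source origin" and "credentials flag", and on the "success" value of the request status; list those too so a reader can find where each is defined and which specification governs their semantics.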
@@ -7206,7 +7217,30 @@
</div>
+ <h4 id=cors-settings-attributes><span class=secno>2.7.5 </span>CORS settings attributes</h4>
+ <p>A <dfn id=cors-settings-attribute>CORS settings attribute</dfn> is an <a href=#enumerated-attribute>enumerated
+ attribute</a>. The following table lists the keywords and states
+ for the attribute — the keywords in the left column map to the
+ states in the cell in the second column on the same row as the
+ keyword.</p>
+
+ <table><thead><tr><th> Keyword
+ <th> State
+ <th> Brief description
+ <tbody><tr><td><dfn id=attr-cross-origin-anonymous-keyword title=attr-cross-origin-anonymous-keyword><code>anonymous</code></dfn>
+ <td><dfn id=attr-cross-origin-anonymous title=attr-cross-origin-anonymous>Anonymous</dfn>
+ <td>Cross-origin CORS requests for the element will not have the <i>credentials flag</i> set.
+ <tr><td><dfn id=attr-cross-origin-use-credentials-keyword title=attr-cross-origin-use-credentials-keyword><code>use-credentials</code></dfn>
+ <td><dfn id=attr-cross-origin-use-credentials title=attr-cross-origin-use-credentials>Use Credentials</dfn>
+ <td>Cross-origin CORS requests for the element will have the <i>credentials flag</i> set.
+ </table><p>The empty string is also a valid keyword, and maps to the <a href=#attr-cross-origin-anonymous title=attr-cross-origin-anonymous>Anonymous</a> state. The
+ attribute's <i>invalid value default</i> is the <a href=#attr-cross-origin-anonymous title=attr-cross-origin-anonymous>Anonymous</a> state. The
+ <i>missing value default</i>, used when the attribute is omitted, is
+ the <dfn id=attr-cross-origin-none title=attr-cross-origin-none>No CORS</dfn> state.</p>
+
+
+
<h3 id=common-dom-interfaces><span class=secno>2.8 </span>Common DOM interfaces</h3>
<h4 id=reflecting-content-attributes-in-idl-attributes><span class=secno>2.8.1 </span>Reflecting content attributes in IDL attributes</h4>
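Review bot: the "No CORS" state defined in the last paragraph is the missing value default but does not appear in the keyword/state table, and nothing states what it means for the fetch (the img and media algorithms handle it only by the absence of the attribute). Consider a sentence after the table saying that in the No CORS state the element performs an ordinary non-CORS fetch, and note the consequence of the invalid value default being Anonymous rather than No CORS: a misspelled keyword still yields a CORS request, never a silent fallback to the legacy fetch, which is the safe direction. Minor: "Cross-origin CORS requests" in the table is redundant; "CORS requests" is enough.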
@@ -21984,6 +22018,7 @@
<dd><a href=#global-attributes>Global attributes</a></dd>
<dd><code title=attr-img-alt><a href=#attr-img-alt>alt</a></code></dd>
<dd><code title=attr-img-src><a href=#attr-img-src>src</a></code></dd>
+ <dd><code title=attr-img-cross-origin><a href=#attr-img-cross-origin>cross-origin</a></code></dd>
<dd><code title=attr-hyperlink-usemap><a href=#attr-hyperlink-usemap>usemap</a></code></dd>
<dd><code title=attr-img-ismap><a href=#attr-img-ismap>ismap</a></code></dd>
<dd><code title=attr-dim-width><a href=#attr-dim-width>width</a></code></dd>
@@ -21996,6 +22031,7 @@
interface <dfn id=htmlimageelement>HTMLImageElement</dfn> : <a href=#htmlelement>HTMLElement</a> {
attribute DOMString <a href=#dom-img-alt title=dom-img-alt>alt</a>;
attribute DOMString <a href=#dom-img-src title=dom-img-src>src</a>;
+ attribute DOMString <a href=#dom-img-crossorigin title=dom-img-crossOrigin>crossOrigin</a>;
attribute DOMString <a href=#dom-img-usemap title=dom-img-useMap>useMap</a>;
attribute boolean <a href=#dom-img-ismap title=dom-img-isMap>isMap</a>;
attribute unsigned long <a href=#dom-img-width title=dom-img-width>width</a>;
@@ -22057,6 +22093,9 @@
display transparent images, as they rarely convey meaning and rarely
add anything useful to the document.</p>
+ <p>The <dfn id=attr-img-cross-origin title=attr-img-cross-origin><code>cross-origin</code></dfn>
+ attribute is a <a href=#cors-settings-attribute>CORS settings attribute</a>.</p>
+
<div class=impl>
<hr><p>An <code><a href=#the-img-element>img</a></code> is always in one of the following states:</p>
@@ -22124,12 +22163,32 @@
<li>
- <p>Otherwise, <a href=#resolve-a-url title="resolve a url">resolve</a> the value
+ <p><a href=#resolve-a-url title="resolve a url">Resolve</a> the value
of the element's <code title=attr-img-src><a href=#attr-img-src>src</a></code> attribute,
- relative to the element, and, if that is successful,
- <a href=#fetch>fetch</a> that resource.</p> <!-- http-origin privacy
- sensitive -->
+ relative to the element.</p>
+ <p>If that is not successful, abort these steps.</p>
+
+ <p>Otherwise, if the <a href=#origin>origin</a> of the resulting
+ <a href=#absolute-url>absolute URL</a> is not the <a href=#same-origin>same origin</a> as
+ the <code><a href=#the-img-element>img</a></code> element's <code><a href=#document>Document</a></code>'s
+ <a href=#origin>origin</a>, and the <code><a href=#the-img-element>img</a></code> element has a <code title=attr-img-cross-origin><a href=#attr-img-cross-origin>cross-origin</a></code> attribute, then
+ perform a <a href=#cross-origin-request>cross-origin request</a>, with the <i>request
+ URL</i> set to the resulting <a href=#absolute-url>absolute URL</a>, the
+ <i>source origin</i> set to the <a href=#origin>origin</a> of the
+ <code><a href=#the-img-element>img</a></code> element's <code><a href=#document>Document</a></code>, and the
+ <i>credentials flag</i> set unless the <code title=attr-img-cross-origin><a href=#attr-img-cross-origin>cross-origin</a></code> attribute is in
+ the <a href=#attr-cross-origin-anonymous title=attr-cross-origin-anonymous>Anonymous</a>
+ state. Discard any data fetched in this way unless the
+ <a href=#cross-origin-request-status>cross-origin request status</a> is set to <i>success</i>.
+ If the <a href=#cross-origin-request-status>cross-origin request status</a> is set to
+ <i>success</i>, then the element's image data's
+ <a href=#origin>origin</a> is forced to be the <code><a href=#the-img-element>img</a></code> element's
+ <code><a href=#document>Document</a></code>'s <a href=#origin>origin</a>. <a href=#refsCORS>[CORS]</a></p> <!-- http-origin CORS -->
+
+ <p>Otherwise, <a href=#fetch>fetch</a> the resulting <a href=#absolute-url>absolute
+ URL</a>.</p> <!-- http-origin privacy sensitive -->
+
<p>The resouce obtained in this fashion is the <code><a href=#the-img-element>img</a></code>
element's image data.</p>
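Review bot: the CORS branch says to discard fetched data when the status is not "success" but does not say what state the img element ends up in afterwards; the non-CORS branch's failures are handled by the surrounding fetch steps, so state explicitly that a discarded CORS response is treated as a failed fetch (no image data, error path) rather than leaving the element with whatever it held before. It is also worth saying why the forced origin is set only on "success": it is the only thing that makes the image data same-origin with the Document, so setting it on any other outcome would undo the server's opt-in. Minor: the unchanged context line "The resouce obtained in this fashion" has a typo ("resource") that could be fixed while this paragraph is being touched.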
@@ -22370,10 +22429,20 @@
<div class=impl>
- <p>The IDL attributes <dfn id=dom-img-alt title=dom-img-alt><code>alt</code></dfn>, <dfn id=dom-img-src title=dom-img-src><code>src</code></dfn>, <dfn id=dom-img-usemap title=dom-img-useMap><code>useMap</code></dfn>, and <dfn id=dom-img-ismap title=dom-img-isMap><code>isMap</code></dfn> each must
+ <p>The <dfn id=dom-img-alt title=dom-img-alt><code>alt</code></dfn> and <dfn id=dom-img-src title=dom-img-src><code>src</code></dfn> IDL attributes must
<a href=#reflect>reflect</a> the respective content attributes of the same
name.</p>
+ <p>The <dfn id=dom-img-crossorigin title=dom-img-crossOrigin><code>crossOrigin</code></dfn> IDL
+ attribute must <a href=#reflect>reflect</a> the <code title=attr-img-cross-origin><a href=#attr-img-cross-origin>cross-origin</a></code> content
+ attribute.</p>
+
+ <p>The <dfn id=dom-img-usemap title=dom-img-useMap><code>useMap</code></dfn> IDL
+ attribute must <a href=#reflect>reflect</a> the <code title=attr-img-usemap>usemap</code> content attribute.</p>
+
+ <p>The <dfn id=dom-img-ismap title=dom-img-isMap><code>isMap</code></dfn> IDL
+ attribute must <a href=#reflect>reflect</a> the <code title=attr-img-ismap><a href=#attr-img-ismap>ismap</a></code> content attribute.</p>
+
</div>
<dl class=domintro><dt><var title="">image</var> . <code title=dom-img-width><a href=#dom-img-width>width</a></code> [ = <var title="">value</var> ]</dt>
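Review bot: `crossOrigin` is declared to reflect the enumerated `cross-origin` attribute as a plain DOMString, so reading it returns whatever string was set, including unknown keywords; other enumerated attributes in this specification reflect "limited to only known values", and the same qualifier seems appropriate here so that script sees the state actually in effect (an unrecognised value reads back as the Anonymous keyword rather than the raw string). The same applies to the media `crossOrigin` IDL attribute added later in this revision.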
@@ -25418,6 +25487,7 @@
<dt>Content attributes:</dt>
<dd><a href=#global-attributes>Global attributes</a></dd>
<dd><code title=attr-media-src><a href=#attr-media-src>src</a></code></dd>
+ <dd><code title=attr-media-cross-origin><a href=#attr-media-cross-origin>cross-origin</a></code></dd>
<dd><code title=attr-video-poster><a href=#attr-video-poster>poster</a></code></dd>
<dd><code title=attr-media-preload><a href=#attr-media-preload>preload</a></code></dd>
<dd><code title=attr-media-autoplay><a href=#attr-media-autoplay>autoplay</a></code></dd>
@@ -25752,6 +25822,7 @@
<dt>Content attributes:</dt>
<dd><a href=#global-attributes>Global attributes</a></dd>
<dd><code title=attr-media-src><a href=#attr-media-src>src</a></code></dd>
+ <dd><code title=attr-media-cross-origin><a href=#attr-media-cross-origin>cross-origin</a></code></dd>
<dd><code title=attr-media-preload><a href=#attr-media-preload>preload</a></code></dd>
<dd><code title=attr-media-autoplay><a href=#attr-media-autoplay>autoplay</a></code></dd>
<dd><code title=attr-media-mediagroup><a href=#attr-media-mediagroup>mediagroup</a></code></dd>
@@ -26256,6 +26327,7 @@
// network state
attribute DOMString <a href=#dom-media-src title=dom-media-src>src</a>;
readonly attribute DOMString <a href=#dom-media-currentsrc title=dom-media-currentSrc>currentSrc</a>;
+ attribute DOMString <a href=#dom-media-crossorigin title=dom-media-crossOrigin>crossOrigin</a>;
const unsigned short <a href=#dom-media-network_empty title=dom-media-NETWORK_EMPTY>NETWORK_EMPTY</a> = 0;
const unsigned short <a href=#dom-media-network_idle title=dom-media-NETWORK_IDLE>NETWORK_IDLE</a> = 1;
const unsigned short <a href=#dom-media-network_loading title=dom-media-NETWORK_LOADING>NETWORK_LOADING</a> = 2;
@@ -26310,7 +26382,7 @@
<a href=#mutabletexttrack>MutableTextTrack</a> <a href=#dom-media-addtexttrack title=dom-media-addTextTrack>addTextTrack</a>(in DOMString kind, in optional DOMString label, in optional DOMString language);
};</pre>
- <p>The <dfn id=media-element-attributes>media element attributes</dfn>, <code title=attr-media-src><a href=#attr-media-src>src</a></code>, <code title=attr-media-preload><a href=#attr-media-preload>preload</a></code>, <code title=attr-media-autoplay><a href=#attr-media-autoplay>autoplay</a></code>,
+ <p>The <dfn id=media-element-attributes>media element attributes</dfn>, <code title=attr-media-src><a href=#attr-media-src>src</a></code>, <code title=attr-media-cross-origin><a href=#attr-media-cross-origin>cross-origin</a></code>, <code title=attr-media-preload><a href=#attr-media-preload>preload</a></code>, <code title=attr-media-autoplay><a href=#attr-media-autoplay>autoplay</a></code>,
<code title=attr-media-mediagroup><a href=#attr-media-mediagroup>mediagroup</a></code>,
<code title=attr-media-loop><a href=#attr-media-loop>loop</a></code>,
<code title=attr-media-muted><a href=#attr-media-muted>muted</a></code>, and <code title=attr-media-controls><a href=#attr-media-controls>controls</a></code>, apply to all <a href=#media-element title="media element">media elements</a>. They are defined in
@@ -26465,6 +26537,10 @@
attribute, if present, must contain a <a href=#valid-non-empty-url-potentially-surrounded-by-spaces>valid non-empty
URL potentially surrounded by spaces</a>.</p>
+ <p>The <dfn id=attr-media-cross-origin title=attr-media-cross-origin><code>cross-origin</code></dfn>
+ content attribute on <a href=#media-element title="media element">media
+ elements</a> is a <a href=#cors-settings-attribute>CORS settings attribute</a>.</p>
+
<div class=impl>
<p>If a <code title=attr-media-src><a href=#attr-media-src>src</a></code> attribute of a
@@ -26477,6 +26553,10 @@
attribute on <a href=#media-element title="media element">media elements</a> must
<a href=#reflect>reflect</a> the content attribute of the same name.</p>
+ <p>The <dfn id=dom-media-crossorigin title=dom-media-crossOrigin><code>crossOrigin</code></dfn> IDL
+ attribute must <a href=#reflect>reflect</a> the <code title=attr-media-cross-origin><a href=#attr-media-cross-origin>cross-origin</a></code> content
+ attribute.</p>
+
</div>
<dl class=domintro><dt><var title="">media</var> . <code title=dom-media-currentSrc><a href=#dom-media-currentsrc>currentSrc</a></code></dt>
@@ -27070,11 +27150,27 @@
<li>
- <p>Begin to <a href=#fetch>fetch</a> the <var title="">current media
+ <p>If the <a href=#origin>origin</a> of <var title="">current media
+ resource</var>'s <a href=#absolute-url>absolute URL</a> is not the <a href=#same-origin>same
+ origin</a> as the <a href=#media-element>media element</a>'s
+ <code><a href=#document>Document</a></code>'s <a href=#origin>origin</a>, and the <a href=#media-element>media
+ element</a> has a <code title=attr-media-cross-origin><a href=#attr-media-cross-origin>cross-origin</a></code> attribute,
+ then perform a <a href=#cross-origin-request>cross-origin request</a>, with the
+ <i>request URL</i> set to <var title="">current media
+ resource</var>'s <a href=#absolute-url>absolute URL</a>, the <i>source
+ origin</i> set to the <a href=#origin>origin</a> of the <a href=#media-element>media
+ element</a>'s <code><a href=#document>Document</a></code>, and the <i>credentials
+ flag</i> set unless the <code title=attr-media-cross-origin><a href=#attr-media-cross-origin>cross-origin</a></code> attribute is
+ in the <a href=#attr-cross-origin-anonymous title=attr-cross-origin-anonymous>Anonymous</a>
+ state. Discard any data fetched in this way unless the
+ <a href=#cross-origin-request-status>cross-origin request status</a> is set to <i>success</i>.
+ <a href=#refsCORS>[CORS]</a></p> <!-- http-origin CORS -->
+
+ <p>Otherwise, <a href=#fetch>fetch</a> the <var title="">current media
resource</var>, from the <a href=#media-element>media element</a>'s
<code><a href=#document>Document</a></code>'s <a href=#origin>origin</a>, with the <i>force
same-origin flag</i> set.</p> <!-- not http-origin privacy
- sensitive (looking forward to CORS here) -->
+ sensitive -->
<p>Every 350ms (±200ms) or for every byte received, whichever
is <em>least</em> frequent, <a href=#queue-a-task>queue a task</a> to
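Review bot: the new CORS branch for media resources discards the data on a non-"success" status but, unlike the img branch in this revision, neither says that this counts as a fetch failure for the following steps (the 350ms progress tasks and the error handling that depend on the fetch's outcome) nor forces the resource's origin on success; the origin section later says the media origin is "always" the Document's origin, so either add a forced-origin step here or state in this step that a successful CORS fetch makes the resource same-origin. A short note that the Otherwise branch's force same-origin flag is what makes a cross-origin resource without the attribute fail, rather than load with the URL's origin, would help readers expecting the pre-CORS behaviour.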
@@ -27465,17 +27561,11 @@
<dd>
- <p>If the <a href=#media-resource>media resource</a>'s <a href=#origin>origin</a> is
- the <a href=#same-origin>same origin</a> as the <a href=#media-element>media element</a>'s
- <code><a href=#document>Document</a></code>'s <a href=#origin>origin</a>, <a href=#queue-a-task>queue a
- task</a> to run the <a href=#steps-to-expose-a-media-resource-specific-text-track>steps to expose a
+ <p><a href=#queue-a-task>Queue a task</a> to run the <a href=#steps-to-expose-a-media-resource-specific-text-track>steps to expose a
media-resource-specific text track</a> with the relevant
- data.</p> <!-- CORS -->
+ data.</p>
- <p class=note>Cross-origin files do not expose their subtitles
- in the DOM, for security reasons. However, user agents may still
- provide the user with access to such data in their user
- interface.</p>
+ <!-- only allow this if the video is same-origin or CORS-protected -->
</dd>
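Review bot: the normative same-origin check before exposing a media-resource-specific text track has been replaced by an HTML comment ("only allow this if the video is same-origin or CORS-protected"), so the text now unconditionally queues the exposure task and the protection rests entirely on the fetch step refusing cross-origin resources (force same-origin flag, or the CORS discard). If that is the intent, say so in a note in place of the removed "Cross-origin files do not expose their subtitles" note, otherwise the reader has no statement of the invariant; if not, restore the check as a normative condition rather than a comment.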
@@ -30594,13 +30684,29 @@
<li>
- <p><i>Download</i>: If <var title="">URL</var> is not the empty
- string, and its <a href=#origin>origin</a> is the same as the <a href=#media-element>media
- element</a>'s <code><a href=#document>Document</a></code>'s <a href=#origin>origin</a>, then
+ <p><i>Download</i>: At this point, the text track is downloaded.</p>
+
+ <p>If <var title="">URL</var> is not the empty string, and its
+ <a href=#origin>origin</a> is not the <a href=#same-origin>same origin</a> as the
+ <a href=#media-element>media element</a>'s <code><a href=#document>Document</a></code>'s
+ <a href=#origin>origin</a>, and the <a href=#media-element>media element</a> has a
+ <code title=attr-media-cross-origin><a href=#attr-media-cross-origin>cross-origin</a></code>
+ attribute, then perform a <a href=#cross-origin-request>cross-origin request</a>, with
+ the <i>request URL</i> set to <var title="">URL</var>, the
+ <i>source origin</i> set to the <a href=#origin>origin</a> of the
+ <a href=#media-element>media element</a>'s <code><a href=#document>Document</a></code>, and the
+ <i>credentials flag</i> set unless the <a href=#media-element>media
+ element</a>'s <code title=attr-media-cross-origin><a href=#attr-media-cross-origin>cross-origin</a></code> attribute is
+ in the <a href=#attr-cross-origin-anonymous title=attr-cross-origin-anonymous>Anonymous</a>
+ state. Discard any data fetched in this way unless the
+ <a href=#cross-origin-request-status>cross-origin request status</a> is set to <i>success</i>.
+ <a href=#refsCORS>[CORS]</a></p> <!-- http-origin CORS -->
+
+ <p>Otherwise, if <var title="">URL</var> is not the empty string,
<a href=#fetch>fetch</a> <var title="">URL</var>, from the <a href=#media-element>media
element</a>'s <code><a href=#document>Document</a></code>'s <a href=#origin>origin</a>, with
the <i>force same-origin flag</i> set.</p> <!-- not http-origin
- privacy sensitive (looking forward to CORS here) -->
+ privacy sensitive -->
<p>The <a href=#concept-task title=concept-task>tasks</a> <a href=#queue-a-task title="queue
a task">queued</a> by the <a href=#fetch title=fetch>fetching
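queued</a>">
Review bot: the new lead sentence "At this point, the text track is downloaded." is followed by two conditional fetches that run only when URL is not the empty string, so it overstates what happens; phrase it as an attempt, or fold it into the conditions. As with the media resource step, the CORS branch's "discard any data" outcome should be stated to be a failed download so the track's error handling below applies, and it is worth a note that in the Use Credentials state the credentials flag is set, so a cross-origin track request carries the user's credentials to the remote host and that host must explicitly opt in to a credentialed request for the data to be kept.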
@@ -33695,27 +33801,17 @@
<hr><p>If a hostile page embeds victim content, the threat is that the
embedding page could obtain information from the content that it
- would not otherwise have access to. The API does expose some
- information: the existence of the media, its type, its duration, its
- size, and the performance characteristics of its host. Such
- information is already potentially problematic, but in practice the
- same information can more or less be obtained using the
- <code><a href=#the-img-element>img</a></code> element, and so it has been deemed acceptable.</p>
+ would not otherwise have access to. To avoid this, the API will not
+ allow videos to be shown cross-origin unless the <code title=attr-media-cross-origin><a href=#attr-media-cross-origin>cross-origin</a></code> attribute is
+ present and the remote server opts-in to cross-origin requsts. <a href=#refsCORS>[CORS]</a></p>
- <p>However, significantly more sensitive information could be
- obtained if the user agent further exposes metadata within the
- content such as subtitles or chapter titles. This version of the API
- does not expose such information. Future extensions to this API will
- likely reuse a mechanism such as CORS to check that the embedded
- content's site has opted in to exposing such information. <a href=#refsCORS>[CORS]</a></p> <!-- v2 -->
+ <p class=example>Without this restriction, an attacker could trick
+ a user running within a corporate network into visiting a site that
+ attempts to load a video from a previously leaked location on the
+ corporation's intranet. If such a video included confidential plans
+ for a new product, then being able to read the subtitles would
+ present a serious confidentiality breach.</p>
- <p class=example>An attacker could trick a user running within a
- corporate network into visiting a site that attempts to load a video
- from a previously leaked location on the corporation's intranet. If
- such a video included confidential plans for a new product, then
- being able to read the subtitles would present a confidentiality
- breach.</p>
-
</div>
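Review bot: typo in the added paragraph: "cross-origin requsts" should be "cross-origin requests", and "opts-in" as a verb should be "opts in". On substance, the removed paragraph's inventory of what the API exposed (existence, type, duration, size, host performance characteristics) was the recorded rationale for tolerating that leakage; since the new text says cross-origin videos are not shown at all without CORS, state whether those signals are also withheld (they are, if the fetch is refused) so the threat model reads as complete. The example still discusses only subtitles although the new restriction covers the whole media resource; widening it by a clause would match the paragraph above it.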
@@ -61617,7 +61713,7 @@
</dd>
- <dt>For <code><a href=#document>Document</a></code> objects and images</dt>
+ <dt>For <code><a href=#document>Document</a></code> objects</dt>
<dd>
@@ -61633,8 +61729,7 @@
assigned when the <code><a href=#document>Document</a></code> is created.</dd>
- <dt>If a <code><a href=#document>Document</a></code> or image was generated from a
- <a href=#javascript-protocol title="javascript protocol"><code>javascript:</code>
+ <dt>If a <code><a href=#document>Document</a></code> was generated from a <a href=#javascript-protocol title="javascript protocol"><code>javascript:</code>
URL</a></dt>
<dd>The <a href=#origin>origin</a> is equal to the <a href=#origin>origin</a>
@@ -61642,31 +61737,25 @@
protocol"><code>javascript:</code> URL</a>.</dd>
- <dt>If a <code><a href=#document>Document</a></code> or image was served over the
- network and has an address that uses a URL scheme with a
- server-based naming authority</dt>
+ <dt>If a <code><a href=#document>Document</a></code> was served over the network and
+ has an address that uses a URL scheme with a server-based naming
+ authority</dt>
- <dd>The <a href=#origin>origin</a> is the <a href=#origin>origin</a> of the
- <a href="#the-document's-address" title="the document's address">address</a> of the
- <code><a href=#document>Document</a></code> or the <a href=#url>URL</a> of the image, as
- appropriate.</dd>
+ <dd>The <a href=#origin>origin</a> is the <a href=#origin>origin</a> of
+ <a href="#the-document's-address">the <code>Document</code>'s address</a>.</dd>
- <dt>If a <code><a href=#document>Document</a></code> or image was generated from a
- <a href=#data-protocol title="data protocol"><code title="">data:</code>
- URL</a> that was returned as the location of an HTTP redirect
- (<a href=#concept-http-equivalent-codes title=concept-http-equivalent-codes>or equivalent</a>
- in other protocols)</dt>
+ <dt>If a <code><a href=#document>Document</a></code> was generated from a <a href=#data-protocol title="data protocol"><code title="">data:</code> URL</a> that
+ was returned as the location of an HTTP redirect (<a href=#concept-http-equivalent-codes title=concept-http-equivalent-codes>or equivalent</a> in
+ other protocols)</dt>
<dd>The <a href=#origin>origin</a> is the <a href=#origin>origin</a> of the
<a href=#url>URL</a> that redirected to the <a href=#data-protocol title="data
protocol"><code title="">data:</code> URL</a>.</dd>
- <dt>If a <code><a href=#document>Document</a></code> or image was generated from a
- <a href=#data-protocol title="data protocol"><code title="">data:</code>
- URL</a> found in another <code><a href=#document>Document</a></code> or in a
- script</dt>
+ <dt>If a <code><a href=#document>Document</a></code> was generated from a <a href=#data-protocol title="data protocol"><code title="">data:</code> URL</a>
+ found in another <code><a href=#document>Document</a></code> or in a script</dt>
<dd>The <a href=#origin>origin</a> is the <a href=#origin>origin</a> of the
<code><a href=#document>Document</a></code> or script that initiated the <a href=#navigate title=navigate>navigation</a> to that <a href=#url>URL</a>.</dd>
@@ -61688,13 +61777,14 @@
<code><a href=#document>Document</a></code>.</dd>
- <dt>If a <code><a href=#document>Document</a></code> or image was obtained in some
- other manner (e.g. a <a href=#data-protocol title="data protocol"><code title="">data:</code> URL</a> typed in by the user, a
- <code><a href=#document>Document</a></code> created using the <code title=dom-DOMImplementation-createDocument><a href=#dom-domimplementation-createdocument>createDocument()</a></code>
+ <dt>If a <code><a href=#document>Document</a></code> was obtained in some other manner
+ (e.g. a <a href=#data-protocol title="data protocol"><code title="">data:</code>
+ URL</a> typed in by the user, a <code><a href=#document>Document</a></code> created
+ using the <code title=dom-DOMImplementation-createDocument><a href=#dom-domimplementation-createdocument>createDocument()</a></code>
API, etc)</dt>
<dd>The <a href=#origin>origin</a> is a globally unique identifier
- assigned when the <code><a href=#document>Document</a></code> or image is created.</dd>
+ assigned when the <code><a href=#document>Document</a></code> is created.</dd>
</dl><p>When a <code><a href=#document>Document</a></code> is created, its <a href=#effective-script-origin>effective
script origin</a> is initialized to the <a href=#origin>origin</a> of
@@ -61704,19 +61794,62 @@
</dd>
+ <dt>For images</dt>
+
+ <dd>
+
+ <dl class=switch><dt>If an image is the image of an <code><a href=#the-img-element>img</a></code> element and
+ its image data has a forced origin</dt>
+
+ <dd>The <a href=#origin>origin</a> is the image data's forced origin.
+ (This occurs when the image was successfully obtained using
+ CORS.)</dd>
+
+
+ <dt>If an image was served over the network and has an address
+ that uses a URL scheme with a server-based naming authority</dt>
+
+ <dd>The <a href=#origin>origin</a> is the <a href=#origin>origin</a> of the
+ image's <a href=#url>URL</a>.</dd>
+
+
+ <dt>If an image was generated from a <a href=#data-protocol title="data
+ protocol"><code title="">data:</code> URL</a> that was
+ returned as the location of an HTTP redirect (<a href=#concept-http-equivalent-codes title=concept-http-equivalent-codes>or equivalent</a> in
+ other protocols)</dt>
+
+ <dd>The <a href=#origin>origin</a> is the <a href=#origin>origin</a> of the
+ <a href=#url>URL</a> that redirected to the <a href=#data-protocol title="data
+ protocol"><code title="">data:</code> URL</a>.</dd>
+
+
+ <dt>If an image was generated from a <a href=#data-protocol title="data
+ protocol"><code title="">data:</code> URL</a> found in another
+ <code><a href=#document>Document</a></code> or in a script</dt>
+
+ <dd>The <a href=#origin>origin</a> is the <a href=#origin>origin</a> of the
+ <code><a href=#document>Document</a></code> or script that loaded that image.</dd>
+
+
+ <dt>If an image was obtained in some other manner (e.g. a <a href=#data-protocol title="data protocol"><code title="">data:</code> URL</a>
+ typed in by the user)</dt>
+
+ <dd>The <a href=#origin>origin</a> is a globally unique identifier
+ assigned when the image is created.</dd>
+
+ </dl></dd>
+
+
<dt>For <code><a href=#the-audio-element>audio</a></code> and <code><a href=#the-video-element>video</a></code> elements</dt>
<dd>
- <p>If value of the <a href=#media-element>media element</a>'s <code title=dom-media-currentSrc><a href=#dom-media-currentsrc>currentSrc</a></code> attribute is the
- empty string, the <a href=#origin>origin</a> is the same as the
+ <p>The <a href=#origin>origin</a> is always the same as the
<a href=#origin>origin</a> of the element's <code><a href=#document>Document</a></code>'s
- <a href=#origin>origin</a>.</p>
+ <a href=#origin>origin</a>, as <a href=#media-resource title="media resource">media
+ resources</a> cannot be fetched cross-origin without the
+ server's permission (using CORS).</p>
- <p>Otherwise, the <a href=#origin>origin</a> is equal to the
- <a href=#origin>origin</a> of the <a href=#absolute-url>absolute URL</a> given by the
- <a href=#media-element>media element</a>'s <code title=dom-media-currentSrc><a href=#dom-media-currentsrc>currentSrc</a></code> attribute.</p>
-
</dd>
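Review bot: the new image origin rules and the media origin rule disagree in mechanism: an img gets a "forced origin" recorded on its image data only after a successful CORS fetch (and otherwise keeps the origin of its URL, since img without the attribute still fetches cross-origin), whereas the media paragraph asserts the origin "is always the same as the origin of the element's Document" without any step in the media fetch algorithm that establishes it. Either add a forced-origin step to the media fetch or say here that this holds because the non-CORS fetch uses the force same-origin flag and the CORS path discards anything that is not "success". Also, the first image case says "its image data has a forced origin" but the img fetch step forces it to the Document's origin specifically; stating the value here too avoids readers wondering whether some other origin could be forced. Minor: "the same as the origin of the element's Document's origin" doubles "origin".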
@@ -91372,6 +91505,7 @@
<a href=#transparent>transparent</a>*</td>
<td><a href=#global-attributes title="global attributes">globals</a>;
<code title=attr-media-src><a href=#attr-media-src>src</a></code>;
+ <code title=attr-media-cross-origin><a href=#attr-media-cross-origin>cross-origin</a></code>;
<code title=attr-media-preload><a href=#attr-media-preload>preload</a></code>;
<code title=attr-media-autoplay><a href=#attr-media-autoplay>autoplay</a></code>;
<code title=attr-media-mediagroup><a href=#attr-media-mediagroup>mediagroup</a></code>;
@@ -91776,6 +91910,7 @@
<td><a href=#global-attributes title="global attributes">globals</a>;
<code title=attr-img-alt><a href=#attr-img-alt>alt</a></code>;
<code title=attr-img-src><a href=#attr-img-src>src</a></code>;
+ <code title=attr-img-cross-origin><a href=#attr-img-cross-origin>cross-origin</a></code>;
<code title=attr-hyperlink-usemap><a href=#attr-hyperlink-usemap>usemap</a></code>;
<code title=attr-img-ismap><a href=#attr-img-ismap>ismap</a></code>;
<code title=attr-dim-width><a href=#attr-dim-width>width</a></code>;
@@ -92412,6 +92547,7 @@
<a href=#transparent>transparent</a>*</td>
<td><a href=#global-attributes title="global attributes">globals</a>;
<code title=attr-media-src><a href=#attr-media-src>src</a></code>;
+ <code title=attr-media-cross-origin><a href=#attr-media-cross-origin>cross-origin</a></code>;
<code title=attr-video-poster><a href=#attr-video-poster>poster</a></code>;
<code title=attr-media-preload><a href=#attr-media-preload>preload</a></code>;
<code title=attr-media-autoplay><a href=#attr-media-autoplay>autoplay</a></code>;
@@ -92886,6 +93022,12 @@
<td> <code title=attr-area-coords><a href=#attr-area-coords>area</a></code>
<td> Coordinates for the shape to be created in an <a href=#image-map>image map</a>
<td> <a href=#valid-list-of-integers>Valid list of integers</a>*
+ <tr><th> <code title="">cross-origin</code>
+ <td> <code title=attr-media-cross-origin><a href=#attr-media-cross-origin>audio</a></code>;
+ <code title=attr-img-cross-origin><a href=#attr-img-cross-origin>img</a></code>;
+ <code title=attr-media-cross-origin><a href=#attr-media-cross-origin>video</a></code>
+ <td> How the element handles cross-origin requests.
+ <td> "<code title=attr-cross-origin-anonymous-keyword><a href=#attr-cross-origin-anonymous-keyword>anonymous</a></code>"; "<code title=attr-cross-origin-use-credentials-keyword><a href=#attr-cross-origin-use-credentials-keyword>use-credentials</a></code>"
<tr><th> <code title="">data</code>
<td> <code title=attr-object-data><a href=#attr-object-data>object</a></code>
<td> Address of the resource
Modified: source
===================================================================
--- source 2011-05-16 23:52:45 UTC (rev 6141)
+++ source 2011-05-18 01:09:32 UTC (rev 6142)
@@ -2492,6 +2492,19 @@
</dd>
+ <dt>CORS</dt>
+
+ <dd>
+
+ <p>The following terms are defined in the CORS specification:</p>
+
+ <ul class="brief">
+ <li><dfn>cross-origin request</dfn>
+ <li><dfn>cross-origin request status</dfn>
+ </ul>
+
+ </dd>
+
<dt>CSS modules</dt>
<dd>
@@ -7034,7 +7047,40 @@
</div>
+ <h4>CORS settings attributes</h4>
+ <p>A <dfn>CORS settings attribute</dfn> is an <span>enumerated
+ attribute</span>. The following table lists the keywords and states
+ for the attribute — the keywords in the left column map to the
+ states in the cell in the second column on the same row as the
+ keyword.</p>
+
+ <table>
+ <thead>
+ <tr>
+ <th> Keyword
+ <th> State
+ <th> Brief description
+ <tbody>
+ <tr>
+ <td><dfn title="attr-cross-origin-anonymous-keyword"><code>anonymous</code></dfn>
+ <td><dfn title="attr-cross-origin-anonymous">Anonymous</dfn>
+ <td>Cross-origin CORS requests for the element will not have the <i>credentials flag</i> set.
+ <tr>
+ <td><dfn title="attr-cross-origin-use-credentials-keyword"><code>use-credentials</code></dfn>
+ <td><dfn title="attr-cross-origin-use-credentials">Use Credentials</dfn>
+ <td>Cross-origin CORS requests for the element will have the <i>credentials flag</i> set.
+ </table>
+
+ <p>The empty string is also a valid keyword, and maps to the <span
+ title="attr-cross-origin-anonymous">Anonymous</span> state. The
+ attribute's <i>invalid value default</i> is the <span
+ title="attr-cross-origin-anonymous">Anonymous</span> state. The
+ <i>missing value default</i>, used when the attribute is omitted, is
+ the <dfn title="attr-cross-origin-none">No CORS</dfn> state.</p>
+
+
+
<h3>Common DOM interfaces</h3>
<h4>Reflecting content attributes in IDL attributes</h4>
@@ -23648,6 +23694,7 @@
<dd><span>Global attributes</span></dd>
<dd><code title="attr-img-alt">alt</code></dd>
<dd><code title="attr-img-src">src</code></dd>
+ <dd><code title="attr-img-cross-origin">cross-origin</code></dd>
<dd><code title="attr-hyperlink-usemap">usemap</code></dd>
<dd><code title="attr-img-ismap">ismap</code></dd>
<dd><code title="attr-dim-width">width</code></dd>
@@ -23660,6 +23707,7 @@
interface <dfn>HTMLImageElement</dfn> : <span>HTMLElement</span> {
attribute DOMString <span title="dom-img-alt">alt</span>;
attribute DOMString <span title="dom-img-src">src</span>;
+ attribute DOMString <span title="dom-img-crossOrigin">crossOrigin</span>;
attribute DOMString <span title="dom-img-useMap">useMap</span>;
attribute boolean <span title="dom-img-isMap">isMap</span>;
attribute unsigned long <span title="dom-img-width">width</span>;
@@ -23725,6 +23773,10 @@
display transparent images, as they rarely convey meaning and rarely
add anything useful to the document.</p>
+ <p>The <dfn
+ title="attr-img-cross-origin"><code>cross-origin</code></dfn>
+ attribute is a <span>CORS settings attribute</span>.</p>
+
<div class="impl">
<hr>
@@ -23809,12 +23861,35 @@
<li>
- <p>Otherwise, <span title="resolve a url">resolve</span> the value
+ <p><span title="resolve a url">Resolve</span> the value
of the element's <code title="attr-img-src">src</code> attribute,
- relative to the element, and, if that is successful,
- <span>fetch</span> that resource.</p> <!-- http-origin privacy
- sensitive -->
+ relative to the element.</p>
+ <p>If that is not successful, abort these steps.</p>
+
+ <p>Otherwise, if the <span>origin</span> of the resulting
+ <span>absolute URL</span> is not the <span>same origin</span> as
+ the <code>img</code> element's <code>Document</code>'s
+ <span>origin</span>, and the <code>img</code> element has a <code
+ title="attr-img-cross-origin">cross-origin</code> attribute, then
+ perform a <span>cross-origin request</span>, with the <i>request
+ URL</i> set to the resulting <span>absolute URL</span>, the
+ <i>source origin</i> set to the <span>origin</span> of the
+ <code>img</code> element's <code>Document</code>, and the
+ <i>credentials flag</i> set unless the <code
+ title="attr-img-cross-origin">cross-origin</code> attribute is in
+ the <span title="attr-cross-origin-anonymous">Anonymous</span>
+ state. Discard any data fetched in this way unless the
+ <span>cross-origin request status</span> is set to <i>success</i>.
+ If the <span>cross-origin request status</span> is set to
+ <i>success</i>, then the element's image data's
+ <span>origin</span> is forced to be the <code>img</code> element's
+ <code>Document</code>'s <span>origin</span>. <a
+ href="#refsCORS">[CORS]</a></p> <!-- http-origin CORS -->
+
+ <p>Otherwise, <span>fetch</span> the resulting <span>absolute
+ URL</span>.</p> <!-- http-origin privacy sensitive -->
+
<p>The resouce obtained in this fashion is the <code>img</code>
element's image data.</p>
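Review bot: the condition "and the img element has a cross-origin attribute" tests attribute presence while the rest of the sentence reasons about the attribute's state; since the CORS settings attribute definition gives the missing value default its own No CORS state, write the condition as "is not in the No CORS state" so the two stay consistent. "Discard any data fetched in this way" also leaves the element's outcome unspecified: state that a discarded CORS fetch counts as a failed fetch for the steps that follow (error handling), rather than letting the element silently end up with no image data. The forced origin assigned in the success case is relied on by the origin switch later in this patch but is never given a dfn; define it here. Pre-existing typo in the context line: "resouce".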
@@ -24097,14 +24172,25 @@
<div class="impl">
- <p>The IDL attributes <dfn
- title="dom-img-alt"><code>alt</code></dfn>, <dfn
- title="dom-img-src"><code>src</code></dfn>, <dfn
- title="dom-img-useMap"><code>useMap</code></dfn>, and <dfn
- title="dom-img-isMap"><code>isMap</code></dfn> each must
+ <p>The <dfn title="dom-img-alt"><code>alt</code></dfn> and <dfn
+ title="dom-img-src"><code>src</code></dfn> IDL attributes must
<span>reflect</span> the respective content attributes of the same
name.</p>
+ <p>The <dfn
+ title="dom-img-crossOrigin"><code>crossOrigin</code></dfn> IDL
+ attribute must <span>reflect</span> the <code
+ title="attr-img-cross-origin">cross-origin</code> content
+ attribute.</p>
+
+ <p>The <dfn title="dom-img-useMap"><code>useMap</code></dfn> IDL
+ attribute must <span>reflect</span> the <code
+ title="attr-img-usemap">usemap</code> content attribute.</p>
+
+ <p>The <dfn title="dom-img-isMap"><code>isMap</code></dfn> IDL
+ attribute must <span>reflect</span> the <code
+ title="attr-img-ismap">ismap</code> content attribute.</p>
+
</div>
<dl class="domintro">
@@ -27460,6 +27546,7 @@
<dt>Content attributes:</dt>
<dd><span>Global attributes</span></dd>
<dd><code title="attr-media-src">src</code></dd>
+ <dd><code title="attr-media-cross-origin">cross-origin</code></dd>
<dd><code title="attr-video-poster">poster</code></dd>
<dd><code title="attr-media-preload">preload</code></dd>
<dd><code title="attr-media-autoplay">autoplay</code></dd>
@@ -27834,6 +27921,7 @@
<dt>Content attributes:</dt>
<dd><span>Global attributes</span></dd>
<dd><code title="attr-media-src">src</code></dd>
+ <dd><code title="attr-media-cross-origin">cross-origin</code></dd>
<dd><code title="attr-media-preload">preload</code></dd>
<dd><code title="attr-media-autoplay">autoplay</code></dd>
<dd><code title="attr-media-mediagroup">mediagroup</code></dd>
@@ -28407,6 +28495,7 @@
// network state
attribute DOMString <span title="dom-media-src">src</span>;
readonly attribute DOMString <span title="dom-media-currentSrc">currentSrc</span>;
+ attribute DOMString <span title="dom-media-crossOrigin">crossOrigin</span>;
const unsigned short <span title="dom-media-NETWORK_EMPTY">NETWORK_EMPTY</span> = 0;
const unsigned short <span title="dom-media-NETWORK_IDLE">NETWORK_IDLE</span> = 1;
const unsigned short <span title="dom-media-NETWORK_LOADING">NETWORK_LOADING</span> = 2;
@@ -28463,6 +28552,7 @@
<p>The <dfn>media element attributes</dfn>, <code
title="attr-media-src">src</code>, <code
+ title="attr-media-cross-origin">cross-origin</code>, <code
title="attr-media-preload">preload</code>, <code
title="attr-media-autoplay">autoplay</code>,
<code title="attr-media-mediagroup">mediagroup</code>,
@@ -28639,6 +28729,11 @@
attribute, if present, must contain a <span>valid non-empty
URL potentially surrounded by spaces</span>.</p>
+ <p>The <dfn
+ title="attr-media-cross-origin"><code>cross-origin</code></dfn>
+ content attribute on <span title="media element">media
+ elements</span> is a <span>CORS settings attribute</span>.</p>
+
<div class="impl">
<p>If a <code title="attr-media-src">src</code> attribute of a
@@ -28652,6 +28747,12 @@
attribute on <span title="media element">media elements</span> must
<span>reflect</span> the content attribute of the same name.</p>
+ <p>The <dfn
+ title="dom-media-crossOrigin"><code>crossOrigin</code></dfn> IDL
+ attribute must <span>reflect</span> the <code
+ title="attr-media-cross-origin">cross-origin</code> content
+ attribute.</p>
+
</div>
<dl class="domintro">
@@ -29377,11 +29478,29 @@
<li>
- <p>Begin to <span>fetch</span> the <var title="">current media
+ <p>If the <span>origin</span> of <var title="">current media
+ resource</var>'s <span>absolute URL</span> is not the <span>same
+ origin</span> as the <span>media element</span>'s
+ <code>Document</code>'s <span>origin</span>, and the <span>media
+ element</span> has a <code
+ title="attr-media-cross-origin">cross-origin</code> attribute,
+ then perform a <span>cross-origin request</span>, with the
+ <i>request URL</i> set to <var title="">current media
+ resource</var>'s <span>absolute URL</span>, the <i>source
+ origin</i> set to the <span>origin</span> of the <span>media
+ element</span>'s <code>Document</code>, and the <i>credentials
+ flag</i> set unless the <code
+ title="attr-media-cross-origin">cross-origin</code> attribute is
+ in the <span title="attr-cross-origin-anonymous">Anonymous</span>
+ state. Discard any data fetched in this way unless the
+ <span>cross-origin request status</span> is set to <i>success</i>.
+ <a href="#refsCORS">[CORS]</a></p> <!-- http-origin CORS -->
+
+ <p>Otherwise, <span>fetch</span> the <var title="">current media
resource</var>, from the <span>media element</span>'s
<code>Document</code>'s <span>origin</span>, with the <i>force
same-origin flag</i> set.</p> <!-- not http-origin privacy
- sensitive (looking forward to CORS here) -->
+ sensitive -->
<p>Every 350ms (±200ms) or for every byte received, whichever
is <em>least</em> frequent, <span>queue a task</span> to
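Review bot: unlike the img step, the success case here says nothing about the origin of the fetched media resource, yet the origin section later in this patch asserts that a media element's origin is always its Document's origin "as media resources cannot be fetched cross-origin without the server's permission"; the "Otherwise" branch right here still fetches cross-origin media whenever the cross-origin attribute is absent, so the two statements disagree. Either restrict the Otherwise branch to same-origin resources (as the text track Download step did before this patch) or keep the old per-resource origin wording. Also say what "Discard any data fetched in this way" means for the resource selection algorithm, i.e. whether it is treated as a network error so the next source candidate is tried.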
@@ -29848,17 +29967,11 @@
<dd>
- <p>If the <span>media resource</span>'s <span>origin</span> is
- the <span>same origin</span> as the <span>media element</span>'s
- <code>Document</code>'s <span>origin</span>, <span>queue a
- task</span> to run the <span>steps to expose a
+ <p><span>Queue a task</span> to run the <span>steps to expose a
media-resource-specific text track</span> with the relevant
- data.</p> <!-- CORS -->
+ data.</p>
- <p class="note">Cross-origin files do not expose their subtitles
- in the DOM, for security reasons. However, user agents may still
- provide the user with access to such data in their user
- interface.</p>
+ <!-- only allow this if the video is same-origin or CORS-protected -->
</dd>
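Review bot: this hunk removes the normative same-origin check and the accompanying security note and replaces them with an HTML comment; as the text now reads, the steps to expose a media-resource-specific text track run for every media resource, including cross-origin ones fetched through the Otherwise branch without CORS, which is exactly the subtitle exposure the deleted note guarded against. Restore the condition in normative text before this lands, e.g. "If the media resource is same origin with the media element's Document, or was obtained by a cross-origin request whose cross-origin request status is success, queue a task ...".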
@@ -33473,13 +33586,30 @@
<li>
- <p><i>Download</i>: If <var title="">URL</var> is not the empty
- string, and its <span>origin</span> is the same as the <span>media
- element</span>'s <code>Document</code>'s <span>origin</span>, then
+ <p><i>Download</i>: At this point, the text track is downloaded.</p>
+
+ <p>If <var title="">URL</var> is not the empty string, and its
+ <span>origin</span> is not the <span>same origin</span> as the
+ <span>media element</span>'s <code>Document</code>'s
+ <span>origin</span>, and the <span>media element</span> has a
+ <code title="attr-media-cross-origin">cross-origin</code>
+ attribute, then perform a <span>cross-origin request</span>, with
+ the <i>request URL</i> set to <var title="">URL</var>, the
+ <i>source origin</i> set to the <span>origin</span> of the
+ <span>media element</span>'s <code>Document</code>, and the
+ <i>credentials flag</i> set unless the <span>media
+ element</span>'s <code
+ title="attr-media-cross-origin">cross-origin</code> attribute is
+ in the <span title="attr-cross-origin-anonymous">Anonymous</span>
+ state. Discard any data fetched in this way unless the
+ <span>cross-origin request status</span> is set to <i>success</i>.
+ <a href="#refsCORS">[CORS]</a></p> <!-- http-origin CORS -->
+
+ <p>Otherwise, if <var title="">URL</var> is not the empty string,
<span>fetch</span> <var title="">URL</var>, from the <span>media
element</span>'s <code>Document</code>'s <span>origin</span>, with
the <i>force same-origin flag</i> set.</p> <!-- not http-origin
- privacy sensitive (looking forward to CORS here) -->
+ privacy sensitive -->
<p>The <span title="concept-task">tasks</span> <span title="queue
a task">queued</span> by the <span title="fetch">fetching
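queued</span>">
Review bot: the old Download step only fetched URL when its origin was the same as the media element's Document's origin; the new "Otherwise, if URL is not the empty string" branch drops that condition, so a cross-origin track file referenced from a media element without a cross-origin attribute is now fetched, and its cues exposed to the page, with no CORS check at all, a regression from the previous behaviour. Reinstate the same-origin test in the Otherwise branch or make the track load fail in that case. Also say how a discarded CORS response is reported to the rest of the track loading algorithm (presumably as a failed download).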
@@ -37164,28 +37294,19 @@
<p>If a hostile page embeds victim content, the threat is that the
embedding page could obtain information from the content that it
- would not otherwise have access to. The API does expose some
- information: the existence of the media, its type, its duration, its
- size, and the performance characteristics of its host. Such
- information is already potentially problematic, but in practice the
- same information can more or less be obtained using the
- <code>img</code> element, and so it has been deemed acceptable.</p>
+ would not otherwise have access to. To avoid this, the API will not
+ allow videos to be shown cross-origin unless the <code
+ title="attr-media-cross-origin">cross-origin</code> attribute is
+ present and the remote server opts-in to cross-origin requsts. <a
+ href="#refsCORS">[CORS]</a></p>
- <p>However, significantly more sensitive information could be
- obtained if the user agent further exposes metadata within the
- content such as subtitles or chapter titles. This version of the API
- does not expose such information. Future extensions to this API will
- likely reuse a mechanism such as CORS to check that the embedded
- content's site has opted in to exposing such information. <a
- href="#refsCORS">[CORS]</a></p> <!-- v2 -->
+ <p class="example">Without this restriction, an attacker could trick
+ a user running within a corporate network into visiting a site that
+ attempts to load a video from a previously leaked location on the
+ corporation's intranet. If such a video included confidential plans
+ for a new product, then being able to read the subtitles would
+ present a serious confidentiality breach.</p>
- <p class="example">An attacker could trick a user running within a
- corporate network into visiting a site that attempts to load a video
- from a previously leaked location on the corporation's intranet. If
- such a video included confidential plans for a new product, then
- being able to read the subtitles would present a confidentiality
- breach.</p>
-
</div>
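Review bot: "the API will not allow videos to be shown cross-origin unless the cross-origin attribute is present and the remote server opts-in" overstates what the algorithms in this patch do: the media fetch step still fetches and plays cross-origin media without the attribute through its Otherwise branch, so what CORS gates is metadata exposure (text tracks), not display. Reword accordingly, and keep the deleted sentence about what remains exposed without CORS (existence, type, duration, size, host performance), since that leak is unchanged. Typos in the added text: "requsts", and "opts-in" should be "opts in" when used as a verb.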
@@ -70164,7 +70285,7 @@
</dd>
- <dt>For <code>Document</code> objects and images</dt>
+ <dt>For <code>Document</code> objects</dt>
<dd>
@@ -70182,8 +70303,8 @@
assigned when the <code>Document</code> is created.</dd>
- <dt>If a <code>Document</code> or image was generated from a
- <span title="javascript protocol"><code>javascript:</code>
+ <dt>If a <code>Document</code> was generated from a <span
+ title="javascript protocol"><code>javascript:</code>
URL</span></dt>
<dd>The <span>origin</span> is equal to the <span>origin</span>
@@ -70191,31 +70312,28 @@
protocol"><code>javascript:</code> URL</span>.</dd>
- <dt>If a <code>Document</code> or image was served over the
- network and has an address that uses a URL scheme with a
- server-based naming authority</dt>
+ <dt>If a <code>Document</code> was served over the network and
+ has an address that uses a URL scheme with a server-based naming
+ authority</dt>
- <dd>The <span>origin</span> is the <span>origin</span> of the
- <span title="the document's address">address</span> of the
- <code>Document</code> or the <span>URL</span> of the image, as
- appropriate.</dd>
+ <dd>The <span>origin</span> is the <span>origin</span> of
+ <span>the <code>Document</code>'s address</span>.</dd>
- <dt>If a <code>Document</code> or image was generated from a
- <span title="data protocol"><code title="">data:</code>
- URL</span> that was returned as the location of an HTTP redirect
- (<span title="concept-http-equivalent-codes">or equivalent</span>
- in other protocols)</dt>
+ <dt>If a <code>Document</code> was generated from a <span
+ title="data protocol"><code title="">data:</code> URL</span> that
+ was returned as the location of an HTTP redirect (<span
+ title="concept-http-equivalent-codes">or equivalent</span> in
+ other protocols)</dt>
<dd>The <span>origin</span> is the <span>origin</span> of the
<span>URL</span> that redirected to the <span title="data
protocol"><code title="">data:</code> URL</span>.</dd>
- <dt>If a <code>Document</code> or image was generated from a
- <span title="data protocol"><code title="">data:</code>
- URL</span> found in another <code>Document</code> or in a
- script</dt>
+ <dt>If a <code>Document</code> was generated from a <span
+ title="data protocol"><code title="">data:</code> URL</span>
+ found in another <code>Document</code> or in a script</dt>
<dd>The <span>origin</span> is the <span>origin</span> of the
<code>Document</code> or script that initiated the <span
@@ -70240,15 +70358,15 @@
<code>Document</code>.</dd>
- <dt>If a <code>Document</code> or image was obtained in some
- other manner (e.g. a <span title="data protocol"><code
- title="">data:</code> URL</span> typed in by the user, a
- <code>Document</code> created using the <code
+ <dt>If a <code>Document</code> was obtained in some other manner
+ (e.g. a <span title="data protocol"><code title="">data:</code>
+ URL</span> typed in by the user, a <code>Document</code> created
+ using the <code
title="dom-DOMImplementation-createDocument">createDocument()</code>
API, etc)</dt>
<dd>The <span>origin</span> is a globally unique identifier
- assigned when the <code>Document</code> or image is created.</dd>
+ assigned when the <code>Document</code> is created.</dd>
</dl>
@@ -70261,21 +70379,68 @@
</dd>
+ <dt>For images</dt>
+
+ <dd>
+
+ <dl class="switch">
+
+ <dt>If an image is the image of an <code>img</code> element and
+ its image data has a forced origin</dt>
+
+ <dd>The <span>origin</span> is the image data's forced origin.
+ (This occurs when the image was successfully obtained using
+ CORS.)</dd>
+
+
+ <dt>If an image was served over the network and has an address
+ that uses a URL scheme with a server-based naming authority</dt>
+
+ <dd>The <span>origin</span> is the <span>origin</span> of the
+ image's <span>URL</span>.</dd>
+
+
+ <dt>If an image was generated from a <span title="data
+ protocol"><code title="">data:</code> URL</span> that was
+ returned as the location of an HTTP redirect (<span
+ title="concept-http-equivalent-codes">or equivalent</span> in
+ other protocols)</dt>
+
+ <dd>The <span>origin</span> is the <span>origin</span> of the
+ <span>URL</span> that redirected to the <span title="data
+ protocol"><code title="">data:</code> URL</span>.</dd>
+
+
+ <dt>If an image was generated from a <span title="data
+ protocol"><code title="">data:</code> URL</span> found in another
+ <code>Document</code> or in a script</dt>
+
+ <dd>The <span>origin</span> is the <span>origin</span> of the
+ <code>Document</code> or script that loaded that image.</dd>
+
+
+ <dt>If an image was obtained in some other manner (e.g. a <span
+ title="data protocol"><code title="">data:</code> URL</span>
+ typed in by the user)</dt>
+
+ <dd>The <span>origin</span> is a globally unique identifier
+ assigned when the image is created.</dd>
+
+ </dl>
+
+ </dd>
+
+
<dt>For <code>audio</code> and <code>video</code> elements</dt>
<dd>
- <p>If value of the <span>media element</span>'s <code
- title="dom-media-currentSrc">currentSrc</code> attribute is the
- empty string, the <span>origin</span> is the same as the
+ <p>The <span>origin</span> is always the same as the
<span>origin</span> of the element's <code>Document</code>'s
- <span>origin</span>.</p>
+ <span>origin</span>, as <span title="media resource">media
+ resources</span> cannot be fetched cross-origin without the
+ server's permission (using CORS).</p>
- <p>Otherwise, the <span>origin</span> is equal to the
- <span>origin</span> of the <span>absolute URL</span> given by the
- <span>media element</span>'s <code
- title="dom-media-currentSrc">currentSrc</code> attribute.</p>
-
</dd>
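Review bot: the new "For images" switch has no case for an image generated from a javascript: URL, although the removed combined text earlier in this section covered "a Document or image" for that case; add it, or state that it falls under "some other manner", so the origin of such images stays defined. The first case relies on "forced origin", which appears only informally in the img fetch step; give it a dfn. The audio/video entry's justification ("media resources cannot be fetched cross-origin without the server's permission") conflicts with the media fetch step's Otherwise branch, which still fetches cross-origin resources when the attribute is absent.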
@@ -108434,6 +108599,7 @@
<span>transparent</span>*</td>
<td><span title="global attributes">globals</span>;
<code title="attr-media-src">src</code>;
+ <code title="attr-media-cross-origin">cross-origin</code>;
<code title="attr-media-preload">preload</code>;
<code title="attr-media-autoplay">autoplay</code>;
<code title="attr-media-mediagroup">mediagroup</code>;
@@ -108955,6 +109121,7 @@
<td><span title="global attributes">globals</span>;
<code title="attr-img-alt">alt</code>;
<code title="attr-img-src">src</code>;
+ <code title="attr-img-cross-origin">cross-origin</code>;
<code title="attr-hyperlink-usemap">usemap</code>;
<code title="attr-img-ismap">ismap</code>;
<code title="attr-dim-width">width</code>;
@@ -109759,6 +109926,7 @@
<span>transparent</span>*</td>
<td><span title="global attributes">globals</span>;
<code title="attr-media-src">src</code>;
+ <code title="attr-media-cross-origin">cross-origin</code>;
<code title="attr-video-poster">poster</code>;
<code title="attr-media-preload">preload</code>;
<code title="attr-media-autoplay">autoplay</code>;
@@ -110289,6 +110457,13 @@
<td> Coordinates for the shape to be created in an <span>image map</span>
<td> <span>Valid list of integers</span>*
<tr>
+ <th> <code title="">cross-origin</code>
+ <td> <code title="attr-media-cross-origin">audio</code>;
+ <code title="attr-img-cross-origin">img</code>;
+ <code title="attr-media-cross-origin">video</code>
+ <td> How the element handles cross-origin requests.
+ <td> "<code title="attr-cross-origin-anonymous-keyword">anonymous</code>"; "<code title="attr-cross-origin-use-credentials-keyword">use-credentials</code>"
+ <tr>
<th> <code title="">data</code>
<td> <code title="attr-object-data">object</code>
<td> Address of the resource
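Review bot: the Value column lists only "anonymous" and "use-credentials", but the CORS settings attribute definition also makes the empty string a valid keyword (mapping to Anonymous); list it here so the index agrees with the definition.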