[html5] r6144 - [giow] (0) Update how CORS works with <img> and <video> (and <audio> and <track>).
whatwg at whatwg.org
Mon May 23 13:43:03 PDT 2011
Author: ianh
Date: 2011-05-23 13:43:02 -0700 (Mon, 23 May 2011)
New Revision: 6144
Modified:
complete.html
index
source
Log:
[giow] (0) Update how CORS works with <img> and <video> (and <audio> and <track>).
Modified: complete.html
===================================================================
--- complete.html 2011-05-20 20:12:52 UTC (rev 6143)
+++ complete.html 2011-05-23 20:43:02 UTC (rev 6144)
@@ -239,7 +239,7 @@
<header class=head id=head><p><a class=logo href=http://www.whatwg.org/ rel=home><img alt=WHATWG height=101 src=/images/logo width=101></a></p>
<hgroup><h1>Web Applications 1.0</h1>
- <h2 class="no-num no-toc">Living Standard — Last Updated 20 May 2011</h2>
+ <h2 class="no-num no-toc">Living Standard — Last Updated 23 May 2011</h2>
</hgroup><dl><dt>Multiple-page version:</dt>
<dd><a href=http://www.whatwg.org/specs/web-apps/current-work/complete/>http://www.whatwg.org/specs/web-apps/current-work/complete/</a></dd>
<dt>One-page version:</dt>
@@ -361,7 +361,8 @@
<li><a href=#encrypted-http-and-related-security-concerns><span class=secno>2.7.2 </span>Encrypted HTTP and related security concerns</a></li>
<li><a href=#content-type-sniffing><span class=secno>2.7.3 </span>Determining the type of a resource</a></li>
<li><a href=#extracting-encodings-from-meta-elements><span class=secno>2.7.4 </span>Extracting encodings from <code>meta</code> elements</a></li>
- <li><a href=#cors-settings-attributes><span class=secno>2.7.5 </span>CORS settings attributes</a></ol></li>
+ <li><a href=#cors-settings-attributes><span class=secno>2.7.5 </span>CORS settings attributes</a></li>
+ <li><a href=#cors-enabled-fetch><span class=secno>2.7.6 </span>CORS-enabled fetch</a></ol></li>
<li><a href=#common-dom-interfaces><span class=secno>2.8 </span>Common DOM interfaces</a>
<ol>
<li><a href=#reflecting-content-attributes-in-idl-attributes><span class=secno>2.8.1 </span>Reflecting content attributes in IDL attributes</a></li>
@@ -3477,6 +3478,9 @@
<ul class=brief><li><dfn id=cross-origin-request>cross-origin request</dfn>
<li><dfn id=cross-origin-request-status>cross-origin request status</dfn>
+ <li><dfn id=redirect-steps>redirect steps</dfn>
+ <li><dfn id=credential-flag>credential flag</dfn>
+ <li><dfn id=resource-sharing-check>resource sharing check</dfn>
</ul></dd>
<dt>CSS modules</dt>
@@ -6976,7 +6980,11 @@
<dd>
<p>Continue, using the fetched resource (the redirect) as the
- result of the algorithm.</p>
+ result of the algorithm. If the calling algorithm subsequently
+ requires the user agent to <dfn id=transparently-follow-the-redirect>transparently follow the
+ redirect</dfn>, then the user agent must resume this algorithm
+ from the <i>main step</i>, but using the target of the redirect
+ as the resource to fetch, rather than the original resource.</p>
</dd>
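Review bot: the new definition of "transparently follow the redirect" tells the user agent to resume the fetch algorithm "from the main step", but no step labelled "main step" is visible in this hunk or elsewhere in the patch; if the fetch algorithm does not already carry that label, add it in the same change so the cross-reference resolves. It would also help to state explicitly that the resumed fetch keeps the original request's other parameters (the manual redirect flag aside, which the CORS-enabled fetch below clears when it follows a tainting redirect).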
@@ -7223,10 +7231,166 @@
the <dfn id=attr-cross-origin-none title=attr-cross-origin-none>No CORS</dfn> state.</p>
+ <h4 id=cors-enabled-fetch><span class=secno>2.7.6 </span>CORS-enabled fetch</h4>
+ <p>When the user agent is required to perform a <dfn id=potentially-cors-enabled-fetch>potentially
+ CORS-enabled fetch</dfn> of an <a href=#absolute-url>absolute URL</a> <var title="">URL</var>, with a mode <var title="">mode</var> that is
+ either "<a href=#attr-cross-origin-none title=attr-cross-origin-none>No CORS</a>", "<a href=#attr-cross-origin-anonymous title=attr-cross-origin-anonymous>Anonymous</a>", or "<a href=#attr-cross-origin-use-credentials title=attr-cross-origin-use-credentials>Use Credentials</a>",
+ an <a href=#origin>origin</a> <var title="">origin</var>, and a default
+ origin behaviour <var title="">default</var> which is either
+ "<i>taint</i>" or "<i>fail</i>", it must run the first applicable
+ set of steps from the following list. The default origin behaviour
+ is only used if <var title="">mode</var> is "<a href=#attr-cross-origin-none title=attr-cross-origin-none>No CORS</a>". This algorithm wraps
+ the <a href=#fetch>fetch</a> algorithm above, and labels the obtained
+ resource as either <dfn id=cors-same-origin>CORS-same-origin</dfn> or
+ <dfn id=cors-cross-origin>CORS-cross-origin</dfn>, or blocks the resource entirely.</p>
- <h3 id=common-dom-interfaces><span class=secno>2.8 </span>Common DOM interfaces</h3>
+ <dl class=switch><dt>If <var title="">mode</var> is "<a href=#attr-cross-origin-none title=attr-cross-origin-none>No CORS</a>"</dt>
+ <dd>
+
+ <p>Run these substeps:</p>
+
+ <ol><li><p>Let <var title="">result</var> have no value.</li>
+
+ <li><p><a href=#fetch>Fetch</a> <var title="">URL</var>, with the
+ <i>manual redirect flag</i> set.</li> <!-- http-origin privacy
+ sensitive -->
+
+ <li><p><i>Loop</i>: Wait for the <a href=#fetch>fetch</a> algorithm
+ to know if the result is a redirect or not.</li>
+
+ <li>
+
+ <p>If the result of the <a href=#fetch>fetch</a> is a redirect, and
+ <var title="">result</var> still has no value, then apply the
+ CORS <a href=#redirect-steps>redirect steps</a>, with the CORS
+ <a href=#credential-flag>credential flag</a> set to true and the <i>request
+ rules</i> being that the user agent continue to follow these
+ steps. If this resumes the <a href=#fetch>fetch</a> algorithm, then
+ return to the <i>loop</i> step. If it failed due to a failure
+ of the CORS <a href=#resource-sharing-check>resource sharing check</a>, then: if <var title="">default</var> is <i>fail</i>, then set <var title="">result</var> to <i>fail</i> and jump to the step
+ labeled <i>end</i>; if <var title="">default</var> is
+ <i>taint</i>, then set <var title="">result</var> to
+ <i>taint</i>, <a href=#transparently-follow-the-redirect>transparently follow the redirect</a>
+ but with the <i>manual redirect flag</i> no longer set, and
+ jump to the step labeled <i>end</i> below.</p>
+
+ <p>Otherwise, if the resource is not available (e.g. there is
+ a network error) then set <var title="">result</var> to the
+ same value as <var title="">default</var>, and jump to the
+ step labeled <i>end</i> below.</p>
+
+ <p>Otherwise, perform a <a href=#resource-sharing-check>resource sharing check</a>,
+ with the CORS <a href=#credential-flag>credential flag</a> set to true. If it
+ returns fail, then set <var title="">result</var> to the same
+ value as <var title="">default</var>; otherwise, set <var title="">result</var> to <i>success</i>. Then, jump to the
+ step labeled <i>end</i> below.</p>
+
+ </li>
+
+ <li>
+
+ <p><i>End</i>: Jump to the appropriate step from the following
+ list:</p>
+
+ <dl class=switch><dt>If <var title="">result</var> is <i>fail</i></dt>
+
+ <dd>
+
+ <p>Discard all fetched data and prevent any <a href=#concept-task title=concept-task>tasks</a> from the <a href=#fetch>fetch</a>
+ algorithm from being <a href=#queue-a-task title="queue a task">queued</a>.
+ For the purposes of the calling algorithm, the user agent must
+ act as if there was a fatal network error and no resource was
+ obtained. The user agent may report a cross-origin resource
+ access failure to the user (e.g. in a debugging console).</p>
+
+ </dd>
+
+ <dt>If <var title="">result</var> is <i>taint</i></dt>
+
+ <dd>
+
+ <p>Tbe <a href=#concept-task title=concept-task>tasks</a> from the
+ <a href=#fetch>fetch</a> algorithm are <a href=#queue-a-task title="queue a
+ task">queued</a> normally, but for the purposes of the
+ calling algorithm, the obtained resource is
+ <a href=#cors-cross-origin>CORS-cross-origin</a>. The user agent may report a
+ cross-origin resource access failure to the user (e.g. in a
+ debugging console).</p>
+
+ </dd>
+
+ <dt>If <var title="">result</var> is <i>success</i></dt>
+
+ <dd>
+
+ <p>Tbe <a href=#concept-task title=concept-task>tasks</a> from the
+ <a href=#fetch>fetch</a> algorithm are <a href=#queue-a-task title="queue a
+ task">queued</a> normally, and for the purposes of the
+ calling algorithm, the obtained resource is
+ <a href=#cors-same-origin>CORS-same-origin</a>.</p>
+
+ </dd>
+
+ </dl></li>
+
+ </ol></dd>
+
+
+ <dt>If <var title="">mode</var> is "<a href=#attr-cross-origin-anonymous title=attr-cross-origin-anonymous>Anonymous</a>" or "<a href=#attr-cross-origin-use-credentials title=attr-cross-origin-use-credentials>Use
+ Credentials</a>"</dt>
+
+ <dd>
+
+ <p>Run these steps:</p>
+
+ <ol><li><p>Perform a <a href=#cross-origin-request>cross-origin request</a> with the
+ <i>request URL</i> set to <var title="">URL</var>, the
+ <i>source origin</i> set to <var title="">origin</var>, and the
+ <i>credentials flag</i> set to true if <var title="">mode</var>
+ is "<a href=#attr-cross-origin-use-credentials title=attr-cross-origin-use-credentials>Use
+ Credentials</a>" and set to false otherwise. <a href=#refsCORS>[CORS]</a></li>
+
+ <li><p>Wait for the CORS <a href=#cross-origin-request-status>cross-origin request status</a>
+ to have a value.</li>
+
+ <li>
+
+ <p>Jump to the appropriate step from the following list:</p>
+
+ <dl class=switch><dt>If the CORS <a href=#cross-origin-request-status>cross-origin request status</a> is not <i>success</i></dt>
+
+ <dd>
+
+ <p>Discard all fetched data and prevent any <a href=#concept-task title=concept-task>tasks</a> from the <a href=#fetch>fetch</a>
+ algorithm from being <a href=#queue-a-task title="queue a task">queued</a>.
+ For the purposes of the calling algorithm, the user agent must
+ act as if there was a fatal network error and no resource was
+ obtained. If a CORS <a href=#resource-sharing-check>resource sharing check</a>
+ failed, the user agent may report a cross-origin resource
+ access failure to the user (e.g. in a debugging console).</p>
+
+ </dd>
+
+ <dt>If the CORS <a href=#cross-origin-request-status>cross-origin request status</a> is <i>success</i></dt>
+
+ <dd>
+
+ <p>Tbe <a href=#concept-task title=concept-task>tasks</a> from the
+ <a href=#fetch>fetch</a> algorithm are <a href=#queue-a-task title="queue a
+ task">queued</a> normally, and for the purposes of the
+ calling algorithm, the obtained resource is
+ <a href=#cors-same-origin>CORS-same-origin</a>.</p>
+
+ </dd>
+
+ </dl></li>
+
+ </ol></dd>
+
+ </dl><h3 id=common-dom-interfaces><span class=secno>2.8 </span>Common DOM interfaces</h3>
+
<h4 id=reflecting-content-attributes-in-idl-attributes><span class=secno>2.8.1 </span>Reflecting content attributes in IDL attributes</h4>
<p>Some IDL attributes are defined to <dfn id=reflect>reflect</dfn> a
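Review bot: the "No CORS" branch never short-circuits same-origin URLs, yet its fourth substep runs a resource sharing check with the credential flag set to true on every non-redirect response, and that check is never told which origin to compare against: the <var>origin</var> argument is unused in this branch (only the Anonymous/Use Credentials branch passes it as the source origin). As written, a same-origin image or media file served without any Access-Control-Allow-Origin header fails the check and, with default "taint", is labelled CORS-cross-origin, so it would taint a canvas it is drawn on. Suggest a first substep of the form "If URL's origin is the same origin as origin, fetch URL normally and set result to success", and naming the source origin the check uses. Two smaller points: in the "taint" case, "The user agent may report a cross-origin resource access failure to the user" would fire for every ordinary cross-origin <img>, which is the normal case rather than a failure, so consider limiting that reporting to the "fail" case; and "Tbe" should read "The" in the "taint" and "success" <dd>s (three occurrences in this hunk).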
@@ -22153,32 +22317,19 @@
<p>If that is not successful, abort these steps.</p>
- <p>Otherwise, if the <code><a href=#the-img-element>img</a></code> element has a <code title=attr-img-cross-origin><a href=#attr-img-cross-origin>cross-origin</a></code> attribute, then
- perform a <a href=#cross-origin-request>cross-origin request</a>, with the <i>request
- URL</i> set to the resulting <a href=#absolute-url>absolute URL</a>, the
- <i>source origin</i> set to the <a href=#origin>origin</a> of the
+ <p>Otherwise, do a <a href=#potentially-cors-enabled-fetch>potentially CORS-enabled fetch</a> of
+ the resulting <a href=#absolute-url>absolute URL</a>, with the <i>mode</i>
+ being the state of the element's <code title=attr-img-cross-origin><a href=#attr-img-cross-origin>cross-origin</a></code> content
+ attribute, the <i><a href=#origin>origin</a></i> being the <a href=#origin>origin</a> of the
<code><a href=#the-img-element>img</a></code> element's <code><a href=#document>Document</a></code>, and the
- <i>credentials flag</i> set unless the <code title=attr-img-cross-origin><a href=#attr-img-cross-origin>cross-origin</a></code> attribute is in
- the <a href=#attr-cross-origin-anonymous title=attr-cross-origin-anonymous>Anonymous</a>
- state. Discard any data fetched in this way unless the
- <a href=#cross-origin-request-status>cross-origin request status</a> is set to <i>success</i>
- by the <a href=#cross-origin-request>cross-origin request</a> algorithm. If the
- <a href=#cross-origin-request-status>cross-origin request status</a> is set to <i>success</i>,
- then the element's image data's <a href=#origin>origin</a> is <a href=#concept-origin-forced-img title=concept-origin-forced-img>forced</a> to be the
- <code><a href=#the-img-element>img</a></code> element's <code><a href=#document>Document</a></code>'s
- <a href=#origin>origin</a>. <a href=#refsCORS>[CORS]</a></p> <!--
- http-origin CORS -->
+ <i>default origin behaviour</i> set to <i>taint</i>.</p>
- <p>Otherwise, <a href=#fetch>fetch</a> the resulting <a href=#absolute-url>absolute
- URL</a>. If the returned resource has an <code title=http-Access-Control-Allow-Origin>Access-Control-Allow-Origin</code>
- response header, and its value is the literal "<code title="">*</code>" character, then the element's image data's
- <a href=#origin>origin</a> is <a href=#concept-origin-forced-img title=concept-origin-forced-img>forced</a> to be the
- <code><a href=#the-img-element>img</a></code> element's <code><a href=#document>Document</a></code>'s
- <a href=#origin>origin</a>.</p> <!-- http-origin privacy sensitive -->
+ <p>The resource obtained in this fashion, if any, is the
+ <code><a href=#the-img-element>img</a></code> element's image data. It can be either
+ <a href=#cors-same-origin>CORS-same-origin</a> or <a href=#cors-cross-origin>CORS-cross-origin</a>;
+ this affects the <a href=#origin>origin</a> of the image itself (e.g.
+ when used on a <code><a href=#the-canvas-element>canvas</a></code>).</p>
- <p>The resouce obtained in this fashion is the <code><a href=#the-img-element>img</a></code>
- element's image data.</p>
-
<!-- same text in <input type=image> section and similar text
elsewhere --> <p>Fetching the image must <a href=#delay-the-load-event>delay the load
event</a> of the element's document until the <a href=#concept-task title=concept-task>task</a> that is <a href=#queue-a-task title="queue a
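Review bot: the removed text explicitly accepted a plain fetch whose response carried Access-Control-Allow-Origin with the literal "*" value and forced the image's origin to the Document's origin; the replacement routes every fetch through the wrapper, whose No CORS branch runs the resource sharing check with the credential flag set to true, and under CORS an allow-origin of "*" does not pass the check when the credentials flag is set. Please confirm whether a "*" response is still meant to yield a CORS-same-origin image; if it is, the No CORS branch should run the check with the credential flag set to false (or the text should say the "*" behaviour is being dropped deliberately). The new sentence "this affects the origin of the image itself (e.g. when used on a canvas)" is a good replacement for the old forced-origin wording.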
@@ -27134,27 +27285,21 @@
<li>
- <p>If the <a href=#origin>origin</a> of <var title="">current media
- resource</var>'s <a href=#absolute-url>absolute URL</a> is not the <a href=#same-origin>same
- origin</a> as the <a href=#media-element>media element</a>'s
- <code><a href=#document>Document</a></code>'s <a href=#origin>origin</a>, and the <a href=#media-element>media
- element</a> has a <code title=attr-media-cross-origin><a href=#attr-media-cross-origin>cross-origin</a></code> attribute,
- then perform a <a href=#cross-origin-request>cross-origin request</a>, with the
- <i>request URL</i> set to <var title="">current media
- resource</var>'s <a href=#absolute-url>absolute URL</a>, the <i>source
- origin</i> set to the <a href=#origin>origin</a> of the <a href=#media-element>media
- element</a>'s <code><a href=#document>Document</a></code>, and the <i>credentials
- flag</i> set unless the <code title=attr-media-cross-origin><a href=#attr-media-cross-origin>cross-origin</a></code> attribute is
- in the <a href=#attr-cross-origin-anonymous title=attr-cross-origin-anonymous>Anonymous</a>
- state. Discard any data fetched in this way unless the
- <a href=#cross-origin-request-status>cross-origin request status</a> is set to <i>success</i>.
- <a href=#refsCORS>[CORS]</a></p> <!-- http-origin CORS -->
+ <p>Perform a <a href=#potentially-cors-enabled-fetch>potentially CORS-enabled fetch</a> of the
+ <var title="">current media resource</var>'s <a href=#absolute-url>absolute
+ URL</a>, with the <i>mode</i> being the state of the
+ <a href=#media-element>media element</a>'s <code title=attr-media-cross-origin><a href=#attr-media-cross-origin>cross-origin</a></code> content
+ attribute, the <i><a href=#origin>origin</a></i> being the <a href=#origin>origin</a> of the
+ <a href=#media-element>media element</a>'s <code><a href=#document>Document</a></code>, and the
+ <i>default origin behaviour</i> set to <i>taint</i>.</p>
- <p>Otherwise, <a href=#fetch>fetch</a> the <var title="">current media
- resource</var>, from the <a href=#media-element>media element</a>'s
- <code><a href=#document>Document</a></code>'s <a href=#origin>origin</a>, with the <i>force
- same-origin flag</i> set.</p> <!-- not http-origin privacy
- sensitive -->
+ <p>The resource obtained in this fashion, if any, contains the
+ <a href=#media-data>media data</a>. It can be <a href=#cors-same-origin>CORS-same-origin</a>
+ or <a href=#cors-cross-origin>CORS-cross-origin</a>; this affects whether subtitles
+ referenced in the <a href=#media-data>media data</a> are exposed in the API
+ and, for <code><a href=#the-video-element>video</a></code> elements, whether a
+ <code><a href=#the-canvas-element>canvas</a></code> gets tainted when the video is drawn on
+ it.</p>
<p>Every 350ms (±200ms) or for every byte received, whichever
is <em>least</em> frequent, <a href=#queue-a-task>queue a task</a> to
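Review bot: the removed non-CORS branch fetched the current media resource with the "force same-origin flag" set; neither the replacement paragraph nor the new potentially CORS-enabled fetch wrapper sets that flag, so it is dropped silently. If the CORS-same-origin/CORS-cross-origin labelling is intended to replace it, say so in the log message; otherwise pass the flag through to the underlying fetch. The explanatory paragraph about subtitle exposure and canvas tainting is consistent with the later hunks.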
@@ -27545,11 +27690,15 @@
<dd>
- <p><a href=#queue-a-task>Queue a task</a> to run the <a href=#steps-to-expose-a-media-resource-specific-text-track>steps to expose a
- media-resource-specific text track</a> with the relevant
- data.</p>
+ <p>If the <a href=#media-data>media data</a> is
+ <a href=#cors-same-origin>CORS-same-origin</a>, <a href=#queue-a-task>queue a task</a> to run
+ the <a href=#steps-to-expose-a-media-resource-specific-text-track>steps to expose a media-resource-specific text
+ track</a> with the relevant data.</p>
- <!-- only allow this if the video is same-origin or CORS-protected -->
+ <p class=note>Cross-origin videos do not expose their
+ subtitles, since that would allow attacks such as hostile sites
+ reading subtitles from confidential videos on a user's
+ intranet.</p>
</dd>
@@ -30670,27 +30819,17 @@
<p><i>Download</i>: At this point, the text track is downloaded.</p>
- <p>If <var title="">URL</var> is not the empty string, and its
- <a href=#origin>origin</a> is not the <a href=#same-origin>same origin</a> as the
- <a href=#media-element>media element</a>'s <code><a href=#document>Document</a></code>'s
- <a href=#origin>origin</a>, and the <a href=#media-element>media element</a> has a
- <code title=attr-media-cross-origin><a href=#attr-media-cross-origin>cross-origin</a></code>
- attribute, then perform a <a href=#cross-origin-request>cross-origin request</a>, with
- the <i>request URL</i> set to <var title="">URL</var>, the
- <i>source origin</i> set to the <a href=#origin>origin</a> of the
+ <p>If <var title="">URL</var> is not the empty string, perform a
+ <a href=#potentially-cors-enabled-fetch>potentially CORS-enabled fetch</a> of <var title="">URL</var>, with the <i>mode</i> being the state of the
+ <a href=#media-element>media element</a>'s <code title=attr-media-cross-origin><a href=#attr-media-cross-origin>cross-origin</a></code> content
+ attribute, the <i><a href=#origin>origin</a></i> being the <a href=#origin>origin</a> of the
<a href=#media-element>media element</a>'s <code><a href=#document>Document</a></code>, and the
- <i>credentials flag</i> set unless the <a href=#media-element>media
- element</a>'s <code title=attr-media-cross-origin><a href=#attr-media-cross-origin>cross-origin</a></code> attribute is
- in the <a href=#attr-cross-origin-anonymous title=attr-cross-origin-anonymous>Anonymous</a>
- state. Discard any data fetched in this way unless the
- <a href=#cross-origin-request-status>cross-origin request status</a> is set to <i>success</i>.
- <a href=#refsCORS>[CORS]</a></p> <!-- http-origin CORS -->
+ <i>default origin behaviour</i> set to <i>fail</i>.</p>
- <p>Otherwise, if <var title="">URL</var> is not the empty string,
- <a href=#fetch>fetch</a> <var title="">URL</var>, from the <a href=#media-element>media
- element</a>'s <code><a href=#document>Document</a></code>'s <a href=#origin>origin</a>, with
- the <i>force same-origin flag</i> set.</p> <!-- not http-origin
- privacy sensitive -->
+ <p>The resource obtained in this fashion, if any, contains the
+ text track data. If any data is obtained, it is by definition
+ <a href=#cors-same-origin>CORS-same-origin</a> (cross-origin resources that are not
+ suitably CORS-enabled do not get this far).</p>
<p>The <a href=#concept-task title=concept-task>tasks</a> <a href=#queue-a-task title="queue
a task">queued</a> by the <a href=#fetch title=fetch>fetching
@@ -30712,14 +30851,13 @@
<p>If the <a href=#fetch title=fetch>fetching algorithm</a> fails for
any reason (network error, the server returns an error code, a
- cross-origin check fails, etc), or if <var title="">URL</var> is
- the empty string or has the wrong <a href=#origin>origin</a> as
- determined by the condition at the start of this step, or if the
- fetched resource is not in a supported format, then <a href=#queue-a-task>queue a
- task</a> to first change the <a href=#text-track-readiness-state>text track readiness
- state</a> to <a href=#text-track-failed-to-load title="text track failed to load">failed to
- load</a> and then <a href=#fire-a-simple-event>fire a simple event</a> named <code title=event-error>error</code> at the <code><a href=#the-track-element>track</a></code>
- element; and then, once that <a href=#concept-task title=concept-task>task</a> is <a href=#queue-a-task title="queue a
+ cross-origin check fails, etc), if <var title="">URL</var> is the
+ empty string, or if the fetched resource is not in a supported
+ format, then <a href=#queue-a-task>queue a task</a> to first change the
+ <a href=#text-track-readiness-state>text track readiness state</a> to <a href=#text-track-failed-to-load title="text track
+ failed to load">failed to load</a> and then <a href=#fire-a-simple-event>fire a simple
+ event</a> named <code title=event-error>error</code> at the
+ <code><a href=#the-track-element>track</a></code> element; and then, once that <a href=#concept-task title=concept-task>task</a> is <a href=#queue-a-task title="queue a
task">queued</a>, move on to the step below labeled
<i>monitoring</i>.</p>
@@ -33785,10 +33923,20 @@
<hr><p>If a hostile page embeds victim content, the threat is that the
embedding page could obtain information from the content that it
- would not otherwise have access to. To avoid this, the API will not
- allow videos to be shown cross-origin unless the <code title=attr-media-cross-origin><a href=#attr-media-cross-origin>cross-origin</a></code> attribute is
- present and the remote server opts-in to cross-origin requsts. <a href=#refsCORS>[CORS]</a></p>
+ would not otherwise have access to. The API does expose some
+ information: the existence of the media, its type, its duration, its
+ size, and the performance characteristics of its host. Such
+ information is already potentially problematic, but in practice the
+ same information can more or less be obtained using the
+ <code><a href=#the-img-element>img</a></code> element, and so it has been deemed acceptable.</p>
+ <p>However, significantly more sensitive information could be
+ obtained if the user agent further exposes metadata within the
+ content such as subtitles or chapter titles. Such information is
+ therefore only exposed if the video resource passes a CORS
+ <a href=#resource-sharing-check>resource sharing check</a>. The <code title=attr-media-cross-origin><a href=#attr-media-cross-origin>cross-origin</a></code> attribute allows
+ authors to control how this check is performed. <a href=#refsCORS>[CORS]</a></p>
+
<p class=example>Without this restriction, an attacker could trick
a user running within a corporate network into visiting a site that
attempts to load a video from a previously leaked location on the
@@ -61783,12 +61931,21 @@
<dd>
<dl class=switch><dt>If an image is the image of an <code><a href=#the-img-element>img</a></code> element and
- its image data has a <a href=#concept-origin-forced-img title=concept-origin-forced-img>forced origin</a></dt>
+ its image data is <a href=#cors-cross-origin>CORS-cross-origin</a></dt>
- <dd>The <a href=#origin>origin</a> is the image data's <dfn id=concept-origin-forced-img title=concept-origin-forced-img>forced origin</dfn>. (This
- occurs when the image was successfully obtained using CORS.)</dd>
+ <dd>The <a href=#origin>origin</a> is a globally unique identifier
+ assigned when the image is created.</dd>
+ <dt>If an image is the image of an <code><a href=#the-img-element>img</a></code> element and
+ its image data is <a href=#cors-same-origin>CORS-same-origin</a></dt>
+
+ <dd>The <a href=#origin>origin</a> is the <a href=#origin>origin</a> of the
+ <code><a href=#the-img-element>img</a></code> element's <code><a href=#document>Document</a></code>.</dd>
+
+
+<!-- does anything depend on the origin of an image other than from <img>? If not, we can cut out the remainder of this <dl>: -->
+
<dt>If an image was served over the network and has an address
that uses a URL scheme with a server-based naming authority</dt>
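Review bot: the new rule gives a CORS-cross-origin image "a globally unique identifier assigned when the image is created", which is the right outcome, but the source comment left here ("does anything depend on the origin of an image other than from <img>?") is a question that should be resolved before landing or tracked somewhere visible; leaving it in the source means the remaining <dl> entries (network-served images, etc.) stay with no stated relationship to the new CORS-based rules above them.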
@@ -61827,22 +61984,32 @@
<dd>
- <p>The <a href=#origin>origin</a> is always the same as the
- <a href=#origin>origin</a> of the element's <code><a href=#document>Document</a></code>'s
- <a href=#origin>origin</a>, as <a href=#media-resource title="media resource">media
- resources</a> cannot be fetched cross-origin without the
- server's permission (using CORS).</p>
+ <dl class=switch><dt>If the <a href=#media-data>media data</a> is
+ <a href=#cors-cross-origin>CORS-cross-origin</a></dt>
- </dd>
+ <dd>The <a href=#origin>origin</a> is a globally unique identifier
+ assigned when the image is created.</dd>
+ <dt>If the <a href=#media-data>media data</a> is
+ <a href=#cors-same-origin>CORS-same-origin</a></dt>
+
+ <dd>The <a href=#origin>origin</a> is the <a href=#origin>origin</a> of the
+ <a href=#media-element>media element</a>'s <code><a href=#document>Document</a></code>.</dd>
+
+ </dl></dd>
+
+
<dt>For fonts</dt>
<dd>
<p>The <a href=#origin>origin</a> of a downloadable Web font is equal to
the <a href=#origin>origin</a> of the <a href=#absolute-url>absolute URL</a> used to
- obtain the font (after any redirects). <a href=#refsCSSFONTS>[CSSFONTS]</a></p>
+ obtain the font (after any redirects). <a href=#refsCSSFONTS>[CSSFONTS]</a></p> <!-- this means you can
+ get data from a remote site if you can make it redirect to your
+ own site in some fashion controlled by the data you want to read
+ -->
<p>The <a href=#origin>origin</a> of a locally installed system font is
equal to the <a href=#origin>origin</a> of the <code><a href=#document>Document</a></code> in
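Review bot: copy-paste error in the new media-data switch: "The origin is a globally unique identifier assigned when the image is created" should read "when the media data is created" (or "when the media resource is fetched"), since this <dl> covers media elements, not images. Separately, the HTML comment added after [CSSFONTS] records a real concern about font origin following redirects; consider tracking it as an issue or a visible note rather than a hidden source comment, so it does not get lost.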
Modified: index
===================================================================
--- index 2011-05-20 20:12:52 UTC (rev 6143)
+++ index 2011-05-23 20:43:02 UTC (rev 6144)
@@ -243,7 +243,7 @@
<header class=head id=head><p><a class=logo href=http://www.whatwg.org/ rel=home><img alt=WHATWG height=101 src=/images/logo width=101></a></p>
<hgroup><h1 class=allcaps>HTML</h1>
- <h2 class="no-num no-toc">Living Standard — Last Updated 20 May 2011</h2>
+ <h2 class="no-num no-toc">Living Standard — Last Updated 23 May 2011</h2>
</hgroup><dl><dt><strong>Web developer edition</strong></dt>
<dd><strong><a href=http://developers.whatwg.org/>http://developers.whatwg.org/</a></strong></dd>
<dt>Multiple-page version:</dt>
@@ -361,7 +361,8 @@
<li><a href=#encrypted-http-and-related-security-concerns><span class=secno>2.7.2 </span>Encrypted HTTP and related security concerns</a></li>
<li><a href=#content-type-sniffing><span class=secno>2.7.3 </span>Determining the type of a resource</a></li>
<li><a href=#extracting-encodings-from-meta-elements><span class=secno>2.7.4 </span>Extracting encodings from <code>meta</code> elements</a></li>
- <li><a href=#cors-settings-attributes><span class=secno>2.7.5 </span>CORS settings attributes</a></ol></li>
+ <li><a href=#cors-settings-attributes><span class=secno>2.7.5 </span>CORS settings attributes</a></li>
+ <li><a href=#cors-enabled-fetch><span class=secno>2.7.6 </span>CORS-enabled fetch</a></ol></li>
<li><a href=#common-dom-interfaces><span class=secno>2.8 </span>Common DOM interfaces</a>
<ol>
<li><a href=#reflecting-content-attributes-in-idl-attributes><span class=secno>2.8.1 </span>Reflecting content attributes in IDL attributes</a></li>
@@ -3494,6 +3495,9 @@
<ul class=brief><li><dfn id=cross-origin-request>cross-origin request</dfn>
<li><dfn id=cross-origin-request-status>cross-origin request status</dfn>
+ <li><dfn id=redirect-steps>redirect steps</dfn>
+ <li><dfn id=credential-flag>credential flag</dfn>
+ <li><dfn id=resource-sharing-check>resource sharing check</dfn>
</ul></dd>
<dt>CSS modules</dt>
@@ -6993,7 +6997,11 @@
<dd>
<p>Continue, using the fetched resource (the redirect) as the
- result of the algorithm.</p>
+ result of the algorithm. If the calling algorithm subsequently
+ requires the user agent to <dfn id=transparently-follow-the-redirect>transparently follow the
+ redirect</dfn>, then the user agent must resume this algorithm
+ from the <i>main step</i>, but using the target of the redirect
+ as the resource to fetch, rather than the original resource.</p>
</dd>
@@ -7240,10 +7248,166 @@
the <dfn id=attr-cross-origin-none title=attr-cross-origin-none>No CORS</dfn> state.</p>
+ <h4 id=cors-enabled-fetch><span class=secno>2.7.6 </span>CORS-enabled fetch</h4>
+ <p>When the user agent is required to perform a <dfn id=potentially-cors-enabled-fetch>potentially
+ CORS-enabled fetch</dfn> of an <a href=#absolute-url>absolute URL</a> <var title="">URL</var>, with a mode <var title="">mode</var> that is
+ either "<a href=#attr-cross-origin-none title=attr-cross-origin-none>No CORS</a>", "<a href=#attr-cross-origin-anonymous title=attr-cross-origin-anonymous>Anonymous</a>", or "<a href=#attr-cross-origin-use-credentials title=attr-cross-origin-use-credentials>Use Credentials</a>",
+ an <a href=#origin>origin</a> <var title="">origin</var>, and a default
+ origin behaviour <var title="">default</var> which is either
+ "<i>taint</i>" or "<i>fail</i>", it must run the first applicable
+ set of steps from the following list. The default origin behaviour
+ is only used if <var title="">mode</var> is "<a href=#attr-cross-origin-none title=attr-cross-origin-none>No CORS</a>". This algorithm wraps
+ the <a href=#fetch>fetch</a> algorithm above, and labels the obtained
+ resource as either <dfn id=cors-same-origin>CORS-same-origin</dfn> or
+ <dfn id=cors-cross-origin>CORS-cross-origin</dfn>, or blocks the resource entirely.</p>
- <h3 id=common-dom-interfaces><span class=secno>2.8 </span>Common DOM interfaces</h3>
+ <dl class=switch><dt>If <var title="">mode</var> is "<a href=#attr-cross-origin-none title=attr-cross-origin-none>No CORS</a>"</dt>
+ <dd>
+
+ <p>Run these substeps:</p>
+
+ <ol><li><p>Let <var title="">result</var> have no value.</li>
+
+ <li><p><a href=#fetch>Fetch</a> <var title="">URL</var>, with the
+ <i>manual redirect flag</i> set.</li> <!-- http-origin privacy
+ sensitive -->
+
+ <li><p><i>Loop</i>: Wait for the <a href=#fetch>fetch</a> algorithm
+ to know if the result is a redirect or not.</li>
+
+ <li>
+
+ <p>If the result of the <a href=#fetch>fetch</a> is a redirect, and
+ <var title="">result</var> still has no value, then apply the
+ CORS <a href=#redirect-steps>redirect steps</a>, with the CORS
+ <a href=#credential-flag>credential flag</a> set to true and the <i>request
+ rules</i> being that the user agent continue to follow these
+ steps. If this resumes the <a href=#fetch>fetch</a> algorithm, then
+ return to the <i>loop</i> step. If it failed due to a failure
+ of the CORS <a href=#resource-sharing-check>resource sharing check</a>, then: if <var title="">default</var> is <i>fail</i>, then set <var title="">result</var> to <i>fail</i> and jump to the step
+ labeled <i>end</i>; if <var title="">default</var> is
+ <i>taint</i>, then set <var title="">result</var> to
+ <i>taint</i>, <a href=#transparently-follow-the-redirect>transparently follow the redirect</a>
+ but with the <i>manual redirect flag</i> no longer set, and
+ jump to the step labeled <i>end</i> below.</p>
+
+ <p>Otherwise, if the resource is not available (e.g. there is
+ a network error) then set <var title="">result</var> to the
+ same value as <var title="">default</var>, and jump to the
+ step labeled <i>end</i> below.</p>
+
+ <p>Otherwise, perform a <a href=#resource-sharing-check>resource sharing check</a>,
+ with the CORS <a href=#credential-flag>credential flag</a> set to true. If it
+ returns fail, then set <var title="">result</var> to the same
+ value as <var title="">default</var>; otherwise, set <var title="">result</var> to <i>success</i>. Then, jump to the
+ step labeled <i>end</i> below.</p>
+
+ </li>
+
+ <li>
+
+ <p><i>End</i>: Jump to the appropriate step from the following
+ list:</p>
+
+ <dl class=switch><dt>If <var title="">result</var> is <i>fail</i></dt>
+
+ <dd>
+
+ <p>Discard all fetched data and prevent any <a href=#concept-task title=concept-task>tasks</a> from the <a href=#fetch>fetch</a>
+ algorithm from being <a href=#queue-a-task title="queue a task">queued</a>.
+ For the purposes of the calling algorithm, the user agent must
+ act as if there was a fatal network error and no resource was
+ obtained. The user agent may report a cross-origin resource
+ access failure to the user (e.g. in a debugging console).</p>
+
+ </dd>
+
+ <dt>If <var title="">result</var> is <i>taint</i></dt>
+
+ <dd>
+
+ <p>Tbe <a href=#concept-task title=concept-task>tasks</a> from the
+ <a href=#fetch>fetch</a> algorithm are <a href=#queue-a-task title="queue a
+ task">queued</a> normally, but for the purposes of the
+ calling algorithm, the obtained resource is
+ <a href=#cors-cross-origin>CORS-cross-origin</a>. The user agent may report a
+ cross-origin resource access failure to the user (e.g. in a
+ debugging console).</p>
+
+ </dd>
+
+ <dt>If <var title="">result</var> is <i>success</i></dt>
+
+ <dd>
+
+ <p>Tbe <a href=#concept-task title=concept-task>tasks</a> from the
+ <a href=#fetch>fetch</a> algorithm are <a href=#queue-a-task title="queue a
+ task">queued</a> normally, and for the purposes of the
+ calling algorithm, the obtained resource is
+ <a href=#cors-same-origin>CORS-same-origin</a>.</p>
+
+ </dd>
+
+ </dl></li>
+
+ </ol></dd>
+
+
+ <dt>If <var title="">mode</var> is "<a href=#attr-cross-origin-anonymous title=attr-cross-origin-anonymous>Anonymous</a>" or "<a href=#attr-cross-origin-use-credentials title=attr-cross-origin-use-credentials>Use
+ Credentials</a>"</dt>
+
+ <dd>
+
+ <p>Run these steps:</p>
+
+ <ol><li><p>Perform a <a href=#cross-origin-request>cross-origin request</a> with the
+ <i>request URL</i> set to <var title="">URL</var>, the
+ <i>source origin</i> set to <var title="">origin</var>, and the
+ <i>credentials flag</i> set to true if <var title="">mode</var>
+ is "<a href=#attr-cross-origin-use-credentials title=attr-cross-origin-use-credentials>Use
+ Credentials</a>" and set to false otherwise. <a href=#refsCORS>[CORS]</a></li>
+
+ <li><p>Wait for the CORS <a href=#cross-origin-request-status>cross-origin request status</a>
+ to have a value.</li>
+
+ <li>
+
+ <p>Jump to the appropriate step from the following list:</p>
+
+ <dl class=switch><dt>If the CORS <a href=#cross-origin-request-status>cross-origin request status</a> is not <i>success</i></dt>
+
+ <dd>
+
+ <p>Discard all fetched data and prevent any <a href=#concept-task title=concept-task>tasks</a> from the <a href=#fetch>fetch</a>
+ algorithm from being <a href=#queue-a-task title="queue a task">queued</a>.
+ For the purposes of the calling algorithm, the user agent must
+ act as if there was a fatal network error and no resource was
+ obtained. If a CORS <a href=#resource-sharing-check>resource sharing check</a>
+ failed, the user agent may report a cross-origin resource
+ access failure to the user (e.g. in a debugging console).</p>
+
+ </dd>
+
+ <dt>If the CORS <a href=#cross-origin-request-status>cross-origin request status</a> is <i>success</i></dt>
+
+ <dd>
+
+ <p>Tbe <a href=#concept-task title=concept-task>tasks</a> from the
+ <a href=#fetch>fetch</a> algorithm are <a href=#queue-a-task title="queue a
+ task">queued</a> normally, and for the purposes of the
+ calling algorithm, the obtained resource is
+ <a href=#cors-same-origin>CORS-same-origin</a>.</p>
+
+ </dd>
+
+ </dl></li>
+
+ </ol></dd>
+
+ </dl><h3 id=common-dom-interfaces><span class=secno>2.8 </span>Common DOM interfaces</h3>
+
<h4 id=reflecting-content-attributes-in-idl-attributes><span class=secno>2.8.1 </span>Reflecting content attributes in IDL attributes</h4>
<p>Some IDL attributes are defined to <dfn id=reflect>reflect</dfn> a
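Review bot: the "No CORS" branch has no same-origin shortcut: every non-redirect response, including one from the document's own origin, goes through the resource sharing check with the credential flag set to true (the "Otherwise, perform a resource sharing check" paragraph), so a same-origin image served without an Access-Control-Allow-Origin header comes back as default, which is taint for img and fail for track. Add a step before that check that sets result to success when the response URL is same-origin with origin, and apply the same shortcut to the redirect target. The redirect paragraph also only covers "resumes" and "failed due to a failure of the CORS resource sharing check"; say what result becomes when the redirect steps fail for any other reason. Minor: "Tbe tasks" for "The tasks" in the taint and success branches.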
@@ -22170,32 +22334,19 @@
<p>If that is not successful, abort these steps.</p>
- <p>Otherwise, if the <code><a href=#the-img-element>img</a></code> element has a <code title=attr-img-cross-origin><a href=#attr-img-cross-origin>cross-origin</a></code> attribute, then
- perform a <a href=#cross-origin-request>cross-origin request</a>, with the <i>request
- URL</i> set to the resulting <a href=#absolute-url>absolute URL</a>, the
- <i>source origin</i> set to the <a href=#origin>origin</a> of the
+ <p>Otherwise, do a <a href=#potentially-cors-enabled-fetch>potentially CORS-enabled fetch</a> of
+ the resulting <a href=#absolute-url>absolute URL</a>, with the <i>mode</i>
+ being the state of the element's <code title=attr-img-cross-origin><a href=#attr-img-cross-origin>cross-origin</a></code> content
+ attribute, the <i><a href=#origin>origin</a></i> being the <a href=#origin>origin</a> of the
<code><a href=#the-img-element>img</a></code> element's <code><a href=#document>Document</a></code>, and the
- <i>credentials flag</i> set unless the <code title=attr-img-cross-origin><a href=#attr-img-cross-origin>cross-origin</a></code> attribute is in
- the <a href=#attr-cross-origin-anonymous title=attr-cross-origin-anonymous>Anonymous</a>
- state. Discard any data fetched in this way unless the
- <a href=#cross-origin-request-status>cross-origin request status</a> is set to <i>success</i>
- by the <a href=#cross-origin-request>cross-origin request</a> algorithm. If the
- <a href=#cross-origin-request-status>cross-origin request status</a> is set to <i>success</i>,
- then the element's image data's <a href=#origin>origin</a> is <a href=#concept-origin-forced-img title=concept-origin-forced-img>forced</a> to be the
- <code><a href=#the-img-element>img</a></code> element's <code><a href=#document>Document</a></code>'s
- <a href=#origin>origin</a>. <a href=#refsCORS>[CORS]</a></p> <!--
- http-origin CORS -->
+ <i>default origin behaviour</i> set to <i>taint</i>.</p>
- <p>Otherwise, <a href=#fetch>fetch</a> the resulting <a href=#absolute-url>absolute
- URL</a>. If the returned resource has an <code title=http-Access-Control-Allow-Origin>Access-Control-Allow-Origin</code>
- response header, and its value is the literal "<code title="">*</code>" character, then the element's image data's
- <a href=#origin>origin</a> is <a href=#concept-origin-forced-img title=concept-origin-forced-img>forced</a> to be the
- <code><a href=#the-img-element>img</a></code> element's <code><a href=#document>Document</a></code>'s
- <a href=#origin>origin</a>.</p> <!-- http-origin privacy sensitive -->
+ <p>The resource obtained in this fashion, if any, is the
+ <code><a href=#the-img-element>img</a></code> element's image data. It can be either
+ <a href=#cors-same-origin>CORS-same-origin</a> or <a href=#cors-cross-origin>CORS-cross-origin</a>;
+ this affects the <a href=#origin>origin</a> of the image itself (e.g.
+ when used on a <code><a href=#the-canvas-element>canvas</a></code>).</p>
- <p>The resouce obtained in this fashion is the <code><a href=#the-img-element>img</a></code>
- element's image data.</p>
-
<!-- same text in <input type=image> section and similar text
elsewhere --> <p>Fetching the image must <a href=#delay-the-load-event>delay the load
event</a> of the element's document until the <a href=#concept-task title=concept-task>task</a> that is <a href=#queue-a-task title="queue a
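Review bot: the removed paragraph let a plain fetch become same-origin when the response carried a literal Access-Control-Allow-Origin: *, whereas the replacement runs the resource sharing check with the credential flag set to true; confirm that a bare * still passes a credentialed check, otherwise image hosts that only send * lose the CORS-same-origin labelling they had, and that behaviour change belongs in the log. The new paragraph also drops the [CORS] reference and the http-origin tracking comments from this section; if those comments index Origin-header call sites, the only remaining one for images is now the comment inside the shared algorithm.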
@@ -27154,27 +27305,21 @@
<li>
- <p>If the <a href=#origin>origin</a> of <var title="">current media
- resource</var>'s <a href=#absolute-url>absolute URL</a> is not the <a href=#same-origin>same
- origin</a> as the <a href=#media-element>media element</a>'s
- <code><a href=#document>Document</a></code>'s <a href=#origin>origin</a>, and the <a href=#media-element>media
- element</a> has a <code title=attr-media-cross-origin><a href=#attr-media-cross-origin>cross-origin</a></code> attribute,
- then perform a <a href=#cross-origin-request>cross-origin request</a>, with the
- <i>request URL</i> set to <var title="">current media
- resource</var>'s <a href=#absolute-url>absolute URL</a>, the <i>source
- origin</i> set to the <a href=#origin>origin</a> of the <a href=#media-element>media
- element</a>'s <code><a href=#document>Document</a></code>, and the <i>credentials
- flag</i> set unless the <code title=attr-media-cross-origin><a href=#attr-media-cross-origin>cross-origin</a></code> attribute is
- in the <a href=#attr-cross-origin-anonymous title=attr-cross-origin-anonymous>Anonymous</a>
- state. Discard any data fetched in this way unless the
- <a href=#cross-origin-request-status>cross-origin request status</a> is set to <i>success</i>.
- <a href=#refsCORS>[CORS]</a></p> <!-- http-origin CORS -->
+ <p>Perform a <a href=#potentially-cors-enabled-fetch>potentially CORS-enabled fetch</a> of the
+ <var title="">current media resource</var>'s <a href=#absolute-url>absolute
+ URL</a>, with the <i>mode</i> being the state of the
+ <a href=#media-element>media element</a>'s <code title=attr-media-cross-origin><a href=#attr-media-cross-origin>cross-origin</a></code> content
+ attribute, the <i><a href=#origin>origin</a></i> being the <a href=#origin>origin</a> of the
+ <a href=#media-element>media element</a>'s <code><a href=#document>Document</a></code>, and the
+ <i>default origin behaviour</i> set to <i>taint</i>.</p>
- <p>Otherwise, <a href=#fetch>fetch</a> the <var title="">current media
- resource</var>, from the <a href=#media-element>media element</a>'s
- <code><a href=#document>Document</a></code>'s <a href=#origin>origin</a>, with the <i>force
- same-origin flag</i> set.</p> <!-- not http-origin privacy
- sensitive -->
+ <p>The resource obtained in this fashion, if any, contains the
+ <a href=#media-data>media data</a>. It can be <a href=#cors-same-origin>CORS-same-origin</a>
+ or <a href=#cors-cross-origin>CORS-cross-origin</a>; this affects whether subtitles
+ referenced in the <a href=#media-data>media data</a> are exposed in the API
+ and, for <code><a href=#the-video-element>video</a></code> elements, whether a
+ <code><a href=#the-canvas-element>canvas</a></code> gets tainted when the video is drawn on
+ it.</p>
<p>Every 350ms (±200ms) or for every byte received, whichever
is <em>least</em> frequent, <a href=#queue-a-task>queue a task</a> to
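Review bot: this loosens the no-attribute case from refusing cross-origin media (the removed fetch ran with the force same-origin flag set) to fetching it and labelling it CORS-cross-origin. The new paragraph relies on canvas being tainted when such a video is drawn, but nothing in this patch touches the canvas drawing rules; confirm that the origin-clean check there actually consults the media data origin defined in the origin hunk, and that audio is covered as well, since the CORS-cross-origin label applies to every media element.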
@@ -27565,11 +27710,15 @@
<dd>
- <p><a href=#queue-a-task>Queue a task</a> to run the <a href=#steps-to-expose-a-media-resource-specific-text-track>steps to expose a
- media-resource-specific text track</a> with the relevant
- data.</p>
+ <p>If the <a href=#media-data>media data</a> is
+ <a href=#cors-same-origin>CORS-same-origin</a>, <a href=#queue-a-task>queue a task</a> to run
+ the <a href=#steps-to-expose-a-media-resource-specific-text-track>steps to expose a media-resource-specific text
+ track</a> with the relevant data.</p>
- <!-- only allow this if the video is same-origin or CORS-protected -->
+ <p class=note>Cross-origin videos do not expose their
+ subtitles, since that would allow attacks such as hostile sites
+ reading subtitles from confidential videos on a user's
+ intranet.</p>
</dd>
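Review bot: the note says "Cross-origin videos do not expose their subtitles", but the condition is on the CORS-same-origin label, and a cross-origin video fetched with the cross-origin attribute that passes the check does expose them; say "CORS-cross-origin media" (the step applies to audio as well). The removed placeholder comment is now implemented, so nothing else is lost here.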
@@ -30690,27 +30839,17 @@
<p><i>Download</i>: At this point, the text track is downloaded.</p>
- <p>If <var title="">URL</var> is not the empty string, and its
- <a href=#origin>origin</a> is not the <a href=#same-origin>same origin</a> as the
- <a href=#media-element>media element</a>'s <code><a href=#document>Document</a></code>'s
- <a href=#origin>origin</a>, and the <a href=#media-element>media element</a> has a
- <code title=attr-media-cross-origin><a href=#attr-media-cross-origin>cross-origin</a></code>
- attribute, then perform a <a href=#cross-origin-request>cross-origin request</a>, with
- the <i>request URL</i> set to <var title="">URL</var>, the
- <i>source origin</i> set to the <a href=#origin>origin</a> of the
+ <p>If <var title="">URL</var> is not the empty string, perform a
+ <a href=#potentially-cors-enabled-fetch>potentially CORS-enabled fetch</a> of <var title="">URL</var>, with the <i>mode</i> being the state of the
+ <a href=#media-element>media element</a>'s <code title=attr-media-cross-origin><a href=#attr-media-cross-origin>cross-origin</a></code> content
+ attribute, the <i><a href=#origin>origin</a></i> being the <a href=#origin>origin</a> of the
<a href=#media-element>media element</a>'s <code><a href=#document>Document</a></code>, and the
- <i>credentials flag</i> set unless the <a href=#media-element>media
- element</a>'s <code title=attr-media-cross-origin><a href=#attr-media-cross-origin>cross-origin</a></code> attribute is
- in the <a href=#attr-cross-origin-anonymous title=attr-cross-origin-anonymous>Anonymous</a>
- state. Discard any data fetched in this way unless the
- <a href=#cross-origin-request-status>cross-origin request status</a> is set to <i>success</i>.
- <a href=#refsCORS>[CORS]</a></p> <!-- http-origin CORS -->
+ <i>default origin behaviour</i> set to <i>fail</i>.</p>
- <p>Otherwise, if <var title="">URL</var> is not the empty string,
- <a href=#fetch>fetch</a> <var title="">URL</var>, from the <a href=#media-element>media
- element</a>'s <code><a href=#document>Document</a></code>'s <a href=#origin>origin</a>, with
- the <i>force same-origin flag</i> set.</p> <!-- not http-origin
- privacy sensitive -->
+ <p>The resource obtained in this fashion, if any, contains the
+ text track data. If any data is obtained, it is by definition
+ <a href=#cors-same-origin>CORS-same-origin</a> (cross-origin resources that are not
+ suitably CORS-enabled do not get this far).</p>
<p>The <a href=#concept-task title=concept-task>tasks</a> <a href=#queue-a-task title="queue
a task">queued</a> by the <a href=#fetch title=fetch>fetching
@@ -30732,14 +30871,13 @@
<p>If the <a href=#fetch title=fetch>fetching algorithm</a> fails for
any reason (network error, the server returns an error code, a
- cross-origin check fails, etc), or if <var title="">URL</var> is
- the empty string or has the wrong <a href=#origin>origin</a> as
- determined by the condition at the start of this step, or if the
- fetched resource is not in a supported format, then <a href=#queue-a-task>queue a
- task</a> to first change the <a href=#text-track-readiness-state>text track readiness
- state</a> to <a href=#text-track-failed-to-load title="text track failed to load">failed to
- load</a> and then <a href=#fire-a-simple-event>fire a simple event</a> named <code title=event-error>error</code> at the <code><a href=#the-track-element>track</a></code>
- element; and then, once that <a href=#concept-task title=concept-task>task</a> is <a href=#queue-a-task title="queue a
+ cross-origin check fails, etc), if <var title="">URL</var> is the
+ empty string, or if the fetched resource is not in a supported
+ format, then <a href=#queue-a-task>queue a task</a> to first change the
+ <a href=#text-track-readiness-state>text track readiness state</a> to <a href=#text-track-failed-to-load title="text track
+ failed to load">failed to load</a> and then <a href=#fire-a-simple-event>fire a simple
+ event</a> named <code title=event-error>error</code> at the
+ <code><a href=#the-track-element>track</a></code> element; and then, once that <a href=#concept-task title=concept-task>task</a> is <a href=#queue-a-task title="queue a
task">queued</a>, move on to the step below labeled
<i>monitoring</i>.</p>
@@ -33805,10 +33943,20 @@
<hr><p>If a hostile page embeds victim content, the threat is that the
embedding page could obtain information from the content that it
- would not otherwise have access to. To avoid this, the API will not
- allow videos to be shown cross-origin unless the <code title=attr-media-cross-origin><a href=#attr-media-cross-origin>cross-origin</a></code> attribute is
- present and the remote server opts-in to cross-origin requsts. <a href=#refsCORS>[CORS]</a></p>
+ would not otherwise have access to. The API does expose some
+ information: the existence of the media, its type, its duration, its
+ size, and the performance characteristics of its host. Such
+ information is already potentially problematic, but in practice the
+ same information can more or less be obtained using the
+ <code><a href=#the-img-element>img</a></code> element, and so it has been deemed acceptable.</p>
+ <p>However, significantly more sensitive information could be
+ obtained if the user agent further exposes metadata within the
+ content such as subtitles or chapter titles. Such information is
+ therefore only exposed if the video resource passes a CORS
+ <a href=#resource-sharing-check>resource sharing check</a>. The <code title=attr-media-cross-origin><a href=#attr-media-cross-origin>cross-origin</a></code> attribute allows
+ authors to control how this check is performed. <a href=#refsCORS>[CORS]</a></p>
+
<p class=example>Without this restriction, an attacker could trick
a user running within a corporate network into visiting a site that
attempts to load a video from a previously leaked location on the
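Review bot: the restriction this section now describes is on subtitles and chapter metadata rather than on showing the video at all, so the example paragraph that follows, written for the old "will not allow videos to be shown cross-origin" rule, needs checking that it ends with the attacker reading exposed metadata and not the video itself. The sentence "only exposed if the video resource passes a CORS resource sharing check" is also where a same-origin video without CORS headers would be excluded under the new algorithm as written; reword it once the same-origin case is settled.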
@@ -61803,12 +61951,21 @@
<dd>
<dl class=switch><dt>If an image is the image of an <code><a href=#the-img-element>img</a></code> element and
- its image data has a <a href=#concept-origin-forced-img title=concept-origin-forced-img>forced origin</a></dt>
+ its image data is <a href=#cors-cross-origin>CORS-cross-origin</a></dt>
- <dd>The <a href=#origin>origin</a> is the image data's <dfn id=concept-origin-forced-img title=concept-origin-forced-img>forced origin</dfn>. (This
- occurs when the image was successfully obtained using CORS.)</dd>
+ <dd>The <a href=#origin>origin</a> is a globally unique identifier
+ assigned when the image is created.</dd>
+ <dt>If an image is the image of an <code><a href=#the-img-element>img</a></code> element and
+ its image data is <a href=#cors-same-origin>CORS-same-origin</a></dt>
+
+ <dd>The <a href=#origin>origin</a> is the <a href=#origin>origin</a> of the
+ <code><a href=#the-img-element>img</a></code> element's <code><a href=#document>Document</a></code>.</dd>
+
+
+<!-- does anything depend on the origin of an image other than from <img>? If not, we can cut out the remainder of this <dl>: -->
+
<dt>If an image was served over the network and has an address
that uses a URL scheme with a server-based naming authority</dt>
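Review bot: the new CORS-cross-origin and CORS-same-origin entries cover every img case, so the entries that follow ("served over the network", and so on) are unreachable for img; the added HTML comment asks exactly this and should be resolved or filed rather than left in the published source. The removed parenthetical "(This occurs when the image was successfully obtained using CORS.)" had explanatory value; a one-line note that CORS-same-origin covers same-origin images as well as CORS-approved ones would replace it.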
@@ -61847,22 +62004,32 @@
<dd>
- <p>The <a href=#origin>origin</a> is always the same as the
- <a href=#origin>origin</a> of the element's <code><a href=#document>Document</a></code>'s
- <a href=#origin>origin</a>, as <a href=#media-resource title="media resource">media
- resources</a> cannot be fetched cross-origin without the
- server's permission (using CORS).</p>
+ <dl class=switch><dt>If the <a href=#media-data>media data</a> is
+ <a href=#cors-cross-origin>CORS-cross-origin</a></dt>
- </dd>
+ <dd>The <a href=#origin>origin</a> is a globally unique identifier
+ assigned when the image is created.</dd>
+ <dt>If the <a href=#media-data>media data</a> is
+ <a href=#cors-same-origin>CORS-same-origin</a></dt>
+
+ <dd>The <a href=#origin>origin</a> is the <a href=#origin>origin</a> of the
+ <a href=#media-element>media element</a>'s <code><a href=#document>Document</a></code>.</dd>
+
+ </dl></dd>
+
+
<dt>For fonts</dt>
<dd>
<p>The <a href=#origin>origin</a> of a downloadable Web font is equal to
the <a href=#origin>origin</a> of the <a href=#absolute-url>absolute URL</a> used to
- obtain the font (after any redirects). <a href=#refsCSSFONTS>[CSSFONTS]</a></p>
+ obtain the font (after any redirects). <a href=#refsCSSFONTS>[CSSFONTS]</a></p> <!-- this means you can
+ get data from a remote site if you can make it redirect to your
+ own site in some fashion controlled by the data you want to read
+ -->
<p>The <a href=#origin>origin</a> of a locally installed system font is
equal to the <a href=#origin>origin</a> of the <code><a href=#document>Document</a></code> in
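Review bot: copy-paste error in the media entry: "assigned when the image is created" should refer to the media data (or the media element), not an image. The font paragraph is left on its old rule and only gains a comment about the redirect-to-your-own-site leak; since this patch introduces the redirect-aware CORS-enabled fetch, either route fonts through it or turn that comment into a tracked issue instead of a silent note.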
Modified: source
===================================================================
--- source 2011-05-20 20:12:52 UTC (rev 6143)
+++ source 2011-05-23 20:43:02 UTC (rev 6144)
@@ -2501,6 +2501,9 @@
<ul class="brief">
<li><dfn>cross-origin request</dfn>
<li><dfn>cross-origin request status</dfn>
+ <li><dfn>redirect steps</dfn>
+ <li><dfn>credential flag</dfn>
+ <li><dfn>resource sharing check</dfn>
</ul>
</dd>
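Review bot: the list defines "credential flag" (singular), which the No CORS branch uses, while the Anonymous/Use Credentials branch passes a "credentials flag" to the cross-origin request; confirm both are distinct CORS terms, otherwise pick one spelling so the cross-references resolve.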
@@ -6802,7 +6805,11 @@
<dd>
<p>Continue, using the fetched resource (the redirect) as the
- result of the algorithm.</p>
+ result of the algorithm. If the calling algorithm subsequently
+ requires the user agent to <dfn>transparently follow the
+ redirect</dfn>, then the user agent must resume this algorithm
+ from the <i>main step</i>, but using the target of the redirect
+ as the resource to fetch, rather than the original resource.</p>
</dd>
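Review bot: the CORS-enabled fetch asks to "transparently follow the redirect but with the manual redirect flag no longer set", but this definition only says to resume from the main step with the redirect target; it should state which of the original invocation's flags and origin carry over and that the caller may clear the manual redirect flag. It should also say what happens to tasks already queued for the redirect response itself.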
@@ -7080,8 +7087,201 @@
the <dfn title="attr-cross-origin-none">No CORS</dfn> state.</p>
+ <h4>CORS-enabled fetch</h4>
+ <p>When the user agent is required to perform a <dfn>potentially
+ CORS-enabled fetch</dfn> of an <span>absolute URL</span> <var
+ title="">URL</var>, with a mode <var title="">mode</var> that is
+ either "<span title="attr-cross-origin-none">No CORS</span>", "<span
+ title="attr-cross-origin-anonymous">Anonymous</span>", or "<span
+ title="attr-cross-origin-use-credentials">Use Credentials</span>",
+ an <span>origin</span> <var title="">origin</var>, and a default
+ origin behaviour <var title="">default</var> which is either
+ "<i>taint</i>" or "<i>fail</i>", it must run the first applicable
+ set of steps from the following list. The default origin behaviour
+ is only used if <var title="">mode</var> is "<span
+ title="attr-cross-origin-none">No CORS</span>". This algorithm wraps
+ the <span>fetch</span> algorithm above, and labels the obtained
+ resource as either <dfn>CORS-same-origin</dfn> or
+ <dfn>CORS-cross-origin</dfn>, or blocks the resource entirely.</p>
+ <dl class="switch">
+
+ <dt>If <var title="">mode</var> is "<span
+ title="attr-cross-origin-none">No CORS</span>"</dt>
+
+ <dd>
+
+ <p>Run these substeps:</p>
+
+ <ol>
+
+ <li><p>Let <var title="">result</var> have no value.</p></li>
+
+ <li><p><span>Fetch</span> <var title="">URL</var>, with the
+ <i>manual redirect flag</i> set.</li> <!-- http-origin privacy
+ sensitive -->
+
+ <li><p><i>Loop</i>: Wait for the <span>fetch</span> algorithm
+ to know if the result is a redirect or not.</p></li>
+
+ <li>
+
+ <p>If the result of the <span>fetch</span> is a redirect, and
+ <var title="">result</var> still has no value, then apply the
+ CORS <span>redirect steps</span>, with the CORS
+ <span>credential flag</span> set to true and the <i>request
+ rules</i> being that the user agent continue to follow these
+ steps. If this resumes the <span>fetch</span> algorithm, then
+ return to the <i>loop</i> step. If it failed due to a failure
+ of the CORS <span>resource sharing check</span>, then: if <var
+ title="">default</var> is <i>fail</i>, then set <var
+ title="">result</var> to <i>fail</i> and jump to the step
+ labeled <i>end</i>; if <var title="">default</var> is
+ <i>taint</i>, then set <var title="">result</var> to
+ <i>taint</i>, <span>transparently follow the redirect</span>
+ but with the <i>manual redirect flag</i> no longer set, and
+ jump to the step labeled <i>end</i> below.</p>
+
+ <p>Otherwise, if the resource is not available (e.g. there is
+ a network error) then set <var title="">result</var> to the
+ same value as <var title="">default</var>, and jump to the
+ step labeled <i>end</i> below.</p>
+
+ <p>Otherwise, perform a <span>resource sharing check</span>,
+ with the CORS <span>credential flag</span> set to true. If it
+ returns fail, then set <var title="">result</var> to the same
+ value as <var title="">default</var>; otherwise, set <var
+ title="">result</var> to <i>success</i>. Then, jump to the
+ step labeled <i>end</i> below.</p>
+
+ </li>
+
+ <li>
+
+ <p><i>End</i>: Jump to the appropriate step from the following
+ list:</p>
+
+ <dl class="switch">
+
+ <dt>If <var title="">result</var> is <i>fail</i></dt>
+
+ <dd>
+
+ <p>Discard all fetched data and prevent any <span
+ title="concept-task">tasks</span> from the <span>fetch</span>
+ algorithm from being <span title="queue a task">queued</span>.
+ For the purposes of the calling algorithm, the user agent must
+ act as if there was a fatal network error and no resource was
+ obtained. The user agent may report a cross-origin resource
+ access failure to the user (e.g. in a debugging console).</p>
+
+ </dd>
+
+ <dt>If <var title="">result</var> is <i>taint</i></dt>
+
+ <dd>
+
+ <p>Tbe <span title="concept-task">tasks</span> from the
+ <span>fetch</span> algorithm are <span title="queue a
+ task">queued</span> normally, but for the purposes of the
+ calling algorithm, the obtained resource is
+ <span>CORS-cross-origin</span>. The user agent may report a
+ cross-origin resource access failure to the user (e.g. in a
+ debugging console).</p>
+
+ </dd>
+
+ <dt>If <var title="">result</var> is <i>success</i></dt>
+
+ <dd>
+
+ <p>Tbe <span title="concept-task">tasks</span> from the
+ <span>fetch</span> algorithm are <span title="queue a
+ task">queued</span> normally, and for the purposes of the
+ calling algorithm, the obtained resource is
+ <span>CORS-same-origin</span>.</p>
+
+ </dd>
+
+ </dl>
+
+ </li>
+
+ </ol>
+
+ </dd>
+
+
+ <dt>If <var title="">mode</var> is "<span
+ title="attr-cross-origin-anonymous">Anonymous</span>" or "<span
+ title="attr-cross-origin-use-credentials">Use
+ Credentials</span>"</dt>
+
+ <dd>
+
+ <p>Run these steps:</p>
+
+ <ol>
+
+ <li><p>Perform a <span>cross-origin request</span> with the
+ <i>request URL</i> set to <var title="">URL</var>, the
+ <i>source origin</i> set to <var title="">origin</var>, and the
+ <i>credentials flag</i> set to true if <var title="">mode</var>
+ is "<span title="attr-cross-origin-use-credentials">Use
+ Credentials</span>" and set to false otherwise. <a
+ href="#refsCORS">[CORS]</a></p></li>
+
+ <li><p>Wait for the CORS <span>cross-origin request status</span>
+ to have a value.</p></li>
+
+ <li>
+
+ <p>Jump to the appropriate step from the following list:</p>
+
+ <dl class="switch">
+
+ <dt>If the CORS <span>cross-origin request status</span> is not <i>success</i></dt>
+
+ <dd>
+
+ <p>Discard all fetched data and prevent any <span
+ title="concept-task">tasks</span> from the <span>fetch</span>
+ algorithm from being <span title="queue a task">queued</span>.
+ For the purposes of the calling algorithm, the user agent must
+ act as if there was a fatal network error and no resource was
+ obtained. If a CORS <span>resource sharing check</span>
+ failed, the user agent may report a cross-origin resource
+ access failure to the user (e.g. in a debugging console).</p>
+
+ </dd>
+
+ <dt>If the CORS <span>cross-origin request status</span> is <i>success</i></dt>
+
+ <dd>
+
+ <p>Tbe <span title="concept-task">tasks</span> from the
+ <span>fetch</span> algorithm are <span title="queue a
+ task">queued</span> normally, and for the purposes of the
+ calling algorithm, the obtained resource is
+ <span>CORS-same-origin</span>.</p>
+
+ </dd>
+
+ </dl>
+
+ </li>
+
+ </ol>
+
+ </dd>
+
+ </dl>
+
+
+
+
+
<h3>Common DOM interfaces</h3>
<h4>Reflecting content attributes in IDL attributes</h4>
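Review bot: same algorithm as the complete.html copy, so the same-origin gap applies here: the No CORS branch runs the resource sharing check on every non-redirect response with no shortcut for same-origin URLs, and the redirect paragraph only handles resume and resource-sharing-check failure. Source-only nits: the second list item ends with "</li>" without the "</p>" that the neighbouring items close, "Tbe tasks" appears three times, and five blank "+" lines are added before the Common DOM interfaces heading.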
@@ -23868,38 +24068,20 @@
<p>If that is not successful, abort these steps.</p>
- <p>Otherwise, if the <code>img</code> element has a <code
- title="attr-img-cross-origin">cross-origin</code> attribute, then
- perform a <span>cross-origin request</span>, with the <i>request
- URL</i> set to the resulting <span>absolute URL</span>, the
- <i>source origin</i> set to the <span>origin</span> of the
+ <p>Otherwise, do a <span>potentially CORS-enabled fetch</span> of
+ the resulting <span>absolute URL</span>, with the <i>mode</i>
+ being the state of the element's <code
+ title="attr-img-cross-origin">cross-origin</code> content
+ attribute, the <i>origin</i> being the <span>origin</span> of the
<code>img</code> element's <code>Document</code>, and the
- <i>credentials flag</i> set unless the <code
- title="attr-img-cross-origin">cross-origin</code> attribute is in
- the <span title="attr-cross-origin-anonymous">Anonymous</span>
- state. Discard any data fetched in this way unless the
- <span>cross-origin request status</span> is set to <i>success</i>
- by the <span>cross-origin request</span> algorithm. If the
- <span>cross-origin request status</span> is set to <i>success</i>,
- then the element's image data's <span>origin</span> is <span
- title="concept-origin-forced-img">forced</span> to be the
- <code>img</code> element's <code>Document</code>'s
- <span>origin</span>. <a href="#refsCORS">[CORS]</a></p> <!--
- http-origin CORS -->
+ <i>default origin behaviour</i> set to <i>taint</i>.</p>
- <p>Otherwise, <span>fetch</span> the resulting <span>absolute
- URL</span>. If the returned resource has an <code
- title="http-Access-Control-Allow-Origin">Access-Control-Allow-Origin</code>
- response header, and its value is the literal "<code
- title="">*</code>" character, then the element's image data's
- <span>origin</span> is <span
- title="concept-origin-forced-img">forced</span> to be the
- <code>img</code> element's <code>Document</code>'s
- <span>origin</span>.</p> <!-- http-origin privacy sensitive -->
+ <p>The resource obtained in this fashion, if any, is the
+ <code>img</code> element's image data. It can be either
+ <span>CORS-same-origin</span> or <span>CORS-cross-origin</span>;
+ this affects the <span>origin</span> of the image itself (e.g.
+ when used on a <code>canvas</code>).</p>
- <p>The resouce obtained in this fashion is the <code>img</code>
- element's image data.</p>
-
<!-- same text in <input type=image> section and similar text
elsewhere --> <p>Fetching the image must <span>delay the load
event</span> of the element's document until the <span
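Review bot: the [CORS] reference and the "http-origin" tracking comments disappear from the img section with this rewrite; if the tracking comments are what the Origin-header audit greps for, the img fetch is now represented only by the comment inside the shared algorithm. Same question as for the rendered copy: a bare Access-Control-Allow-Origin: * used to be enough here, and the replacement check runs with the credential flag set.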
@@ -29485,29 +29667,22 @@
<li>
- <p>If the <span>origin</span> of <var title="">current media
- resource</var>'s <span>absolute URL</span> is not the <span>same
- origin</span> as the <span>media element</span>'s
- <code>Document</code>'s <span>origin</span>, and the <span>media
- element</span> has a <code
- title="attr-media-cross-origin">cross-origin</code> attribute,
- then perform a <span>cross-origin request</span>, with the
- <i>request URL</i> set to <var title="">current media
- resource</var>'s <span>absolute URL</span>, the <i>source
- origin</i> set to the <span>origin</span> of the <span>media
- element</span>'s <code>Document</code>, and the <i>credentials
- flag</i> set unless the <code
- title="attr-media-cross-origin">cross-origin</code> attribute is
- in the <span title="attr-cross-origin-anonymous">Anonymous</span>
- state. Discard any data fetched in this way unless the
- <span>cross-origin request status</span> is set to <i>success</i>.
- <a href="#refsCORS">[CORS]</a></p> <!-- http-origin CORS -->
+ <p>Perform a <span>potentially CORS-enabled fetch</span> of the
+ <var title="">current media resource</var>'s <span>absolute
+ URL</span>, with the <i>mode</i> being the state of the
+ <span>media element</span>'s <code
+ title="attr-media-cross-origin">cross-origin</code> content
+ attribute, the <i>origin</i> being the <span>origin</span> of the
+ <span>media element</span>'s <code>Document</code>, and the
+ <i>default origin behaviour</i> set to <i>taint</i>.</p>
- <p>Otherwise, <span>fetch</span> the <var title="">current media
- resource</var>, from the <span>media element</span>'s
- <code>Document</code>'s <span>origin</span>, with the <i>force
- same-origin flag</i> set.</p> <!-- not http-origin privacy
- sensitive -->
+ <p>The resource obtained in this fashion, if any, contains the
+ <span>media data</span>. It can be <span>CORS-same-origin</span>
+ or <span>CORS-cross-origin</span>; this affects whether subtitles
+ referenced in the <span>media data</span> are exposed in the API
+ and, for <code>video</code> elements, whether a
+ <code>canvas</code> gets tainted when the video is drawn on
+ it.</p>
<p>Every 350ms (±200ms) or for every byte received, whichever
is <em>least</em> frequent, <span>queue a task</span> to
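Review bot: The new paragraph defines the <i>mode</i> as "the state of the media element's cross-origin content attribute", but an absent attribute has no state unless the attribute's definition (not in this hunk) gives a missing-value default; please confirm that default exists and that "potentially CORS-enabled fetch" accepts it as a mode, otherwise the common no-attribute case is unspecified. The removed text also made the discard rule explicit ("Discard any data fetched in this way unless the cross-origin request status is set to success"); the replacement relies entirely on the <i>taint</i> behaviour of the new fetch algorithm, so the sentence "It can be CORS-same-origin or CORS-cross-origin" would read more clearly if it said which outcome the absent-attribute case produces.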
@@ -29974,11 +30149,15 @@
<dd>
- <p><span>Queue a task</span> to run the <span>steps to expose a
- media-resource-specific text track</span> with the relevant
- data.</p>
+ <p>If the <span>media data</span> is
+ <span>CORS-same-origin</span>, <span>queue a task</span> to run
+ the <span>steps to expose a media-resource-specific text
+ track</span> with the relevant data.</p>
- <!-- only allow this if the video is same-origin or CORS-protected -->
+ <p class="note">Cross-origin videos do not expose their
+ subtitles, since that would allow attacks such as hostile sites
+ reading subtitles from confidential videos on a user's
+ intranet.</p>
</dd>
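Review bot: The new note's wording, "Cross-origin videos do not expose their subtitles", contradicts the normative condition directly above it, which exposes subtitles whenever the media data is CORS-same-origin, a state a cross-origin video reaches by passing the CORS check. Suggest "Videos whose media data is CORS-cross-origin do not expose their subtitles" so the note and the condition agree and readers do not conclude that the cross-origin attribute has no effect on subtitle exposure.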
@@ -33595,28 +33774,19 @@
<p><i>Download</i>: At this point, the text track is downloaded.</p>
- <p>If <var title="">URL</var> is not the empty string, and its
- <span>origin</span> is not the <span>same origin</span> as the
- <span>media element</span>'s <code>Document</code>'s
- <span>origin</span>, and the <span>media element</span> has a
- <code title="attr-media-cross-origin">cross-origin</code>
- attribute, then perform a <span>cross-origin request</span>, with
- the <i>request URL</i> set to <var title="">URL</var>, the
- <i>source origin</i> set to the <span>origin</span> of the
+ <p>If <var title="">URL</var> is not the empty string, perform a
+ <span>potentially CORS-enabled fetch</span> of <var
+ title="">URL</var>, with the <i>mode</i> being the state of the
+ <span>media element</span>'s <code
+ title="attr-media-cross-origin">cross-origin</code> content
+ attribute, the <i>origin</i> being the <span>origin</span> of the
<span>media element</span>'s <code>Document</code>, and the
- <i>credentials flag</i> set unless the <span>media
- element</span>'s <code
- title="attr-media-cross-origin">cross-origin</code> attribute is
- in the <span title="attr-cross-origin-anonymous">Anonymous</span>
- state. Discard any data fetched in this way unless the
- <span>cross-origin request status</span> is set to <i>success</i>.
- <a href="#refsCORS">[CORS]</a></p> <!-- http-origin CORS -->
+ <i>default origin behaviour</i> set to <i>fail</i>.</p>
- <p>Otherwise, if <var title="">URL</var> is not the empty string,
- <span>fetch</span> <var title="">URL</var>, from the <span>media
- element</span>'s <code>Document</code>'s <span>origin</span>, with
- the <i>force same-origin flag</i> set.</p> <!-- not http-origin
- privacy sensitive -->
+ <p>The resource obtained in this fashion, if any, contains the
+ text track data. If any data is obtained, it is by definition
+ <span>CORS-same-origin</span> (cross-origin resources that are not
+ suitably CORS-enabled do not get this far).</p>
<p>The <span title="concept-task">tasks</span> <span title="queue
a task">queued</span> by the <span title="fetch">fetching
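queued</span>">
Review bot: The replaced same-origin branch fetched with the <i>force same-origin flag</i> set, which made a redirect to another origin fail; the new single step inherits that behaviour only if "potentially CORS-enabled fetch" with <i>default origin behaviour</i> <i>fail</i> treats a redirect off the document's origin as a failure. Please confirm the 2.7.6 definition covers redirects, or the redirect case the removed flag handled is silently lost for track resources. Minor: the [CORS] citation the removed paragraph carried is gone from this step; if the fetch definition carries it, fine, otherwise re-add it here.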
@@ -33640,15 +33810,13 @@
<p>If the <span title="fetch">fetching algorithm</span> fails for
any reason (network error, the server returns an error code, a
- cross-origin check fails, etc), or if <var title="">URL</var> is
- the empty string or has the wrong <span>origin</span> as
- determined by the condition at the start of this step, or if the
- fetched resource is not in a supported format, then <span>queue a
- task</span> to first change the <span>text track readiness
- state</span> to <span title="text track failed to load">failed to
- load</span> and then <span>fire a simple event</span> named <code
- title="event-error">error</code> at the <code>track</code>
- element; and then, once that <span
+ cross-origin check fails, etc), if <var title="">URL</var> is the
+ empty string, or if the fetched resource is not in a supported
+ format, then <span>queue a task</span> to first change the
+ <span>text track readiness state</span> to <span title="text track
+ failed to load">failed to load</span> and then <span>fire a simple
+ event</span> named <code title="event-error">error</code> at the
+ <code>track</code> element; and then, once that <span
title="concept-task">task</span> is <span title="queue a
task">queued</span>, move on to the step below labeled
<i>monitoring</i>.</p>
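Review bot: The removed clause "or has the wrong origin as determined by the condition at the start of this step" is now folded into "the fetching algorithm fails ... a cross-origin check fails", which is correct only because the previous hunk sets <i>default origin behaviour</i> to <i>fail</i>; a short cross-reference here (for example "including a fetch that would yield CORS-cross-origin data, see above") would keep the failure list self-explanatory. Also "etc)" should be "etc.)", and "cross-origin check" could use the same term as the rest of the commit ("resource sharing check") for consistency.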
@@ -37301,10 +37469,20 @@
<p>If a hostile page embeds victim content, the threat is that the
embedding page could obtain information from the content that it
- would not otherwise have access to. To avoid this, the API will not
- allow videos to be shown cross-origin unless the <code
- title="attr-media-cross-origin">cross-origin</code> attribute is
- present and the remote server opts-in to cross-origin requsts. <a
+ would not otherwise have access to. The API does expose some
+ information: the existence of the media, its type, its duration, its
+ size, and the performance characteristics of its host. Such
+ information is already potentially problematic, but in practice the
+ same information can more or less be obtained using the
+ <code>img</code> element, and so it has been deemed acceptable.</p>
+
+ <p>However, significantly more sensitive information could be
+ obtained if the user agent further exposes metadata within the
+ content such as subtitles or chapter titles. Such information is
+ therefore only exposed if the video resource passes a CORS
+ <span>resource sharing check</span>. The <code
+ title="attr-media-cross-origin">cross-origin</code> attribute allows
+ authors to control how this check is performed. <a
href="#refsCORS">[CORS]</a></p>
<p class="example">Without this restriction, an attacker could trick
@@ -70393,14 +70571,21 @@
<dl class="switch">
<dt>If an image is the image of an <code>img</code> element and
- its image data has a <span
- title="concept-origin-forced-img">forced origin</span></dt>
+ its image data is <span>CORS-cross-origin</span></dt>
- <dd>The <span>origin</span> is the image data's <dfn
- title="concept-origin-forced-img">forced origin</dfn>. (This
- occurs when the image was successfully obtained using CORS.)</dd>
+ <dd>The <span>origin</span> is a globally unique identifier
+ assigned when the image is created.</dd>
+ <dt>If an image is the image of an <code>img</code> element and
+ its image data is <span>CORS-same-origin</span></dt>
+
+ <dd>The <span>origin</span> is the <span>origin</span> of the
+ <code>img</code> element's <code>Document</code>.</dd>
+
+
+<!-- does anything depend on the origin of an image other than from <img>? If not, we can cut out the remainder of this <dl>: -->
+
<dt>If an image was served over the network and has an address
that uses a URL scheme with a server-based naming authority</dt>
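Review bot: Removing the <code>&lt;dfn title="concept-origin-forced-img"&gt;</code> definition will leave any remaining <code>&lt;span title="concept-origin-forced-img"&gt;</code> references elsewhere in the document dangling; please grep for the term before landing. The inline "<!-- does anything depend on the origin of an image other than from <img>? ... -->" comment is an unresolved question left in the source; resolve it in this commit or track it separately rather than shipping it. In the CORS-cross-origin branch, "assigned when the image is created" would be clearer if it said the identifier is unique per image (not shared between images of the same URL), which rules out any reading under which two tainted images compare as same-origin.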
@@ -70443,12 +70628,23 @@
<dd>
- <p>The <span>origin</span> is always the same as the
- <span>origin</span> of the element's <code>Document</code>'s
- <span>origin</span>, as <span title="media resource">media
- resources</span> cannot be fetched cross-origin without the
- server's permission (using CORS).</p>
+ <dl class="switch">
+ <dt>If the <span>media data</span> is
+ <span>CORS-cross-origin</span></dt>
+
+ <dd>The <span>origin</span> is a globally unique identifier
+ assigned when the image is created.</dd>
+
+
+ <dt>If the <span>media data</span> is
+ <span>CORS-same-origin</span></dt>
+
+ <dd>The <span>origin</span> is the <span>origin</span> of the
+ <span>media element</span>'s <code>Document</code>.</dd>
+
+ </dl>
+
</dd>
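Review bot: In the new media-data switch, the CORS-cross-origin branch says the identifier is "assigned when the image is created", which is copied from the img case above; this is a media element, so it should say when the media resource (or the media element) is created. Dropping the old rationale that media resources "cannot be fetched cross-origin without the server's permission" is right now that media can be fetched tainted, but the old rule was unconditional and the new switch has only two branches; if media data can be in neither state (before any resource is obtained), the dl needs a default branch or the Document's origin should remain the fallback.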
@@ -70459,7 +70655,10 @@
<p>The <span>origin</span> of a downloadable Web font is equal to
the <span>origin</span> of the <span>absolute URL</span> used to
obtain the font (after any redirects). <a
- href="#refsCSSFONTS">[CSSFONTS]</a></p>
+ href="#refsCSSFONTS">[CSSFONTS]</a></p> <!-- this means you can
+ get data from a remote site if you can make it redirect to your
+ own site in some fashion controlled by the data you want to read
+ -->
<p>The <span>origin</span> of a locally installed system font is
equal to the <span>origin</span> of the <code>Document</code> in
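Review bot: The added HTML comment ("this means you can get data from a remote site if you can make it redirect to your own site ...") records a data-leak concern about taking the font's origin after redirects, but leaves the normative text unchanged, so the concern is invisible to implementers reading the rendered spec. Either open a tracked issue for it or change the text, for example by mirroring the CORS-same-origin / CORS-cross-origin treatment this commit gives media, where a tainted resource gets a unique identifier rather than the final URL's origin; a source-only comment is not a fix.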