[html5] r7341 - [giow] (3) Attempt to actually define what Referer headers are used for a whole [...]
whatwg at whatwg.org
whatwg at whatwg.org
Wed Sep 12 16:14:46 PDT 2012
Author: ianh
Date: 2012-09-12 16:14:45 -0700 (Wed, 12 Sep 2012)
New Revision: 7341
Modified:
complete.html
index
source
Log:
[giow] (3) Attempt to actually define what Referer headers are used for a whole host of things that were poorly defined. Also: cleanup of a bunch of editorial mistakes I found from past such attempts. Mark every fetch algorithm use for sanity in the future. Block data:, javascript:, and about:blank referrers. Note: This relies on not-yet-done changes to CORS and XHR.
Affected topics: DOM APIs, HTML, Offline Web Applications, Server-Sent Events, Video Text Tracks, Video and Audio, Web Workers
Modified: complete.html
===================================================================
--- complete.html 2012-09-12 07:21:58 UTC (rev 7340)
+++ complete.html 2012-09-12 23:14:45 UTC (rev 7341)
@@ -365,12 +365,13 @@
<li><a href=#interfaces-for-url-manipulation><span class=secno>2.6.7 </span>Interfaces for URL manipulation</a></ol></li>
<li><a href=#fetching-resources><span class=secno>2.7 </span>Fetching resources</a>
<ol>
- <li><a href=#concept-http-equivalent><span class=secno>2.7.1 </span>Protocol concepts</a></li>
- <li><a href=#encrypted-http-and-related-security-concerns><span class=secno>2.7.2 </span>Encrypted HTTP and related security concerns</a></li>
- <li><a href=#content-type-sniffing><span class=secno>2.7.3 </span>Determining the type of a resource</a></li>
- <li><a href=#extracting-encodings-from-meta-elements><span class=secno>2.7.4 </span>Extracting encodings from <code>meta</code> elements</a></li>
- <li><a href=#cors-settings-attributes><span class=secno>2.7.5 </span>CORS settings attributes</a></li>
- <li><a href=#cors-enabled-fetch><span class=secno>2.7.6 </span>CORS-enabled fetch</a></ol></li>
+ <li><a href=#terminology-1><span class=secno>2.7.1 </span>Terminology</a></li>
+ <li><a href=#processing-model><span class=secno>2.7.2 </span>Processing model</a></li>
+ <li><a href=#encrypted-http-and-related-security-concerns><span class=secno>2.7.3 </span>Encrypted HTTP and related security concerns</a></li>
+ <li><a href=#content-type-sniffing><span class=secno>2.7.4 </span>Determining the type of a resource</a></li>
+ <li><a href=#extracting-encodings-from-meta-elements><span class=secno>2.7.5 </span>Extracting encodings from <code>meta</code> elements</a></li>
+ <li><a href=#cors-settings-attributes><span class=secno>2.7.6 </span>CORS settings attributes</a></li>
+ <li><a href=#cors-enabled-fetch><span class=secno>2.7.7 </span>CORS-enabled fetch</a></ol></li>
<li><a href=#common-dom-interfaces><span class=secno>2.8 </span>Common DOM interfaces</a>
<ol>
<li><a href=#reflecting-content-attributes-in-idl-attributes><span class=secno>2.8.1 </span>Reflecting content attributes in IDL attributes</a></li>
@@ -635,7 +636,7 @@
<li><a href=#image-maps><span class=secno>4.8.14 </span>Image maps</a>
<ol>
<li><a href=#authoring><span class=secno>4.8.14.1 </span>Authoring</a></li>
- <li><a href=#processing-model><span class=secno>4.8.14.2 </span>Processing model</a></ol></li>
+ <li><a href=#processing-model-0><span class=secno>4.8.14.2 </span>Processing model</a></ol></li>
<li><a href=#mathml><span class=secno>4.8.15 </span>MathML</a></li>
<li><a href=#svg-0><span class=secno>4.8.16 </span>SVG</a></li>
<li><a href=#dimension-attributes><span class=secno>4.8.17 </span>Dimension attributes</a></ol></li>
@@ -655,7 +656,7 @@
<li><a href=#the-td-element><span class=secno>4.9.9 </span>The <code>td</code> element</a></li>
<li><a href=#the-th-element><span class=secno>4.9.10 </span>The <code>th</code> element</a></li>
<li><a href=#attributes-common-to-td-and-th-elements><span class=secno>4.9.11 </span>Attributes common to <code>td</code> and <code>th</code> elements</a></li>
- <li><a href=#processing-model-0><span class=secno>4.9.12 </span>Processing model</a>
+ <li><a href=#processing-model-1><span class=secno>4.9.12 </span>Processing model</a>
<ol>
<li><a href=#forming-a-table><span class=secno>4.9.12.1 </span>Forming a table</a></li>
<li><a href=#header-and-data-cell-semantics><span class=secno>4.9.12.2 </span>Forming relationships between data cells and header cells</a></ol></li>
@@ -936,7 +937,7 @@
<ol>
<li><a href=#introduction-6><span class=secno>7.1.1 </span>Introduction</a></li>
<li><a href=#enabling-and-disabling-scripting><span class=secno>7.1.2 </span>Enabling and disabling scripting</a></li>
- <li><a href=#processing-model-1><span class=secno>7.1.3 </span>Processing model</a>
+ <li><a href=#processing-model-2><span class=secno>7.1.3 </span>Processing model</a>
<ol>
<li><a href=#definitions-0><span class=secno>7.1.3.1 </span>Definitions</a></li>
<li><a href=#calling-scripts><span class=secno>7.1.3.2 </span>Calling scripts</a></li>
@@ -948,7 +949,7 @@
<li><a href=#event-loops><span class=secno>7.1.4 </span>Event loops</a>
<ol>
<li><a href=#definitions-1><span class=secno>7.1.4.1 </span>Definitions</a></li>
- <li><a href=#processing-model-2><span class=secno>7.1.4.2 </span>Processing model</a></li>
+ <li><a href=#processing-model-3><span class=secno>7.1.4.2 </span>Processing model</a></li>
<li><a href=#generic-task-sources><span class=secno>7.1.4.3 </span>Generic task sources</a></ol></li>
<li><a href=#javascript-protocol><span class=secno>7.1.5 </span>The <code title="">javascript:</code> URL scheme</a></li>
<li><a href=#events><span class=secno>7.1.6 </span>Events</a>
@@ -991,7 +992,7 @@
<ol>
<li><a href=#introduction-7><span class=secno>8.5.1 </span>Introduction</a></li>
<li><a href=#the-accesskey-attribute><span class=secno>8.5.2 </span>The <code>accesskey</code> attribute</a></li>
- <li><a href=#processing-model-3><span class=secno>8.5.3 </span>Processing model</a></ol></li>
+ <li><a href=#processing-model-4><span class=secno>8.5.3 </span>Processing model</a></ol></li>
<li><a href=#editing-0><span class=secno>8.6 </span>Editing</a>
<ol>
<li><a href=#contenteditable><span class=secno>8.6.1 </span>Making document regions editable: The <code title=attr-contenteditable>contenteditable</code> content
@@ -1040,7 +1041,7 @@
<li><a href=#shared-workers-and-the-sharedworkerglobalscope-interface><span class=secno>9.2.1.3 </span>Shared workers and the <code>SharedWorkerGlobalScope</code> interface</a></ol></li>
<li><a href=#the-event-loop><span class=secno>9.2.2 </span>The event loop</a></li>
<li><a href="#the-worker's-lifetime"><span class=secno>9.2.3 </span>The worker's lifetime</a></li>
- <li><a href=#processing-model-4><span class=secno>9.2.4 </span>Processing model</a></li>
+ <li><a href=#processing-model-5><span class=secno>9.2.4 </span>Processing model</a></li>
<li><a href=#runtime-script-errors-0><span class=secno>9.2.5 </span>Runtime script errors</a></li>
<li><a href=#creating-workers><span class=secno>9.2.6 </span>Creating workers</a>
<ol>
@@ -1060,7 +1061,7 @@
<ol>
<li><a href=#server-sent-events-intro><span class=secno>10.2.1 </span>Introduction</a></li>
<li><a href=#the-eventsource-interface><span class=secno>10.2.2 </span>The <code>EventSource</code> interface</a></li>
- <li><a href=#processing-model-5><span class=secno>10.2.3 </span>Processing model</a></li>
+ <li><a href=#processing-model-6><span class=secno>10.2.3 </span>Processing model</a></li>
<li><a href=#parsing-an-event-stream><span class=secno>10.2.4 </span>Parsing an event stream</a></li>
<li><a href=#event-stream-interpretation><span class=secno>10.2.5 </span>Interpreting an event stream</a></li>
<li><a href=#notes><span class=secno>10.2.6 </span>Notes</a></li>
@@ -4248,9 +4249,10 @@
<p>This specification references the XMLHttpRequest specification
to define how the two specifications interact. The terms
<dfn id=document-response-entity-body>document response entity body</dfn>,
- <dfn id=xmlhttprequest-base-url><code>XMLHttpRequest</code> base URL</dfn>, and
- <dfn id=xmlhttprequest-origin><code>XMLHttpRequest</code> origin</dfn> are defined in that
- specification. <a href=#refsXHR>[XHR]</a></p>
+ <dfn id=xmlhttprequest-base-url><code>XMLHttpRequest</code> base URL</dfn>,
+ <dfn id=xmlhttprequest-origin><code>XMLHttpRequest</code> origin</dfn>, and
+ <dfn id=xmlhttprequest-referrer-source><code>XMLHttpRequest</code> referrer source</dfn> are defined
+ in that specification. <a href=#refsXHR>[XHR]</a></p>
</dd>
@@ -8308,8 +8310,38 @@
<h3 id=fetching-resources><span class=secno>2.7 </span>Fetching resources</h3>
- <p>When a user agent is to <dfn id=fetch>fetch</dfn> a resource or
- <a href=#url>URL</a>, optionally from an origin <i title="">origin</i>,
+ <h4 id=terminology-1><span class=secno>2.7.1 </span>Terminology</h4>
+
+ <p id=concept-http-equivalent>User agents can implement a variety
+ of transfer protocols, but this specification mostly defines
+ behavior in terms of HTTP. <a href=#refsHTTP>[HTTP]</a></p>
+
+ <p>The <dfn id=concept-http-equivalent-get title=concept-http-equivalent-get>HTTP GET
+ method</dfn> is equivalent to the default retrieval action of the
+ protocol. For example, RETR in FTP. Such actions are idempotent and
+ safe, in HTTP terms.</p>
+
+ <p>The <dfn id=concept-http-equivalent-codes title=concept-http-equivalent-codes>HTTP response
+ codes</dfn> are equivalent to statuses in other protocols that have
+ the same basic meanings. For example, a "file not found" error is
+ equivalent to a 404 code, a server error is equivalent to a 5xx
+ code, and so on.</p>
+
+ <p>The <dfn id=concept-http-equivalent-headers title=concept-http-equivalent-headers>HTTP
+ headers</dfn> are equivalent to fields in other protocols that have
+ the same basic meaning. For example, the HTTP authentication
+ headers are equivalent to the authentication aspects of the FTP
+ protocol.</p>
+
+ <hr><p>A <dfn id=referrer-source>referrer source</dfn> is either a <code><a href=#document>Document</a></code> or
+ a <a href=#url>URL</a>.</p>
+
+
+ <h4 id=processing-model><span class=secno>2.7.2 </span>Processing model</h4>
+
+ <p>When a user agent is to <dfn id=fetch>fetch</dfn><!--FETCH--> a resource
+ or <a href=#url>URL</a>, optionally <strong>from</strong> an origin <i title="">origin</i>, optionally <strong>using</strong> a specific
+ <a href=#referrer-source>referrer source</a> as an <i>override referrer source</i>,
and optionally with a <i>synchronous flag</i>, a <i>manual redirect
flag</i>, a <i>force same-origin flag</i>, and/or a <i>block cookies
flag</i>, the following steps must be run. (When a <em>URL</em> is
@@ -8330,25 +8362,32 @@
<!-- "block cookies" is currently only used by XHR -->
- <ol><li>
+ <ol><li><p>If there is a specific <i>override referrer source</i>, and
+ it is a <a href=#url>URL</a>, then let <var title="">referrer</var> be
+ the <i>override referrer source</i>, and jump to the step labeled
+ <i>clean referrer</i>.</li>
+ <li>
+
<p>Let <var title="">document</var> be the appropriate
<code><a href=#document>Document</a></code> as given by the following list:</p>
- <dl class=switch><dt>When <a href=#navigate title=navigate>navigating</a></dt>
+ <dl class=switch><dt>If there is a specific <i>override referrer source</i></dt>
+ <dd>The <i>override referrer source</i>.</dd>
+
+
+ <dt>When <a href=#navigate title=navigate>navigating</a></dt>
+
<dd>The <a href=#active-document>active document</a> of the <a href=#source-browsing-context>source browsing
context</a>.</dd>
+
<dt>When fetching resources for an element</dt>
<dd>The element's <code><a href=#document>Document</a></code>.</dd>
- <dt>When fetching resources in response to a call to an API</dt>
- <dd>The <a href=#entry-script>entry script</a>'s <a href="#script's-document" title="script's
- document">document</a>.</dd>
-
</dl></li>
<li>
@@ -8363,22 +8402,40 @@
<li>
- <p>Generate the <i>address of the resource from which Request-URIs
- are obtained</i> as required by HTTP for the <code title=http-referer>Referer</code> (sic) header from <a href="#the-document's-address">the
- document's address</a> of <var title="">document</var>. <a href=#refsHTTP>[HTTP]</a></p>
+ <p>If the <a href=#origin>origin</a> of <var title="">Document</var> is
+ not a scheme/host/port tuple, then set <var title="">referrer</var> to the empty string and jump to the step
+ labeled <i>clean referrer</i>.</p>
- <p>Remove any <a href=#url-fragment title=url-fragment><fragment></a>
- component from the generated <i>address of the resource from which
- Request-URIs are obtained</i>.</p> <!-- RFC2616 says "The URI MUST
- NOT include a fragment." (section 14.36) -->
+ </li>
- <p>If the <a href=#origin>origin</a> of the appropriate
- <code><a href=#document>Document</a></code> is not a scheme/host/port tuple, then the
- <code title=http-referer>Referer</code> (sic) header must be
- omitted, regardless of its value.</p>
+ <li>
+ <p>Let <var title="">referrer</var> be <a href="#the-document's-address">the document's
+ address</a> of <var title="">document</var>.</p>
+
</li>
+ <li>
+
+ <p><i>Clean referrer</i>: Remove any <a href=#url-fragment title=url-fragment><fragment></a> component from <var title="">referrer</var>.</p> <!-- RFC2616 says "The URI MUST NOT
+ include a fragment." (section 14.36) -->
+
+ </li>
+
+ <li>
+
+ <p>If <var title="">referrer</var> is not the empty string, is not
+ a <a href=#data-protocol title="data protocol"><code title="">data:</code>
+ URL</a>, is not a <a href=#javascript-protocol title="javascript protocol"><code title="">javascript:</code> URL</a>, and is not the
+ <a href=#url>URL</a> "<code><a href=#about:blank>about:blank</a></code>", then generate the
+ <i>address of the resource from which Request-URIs are
+ obtained</i> as required by HTTP for the <code title=http-referer>Referer</code> (sic) header from <var title="">referrer</var>. <a href=#refsHTTP>[HTTP]</a></p>
+
+ <p>Otherwise, the <code title=http-referer>Referer</code> (sic)
+ header must be omitted, regardless of its value.</p>
+
+ </li>
+
<li><p>If the algorithm was not invoked with the <i>synchronous
flag</i>, perform the remaining steps asynchronously.</li>
@@ -8541,31 +8598,8 @@
applicable.</p>
- <h4 id=concept-http-equivalent><span class=secno>2.7.1 </span>Protocol concepts</h4>
-
- <p>User agents can implement a variety of transfer protocols, but
- this specification mostly defines behavior in terms of HTTP. <a href=#refsHTTP>[HTTP]</a></p>
-
- <p>The <dfn id=concept-http-equivalent-get title=concept-http-equivalent-get>HTTP GET
- method</dfn> is equivalent to the default retrieval action of the
- protocol. For example, RETR in FTP. Such actions are idempotent and
- safe, in HTTP terms.</p>
-
- <p>The <dfn id=concept-http-equivalent-codes title=concept-http-equivalent-codes>HTTP response
- codes</dfn> are equivalent to statuses in other protocols that have
- the same basic meanings. For example, a "file not found" error is
- equivalent to a 404 code, a server error is equivalent to a 5xx
- code, and so on.</p>
-
- <p>The <dfn id=concept-http-equivalent-headers title=concept-http-equivalent-headers>HTTP
- headers</dfn> are equivalent to fields in other protocols that have
- the same basic meaning. For example, the HTTP authentication
- headers are equivalent to the authentication aspects of the FTP
- protocol.</p>
-
-
<!--ADD-TOPIC:Security-->
- <h4 id=encrypted-http-and-related-security-concerns><span class=secno>2.7.2 </span>Encrypted HTTP and related security concerns</h4>
+ <h4 id=encrypted-http-and-related-security-concerns><span class=secno>2.7.3 </span>Encrypted HTTP and related security concerns</h4>
<p>Anything in this specification that refers to HTTP also applies
to HTTP-over-TLS, as represented by <a href=#url title=url>URLs</a>
@@ -8612,7 +8646,7 @@
<!--REMOVE-TOPIC:Security-->
- <h4 id=content-type-sniffing><span class=secno>2.7.3 </span>Determining the type of a resource</h4>
+ <h4 id=content-type-sniffing><span class=secno>2.7.4 </span>Determining the type of a resource</h4>
<p>The <dfn id=content-type title=Content-Type>Content-Type metadata</dfn> of a
resource must be obtained and interpreted in a manner consistent
@@ -8639,7 +8673,7 @@
Media Type Sniffing specification. <a href=#refsMIMESNIFF>[MIMESNIFF]</a></p>
- <h4 id=extracting-encodings-from-meta-elements><span class=secno>2.7.4 </span>Extracting encodings from <code><a href=#the-meta-element>meta</a></code> elements</h4>
+ <h4 id=extracting-encodings-from-meta-elements><span class=secno>2.7.5 </span>Extracting encodings from <code><a href=#the-meta-element>meta</a></code> elements</h4>
<p>The <dfn id=algorithm-for-extracting-an-encoding-from-a-meta-element>algorithm for extracting an encoding from a
<code>meta</code> element</dfn>, given a string <var title="">s</var>, is as follows. It either returns an encoding or
@@ -8697,7 +8731,7 @@
</div>
- <h4 id=cors-settings-attributes><span class=secno>2.7.5 </span>CORS settings attributes</h4>
+ <h4 id=cors-settings-attributes><span class=secno>2.7.6 </span>CORS settings attributes</h4>
<p>A <dfn id=cors-settings-attribute>CORS settings attribute</dfn> is an <a href=#enumerated-attribute>enumerated
attribute</a>. The following table lists the keywords and states
@@ -8721,19 +8755,19 @@
<div class=impl>
- <h4 id=cors-enabled-fetch><span class=secno>2.7.6 </span>CORS-enabled fetch</h4>
+ <h4 id=cors-enabled-fetch><span class=secno>2.7.7 </span>CORS-enabled fetch</h4>
<p>When the user agent is required to perform a <dfn id=potentially-cors-enabled-fetch>potentially
- CORS-enabled fetch</dfn> of an <a href=#absolute-url>absolute URL</a> <var title="">URL</var>, with a mode <var title="">mode</var> that is
+ CORS-enabled fetch</dfn> of an <a href=#absolute-url>absolute URL</a> <var title="">URL</var> with a mode <var title="">mode</var> that is
either "<a href=#attr-crossorigin-none title=attr-crossorigin-none>No CORS</a>", "<a href=#attr-crossorigin-anonymous title=attr-crossorigin-anonymous>Anonymous</a>", or "<a href=#attr-crossorigin-use-credentials title=attr-crossorigin-use-credentials>Use Credentials</a>",
- an <a href=#origin>origin</a> <var title="">origin</var>, and a default
- origin behaviour <var title="">default</var> which is either
- "<i>taint</i>" or "<i>fail</i>", it must run the first applicable
- set of steps from the following list. The default origin behaviour
- is only used if <var title="">mode</var> is "<a href=#attr-crossorigin-none title=attr-crossorigin-none>No CORS</a>". This algorithm wraps
- the <a href=#fetch>fetch</a> algorithm above, and labels the obtained
- resource as either <dfn id=cors-same-origin>CORS-same-origin</dfn> or
- <dfn id=cors-cross-origin>CORS-cross-origin</dfn>, or blocks the resource entirely.</p>
+ optionally using a <a href=#referrer-source>referrer source</a> <var title="">referrer source</var>, with an <a href=#origin>origin</a> <var title="">origin</var>, and with a default origin behaviour <var title="">default</var> which is either "<i>taint</i>" or
+ "<i>fail</i>", it must run the first applicable set of steps from
+ the following list. The default origin behaviour is only used if
+ <var title="">mode</var> is "<a href=#attr-crossorigin-none title=attr-crossorigin-none>No
+ CORS</a>". This algorithm wraps the <a href=#fetch>fetch</a> algorithm
+ above, and labels the obtained resource as either
+ <dfn id=cors-same-origin>CORS-same-origin</dfn> or <dfn id=cors-cross-origin>CORS-cross-origin</dfn>, or
+ blocks the resource entirely.</p>
<dl class=switch><dt>If the <var title="">URL</var> has the <a href=#same-origin>same origin</a> as <var title="">origin</var></dt>
<dt>If the <var title="">URL</var> is a <a href=#data-protocol title="data protocol"><code title="">data:</code> URL</a></dt>
@@ -8744,9 +8778,10 @@
<p>Run these substeps:</p>
- <ol><li><p><a href=#fetch>Fetch</a> <var title="">URL</var>, with the
- <i>manual redirect flag</i> set.</li> <!-- http-origin privacy
- sensitive -->
+ <ol><li><p><a href=#fetch>Fetch</a><!--FETCH--> <var title="">URL</var>,
+ using <var title="">referrer source</var> if one was specified,
+ with the <i>manual redirect flag</i> set.</li> <!-- http-origin
+ privacy sensitive -->
<li><p><i>Loop</i>: Wait for the <a href=#fetch>fetch</a> algorithm
to know if the result is a redirect or not.</li>
@@ -8810,7 +8845,8 @@
<p class=note>The <var title="">URL</var> does not have the
<a href=#same-origin>same origin</a> as <var title="">origin</var>.</p>
- <p><a href=#fetch>Fetch</a> <var title="">URL</var>.</p> <!--
+ <p><a href=#fetch>Fetch</a><!--FETCH--> <var title="">URL</var>, using
+ <var title="">referrer source</var> if one was specified.</p> <!--
http-origin privacy sensitive -->
<p>The <a href=#concept-task title=concept-task>tasks</a> from the
@@ -8854,10 +8890,11 @@
<p>Run these steps:</p>
- <ol><li><p>Perform a <a href=#cross-origin-request>cross-origin request</a> with the
- <i>request URL</i> set to <var title="">URL</var>, the <i>source
- origin</i> set to <var title="">origin</var>, and the <i><a href=#omit-credentials-flag>omit
- credentials flag</a></i> set if <var title="">mode</var> is "<a href=#attr-crossorigin-anonymous title=attr-crossorigin-anonymous>Anonymous</a>" and not set
+ <ol><li><p>Perform a <a href=#cross-origin-request>cross-origin request</a><!--FETCH-->
+ with the <i>request URL</i> set to <var title="">URL</var>, using
+ <var title="">referrer source</var> if one was specified, with
+ the <i>source origin</i> set to <var title="">origin</var>, and
+ with the <i><a href=#omit-credentials-flag>omit credentials flag</a></i> set if <var title="">mode</var> is "<a href=#attr-crossorigin-anonymous title=attr-crossorigin-anonymous>Anonymous</a>" and not set
otherwise. <a href=#refsCORS>[CORS]</a></li>
<li><p>Wait for the CORS <a href=#cross-origin-request-status>cross-origin request status</a>
@@ -10893,9 +10930,12 @@
<li><p>Let <var title="">success</var> be false.</li>
- <li><p><a href=#fetch>Fetch</a> <var title="">url</var> from the
- <a href=#origin>origin</a> of <var title="">document</var>, with the <i title="">synchronous flag</i> set and the <i title="">force
- same-origin flag</i> set.</li>
+ <li><p><a href=#fetch>Fetch</a><!--FETCH--> <var title="">url</var> from
+ the <a href=#origin>origin</a> of <var title="">document</var>, using the
+ <a href=#entry-script>entry script</a>'s <a href="#script's-referrer-source" title="script's referrer
+ source">referrer source</a>, with the <i title="">synchronous
+ flag</i> set and the <i title="">force same-origin flag</i>
+ set.</li>
<li>
@@ -14871,7 +14911,7 @@
<li><p>If the previous step fails, then abort these steps.</li>
- <li><p><a href=#fetch>Fetch</a> the resulting <a href=#absolute-url>absolute
+ <li><p><a href=#fetch>Fetch</a><!--FETCH--> the resulting <a href=#absolute-url>absolute
URL</a>.</li> <!-- http-origin privacy sensitive -->
</ol><p>User agents may opt to only try to obtain such resources when
@@ -16914,7 +16954,7 @@
attribute whose value is not the empty string, then the value of
that attribute must be <a href=#resolve-a-url title="resolve a url">resolved</a>
relative to the element, and if that is successful, the specified
- resource must then be <a href=#fetch title=fetch>fetched</a>, from the
+ resource must then be <a href=#fetch title=fetch>fetched</a><!--FETCH-->, from the
<a href=#origin>origin</a> of the element's <code><a href=#document>Document</a></code>.</p>
<!-- not http-origin privacy sensitive -->
@@ -24559,8 +24599,8 @@
<li>
- <p>Do a <a href=#potentially-cors-enabled-fetch>potentially CORS-enabled fetch</a> of the
- <a href=#absolute-url>absolute URL</a> that resulted from the earlier step,
+ <p>Do a <a href=#potentially-cors-enabled-fetch>potentially CORS-enabled fetch</a><!--FETCH--> of
+ the <a href=#absolute-url>absolute URL</a> that resulted from the earlier step,
with the <i>mode</i> being the state of the element's <code title=attr-img-crossorigin><a href=#attr-img-crossorigin>crossorigin</a></code> content attribute,
the <i title="">origin</i> being the <a href=#origin>origin</a> of the
<code><a href=#the-img-element>img</a></code> element's <code><a href=#document>Document</a></code>, and the
@@ -24944,10 +24984,10 @@
<li>
- <p>Do a <a href=#potentially-cors-enabled-fetch>potentially CORS-enabled fetch</a> of the
- resulting <a href=#absolute-url>absolute URL</a>, with the <i>mode</i> being
- <var title="">CORS mode</var>, the <i title="">origin</i> being
- the <a href=#origin>origin</a> of the <code><a href=#the-img-element>img</a></code> element's
+ <p>Do a <a href=#potentially-cors-enabled-fetch>potentially CORS-enabled fetch</a><!--FETCH--> of
+ the resulting <a href=#absolute-url>absolute URL</a>, with the <i>mode</i>
+ being <var title="">CORS mode</var>, the <i title="">origin</i>
+ being the <a href=#origin>origin</a> of the <code><a href=#the-img-element>img</a></code> element's
<code><a href=#document>Document</a></code>, and the <i>default origin behaviour</i> set
to <i>taint</i>.</p>
@@ -27183,16 +27223,17 @@
<p>The user agent must <a href=#resolve-a-url title="resolve a url">resolve</a>
the value of the element's <code title=attr-embed-src><a href=#attr-embed-src>src</a></code>
attribute, relative to the element. If that is successful, the
- user agent should <a href=#fetch>fetch</a> the resulting <a href=#absolute-url>absolute
- URL</a>, from the element's <a href=#browsing-context-scope-origin>browsing context scope
- origin</a> if it has one<!-- potentially http-origin privacy
- sensitive -->. The <a href=#concept-task title=concept-task>task</a> that is
- <a href=#queue-a-task title="queue a task">queued</a> by the <a href=#networking-task-source>networking
- task source</a> once the resource has been <a href=#fetch title=fetch>fetched</a> must find and instantiate an
- appropriate <a href=#plugin>plugin</a> based on the <a href=#concept-embed-type title=concept-embed-type>content's type</a>, and hand that
- <a href=#plugin>plugin</a> the content of the resource, replacing any
- previously instantiated plugin for the element.</p> <!-- Note that
- this doesn't happen when the base URL changes. -->
+ user agent should <a href=#fetch>fetch</a><!--FETCH--> the resulting
+ <a href=#absolute-url>absolute URL</a>, from the element's <a href=#browsing-context-scope-origin>browsing
+ context scope origin</a> if it has one<!-- potentially
+ http-origin privacy sensitive -->. The <a href=#concept-task title=concept-task>task</a> that is <a href=#queue-a-task title="queue a
+ task">queued</a> by the <a href=#networking-task-source>networking task source</a>
+ once the resource has been <a href=#fetch title=fetch>fetched</a> must
+ find and instantiate an appropriate <a href=#plugin>plugin</a> based on
+ the <a href=#concept-embed-type title=concept-embed-type>content's type</a>, and
+ hand that <a href=#plugin>plugin</a> the content of the resource,
+ replacing any previously instantiated plugin for the element.</p>
+ <!-- Note that this doesn't happen when the base URL changes. -->
<p>Fetching the resource must <a href=#delay-the-load-event>delay the load event</a> of
the element's document.</p>
@@ -27592,15 +27633,17 @@
<li>
- <p><a href=#fetch>Fetch</a> the resulting <a href=#absolute-url>absolute URL</a>,
- from the element's <a href=#browsing-context-scope-origin>browsing context scope origin</a> if
- it has one<!-- potentially http-origin privacy sensitive
- -->.</p>
+ <p><a href=#fetch>Fetch</a><!--FETCH--> the resulting <a href=#absolute-url>absolute
+ URL</a>, from the element's <a href=#browsing-context-scope-origin>browsing context scope
+ origin</a> if it has one<!-- potentially http-origin privacy
+ sensitive -->.</p>
- <!-- similar text in various places --> <p>Fetching the resource
- must <a href=#delay-the-load-event>delay the load event</a> of the element's document
- until the <a href=#concept-task title=concept-task>task</a> that is <a href=#queue-a-task title="queue a task">queued</a> by the <a href=#networking-task-source>networking task
- source</a> once the resource has been <a href=#fetch title=fetch>fetched</a> (defined next) has been run.</p>
+ <!-- similar text in various places -->
+ <p>Fetching the resource must <a href=#delay-the-load-event>delay the load event</a>
+ of the element's document until the <a href=#concept-task title=concept-task>task</a> that is <a href=#queue-a-task title="queue a
+ task">queued</a> by the <a href=#networking-task-source>networking task source</a>
+ once the resource has been <a href=#fetch title=fetch>fetched</a>
+ (defined next) has been run.</p>
<p>For the purposes of the <a href=#application-cache>application cache</a>
networking model, this <a href=#fetch>fetch</a> operation is not for a
@@ -28373,10 +28416,10 @@
to the element. If this fails, then there is no <a href=#poster-frame>poster
frame</a>; abort these steps.</li>
- <li><p><a href=#fetch>Fetch</a> the resulting <a href=#absolute-url>absolute URL</a>,
- from the element's <code><a href=#document>Document</a></code>'s <a href=#origin>origin</a>.
- This must <a href=#delay-the-load-event>delay the load event</a> of the element's
- document.</li>
+ <li><p><a href=#fetch>Fetch</a><!--FETCH--> the resulting <a href=#absolute-url>absolute
+ URL</a>, from the element's <code><a href=#document>Document</a></code>'s
+ <a href=#origin>origin</a>. This must <a href=#delay-the-load-event>delay the load event</a> of
+ the element's document.</li>
<!-- could define how to sniff for an image here -->
@@ -30064,13 +30107,14 @@
<li>
- <p>Perform a <a href=#potentially-cors-enabled-fetch>potentially CORS-enabled fetch</a> of the
- <var title="">current media resource</var>'s <a href=#absolute-url>absolute
- URL</a>, with the <i>mode</i> being the state of the
- <a href=#media-element>media element</a>'s <code title=attr-media-crossorigin><a href=#attr-media-crossorigin>crossorigin</a></code> content
- attribute, the <i title="">origin</i> being the <a href=#origin>origin</a> of the
- <a href=#media-element>media element</a>'s <code><a href=#document>Document</a></code>, and the
- <i>default origin behaviour</i> set to <i>taint</i>.</p>
+ <p>Perform a <a href=#potentially-cors-enabled-fetch>potentially CORS-enabled
+ fetch</a><!--FETCH--> of the <var title="">current media
+ resource</var>'s <a href=#absolute-url>absolute URL</a>, with the <i>mode</i>
+ being the state of the <a href=#media-element>media element</a>'s <code title=attr-media-crossorigin><a href=#attr-media-crossorigin>crossorigin</a></code> content
+ attribute, the <i title="">origin</i> being the
+ <a href=#origin>origin</a> of the <a href=#media-element>media element</a>'s
+ <code><a href=#document>Document</a></code>, and the <i>default origin behaviour</i> set
+ to <i>taint</i>.</p>
<p>The resource obtained in this fashion, if any, contains the
<a href=#media-data>media data</a>. It can be <a href=#cors-same-origin>CORS-same-origin</a>
@@ -34434,7 +34478,7 @@
<li>
<p>If <var title="">URL</var> is not the empty string, perform a
- <a href=#potentially-cors-enabled-fetch>potentially CORS-enabled fetch</a> of <var title="">URL</var>, with the <i>mode</i> being <var title="">CORS
+ <a href=#potentially-cors-enabled-fetch>potentially CORS-enabled fetch</a><!--FETCH--> of <var title="">URL</var>, with the <i>mode</i> being <var title="">CORS
mode</var>, the <i title="">origin</i> being the
<a href=#origin>origin</a> of the <code><a href=#the-track-element>track</a></code> element's
<code><a href=#document>Document</a></code>, and the <i>default origin behaviour</i> set
@@ -42440,7 +42484,7 @@
<div class=impl>
- <h5 id=processing-model><span class=secno>4.8.14.2 </span>Processing model</h5>
+ <h5 id=processing-model-0><span class=secno>4.8.14.2 </span>Processing model</h5>
<p>If an <code><a href=#the-img-element>img</a></code> element or an <code><a href=#the-object-element>object</a></code> element
representing an image has a <code title=attr-hyperlink-usemap><a href=#attr-hyperlink-usemap>usemap</a></code> attribute specified,
@@ -44244,7 +44288,7 @@
<div class=impl>
- <h4 id=processing-model-0><span class=secno>4.9.12 </span>Processing model</h4>
+ <h4 id=processing-model-1><span class=secno>4.9.12 </span>Processing model</h4>
<p>The various table elements and their content attributes together
define the <dfn id=table-model>table model</dfn>.</p>
@@ -51156,10 +51200,10 @@
or the user agent only fetches elements on demand, or the <code title=attr-input-src><a href=#attr-input-src>src</a></code> attribute's value is the empty
string, the user agent must <a href=#resolve-a-url title="resolve a
url">resolve</a> the value of the <code title=attr-input-src><a href=#attr-input-src>src</a></code> attribute, relative to the
- element, and if that is successful, must <a href=#fetch>fetch</a> the
- resulting <a href=#absolute-url>absolute URL</a>:</p> <!-- Note how this does NOT
- happen when the base URL changes. --> <!-- http-origin privacy
- sensitive -->
+ element, and if that is successful, must
+ <a href=#fetch>fetch</a><!--FETCH--> the resulting <a href=#absolute-url>absolute
+ URL</a>:</p> <!-- Note how this does NOT happen when the base URL
+ changes. --> <!-- http-origin privacy sensitive -->
<ul><li>The <code><a href=#the-input-element>input</a></code> element's <code title=attr-input-type><a href=#attr-input-type>type</a></code> attribute is first set to the
<a href="#image-button-state-(type=image)" title=attr-input-type-image>Image Button</a> state
@@ -59112,13 +59156,13 @@
<dd>Append the command to the menu, respecting its <a href=#concept-facet title=concept-facet>facets</a><!-- we might need to be
explicit about what this means for each facet, if testing shows
this isn't well-implemented. e.g.: If there's an Icon facet for the
- command, it should be <span title="fetch">fetched</span> (this
- would be http-origin privacy-sensitive), and then that image should
- be associated with the command, such that each command only has its
- image fetched once, to prevent changes to the base URL from having
- effects after the image has been fetched once. (no need to resolve
- the Icon facet, it's an absolute URL) -->. <!--If the element is a
- <code>command</code> element with a <code
+ command, it should be <span title="fetch">fetched</span><!- -FETCH-
+ -> (this would be http-origin privacy-sensitive), and then that
+ image should be associated with the command, such that each command
+ only has its image fetched once, to prevent changes to the base URL
+ from having effects after the image has been fetched once. (no need
+ to resolve the Icon facet, it's an absolute URL) -->. <!--If the
+ element is a <code>command</code> element with a <code
title="attr-command-default">default</code> attribute, mark the
command as being a default command.--></dd>
@@ -60744,9 +60788,9 @@
<li><p>Return to whatever algorithm invoked these steps and continue
these steps asynchronously.</li>
- <li><p><a href=#fetch>Fetch</a> <var title="">URL</var> and handle the
- resulting resource <a href=#as-a-download>as a download</a>.</li> <!--
- http-origin privacy sensitive -->
+ <li><p><a href=#fetch>Fetch</a><!--FETCH--> <var title="">URL</var> and
+ handle the resulting resource <a href=#as-a-download>as a download</a>.</li>
+ <!-- http-origin privacy sensitive -->
</ol><p>When a user agent is to handle a resource obtained from a
<a href=#fetch>fetch</a> algorithm <dfn id=as-a-download>as a download</dfn>, it should
@@ -60927,9 +60971,7 @@
</div>
-<!--DOWNLOAD-->
-
<!--PING-->
<div class=impl>
@@ -60941,11 +60983,12 @@
follows the hyperlink, and the value of the element's <code title=attr-hyperlink-href><a href=#attr-hyperlink-href>href</a></code> attribute can be <a href=#resolve-a-url title="resolve a url">resolved</a>, relative to the element,
without failure, then the user agent must take the <code title=attr-hyperlink-ping><a href=#ping>ping</a></code> attribute's value, <a href=#split-a-string-on-spaces title="split a string on spaces">split that string on spaces</a>,
<a href=#resolve-a-url title="resolve a url">resolve</a> each resulting token
- relative to the element, and then should send a request (as
- described below) to each of the resulting <a href=#absolute-url title="absolute
- URL">absolute URLs</a>. (Tokens that fail to resolve are
- ignored.) This may be done in parallel with the primary request, and
- is independent of the result of that request.</p>
+ relative to the element, and then each of the resulting <a href=#absolute-url title="absolute URL">absolute URLs</a> should be <a href=#fetch title=fetch>fetched</a><!--FETCH--> from the
+ <a href=#origin>origin</a> of the <code><a href=#document>Document</a></code> containing the
+ <a href=#hyperlink>hyperlink</a> <!-- not http-origin privacy sensitive -->
+ (as described below). (Tokens that fail to resolve are ignored.)
+ This may be done in parallel with the primary request, and is
+ independent of the result of that request.</p>
<p>User agents should allow the user to adjust this behavior, for
example in conjunction with a setting that disables the sending of
@@ -60955,13 +60998,10 @@
or selectively ignore URLs in the list (e.g. ignoring any
third-party URLs).</p>
- <p>For URLs that are HTTP URLs, the requests must be performed by
- <a href=#fetch title=fetch>fetching</a> the specified URLs using the
- POST method, with an entity body with the <a href=#mime-type>MIME type</a>
+ <p>For URLs that are HTTP URLs, the requests must be performed using
+ the POST method, with an entity body with the <a href=#mime-type>MIME type</a>
<code><a href=#text/ping>text/ping</a></code> consisting of the four-character string
- "<code title="">PING</code>", from the <a href=#origin>origin</a> of the
- <code><a href=#document>Document</a></code> containing the <a href=#hyperlink>hyperlink</a>. <!--
- not http-origin privacy sensitive --> All relevant cookie and HTTP
+ "<code title="">PING</code>". All relevant cookie and HTTP
authentication headers must be included in the request. Which other
headers are required depends on the URLs involved.</p>
@@ -61006,10 +61046,6 @@
responses. User agents may close the connection prematurely once
they start receiving an entity body. <a href=#refsCOOKIES>[COOKIES]</a></p>
- <p>For URLs that are not HTTP URLs, the requests must be performed
- by <a href=#fetch title=fetch>fetching</a> the specified URL normally,
- and discarding the results.</p>
-
<p>When the <code title=attr-hyperlink-ping><a href=#ping>ping</a></code> attribute is
present, user agents should clearly indicate to the user that
following the hyperlink will also cause secondary requests to be
@@ -61052,7 +61088,6 @@
<!-- resolving ping urls happens at audit time, so base URL changes
affect the values of ping attributes -->
-<!--PING-->
@@ -61539,8 +61574,9 @@
<p>In the absence of a <code><a href=#the-link-element>link</a></code> with the <code title=rel-icon><a href=#rel-icon>icon</a></code> keyword, for <code><a href=#document>Document</a></code>s
obtained over HTTP or HTTPS, user agents may instead attempt to
- <a href=#fetch>fetch</a> and use an icon with the <a href=#absolute-url>absolute
- URL</a> obtained by resolving the <a href=#url>URL</a> "<code title="">/favicon.ico</code>" against <a href="#the-document's-address">the document's
+ <a href=#fetch>fetch</a><!--FETCH--> and use an icon with the
+ <a href=#absolute-url>absolute URL</a> obtained by resolving the <a href=#url>URL</a>
+ "<code title="">/favicon.ico</code>" against <a href="#the-document's-address">the document's
address</a>, as if the page had declared that icon using the
<code title=rel-icon><a href=#rel-icon>icon</a></code> keyword.</p>
@@ -70403,8 +70439,8 @@
application cache at all; the submission will be made to the
network.</p>
- <p>Otherwise, <a href=#fetch>fetch</a> the new resource, with the
- <i>manual redirect flag</i> set.</p>
+ <p>Otherwise, <a href=#fetch>fetch</a><!--FETCH--> the new resource,
+ with the <i>manual redirect flag</i> set.</p>
<p>If the resource is being fetched using a method other than one
<a href=#concept-http-equivalent-get title=concept-http-equivalent-get>equivalent to</a>
@@ -72967,12 +73003,12 @@
<li>
- <p><i>Fetching the manifest</i>: <a href=#fetch>Fetch</a> the resource
- from <var title="">manifest URL</var> with the <i>synchronous
- flag</i> set, and let <var title="">manifest</var> be that
- resource. HTTP caching semantics should be honored for this
- request.</p> <!-- http-origin privacy sensitive, though it doesn't
- matter, since this can never be cross-origin -->
+ <p><i>Fetching the manifest</i>: <a href=#fetch>Fetch</a><!--FETCH-->
+ the resource from <var title="">manifest URL</var> with the
+ <i>synchronous flag</i> set, and let <var title="">manifest</var>
+ be that resource. HTTP caching semantics should be honored for
+ this request.</p> <!-- http-origin privacy sensitive, though it
+ doesn't matter, since this can never be cross-origin -->
<p>Parse <var title="">manifest</var> according to the <a href=#parse-a-manifest title="parse a manifest">rules for parsing manifests</a>,
obtaining a list of <a href=#concept-appcache-explicit title=concept-appcache-explicit>explicit entries</a>, <a href=#concept-appcache-fallback title=concept-appcache-fallback>fallback entries</a> and the
@@ -73214,10 +73250,9 @@
<li>
- <p><a href=#fetch>Fetch</a> the resource, from the <a href=#origin>origin</a>
- of the <a href=#url>URL</a> <var title="">manifest URL</var>, with
- the <i>synchronous flag</i> set and the <i>manual redirect
- flag</i> set. If this is an <a href=#concept-appcache-upgrade title=concept-appcache-upgrade>upgrade attempt</a>, then
+ <p><a href=#fetch>Fetch</a><!--FETCH--> the resource, from the
+ <a href=#origin>origin</a> of the <a href=#url>URL</a> <var title="">manifest URL</var>, with the <i>synchronous flag</i>
+ set and the <i>manual redirect flag</i> set. If this is an <a href=#concept-appcache-upgrade title=concept-appcache-upgrade>upgrade attempt</a>, then
use the <a href=#concept-appcache-newer title=concept-appcache-newer>newest</a>
<a href=#application-cache>application cache</a> in <var title="">cache
group</var> as an HTTP cache, and honor HTTP caching semantics
@@ -73427,12 +73462,11 @@
<li>
- <p><a href=#fetch>Fetch</a> the resource from <var title="">manifest
- URL</var> again, with the <i>synchronous flag</i> set, and let
- <var title="">second manifest</var> be that resource. HTTP caching
- semantics should again be honored for this request.</p> <!--
- http-origin privacy sensitive, though it doesn't matter, since
- this can never be cross-origin -->
+ <p><a href=#fetch>Fetch</a><!--FETCH--> the resource from <var title="">manifest URL</var> again, with the <i>synchronous
+ flag</i> set, and let <var title="">second manifest</var> be that
+ resource. HTTP caching semantics should again be honored for this
+ request.</p> <!-- http-origin privacy sensitive, though it doesn't
+ matter, since this can never be cross-origin -->
<p class=note>Since caching can be honored, authors are
encouraged to avoid setting the cache headers on the manifest in
@@ -73711,7 +73745,7 @@
following steps instead of immediately invoking the mechanisms
appropriate to that resource's scheme:</p>
- <ol><li><p>If the resource is not to be fetched using the HTTP GET
+ <ol><!--FETCH--><li><p>If the resource is not to be fetched using the HTTP GET
mechanism <a href=#concept-http-equivalent-get title=concept-http-equivalent-get>or
equivalent</a>, or if its <a href=#url>URL</a> has a different <a href=#url-scheme title=url-scheme><scheme></a> component than the
<a href=#application-cache>application cache</a>'s <a href=#concept-appcache-manifest title=concept-appcache-manifest>manifest</a>, then
@@ -74217,7 +74251,7 @@
<div class=impl>
<!-- SCRIPT EXEC (marks areas related to creation of scripts) -->
- <h4 id=processing-model-1><span class=secno>7.1.3 </span>Processing model</h4>
+ <h4 id=processing-model-2><span class=secno>7.1.3 </span>Processing model</h4>
<h5 id=definitions-0><span class=secno>7.1.3.1 </span>Definitions</h5>
@@ -74322,12 +74356,25 @@
<p>A <code><a href=#document>Document</a></code> that is assigned responsibility for
actions taken by the script.</p>
- <p class=example>When a script <a href=#fetch title=fetch>fetches</a> a resource, the <a href="#the-document's-address" title="the
- document's address">address</a> of the <a href="#script's-document">script's
- document</a> will be used to set the <code title=http-referer>Referer</code> (sic) header.</p>
+ <p class=example>For example, the <a href="#the-document's-address" title="the document's
+ address">address</a> of the <a href="#script's-document">script's document</a> is
+ used to set the <a href="#the-document's-address" title="the document's
+ address">address</a> of any <code><a href=#document>Document</a></code> elements
+ created using <code title=dom-DOMImplementation-createDocument><a href=#dom-domimplementation-createdocument>createDocument()</a></code>.</p>
</dd>
+ <dt>The <dfn id="script's-referrer-source">script's referrer source</dfn></dt>
+
+ <dd>
+
+ <p>Either a <code><a href=#document>Document</a></code> (specifically, the
+ <a href="#script's-document">script's document</a>), or a <a href=#url>URL</a>, which is
+ used by some APIs to determine what value to use for the <code title=http-referer>Referer</code> (sic) header in calls to the
+ <a href=#fetch title=fetch>fetching</a> algorithm.</p>
+
+ </dd>
+
<dt>A <dfn id="script's-url-character-encoding" title="script's URL character encoding">URL character encoding</dfn></dt>
<dd>
@@ -74394,8 +74441,8 @@
<p>When the specification says that a <a href=#concept-script title=concept-script>script</a> is to be <dfn id=create-a-script title="create a
script">created</dfn>, given some script source, a script source
URL, its scripting language, a global object, a browsing context, a
- URL character encoding, and a base URL, the user agent must run the
- following steps:</p>
+ document, a referrer source, a URL character encoding, and a base
+ URL, the user agent must run the following steps:</p>
<ol><li><p>If <a href=#concept-bc-noscript title=concept-bc-noscript>scripting is
disabled</a> for <a href=#browsing-context>browsing context</a> passed to this
@@ -74415,9 +74462,10 @@
<li><p>Set up the <a href="#script's-global-object">script's global object</a>, the
<a href="#script's-browsing-context">script's browsing context</a>, the <a href="#script's-document">script's
- document</a>, the <a href="#script's-url-character-encoding">script's URL character encoding</a>,
- and the <a href="#script's-base-url">script's base URL</a> from the settings passed to
- this algorithm.</li>
+ document</a>, the <a href="#script's-referrer-source">script's referrer source</a>, the
+ <a href="#script's-url-character-encoding">script's URL character encoding</a>, and the
+ <a href="#script's-base-url">script's base URL</a> from the settings passed to this
+ algorithm.</li>
<li>
@@ -74440,9 +74488,9 @@
browsing context, the user agent must <a href=#create-a-script>create a script</a>,
using the given script source, URL, and scripting language, using a
new empty object as the global object, and using the given browsing
- context as the browsing context. The URL character encoding and base
- URL for the resulting <a href=#concept-script title=concept-script>script</a> are
- not important as no APIs are exposed to the script.</p>
+ context as the browsing context. The referrer source, URL character
+ encoding, and base URL for the resulting <a href=#concept-script title=concept-script>script</a> are not important as no APIs
+ are exposed to the script.</p>
<hr><p>When the specification says that a <a href=#concept-script title=concept-script>script</a> is to be <dfn id=create-a-script-from-a-node title="create a
script from a node">created from a node</dfn> <var title="">node</var>, given some script source, its URL, and its
@@ -74457,12 +74505,15 @@
<code><a href=#document>Document</a></code> of <var title="">node</var> (or <var title="">node</var> itself if it is a
<code><a href=#document>Document</a></code>).</li>
+ <li><p>The global object is the <code><a href=#window>Window</a></code> object of <var title="">document</var>.</li>
+
<li><p>The browsing context is the <a href=#browsing-context>browsing context</a> of
<var title="">document</var>.</p>
- <li><p>The global object is the <code><a href=#window>Window</a></code> object of
- <var title="">document</var>.</li>
+ <li><p>The document is <var title="">document</var>.</p>
+ <li><p>The referrer source is <var title="">document</var>.</p>
+
<li><p>The URL character encoding is the <a href="#document's-character-encoding" title="document's
character encoding">character encoding</a> of <var title="">document</var>. (<a href=#sce-not-copy>This is a
reference, not a copy</a>.)</li>
@@ -74727,7 +74778,7 @@
release the <a href=#storage-mutex>storage mutex</a>.</p>
- <h5 id=processing-model-2><span class=secno>7.1.4.2 </span>Processing model</h5>
+ <h5 id=processing-model-3><span class=secno>7.1.4.2 </span>Processing model</h5>
<p>An <a href=#event-loop>event loop</a> must continually run through the
following steps for as long as it exists:</p>
@@ -75243,10 +75294,11 @@
<li><p>Set up the <a href="#script's-global-object">script's global object</a>, the
<a href="#script's-browsing-context">script's browsing context</a>, the <a href="#script's-document">script's
- document</a>, the <a href="#script's-url-character-encoding">script's URL character encoding</a>,
- and the <a href="#script's-base-url">script's base URL</a> from <a href=#the-script-settings-determined-from-the-node>the script
- settings determined from the node</a> on which the attribute is
- being set.</li>
+ document</a>, the <a href="#script's-referrer-source">script's referrer source</a>, the
+ <a href="#script's-url-character-encoding">script's URL character encoding</a>, and the
+ <a href="#script's-base-url">script's base URL</a> from <a href=#the-script-settings-determined-from-the-node>the script settings
+ determined from the node</a> on which the attribute is being
+ set.</li>
<li><p>Set the corresponding <a href=#event-handlers title="event handlers">event
handler</a> to the aforementioned function.</li>
@@ -76158,25 +76210,27 @@
object, let <var title="">global object</var> be the <a href=#method-context>method
context</a>, let <var title="">browsing context</var> be the
<a href=#browsing-context>browsing context</a> with which <var title="">global
- object</var> is associated, let <var title="">character
- encoding</var> be the <a href="#document's-character-encoding" title="document's character
- encoding">character encoding</a> of the <code><a href=#document>Document</a></code>
- associated with <var title="">global object</var> (<a href=#sce-not-copy>this is a reference, not a copy</a>), and let
- <var title="">base URL</var> be the <a href=#document-base-url title="document base
- URL">base URL</a> of the <code><a href=#document>Document</a></code> associated with
- <var title="">global object</var> (<a href=#sbu-not-copy>this is
- a reference, not a copy</a>).</p>
+ object</var> is associated, let <var title="">document</var> and
+ <var title="">referrer source</var> be the <code><a href=#document>Document</a></code>
+ associated with <var title="">global object</var>, let <var title="">character encoding</var> be the <a href="#document's-character-encoding" title="document's
+ character encoding">character encoding</a> of the
+ <code><a href=#document>Document</a></code> associated with <var title="">global
+ object</var> (<a href=#sce-not-copy>this is a reference, not a
+ copy</a>), and let <var title="">base URL</var> be the <a href=#document-base-url title="document base URL">base URL</a> of the
+ <code><a href=#document>Document</a></code> associated with <var title="">global
+ object</var> (<a href=#sbu-not-copy>this is a reference, not a
+ copy</a>).</p>
<p>Otherwise, if the <a href=#method-context>method context</a> is a
<code><a href=#workerutils>WorkerUtils</a></code> object, let <var title="">global
- object</var>, <var title="">browsing context</var>, <var title="">document</var>, <var title="">character encoding</var>,
- and <var title="">base URL</var> be the <a href="#script's-global-object">script's global
- object</a>, <a href="#script's-browsing-context">script's browsing context</a>,
- <a href="#script's-document">script's document</a>, <a href="#script's-url-character-encoding">script's URL character
- encoding</a>, and <a href="#script's-base-url">script's base URL</a> (respectively)
- of the <a href=#concept-script title=concept-script>script</a> that the
- <a href=#run-a-worker>run a worker</a> algorithm created when it created the
- <a href=#method-context>method context</a>.</p>
+ object</var>, <var title="">browsing context</var>, <var title="">document</var>, <var title="">referrer source</var>, <var title="">character encoding</var>, and <var title="">base
+ URL</var> be the <a href="#script's-global-object">script's global object</a>,
+ <a href="#script's-browsing-context">script's browsing context</a>, <a href="#script's-document">script's
+ document</a>, <a href="#script's-referrer-source">script's referrer source</a>,
+ <a href="#script's-url-character-encoding">script's URL character encoding</a>, and <a href="#script's-base-url">script's
+ base URL</a> (respectively) of the <a href=#concept-script title=concept-script>script</a> that the <a href=#run-a-worker>run a
+ worker</a> algorithm created when it created the <a href=#method-context>method
+ context</a>.</p>
<p>Otherwise, act as described in the specification that defines
that the <code><a href=#windowtimers>WindowTimers</a></code> interface is implemented by
@@ -76189,7 +76243,8 @@
<a href=#url>URL</a> where <var title="">script source</var> can be
found, <var title="">scripting language</var> as the scripting
language, <var title="">global object</var> as the global object,
- <var title="">browsing context</var> as the browsing context, <var title="">document</var> as the document, <var title="">character
+ <var title="">browsing context</var> as the browsing context, <var title="">document</var> as the document, <var title="">referrer
+ source</var> as the referrer source, <var title="">character
encoding</var> as the URL character encoding, and <var title="">base URL</var> as the base URL.</li>
</ol><hr><p>The <a href=#task-source>task source</a> for these <a href=#concept-task title=concept-task>tasks</a> is the <dfn id=timer-task-source>timer task
@@ -78386,7 +78441,7 @@
<div class=impl>
- <h4 id=processing-model-3><span class=secno>8.5.3 </span>Processing model</h4>
+ <h4 id=processing-model-4><span class=secno>8.5.3 </span>Processing model</h4>
<p>An element's <dfn id=assigned-access-key>assigned access key</dfn> is a key combination
derived from the element's <code title=attr-accesskey><a href=#the-accesskey-attribute>accesskey</a></code> content attribute.
@@ -82587,7 +82642,7 @@
<a href=#permissible-worker>permissible worker</a>.</p>
- <h4 id=processing-model-4><span class=secno>9.2.4 </span>Processing model</h4>
+ <h4 id=processing-model-5><span class=secno>9.2.4 </span>Processing model</h4>
<p>When a user agent is to <dfn id=run-a-worker>run a worker</dfn> for a script with
<a href=#url>URL</a> <var title="">url</var>, a <a href=#browsing-context>browsing
@@ -82616,10 +82671,12 @@
<li>
- <p>Attempt to <a href=#fetch>fetch</a> the resource identified by <var title="">url</var>, from the <var title="">owner origin</var>,
- with the <i>synchronous flag</i> set and the <i>force same-origin
- flag</i> set.</p> <!-- not http-origin privacy sensitive (looking
- forward to CORS) -->
+ <p>Attempt to <a href=#fetch>fetch</a><!--FETCH--> the resource
+ identified by <var title="">url</var>, from the <var title="">owner origin</var>, using <var title="">owner
+ document</var> as the <a href=#referrer-source>referrer source</a>, with the
+ <i>synchronous flag</i> set and the <i>force same-origin flag</i>
+ set.</p> <!-- not http-origin privacy sensitive (looking forward
+ to CORS) -->
<p>If the attempt fails, then for each <code><a href=#worker>Worker</a></code> or
<code><a href=#sharedworker>SharedWorker</a></code> object associated with <var title="">worker global scope</var>, <a href=#queue-a-task>queue a task</a> to
@@ -82669,6 +82726,8 @@
<p>Set the <a href="#script's-document">script's document</a> to <var title="">owner
document</var>.</p>
+ <p>Set the <a href="#script's-referrer-source">script's referrer source</a> to <var title="">url</var>.</p>
+
<p>Set the <a href="#script's-url-character-encoding">script's URL character encoding</a> to
UTF-8. (This is just used for encoding non-ASCII characters in the
query component of URLs.)</p>
@@ -83404,10 +83463,11 @@
<li>
- <p>Attempt to <a href=#fetch>fetch</a> each resource identified by the
- resulting <a href=#absolute-url title="absolute URL">absolute URLs</a>, from
- the <a href=#entry-script>entry script</a>'s <a href=#origin>origin</a>, with the
- <i>synchronous flag</i> set.</p> <!-- not http-origin privacy
+ <p>Attempt to <a href=#fetch>fetch</a><!--FETCH--> each resource
+ identified by the resulting <a href=#absolute-url title="absolute URL">absolute
+ URLs</a>, from the <a href=#entry-script>entry script</a>'s
+ <a href=#origin>origin</a>, using the <a href=#entry-script>entry script</a>'s <a href="#script's-referrer-source" title="script's referrer source">referrer source</a>, and with
+ the <i>synchronous flag</i> set.</p> <!-- not http-origin privacy
sensitive -->
</li>
@@ -83443,8 +83503,8 @@
<p><a href=#create-a-script>Create a script</a>, using <var title="">source</var> as the script source, the <a href=#url>URL</a>
from which <var title="">source</var> was obtained, and <var title="">language</var> as the scripting language, using the
- same global object, browsing context, URL character encoding,
- base URL, and script group as the <a href=#concept-script title=concept-script>script</a> that was created by the
+ same global object, browsing context, document, referrer source,
+ URL character encoding, and base URL as the <a href=#concept-script title=concept-script>script</a> that was created by the
worker's <a href=#run-a-worker>run a worker</a> algorithm.</p>
<p>Let the newly created <a href=#concept-script title=concept-script>script</a> run until it either
@@ -83504,7 +83564,9 @@
null. The <a href=#xmlhttprequest-base-url><code>XMLHttpRequest</code> base URL</a> is the
<a href="#script's-base-url">script's base URL</a>; the
<a href=#xmlhttprequest-origin><code>XMLHttpRequest</code> origin</a> is the script's
- <a href=#origin>origin</a>. <a href=#refsXHR>[XHR]</a></li>
+ <a href=#origin>origin</a>, and the <a href=#xmlhttprequest-referrer-source><code>XMLHttpRequest</code>
+ referrer source</a> is the <a href="#script's-referrer-source">script's referrer
+ source</a>. <a href=#refsXHR>[XHR]</a></li>
<li><p>The interface objects and constructors defined by this
specification, except where is further restricted by explicit
@@ -83821,14 +83883,15 @@
<li><!-- if you change this, don't forget to update the
reconnecting fetch lower down as well! -->
- <p>Do a <a href=#potentially-cors-enabled-fetch>potentially CORS-enabled fetch</a> of the
- resulting <a href=#absolute-url>absolute URL</a>, with the <i>mode</i> being
- <var title="">CORS mode</var>, and the <i title="">origin</i>
- being the <a href=#entry-script>entry script</a>'s <a href=#origin>origin</a><!--, and
- the <i>default origin behaviour</i> set to <i>fail</i> (though it
- has no effect in the "Anonymous" and "Use Credentials" modes)-->,
- and process the resource obtained in this fashion, if any, as
- described below.</p>
+ <p>Do a <a href=#potentially-cors-enabled-fetch>potentially CORS-enabled fetch</a><!--FETCH--> of
+ the resulting <a href=#absolute-url>absolute URL</a> using the <a href=#entry-script>entry
+ script</a>'s <a href="#script's-referrer-source" title="script's referrer source">referrer
+ source</a>, with the <i>mode</i> being <var title="">CORS
+ mode</var>, and the <i title="">origin</i> being the <a href=#entry-script>entry
+ script</a>'s <a href=#origin>origin</a><!--, and the <i>default origin
+ behaviour</i> set to <i>fail</i> (though it has no effect in the
+ "Anonymous" and "Use Credentials" modes)-->, and process the
+ resource obtained in this fashion, if any, as described below.</p>
<p class=note>The definition of the <a href=#fetch title=fetch>fetching</a> algorithm (which is used by CORS) is
such that if the browser is already fetching the resource
@@ -83909,7 +83972,7 @@
</ul><p>These values are not currently exposed on the interface.</p>
- <h4 id=processing-model-5><span class=secno>10.2.3 </span>Processing model</h4>
+ <h4 id=processing-model-6><span class=secno>10.2.3 </span>Processing model</h4>
<p>The resource indicated in the argument to the <code title=dom-EventSource><a href=#dom-eventsource>EventSource</a></code> constructor is <a href=#fetch title=fetch>fetched</a> when the constructor is run.</p>
@@ -84031,11 +84094,12 @@
not set to <code title=dom-EventSource-CONNECTING><a href=#dom-eventsource-connecting>CONNECTING</a></code>, abort these
steps.</li>
- <li><p>Perform a <a href=#potentially-cors-enabled-fetch>potentially CORS-enabled fetch</a> of
- the <a href=#absolute-url>absolute URL</a> of the event source resource, with
- the <i>mode</i><!--, the <i>default origin behaviour</i>,--> and
- the <i title="">origin</i> being the same as those used in the
- original request triggered by the <code title=dom-EventSource><a href=#dom-eventsource>EventSource()</a></code> constructor, and
+ <li><p>Perform a <a href=#potentially-cors-enabled-fetch>potentially CORS-enabled
+ fetch</a><!--FETCH--> of the <a href=#absolute-url>absolute URL</a> of the
+ event source resource, using the same <i><a href=#referrer-source>referrer source</a></i>, and
+ with the same <i>mode</i><!--, <i>default origin
+ behaviour</i>,--> and <i title="">origin</i>, as those used in
+ the original request triggered by the <code title=dom-EventSource><a href=#dom-eventsource>EventSource()</a></code> constructor, and
process the resource obtained in this fashion, if any, as
described earlier in this section.</li>
Modified: index
===================================================================
--- index 2012-09-12 07:21:58 UTC (rev 7340)
+++ index 2012-09-12 23:14:45 UTC (rev 7341)
@@ -365,12 +365,13 @@
<li><a href=#interfaces-for-url-manipulation><span class=secno>2.6.7 </span>Interfaces for URL manipulation</a></ol></li>
<li><a href=#fetching-resources><span class=secno>2.7 </span>Fetching resources</a>
<ol>
- <li><a href=#concept-http-equivalent><span class=secno>2.7.1 </span>Protocol concepts</a></li>
- <li><a href=#encrypted-http-and-related-security-concerns><span class=secno>2.7.2 </span>Encrypted HTTP and related security concerns</a></li>
- <li><a href=#content-type-sniffing><span class=secno>2.7.3 </span>Determining the type of a resource</a></li>
- <li><a href=#extracting-encodings-from-meta-elements><span class=secno>2.7.4 </span>Extracting encodings from <code>meta</code> elements</a></li>
- <li><a href=#cors-settings-attributes><span class=secno>2.7.5 </span>CORS settings attributes</a></li>
- <li><a href=#cors-enabled-fetch><span class=secno>2.7.6 </span>CORS-enabled fetch</a></ol></li>
+ <li><a href=#terminology-1><span class=secno>2.7.1 </span>Terminology</a></li>
+ <li><a href=#processing-model><span class=secno>2.7.2 </span>Processing model</a></li>
+ <li><a href=#encrypted-http-and-related-security-concerns><span class=secno>2.7.3 </span>Encrypted HTTP and related security concerns</a></li>
+ <li><a href=#content-type-sniffing><span class=secno>2.7.4 </span>Determining the type of a resource</a></li>
+ <li><a href=#extracting-encodings-from-meta-elements><span class=secno>2.7.5 </span>Extracting encodings from <code>meta</code> elements</a></li>
+ <li><a href=#cors-settings-attributes><span class=secno>2.7.6 </span>CORS settings attributes</a></li>
+ <li><a href=#cors-enabled-fetch><span class=secno>2.7.7 </span>CORS-enabled fetch</a></ol></li>
<li><a href=#common-dom-interfaces><span class=secno>2.8 </span>Common DOM interfaces</a>
<ol>
<li><a href=#reflecting-content-attributes-in-idl-attributes><span class=secno>2.8.1 </span>Reflecting content attributes in IDL attributes</a></li>
@@ -635,7 +636,7 @@
<li><a href=#image-maps><span class=secno>4.8.14 </span>Image maps</a>
<ol>
<li><a href=#authoring><span class=secno>4.8.14.1 </span>Authoring</a></li>
- <li><a href=#processing-model><span class=secno>4.8.14.2 </span>Processing model</a></ol></li>
+ <li><a href=#processing-model-0><span class=secno>4.8.14.2 </span>Processing model</a></ol></li>
<li><a href=#mathml><span class=secno>4.8.15 </span>MathML</a></li>
<li><a href=#svg-0><span class=secno>4.8.16 </span>SVG</a></li>
<li><a href=#dimension-attributes><span class=secno>4.8.17 </span>Dimension attributes</a></ol></li>
@@ -655,7 +656,7 @@
<li><a href=#the-td-element><span class=secno>4.9.9 </span>The <code>td</code> element</a></li>
<li><a href=#the-th-element><span class=secno>4.9.10 </span>The <code>th</code> element</a></li>
<li><a href=#attributes-common-to-td-and-th-elements><span class=secno>4.9.11 </span>Attributes common to <code>td</code> and <code>th</code> elements</a></li>
- <li><a href=#processing-model-0><span class=secno>4.9.12 </span>Processing model</a>
+ <li><a href=#processing-model-1><span class=secno>4.9.12 </span>Processing model</a>
<ol>
<li><a href=#forming-a-table><span class=secno>4.9.12.1 </span>Forming a table</a></li>
<li><a href=#header-and-data-cell-semantics><span class=secno>4.9.12.2 </span>Forming relationships between data cells and header cells</a></ol></li>
@@ -936,7 +937,7 @@
<ol>
<li><a href=#introduction-6><span class=secno>7.1.1 </span>Introduction</a></li>
<li><a href=#enabling-and-disabling-scripting><span class=secno>7.1.2 </span>Enabling and disabling scripting</a></li>
- <li><a href=#processing-model-1><span class=secno>7.1.3 </span>Processing model</a>
+ <li><a href=#processing-model-2><span class=secno>7.1.3 </span>Processing model</a>
<ol>
<li><a href=#definitions-0><span class=secno>7.1.3.1 </span>Definitions</a></li>
<li><a href=#calling-scripts><span class=secno>7.1.3.2 </span>Calling scripts</a></li>
@@ -948,7 +949,7 @@
<li><a href=#event-loops><span class=secno>7.1.4 </span>Event loops</a>
<ol>
<li><a href=#definitions-1><span class=secno>7.1.4.1 </span>Definitions</a></li>
- <li><a href=#processing-model-2><span class=secno>7.1.4.2 </span>Processing model</a></li>
+ <li><a href=#processing-model-3><span class=secno>7.1.4.2 </span>Processing model</a></li>
<li><a href=#generic-task-sources><span class=secno>7.1.4.3 </span>Generic task sources</a></ol></li>
<li><a href=#javascript-protocol><span class=secno>7.1.5 </span>The <code title="">javascript:</code> URL scheme</a></li>
<li><a href=#events><span class=secno>7.1.6 </span>Events</a>
@@ -991,7 +992,7 @@
<ol>
<li><a href=#introduction-7><span class=secno>8.5.1 </span>Introduction</a></li>
<li><a href=#the-accesskey-attribute><span class=secno>8.5.2 </span>The <code>accesskey</code> attribute</a></li>
- <li><a href=#processing-model-3><span class=secno>8.5.3 </span>Processing model</a></ol></li>
+ <li><a href=#processing-model-4><span class=secno>8.5.3 </span>Processing model</a></ol></li>
<li><a href=#editing-0><span class=secno>8.6 </span>Editing</a>
<ol>
<li><a href=#contenteditable><span class=secno>8.6.1 </span>Making document regions editable: The <code title=attr-contenteditable>contenteditable</code> content
@@ -1040,7 +1041,7 @@
<li><a href=#shared-workers-and-the-sharedworkerglobalscope-interface><span class=secno>9.2.1.3 </span>Shared workers and the <code>SharedWorkerGlobalScope</code> interface</a></ol></li>
<li><a href=#the-event-loop><span class=secno>9.2.2 </span>The event loop</a></li>
<li><a href="#the-worker's-lifetime"><span class=secno>9.2.3 </span>The worker's lifetime</a></li>
- <li><a href=#processing-model-4><span class=secno>9.2.4 </span>Processing model</a></li>
+ <li><a href=#processing-model-5><span class=secno>9.2.4 </span>Processing model</a></li>
<li><a href=#runtime-script-errors-0><span class=secno>9.2.5 </span>Runtime script errors</a></li>
<li><a href=#creating-workers><span class=secno>9.2.6 </span>Creating workers</a>
<ol>
@@ -1060,7 +1061,7 @@
<ol>
<li><a href=#server-sent-events-intro><span class=secno>10.2.1 </span>Introduction</a></li>
<li><a href=#the-eventsource-interface><span class=secno>10.2.2 </span>The <code>EventSource</code> interface</a></li>
- <li><a href=#processing-model-5><span class=secno>10.2.3 </span>Processing model</a></li>
+ <li><a href=#processing-model-6><span class=secno>10.2.3 </span>Processing model</a></li>
<li><a href=#parsing-an-event-stream><span class=secno>10.2.4 </span>Parsing an event stream</a></li>
<li><a href=#event-stream-interpretation><span class=secno>10.2.5 </span>Interpreting an event stream</a></li>
<li><a href=#notes><span class=secno>10.2.6 </span>Notes</a></li>
@@ -4248,9 +4249,10 @@
<p>This specification references the XMLHttpRequest specification
to define how the two specifications interact. The terms
<dfn id=document-response-entity-body>document response entity body</dfn>,
- <dfn id=xmlhttprequest-base-url><code>XMLHttpRequest</code> base URL</dfn>, and
- <dfn id=xmlhttprequest-origin><code>XMLHttpRequest</code> origin</dfn> are defined in that
- specification. <a href=#refsXHR>[XHR]</a></p>
+ <dfn id=xmlhttprequest-base-url><code>XMLHttpRequest</code> base URL</dfn>,
+ <dfn id=xmlhttprequest-origin><code>XMLHttpRequest</code> origin</dfn>, and
+ <dfn id=xmlhttprequest-referrer-source><code>XMLHttpRequest</code> referrer source</dfn> are defined
+ in that specification. <a href=#refsXHR>[XHR]</a></p>
</dd>
@@ -8308,8 +8310,38 @@
<h3 id=fetching-resources><span class=secno>2.7 </span>Fetching resources</h3>
- <p>When a user agent is to <dfn id=fetch>fetch</dfn> a resource or
- <a href=#url>URL</a>, optionally from an origin <i title="">origin</i>,
+ <h4 id=terminology-1><span class=secno>2.7.1 </span>Terminology</h4>
+
+ <p id=concept-http-equivalent>User agents can implement a variety
+ of transfer protocols, but this specification mostly defines
+ behavior in terms of HTTP. <a href=#refsHTTP>[HTTP]</a></p>
+
+ <p>The <dfn id=concept-http-equivalent-get title=concept-http-equivalent-get>HTTP GET
+ method</dfn> is equivalent to the default retrieval action of the
+ protocol. For example, RETR in FTP. Such actions are idempotent and
+ safe, in HTTP terms.</p>
+
+ <p>The <dfn id=concept-http-equivalent-codes title=concept-http-equivalent-codes>HTTP response
+ codes</dfn> are equivalent to statuses in other protocols that have
+ the same basic meanings. For example, a "file not found" error is
+ equivalent to a 404 code, a server error is equivalent to a 5xx
+ code, and so on.</p>
+
+ <p>The <dfn id=concept-http-equivalent-headers title=concept-http-equivalent-headers>HTTP
+ headers</dfn> are equivalent to fields in other protocols that have
+ the same basic meaning. For example, the HTTP authentication
+ headers are equivalent to the authentication aspects of the FTP
+ protocol.</p>
+
+ <hr><p>A <dfn id=referrer-source>referrer source</dfn> is either a <code><a href=#document>Document</a></code> or
+ a <a href=#url>URL</a>.</p>
+
+
+ <h4 id=processing-model><span class=secno>2.7.2 </span>Processing model</h4>
+
+ <p>When a user agent is to <dfn id=fetch>fetch</dfn><!--FETCH--> a resource
+ or <a href=#url>URL</a>, optionally <strong>from</strong> an origin <i title="">origin</i>, optionally <strong>using</strong> a specific
+ <a href=#referrer-source>referrer source</a> as an <i>override referrer source</i>,
and optionally with a <i>synchronous flag</i>, a <i>manual redirect
flag</i>, a <i>force same-origin flag</i>, and/or a <i>block cookies
flag</i>, the following steps must be run. (When a <em>URL</em> is
@@ -8330,25 +8362,32 @@
<!-- "block cookies" is currently only used by XHR -->
- <ol><li>
+ <ol><li><p>If there is a specific <i>override referrer source</i>, and
+ it is a <a href=#url>URL</a>, then let <var title="">referrer</var> be
+ the <i>override referrer source</i>, and jump to the step labeled
+ <i>clean referrer</i>.</li>
+ <li>
+
<p>Let <var title="">document</var> be the appropriate
<code><a href=#document>Document</a></code> as given by the following list:</p>
- <dl class=switch><dt>When <a href=#navigate title=navigate>navigating</a></dt>
+ <dl class=switch><dt>If there is a specific <i>override referrer source</i></dt>
+ <dd>The <i>override referrer source</i>.</dd>
+
+
+ <dt>When <a href=#navigate title=navigate>navigating</a></dt>
+
<dd>The <a href=#active-document>active document</a> of the <a href=#source-browsing-context>source browsing
context</a>.</dd>
+
<dt>When fetching resources for an element</dt>
<dd>The element's <code><a href=#document>Document</a></code>.</dd>
- <dt>When fetching resources in response to a call to an API</dt>
- <dd>The <a href=#entry-script>entry script</a>'s <a href="#script's-document" title="script's
- document">document</a>.</dd>
-
</dl></li>
<li>
@@ -8363,22 +8402,40 @@
<li>
- <p>Generate the <i>address of the resource from which Request-URIs
- are obtained</i> as required by HTTP for the <code title=http-referer>Referer</code> (sic) header from <a href="#the-document's-address">the
- document's address</a> of <var title="">document</var>. <a href=#refsHTTP>[HTTP]</a></p>
+ <p>If the <a href=#origin>origin</a> of <var title="">Document</var> is
+ not a scheme/host/port tuple, then set <var title="">referrer</var> to the empty string and jump to the step
+ labeled <i>clean referrer</i>.</p>
- <p>Remove any <a href=#url-fragment title=url-fragment><fragment></a>
- component from the generated <i>address of the resource from which
- Request-URIs are obtained</i>.</p> <!-- RFC2616 says "The URI MUST
- NOT include a fragment." (section 14.36) -->
+ </li>
- <p>If the <a href=#origin>origin</a> of the appropriate
- <code><a href=#document>Document</a></code> is not a scheme/host/port tuple, then the
- <code title=http-referer>Referer</code> (sic) header must be
- omitted, regardless of its value.</p>
+ <li>
+ <p>Let <var title="">referrer</var> be <a href="#the-document's-address">the document's
+ address</a> of <var title="">document</var>.</p>
+
</li>
+ <li>
+
+ <p><i>Clean referrer</i>: Remove any <a href=#url-fragment title=url-fragment><fragment></a> component from <var title="">referrer</var>.</p> <!-- RFC2616 says "The URI MUST NOT
+ include a fragment." (section 14.36) -->
+
+ </li>
+
+ <li>
+
+ <p>If <var title="">referrer</var> is not the empty string, is not
+ a <a href=#data-protocol title="data protocol"><code title="">data:</code>
+ URL</a>, is not a <a href=#javascript-protocol title="javascript protocol"><code title="">javascript:</code> URL</a>, and is not the
+ <a href=#url>URL</a> "<code><a href=#about:blank>about:blank</a></code>", then generate the
+ <i>address of the resource from which Request-URIs are
+ obtained</i> as required by HTTP for the <code title=http-referer>Referer</code> (sic) header from <var title="">referrer</var>. <a href=#refsHTTP>[HTTP]</a></p>
+
+ <p>Otherwise, the <code title=http-referer>Referer</code> (sic)
+ header must be omitted, regardless of its value.</p>
+
+ </li>
+
<li><p>If the algorithm was not invoked with the <i>synchronous
flag</i>, perform the remaining steps asynchronously.</li>
@@ -8541,31 +8598,8 @@
applicable.</p>
- <h4 id=concept-http-equivalent><span class=secno>2.7.1 </span>Protocol concepts</h4>
-
- <p>User agents can implement a variety of transfer protocols, but
- this specification mostly defines behavior in terms of HTTP. <a href=#refsHTTP>[HTTP]</a></p>
-
- <p>The <dfn id=concept-http-equivalent-get title=concept-http-equivalent-get>HTTP GET
- method</dfn> is equivalent to the default retrieval action of the
- protocol. For example, RETR in FTP. Such actions are idempotent and
- safe, in HTTP terms.</p>
-
- <p>The <dfn id=concept-http-equivalent-codes title=concept-http-equivalent-codes>HTTP response
- codes</dfn> are equivalent to statuses in other protocols that have
- the same basic meanings. For example, a "file not found" error is
- equivalent to a 404 code, a server error is equivalent to a 5xx
- code, and so on.</p>
-
- <p>The <dfn id=concept-http-equivalent-headers title=concept-http-equivalent-headers>HTTP
- headers</dfn> are equivalent to fields in other protocols that have
- the same basic meaning. For example, the HTTP authentication
- headers are equivalent to the authentication aspects of the FTP
- protocol.</p>
-
-
<!--ADD-TOPIC:Security-->
- <h4 id=encrypted-http-and-related-security-concerns><span class=secno>2.7.2 </span>Encrypted HTTP and related security concerns</h4>
+ <h4 id=encrypted-http-and-related-security-concerns><span class=secno>2.7.3 </span>Encrypted HTTP and related security concerns</h4>
<p>Anything in this specification that refers to HTTP also applies
to HTTP-over-TLS, as represented by <a href=#url title=url>URLs</a>
@@ -8612,7 +8646,7 @@
<!--REMOVE-TOPIC:Security-->
- <h4 id=content-type-sniffing><span class=secno>2.7.3 </span>Determining the type of a resource</h4>
+ <h4 id=content-type-sniffing><span class=secno>2.7.4 </span>Determining the type of a resource</h4>
<p>The <dfn id=content-type title=Content-Type>Content-Type metadata</dfn> of a
resource must be obtained and interpreted in a manner consistent
@@ -8639,7 +8673,7 @@
Media Type Sniffing specification. <a href=#refsMIMESNIFF>[MIMESNIFF]</a></p>
- <h4 id=extracting-encodings-from-meta-elements><span class=secno>2.7.4 </span>Extracting encodings from <code><a href=#the-meta-element>meta</a></code> elements</h4>
+ <h4 id=extracting-encodings-from-meta-elements><span class=secno>2.7.5 </span>Extracting encodings from <code><a href=#the-meta-element>meta</a></code> elements</h4>
<p>The <dfn id=algorithm-for-extracting-an-encoding-from-a-meta-element>algorithm for extracting an encoding from a
<code>meta</code> element</dfn>, given a string <var title="">s</var>, is as follows. It either returns an encoding or
@@ -8697,7 +8731,7 @@
</div>
- <h4 id=cors-settings-attributes><span class=secno>2.7.5 </span>CORS settings attributes</h4>
+ <h4 id=cors-settings-attributes><span class=secno>2.7.6 </span>CORS settings attributes</h4>
<p>A <dfn id=cors-settings-attribute>CORS settings attribute</dfn> is an <a href=#enumerated-attribute>enumerated
attribute</a>. The following table lists the keywords and states
@@ -8721,19 +8755,19 @@
<div class=impl>
- <h4 id=cors-enabled-fetch><span class=secno>2.7.6 </span>CORS-enabled fetch</h4>
+ <h4 id=cors-enabled-fetch><span class=secno>2.7.7 </span>CORS-enabled fetch</h4>
<p>When the user agent is required to perform a <dfn id=potentially-cors-enabled-fetch>potentially
- CORS-enabled fetch</dfn> of an <a href=#absolute-url>absolute URL</a> <var title="">URL</var>, with a mode <var title="">mode</var> that is
+ CORS-enabled fetch</dfn> of an <a href=#absolute-url>absolute URL</a> <var title="">URL</var> with a mode <var title="">mode</var> that is
either "<a href=#attr-crossorigin-none title=attr-crossorigin-none>No CORS</a>", "<a href=#attr-crossorigin-anonymous title=attr-crossorigin-anonymous>Anonymous</a>", or "<a href=#attr-crossorigin-use-credentials title=attr-crossorigin-use-credentials>Use Credentials</a>",
- an <a href=#origin>origin</a> <var title="">origin</var>, and a default
- origin behaviour <var title="">default</var> which is either
- "<i>taint</i>" or "<i>fail</i>", it must run the first applicable
- set of steps from the following list. The default origin behaviour
- is only used if <var title="">mode</var> is "<a href=#attr-crossorigin-none title=attr-crossorigin-none>No CORS</a>". This algorithm wraps
- the <a href=#fetch>fetch</a> algorithm above, and labels the obtained
- resource as either <dfn id=cors-same-origin>CORS-same-origin</dfn> or
- <dfn id=cors-cross-origin>CORS-cross-origin</dfn>, or blocks the resource entirely.</p>
+ optionally using a <a href=#referrer-source>referrer source</a> <var title="">referrer source</var>, with an <a href=#origin>origin</a> <var title="">origin</var>, and with a default origin behaviour <var title="">default</var> which is either "<i>taint</i>" or
+ "<i>fail</i>", it must run the first applicable set of steps from
+ the following list. The default origin behaviour is only used if
+ <var title="">mode</var> is "<a href=#attr-crossorigin-none title=attr-crossorigin-none>No
+ CORS</a>". This algorithm wraps the <a href=#fetch>fetch</a> algorithm
+ above, and labels the obtained resource as either
+ <dfn id=cors-same-origin>CORS-same-origin</dfn> or <dfn id=cors-cross-origin>CORS-cross-origin</dfn>, or
+ blocks the resource entirely.</p>
<dl class=switch><dt>If the <var title="">URL</var> has the <a href=#same-origin>same origin</a> as <var title="">origin</var></dt>
<dt>If the <var title="">URL</var> is a <a href=#data-protocol title="data protocol"><code title="">data:</code> URL</a></dt>
@@ -8744,9 +8778,10 @@
<p>Run these substeps:</p>
- <ol><li><p><a href=#fetch>Fetch</a> <var title="">URL</var>, with the
- <i>manual redirect flag</i> set.</li> <!-- http-origin privacy
- sensitive -->
+ <ol><li><p><a href=#fetch>Fetch</a><!--FETCH--> <var title="">URL</var>,
+ using <var title="">referrer source</var> if one was specified,
+ with the <i>manual redirect flag</i> set.</li> <!-- http-origin
+ privacy sensitive -->
<li><p><i>Loop</i>: Wait for the <a href=#fetch>fetch</a> algorithm
to know if the result is a redirect or not.</li>
@@ -8810,7 +8845,8 @@
<p class=note>The <var title="">URL</var> does not have the
<a href=#same-origin>same origin</a> as <var title="">origin</var>.</p>
- <p><a href=#fetch>Fetch</a> <var title="">URL</var>.</p> <!--
+ <p><a href=#fetch>Fetch</a><!--FETCH--> <var title="">URL</var>, using
+ <var title="">referrer source</var> if one was specified.</p> <!--
http-origin privacy sensitive -->
<p>The <a href=#concept-task title=concept-task>tasks</a> from the
@@ -8854,10 +8890,11 @@
<p>Run these steps:</p>
- <ol><li><p>Perform a <a href=#cross-origin-request>cross-origin request</a> with the
- <i>request URL</i> set to <var title="">URL</var>, the <i>source
- origin</i> set to <var title="">origin</var>, and the <i><a href=#omit-credentials-flag>omit
- credentials flag</a></i> set if <var title="">mode</var> is "<a href=#attr-crossorigin-anonymous title=attr-crossorigin-anonymous>Anonymous</a>" and not set
+ <ol><li><p>Perform a <a href=#cross-origin-request>cross-origin request</a><!--FETCH-->
+ with the <i>request URL</i> set to <var title="">URL</var>, using
+ <var title="">referrer source</var> if one was specified, with
+ the <i>source origin</i> set to <var title="">origin</var>, and
+ with the <i><a href=#omit-credentials-flag>omit credentials flag</a></i> set if <var title="">mode</var> is "<a href=#attr-crossorigin-anonymous title=attr-crossorigin-anonymous>Anonymous</a>" and not set
otherwise. <a href=#refsCORS>[CORS]</a></li>
<li><p>Wait for the CORS <a href=#cross-origin-request-status>cross-origin request status</a>
@@ -10893,9 +10930,12 @@
<li><p>Let <var title="">success</var> be false.</li>
- <li><p><a href=#fetch>Fetch</a> <var title="">url</var> from the
- <a href=#origin>origin</a> of <var title="">document</var>, with the <i title="">synchronous flag</i> set and the <i title="">force
- same-origin flag</i> set.</li>
+ <li><p><a href=#fetch>Fetch</a><!--FETCH--> <var title="">url</var> from
+ the <a href=#origin>origin</a> of <var title="">document</var>, using the
+ <a href=#entry-script>entry script</a>'s <a href="#script's-referrer-source" title="script's referrer
+ source">referrer source</a>, with the <i title="">synchronous
+ flag</i> set and the <i title="">force same-origin flag</i>
+ set.</li>
<li>
@@ -14871,7 +14911,7 @@
<li><p>If the previous step fails, then abort these steps.</li>
- <li><p><a href=#fetch>Fetch</a> the resulting <a href=#absolute-url>absolute
+ <li><p><a href=#fetch>Fetch</a><!--FETCH--> the resulting <a href=#absolute-url>absolute
URL</a>.</li> <!-- http-origin privacy sensitive -->
</ol><p>User agents may opt to only try to obtain such resources when
@@ -16914,7 +16954,7 @@
attribute whose value is not the empty string, then the value of
that attribute must be <a href=#resolve-a-url title="resolve a url">resolved</a>
relative to the element, and if that is successful, the specified
- resource must then be <a href=#fetch title=fetch>fetched</a>, from the
+ resource must then be <a href=#fetch title=fetch>fetched</a><!--FETCH-->, from the
<a href=#origin>origin</a> of the element's <code><a href=#document>Document</a></code>.</p>
<!-- not http-origin privacy sensitive -->
@@ -24559,8 +24599,8 @@
<li>
- <p>Do a <a href=#potentially-cors-enabled-fetch>potentially CORS-enabled fetch</a> of the
- <a href=#absolute-url>absolute URL</a> that resulted from the earlier step,
+ <p>Do a <a href=#potentially-cors-enabled-fetch>potentially CORS-enabled fetch</a><!--FETCH--> of
+ the <a href=#absolute-url>absolute URL</a> that resulted from the earlier step,
with the <i>mode</i> being the state of the element's <code title=attr-img-crossorigin><a href=#attr-img-crossorigin>crossorigin</a></code> content attribute,
the <i title="">origin</i> being the <a href=#origin>origin</a> of the
<code><a href=#the-img-element>img</a></code> element's <code><a href=#document>Document</a></code>, and the
@@ -24944,10 +24984,10 @@
<li>
- <p>Do a <a href=#potentially-cors-enabled-fetch>potentially CORS-enabled fetch</a> of the
- resulting <a href=#absolute-url>absolute URL</a>, with the <i>mode</i> being
- <var title="">CORS mode</var>, the <i title="">origin</i> being
- the <a href=#origin>origin</a> of the <code><a href=#the-img-element>img</a></code> element's
+ <p>Do a <a href=#potentially-cors-enabled-fetch>potentially CORS-enabled fetch</a><!--FETCH--> of
+ the resulting <a href=#absolute-url>absolute URL</a>, with the <i>mode</i>
+ being <var title="">CORS mode</var>, the <i title="">origin</i>
+ being the <a href=#origin>origin</a> of the <code><a href=#the-img-element>img</a></code> element's
<code><a href=#document>Document</a></code>, and the <i>default origin behaviour</i> set
to <i>taint</i>.</p>
@@ -27183,16 +27223,17 @@
<p>The user agent must <a href=#resolve-a-url title="resolve a url">resolve</a>
the value of the element's <code title=attr-embed-src><a href=#attr-embed-src>src</a></code>
attribute, relative to the element. If that is successful, the
- user agent should <a href=#fetch>fetch</a> the resulting <a href=#absolute-url>absolute
- URL</a>, from the element's <a href=#browsing-context-scope-origin>browsing context scope
- origin</a> if it has one<!-- potentially http-origin privacy
- sensitive -->. The <a href=#concept-task title=concept-task>task</a> that is
- <a href=#queue-a-task title="queue a task">queued</a> by the <a href=#networking-task-source>networking
- task source</a> once the resource has been <a href=#fetch title=fetch>fetched</a> must find and instantiate an
- appropriate <a href=#plugin>plugin</a> based on the <a href=#concept-embed-type title=concept-embed-type>content's type</a>, and hand that
- <a href=#plugin>plugin</a> the content of the resource, replacing any
- previously instantiated plugin for the element.</p> <!-- Note that
- this doesn't happen when the base URL changes. -->
+ user agent should <a href=#fetch>fetch</a><!--FETCH--> the resulting
+ <a href=#absolute-url>absolute URL</a>, from the element's <a href=#browsing-context-scope-origin>browsing
+ context scope origin</a> if it has one<!-- potentially
+ http-origin privacy sensitive -->. The <a href=#concept-task title=concept-task>task</a> that is <a href=#queue-a-task title="queue a
+ task">queued</a> by the <a href=#networking-task-source>networking task source</a>
+ once the resource has been <a href=#fetch title=fetch>fetched</a> must
+ find and instantiate an appropriate <a href=#plugin>plugin</a> based on
+ the <a href=#concept-embed-type title=concept-embed-type>content's type</a>, and
+ hand that <a href=#plugin>plugin</a> the content of the resource,
+ replacing any previously instantiated plugin for the element.</p>
+ <!-- Note that this doesn't happen when the base URL changes. -->
<p>Fetching the resource must <a href=#delay-the-load-event>delay the load event</a> of
the element's document.</p>
@@ -27592,15 +27633,17 @@
<li>
- <p><a href=#fetch>Fetch</a> the resulting <a href=#absolute-url>absolute URL</a>,
- from the element's <a href=#browsing-context-scope-origin>browsing context scope origin</a> if
- it has one<!-- potentially http-origin privacy sensitive
- -->.</p>
+ <p><a href=#fetch>Fetch</a><!--FETCH--> the resulting <a href=#absolute-url>absolute
+ URL</a>, from the element's <a href=#browsing-context-scope-origin>browsing context scope
+ origin</a> if it has one<!-- potentially http-origin privacy
+ sensitive -->.</p>
- <!-- similar text in various places --> <p>Fetching the resource
- must <a href=#delay-the-load-event>delay the load event</a> of the element's document
- until the <a href=#concept-task title=concept-task>task</a> that is <a href=#queue-a-task title="queue a task">queued</a> by the <a href=#networking-task-source>networking task
- source</a> once the resource has been <a href=#fetch title=fetch>fetched</a> (defined next) has been run.</p>
+ <!-- similar text in various places -->
+ <p>Fetching the resource must <a href=#delay-the-load-event>delay the load event</a>
+ of the element's document until the <a href=#concept-task title=concept-task>task</a> that is <a href=#queue-a-task title="queue a
+ task">queued</a> by the <a href=#networking-task-source>networking task source</a>
+ once the resource has been <a href=#fetch title=fetch>fetched</a>
+ (defined next) has been run.</p>
<p>For the purposes of the <a href=#application-cache>application cache</a>
networking model, this <a href=#fetch>fetch</a> operation is not for a
@@ -28373,10 +28416,10 @@
to the element. If this fails, then there is no <a href=#poster-frame>poster
frame</a>; abort these steps.</li>
- <li><p><a href=#fetch>Fetch</a> the resulting <a href=#absolute-url>absolute URL</a>,
- from the element's <code><a href=#document>Document</a></code>'s <a href=#origin>origin</a>.
- This must <a href=#delay-the-load-event>delay the load event</a> of the element's
- document.</li>
+ <li><p><a href=#fetch>Fetch</a><!--FETCH--> the resulting <a href=#absolute-url>absolute
+ URL</a>, from the element's <code><a href=#document>Document</a></code>'s
+ <a href=#origin>origin</a>. This must <a href=#delay-the-load-event>delay the load event</a> of
+ the element's document.</li>
<!-- could define how to sniff for an image here -->
@@ -30064,13 +30107,14 @@
<li>
- <p>Perform a <a href=#potentially-cors-enabled-fetch>potentially CORS-enabled fetch</a> of the
- <var title="">current media resource</var>'s <a href=#absolute-url>absolute
- URL</a>, with the <i>mode</i> being the state of the
- <a href=#media-element>media element</a>'s <code title=attr-media-crossorigin><a href=#attr-media-crossorigin>crossorigin</a></code> content
- attribute, the <i title="">origin</i> being the <a href=#origin>origin</a> of the
- <a href=#media-element>media element</a>'s <code><a href=#document>Document</a></code>, and the
- <i>default origin behaviour</i> set to <i>taint</i>.</p>
+ <p>Perform a <a href=#potentially-cors-enabled-fetch>potentially CORS-enabled
+ fetch</a><!--FETCH--> of the <var title="">current media
+ resource</var>'s <a href=#absolute-url>absolute URL</a>, with the <i>mode</i>
+ being the state of the <a href=#media-element>media element</a>'s <code title=attr-media-crossorigin><a href=#attr-media-crossorigin>crossorigin</a></code> content
+ attribute, the <i title="">origin</i> being the
+ <a href=#origin>origin</a> of the <a href=#media-element>media element</a>'s
+ <code><a href=#document>Document</a></code>, and the <i>default origin behaviour</i> set
+ to <i>taint</i>.</p>
<p>The resource obtained in this fashion, if any, contains the
<a href=#media-data>media data</a>. It can be <a href=#cors-same-origin>CORS-same-origin</a>
@@ -34434,7 +34478,7 @@
<li>
<p>If <var title="">URL</var> is not the empty string, perform a
- <a href=#potentially-cors-enabled-fetch>potentially CORS-enabled fetch</a> of <var title="">URL</var>, with the <i>mode</i> being <var title="">CORS
+ <a href=#potentially-cors-enabled-fetch>potentially CORS-enabled fetch</a><!--FETCH--> of <var title="">URL</var>, with the <i>mode</i> being <var title="">CORS
mode</var>, the <i title="">origin</i> being the
<a href=#origin>origin</a> of the <code><a href=#the-track-element>track</a></code> element's
<code><a href=#document>Document</a></code>, and the <i>default origin behaviour</i> set
@@ -42440,7 +42484,7 @@
<div class=impl>
- <h5 id=processing-model><span class=secno>4.8.14.2 </span>Processing model</h5>
+ <h5 id=processing-model-0><span class=secno>4.8.14.2 </span>Processing model</h5>
<p>If an <code><a href=#the-img-element>img</a></code> element or an <code><a href=#the-object-element>object</a></code> element
representing an image has a <code title=attr-hyperlink-usemap><a href=#attr-hyperlink-usemap>usemap</a></code> attribute specified,
@@ -44244,7 +44288,7 @@
<div class=impl>
- <h4 id=processing-model-0><span class=secno>4.9.12 </span>Processing model</h4>
+ <h4 id=processing-model-1><span class=secno>4.9.12 </span>Processing model</h4>
<p>The various table elements and their content attributes together
define the <dfn id=table-model>table model</dfn>.</p>
@@ -51156,10 +51200,10 @@
or the user agent only fetches elements on demand, or the <code title=attr-input-src><a href=#attr-input-src>src</a></code> attribute's value is the empty
string, the user agent must <a href=#resolve-a-url title="resolve a
url">resolve</a> the value of the <code title=attr-input-src><a href=#attr-input-src>src</a></code> attribute, relative to the
- element, and if that is successful, must <a href=#fetch>fetch</a> the
- resulting <a href=#absolute-url>absolute URL</a>:</p> <!-- Note how this does NOT
- happen when the base URL changes. --> <!-- http-origin privacy
- sensitive -->
+ element, and if that is successful, must
+ <a href=#fetch>fetch</a><!--FETCH--> the resulting <a href=#absolute-url>absolute
+ URL</a>:</p> <!-- Note how this does NOT happen when the base URL
+ changes. --> <!-- http-origin privacy sensitive -->
<ul><li>The <code><a href=#the-input-element>input</a></code> element's <code title=attr-input-type><a href=#attr-input-type>type</a></code> attribute is first set to the
<a href="#image-button-state-(type=image)" title=attr-input-type-image>Image Button</a> state
@@ -59112,13 +59156,13 @@
<dd>Append the command to the menu, respecting its <a href=#concept-facet title=concept-facet>facets</a><!-- we might need to be
explicit about what this means for each facet, if testing shows
this isn't well-implemented. e.g.: If there's an Icon facet for the
- command, it should be <span title="fetch">fetched</span> (this
- would be http-origin privacy-sensitive), and then that image should
- be associated with the command, such that each command only has its
- image fetched once, to prevent changes to the base URL from having
- effects after the image has been fetched once. (no need to resolve
- the Icon facet, it's an absolute URL) -->. <!--If the element is a
- <code>command</code> element with a <code
+ command, it should be <span title="fetch">fetched</span><!- -FETCH-
+ -> (this would be http-origin privacy-sensitive), and then that
+ image should be associated with the command, such that each command
+ only has its image fetched once, to prevent changes to the base URL
+ from having effects after the image has been fetched once. (no need
+ to resolve the Icon facet, it's an absolute URL) -->. <!--If the
+ element is a <code>command</code> element with a <code
title="attr-command-default">default</code> attribute, mark the
command as being a default command.--></dd>
@@ -60744,9 +60788,9 @@
<li><p>Return to whatever algorithm invoked these steps and continue
these steps asynchronously.</li>
- <li><p><a href=#fetch>Fetch</a> <var title="">URL</var> and handle the
- resulting resource <a href=#as-a-download>as a download</a>.</li> <!--
- http-origin privacy sensitive -->
+ <li><p><a href=#fetch>Fetch</a><!--FETCH--> <var title="">URL</var> and
+ handle the resulting resource <a href=#as-a-download>as a download</a>.</li>
+ <!-- http-origin privacy sensitive -->
</ol><p>When a user agent is to handle a resource obtained from a
<a href=#fetch>fetch</a> algorithm <dfn id=as-a-download>as a download</dfn>, it should
@@ -60927,9 +60971,7 @@
</div>
-<!--DOWNLOAD-->
-
<!--PING-->
<div class=impl>
@@ -60941,11 +60983,12 @@
follows the hyperlink, and the value of the element's <code title=attr-hyperlink-href><a href=#attr-hyperlink-href>href</a></code> attribute can be <a href=#resolve-a-url title="resolve a url">resolved</a>, relative to the element,
without failure, then the user agent must take the <code title=attr-hyperlink-ping><a href=#ping>ping</a></code> attribute's value, <a href=#split-a-string-on-spaces title="split a string on spaces">split that string on spaces</a>,
<a href=#resolve-a-url title="resolve a url">resolve</a> each resulting token
- relative to the element, and then should send a request (as
- described below) to each of the resulting <a href=#absolute-url title="absolute
- URL">absolute URLs</a>. (Tokens that fail to resolve are
- ignored.) This may be done in parallel with the primary request, and
- is independent of the result of that request.</p>
+ relative to the element, and then each of the resulting <a href=#absolute-url title="absolute URL">absolute URLs</a> should be <a href=#fetch title=fetch>fetched</a><!--FETCH--> from the
+ <a href=#origin>origin</a> of the <code><a href=#document>Document</a></code> containing the
+ <a href=#hyperlink>hyperlink</a> <!-- not http-origin privacy sensitive -->
+ (as described below). (Tokens that fail to resolve are ignored.)
+ This may be done in parallel with the primary request, and is
+ independent of the result of that request.</p>
<p>User agents should allow the user to adjust this behavior, for
example in conjunction with a setting that disables the sending of
@@ -60955,13 +60998,10 @@
or selectively ignore URLs in the list (e.g. ignoring any
third-party URLs).</p>
- <p>For URLs that are HTTP URLs, the requests must be performed by
- <a href=#fetch title=fetch>fetching</a> the specified URLs using the
- POST method, with an entity body with the <a href=#mime-type>MIME type</a>
+ <p>For URLs that are HTTP URLs, the requests must be performed using
+ the POST method, with an entity body with the <a href=#mime-type>MIME type</a>
<code><a href=#text/ping>text/ping</a></code> consisting of the four-character string
- "<code title="">PING</code>", from the <a href=#origin>origin</a> of the
- <code><a href=#document>Document</a></code> containing the <a href=#hyperlink>hyperlink</a>. <!--
- not http-origin privacy sensitive --> All relevant cookie and HTTP
+ "<code title="">PING</code>". All relevant cookie and HTTP
authentication headers must be included in the request. Which other
headers are required depends on the URLs involved.</p>
@@ -61006,10 +61046,6 @@
responses. User agents may close the connection prematurely once
they start receiving an entity body. <a href=#refsCOOKIES>[COOKIES]</a></p>
- <p>For URLs that are not HTTP URLs, the requests must be performed
- by <a href=#fetch title=fetch>fetching</a> the specified URL normally,
- and discarding the results.</p>
-
<p>When the <code title=attr-hyperlink-ping><a href=#ping>ping</a></code> attribute is
present, user agents should clearly indicate to the user that
following the hyperlink will also cause secondary requests to be
@@ -61052,7 +61088,6 @@
<!-- resolving ping urls happens at audit time, so base URL changes
affect the values of ping attributes -->
-<!--PING-->
@@ -61539,8 +61574,9 @@
<p>In the absence of a <code><a href=#the-link-element>link</a></code> with the <code title=rel-icon><a href=#rel-icon>icon</a></code> keyword, for <code><a href=#document>Document</a></code>s
obtained over HTTP or HTTPS, user agents may instead attempt to
- <a href=#fetch>fetch</a> and use an icon with the <a href=#absolute-url>absolute
- URL</a> obtained by resolving the <a href=#url>URL</a> "<code title="">/favicon.ico</code>" against <a href="#the-document's-address">the document's
+ <a href=#fetch>fetch</a><!--FETCH--> and use an icon with the
+ <a href=#absolute-url>absolute URL</a> obtained by resolving the <a href=#url>URL</a>
+ "<code title="">/favicon.ico</code>" against <a href="#the-document's-address">the document's
address</a>, as if the page had declared that icon using the
<code title=rel-icon><a href=#rel-icon>icon</a></code> keyword.</p>
@@ -70403,8 +70439,8 @@
application cache at all; the submission will be made to the
network.</p>
- <p>Otherwise, <a href=#fetch>fetch</a> the new resource, with the
- <i>manual redirect flag</i> set.</p>
+ <p>Otherwise, <a href=#fetch>fetch</a><!--FETCH--> the new resource,
+ with the <i>manual redirect flag</i> set.</p>
<p>If the resource is being fetched using a method other than one
<a href=#concept-http-equivalent-get title=concept-http-equivalent-get>equivalent to</a>
@@ -72967,12 +73003,12 @@
<li>
- <p><i>Fetching the manifest</i>: <a href=#fetch>Fetch</a> the resource
- from <var title="">manifest URL</var> with the <i>synchronous
- flag</i> set, and let <var title="">manifest</var> be that
- resource. HTTP caching semantics should be honored for this
- request.</p> <!-- http-origin privacy sensitive, though it doesn't
- matter, since this can never be cross-origin -->
+ <p><i>Fetching the manifest</i>: <a href=#fetch>Fetch</a><!--FETCH-->
+ the resource from <var title="">manifest URL</var> with the
+ <i>synchronous flag</i> set, and let <var title="">manifest</var>
+ be that resource. HTTP caching semantics should be honored for
+ this request.</p> <!-- http-origin privacy sensitive, though it
+ doesn't matter, since this can never be cross-origin -->
<p>Parse <var title="">manifest</var> according to the <a href=#parse-a-manifest title="parse a manifest">rules for parsing manifests</a>,
obtaining a list of <a href=#concept-appcache-explicit title=concept-appcache-explicit>explicit entries</a>, <a href=#concept-appcache-fallback title=concept-appcache-fallback>fallback entries</a> and the
@@ -73214,10 +73250,9 @@
<li>
- <p><a href=#fetch>Fetch</a> the resource, from the <a href=#origin>origin</a>
- of the <a href=#url>URL</a> <var title="">manifest URL</var>, with
- the <i>synchronous flag</i> set and the <i>manual redirect
- flag</i> set. If this is an <a href=#concept-appcache-upgrade title=concept-appcache-upgrade>upgrade attempt</a>, then
+ <p><a href=#fetch>Fetch</a><!--FETCH--> the resource, from the
+ <a href=#origin>origin</a> of the <a href=#url>URL</a> <var title="">manifest URL</var>, with the <i>synchronous flag</i>
+ set and the <i>manual redirect flag</i> set. If this is an <a href=#concept-appcache-upgrade title=concept-appcache-upgrade>upgrade attempt</a>, then
use the <a href=#concept-appcache-newer title=concept-appcache-newer>newest</a>
<a href=#application-cache>application cache</a> in <var title="">cache
group</var> as an HTTP cache, and honor HTTP caching semantics
@@ -73427,12 +73462,11 @@
<li>
- <p><a href=#fetch>Fetch</a> the resource from <var title="">manifest
- URL</var> again, with the <i>synchronous flag</i> set, and let
- <var title="">second manifest</var> be that resource. HTTP caching
- semantics should again be honored for this request.</p> <!--
- http-origin privacy sensitive, though it doesn't matter, since
- this can never be cross-origin -->
+ <p><a href=#fetch>Fetch</a><!--FETCH--> the resource from <var title="">manifest URL</var> again, with the <i>synchronous
+ flag</i> set, and let <var title="">second manifest</var> be that
+ resource. HTTP caching semantics should again be honored for this
+ request.</p> <!-- http-origin privacy sensitive, though it doesn't
+ matter, since this can never be cross-origin -->
<p class=note>Since caching can be honored, authors are
encouraged to avoid setting the cache headers on the manifest in
@@ -73711,7 +73745,7 @@
following steps instead of immediately invoking the mechanisms
appropriate to that resource's scheme:</p>
- <ol><li><p>If the resource is not to be fetched using the HTTP GET
+ <ol><!--FETCH--><li><p>If the resource is not to be fetched using the HTTP GET
mechanism <a href=#concept-http-equivalent-get title=concept-http-equivalent-get>or
equivalent</a>, or if its <a href=#url>URL</a> has a different <a href=#url-scheme title=url-scheme><scheme></a> component than the
<a href=#application-cache>application cache</a>'s <a href=#concept-appcache-manifest title=concept-appcache-manifest>manifest</a>, then
@@ -74217,7 +74251,7 @@
<div class=impl>
<!-- SCRIPT EXEC (marks areas related to creation of scripts) -->
- <h4 id=processing-model-1><span class=secno>7.1.3 </span>Processing model</h4>
+ <h4 id=processing-model-2><span class=secno>7.1.3 </span>Processing model</h4>
<h5 id=definitions-0><span class=secno>7.1.3.1 </span>Definitions</h5>
@@ -74322,12 +74356,25 @@
<p>A <code><a href=#document>Document</a></code> that is assigned responsibility for
actions taken by the script.</p>
- <p class=example>When a script <a href=#fetch title=fetch>fetches</a> a resource, the <a href="#the-document's-address" title="the
- document's address">address</a> of the <a href="#script's-document">script's
- document</a> will be used to set the <code title=http-referer>Referer</code> (sic) header.</p>
+ <p class=example>For example, the <a href="#the-document's-address" title="the document's
+ address">address</a> of the <a href="#script's-document">script's document</a> is
+ used to set the <a href="#the-document's-address" title="the document's
+ address">address</a> of any <code><a href=#document>Document</a></code> elements
+ created using <code title=dom-DOMImplementation-createDocument><a href=#dom-domimplementation-createdocument>createDocument()</a></code>.</p>
</dd>
+ <dt>The <dfn id="script's-referrer-source">script's referrer source</dfn></dt>
+
+ <dd>
+
+ <p>Either a <code><a href=#document>Document</a></code> (specifically, the
+ <a href="#script's-document">script's document</a>), or a <a href=#url>URL</a>, which is
+ used by some APIs to determine what value to use for the <code title=http-referer>Referer</code> (sic) header in calls to the
+ <a href=#fetch title=fetch>fetching</a> algorithm.</p>
+
+ </dd>
+
<dt>A <dfn id="script's-url-character-encoding" title="script's URL character encoding">URL character encoding</dfn></dt>
<dd>
@@ -74394,8 +74441,8 @@
<p>When the specification says that a <a href=#concept-script title=concept-script>script</a> is to be <dfn id=create-a-script title="create a
script">created</dfn>, given some script source, a script source
URL, its scripting language, a global object, a browsing context, a
- URL character encoding, and a base URL, the user agent must run the
- following steps:</p>
+ document, a referrer source, a URL character encoding, and a base
+ URL, the user agent must run the following steps:</p>
<ol><li><p>If <a href=#concept-bc-noscript title=concept-bc-noscript>scripting is
disabled</a> for <a href=#browsing-context>browsing context</a> passed to this
@@ -74415,9 +74462,10 @@
<li><p>Set up the <a href="#script's-global-object">script's global object</a>, the
<a href="#script's-browsing-context">script's browsing context</a>, the <a href="#script's-document">script's
- document</a>, the <a href="#script's-url-character-encoding">script's URL character encoding</a>,
- and the <a href="#script's-base-url">script's base URL</a> from the settings passed to
- this algorithm.</li>
+ document</a>, the <a href="#script's-referrer-source">script's referrer source</a>, the
+ <a href="#script's-url-character-encoding">script's URL character encoding</a>, and the
+ <a href="#script's-base-url">script's base URL</a> from the settings passed to this
+ algorithm.</li>
<li>
@@ -74440,9 +74488,9 @@
browsing context, the user agent must <a href=#create-a-script>create a script</a>,
using the given script source, URL, and scripting language, using a
new empty object as the global object, and using the given browsing
- context as the browsing context. The URL character encoding and base
- URL for the resulting <a href=#concept-script title=concept-script>script</a> are
- not important as no APIs are exposed to the script.</p>
+ context as the browsing context. The referrer source, URL character
+ encoding, and base URL for the resulting <a href=#concept-script title=concept-script>script</a> are not important as no APIs
+ are exposed to the script.</p>
<hr><p>When the specification says that a <a href=#concept-script title=concept-script>script</a> is to be <dfn id=create-a-script-from-a-node title="create a
script from a node">created from a node</dfn> <var title="">node</var>, given some script source, its URL, and its
@@ -74457,12 +74505,15 @@
<code><a href=#document>Document</a></code> of <var title="">node</var> (or <var title="">node</var> itself if it is a
<code><a href=#document>Document</a></code>).</li>
+ <li><p>The global object is the <code><a href=#window>Window</a></code> object of <var title="">document</var>.</li>
+
<li><p>The browsing context is the <a href=#browsing-context>browsing context</a> of
<var title="">document</var>.</p>
- <li><p>The global object is the <code><a href=#window>Window</a></code> object of
- <var title="">document</var>.</li>
+ <li><p>The document is <var title="">document</var>.</p>
+ <li><p>The referrer source is <var title="">document</var>.</p>
+
<li><p>The URL character encoding is the <a href="#document's-character-encoding" title="document's
character encoding">character encoding</a> of <var title="">document</var>. (<a href=#sce-not-copy>This is a
reference, not a copy</a>.)</li>
@@ -74727,7 +74778,7 @@
release the <a href=#storage-mutex>storage mutex</a>.</p>
- <h5 id=processing-model-2><span class=secno>7.1.4.2 </span>Processing model</h5>
+ <h5 id=processing-model-3><span class=secno>7.1.4.2 </span>Processing model</h5>
<p>An <a href=#event-loop>event loop</a> must continually run through the
following steps for as long as it exists:</p>
@@ -75243,10 +75294,11 @@
<li><p>Set up the <a href="#script's-global-object">script's global object</a>, the
<a href="#script's-browsing-context">script's browsing context</a>, the <a href="#script's-document">script's
- document</a>, the <a href="#script's-url-character-encoding">script's URL character encoding</a>,
- and the <a href="#script's-base-url">script's base URL</a> from <a href=#the-script-settings-determined-from-the-node>the script
- settings determined from the node</a> on which the attribute is
- being set.</li>
+ document</a>, the <a href="#script's-referrer-source">script's referrer source</a>, the
+ <a href="#script's-url-character-encoding">script's URL character encoding</a>, and the
+ <a href="#script's-base-url">script's base URL</a> from <a href=#the-script-settings-determined-from-the-node>the script settings
+ determined from the node</a> on which the attribute is being
+ set.</li>
<li><p>Set the corresponding <a href=#event-handlers title="event handlers">event
handler</a> to the aforementioned function.</li>
@@ -76158,25 +76210,27 @@
object, let <var title="">global object</var> be the <a href=#method-context>method
context</a>, let <var title="">browsing context</var> be the
<a href=#browsing-context>browsing context</a> with which <var title="">global
- object</var> is associated, let <var title="">character
- encoding</var> be the <a href="#document's-character-encoding" title="document's character
- encoding">character encoding</a> of the <code><a href=#document>Document</a></code>
- associated with <var title="">global object</var> (<a href=#sce-not-copy>this is a reference, not a copy</a>), and let
- <var title="">base URL</var> be the <a href=#document-base-url title="document base
- URL">base URL</a> of the <code><a href=#document>Document</a></code> associated with
- <var title="">global object</var> (<a href=#sbu-not-copy>this is
- a reference, not a copy</a>).</p>
+ object</var> is associated, let <var title="">document</var> and
+ <var title="">referrer source</var> be the <code><a href=#document>Document</a></code>
+ associated with <var title="">global object</var>, let <var title="">character encoding</var> be the <a href="#document's-character-encoding" title="document's
+ character encoding">character encoding</a> of the
+ <code><a href=#document>Document</a></code> associated with <var title="">global
+ object</var> (<a href=#sce-not-copy>this is a reference, not a
+ copy</a>), and let <var title="">base URL</var> be the <a href=#document-base-url title="document base URL">base URL</a> of the
+ <code><a href=#document>Document</a></code> associated with <var title="">global
+ object</var> (<a href=#sbu-not-copy>this is a reference, not a
+ copy</a>).</p>
<p>Otherwise, if the <a href=#method-context>method context</a> is a
<code><a href=#workerutils>WorkerUtils</a></code> object, let <var title="">global
- object</var>, <var title="">browsing context</var>, <var title="">document</var>, <var title="">character encoding</var>,
- and <var title="">base URL</var> be the <a href="#script's-global-object">script's global
- object</a>, <a href="#script's-browsing-context">script's browsing context</a>,
- <a href="#script's-document">script's document</a>, <a href="#script's-url-character-encoding">script's URL character
- encoding</a>, and <a href="#script's-base-url">script's base URL</a> (respectively)
- of the <a href=#concept-script title=concept-script>script</a> that the
- <a href=#run-a-worker>run a worker</a> algorithm created when it created the
- <a href=#method-context>method context</a>.</p>
+ object</var>, <var title="">browsing context</var>, <var title="">document</var>, <var title="">referrer source</var>, <var title="">character encoding</var>, and <var title="">base
+ URL</var> be the <a href="#script's-global-object">script's global object</a>,
+ <a href="#script's-browsing-context">script's browsing context</a>, <a href="#script's-document">script's
+ document</a>, <a href="#script's-referrer-source">script's referrer source</a>,
+ <a href="#script's-url-character-encoding">script's URL character encoding</a>, and <a href="#script's-base-url">script's
+ base URL</a> (respectively) of the <a href=#concept-script title=concept-script>script</a> that the <a href=#run-a-worker>run a
+ worker</a> algorithm created when it created the <a href=#method-context>method
+ context</a>.</p>
<p>Otherwise, act as described in the specification that defines
that the <code><a href=#windowtimers>WindowTimers</a></code> interface is implemented by
@@ -76189,7 +76243,8 @@
<a href=#url>URL</a> where <var title="">script source</var> can be
found, <var title="">scripting language</var> as the scripting
language, <var title="">global object</var> as the global object,
- <var title="">browsing context</var> as the browsing context, <var title="">document</var> as the document, <var title="">character
+ <var title="">browsing context</var> as the browsing context, <var title="">document</var> as the document, <var title="">referrer
+ source</var> as the referrer source, <var title="">character
encoding</var> as the URL character encoding, and <var title="">base URL</var> as the base URL.</li>
</ol><hr><p>The <a href=#task-source>task source</a> for these <a href=#concept-task title=concept-task>tasks</a> is the <dfn id=timer-task-source>timer task
@@ -78386,7 +78441,7 @@
<div class=impl>
- <h4 id=processing-model-3><span class=secno>8.5.3 </span>Processing model</h4>
+ <h4 id=processing-model-4><span class=secno>8.5.3 </span>Processing model</h4>
<p>An element's <dfn id=assigned-access-key>assigned access key</dfn> is a key combination
derived from the element's <code title=attr-accesskey><a href=#the-accesskey-attribute>accesskey</a></code> content attribute.
@@ -82587,7 +82642,7 @@
<a href=#permissible-worker>permissible worker</a>.</p>
- <h4 id=processing-model-4><span class=secno>9.2.4 </span>Processing model</h4>
+ <h4 id=processing-model-5><span class=secno>9.2.4 </span>Processing model</h4>
<p>When a user agent is to <dfn id=run-a-worker>run a worker</dfn> for a script with
<a href=#url>URL</a> <var title="">url</var>, a <a href=#browsing-context>browsing
@@ -82616,10 +82671,12 @@
<li>
- <p>Attempt to <a href=#fetch>fetch</a> the resource identified by <var title="">url</var>, from the <var title="">owner origin</var>,
- with the <i>synchronous flag</i> set and the <i>force same-origin
- flag</i> set.</p> <!-- not http-origin privacy sensitive (looking
- forward to CORS) -->
+ <p>Attempt to <a href=#fetch>fetch</a><!--FETCH--> the resource
+ identified by <var title="">url</var>, from the <var title="">owner origin</var>, using <var title="">owner
+ document</var> as the <a href=#referrer-source>referrer source</a>, with the
+ <i>synchronous flag</i> set and the <i>force same-origin flag</i>
+ set.</p> <!-- not http-origin privacy sensitive (looking forward
+ to CORS) -->
<p>If the attempt fails, then for each <code><a href=#worker>Worker</a></code> or
<code><a href=#sharedworker>SharedWorker</a></code> object associated with <var title="">worker global scope</var>, <a href=#queue-a-task>queue a task</a> to
@@ -82669,6 +82726,8 @@
<p>Set the <a href="#script's-document">script's document</a> to <var title="">owner
document</var>.</p>
+ <p>Set the <a href="#script's-referrer-source">script's referrer source</a> to <var title="">url</var>.</p>
+
<p>Set the <a href="#script's-url-character-encoding">script's URL character encoding</a> to
UTF-8. (This is just used for encoding non-ASCII characters in the
query component of URLs.)</p>
@@ -83404,10 +83463,11 @@
<li>
- <p>Attempt to <a href=#fetch>fetch</a> each resource identified by the
- resulting <a href=#absolute-url title="absolute URL">absolute URLs</a>, from
- the <a href=#entry-script>entry script</a>'s <a href=#origin>origin</a>, with the
- <i>synchronous flag</i> set.</p> <!-- not http-origin privacy
+ <p>Attempt to <a href=#fetch>fetch</a><!--FETCH--> each resource
+ identified by the resulting <a href=#absolute-url title="absolute URL">absolute
+ URLs</a>, from the <a href=#entry-script>entry script</a>'s
+ <a href=#origin>origin</a>, using the <a href=#entry-script>entry script</a>'s <a href="#script's-referrer-source" title="script's referrer source">referrer source</a>, and with
+ the <i>synchronous flag</i> set.</p> <!-- not http-origin privacy
sensitive -->
</li>
@@ -83443,8 +83503,8 @@
<p><a href=#create-a-script>Create a script</a>, using <var title="">source</var> as the script source, the <a href=#url>URL</a>
from which <var title="">source</var> was obtained, and <var title="">language</var> as the scripting language, using the
- same global object, browsing context, URL character encoding,
- base URL, and script group as the <a href=#concept-script title=concept-script>script</a> that was created by the
+ same global object, browsing context, document, referrer source,
+ URL character encoding, and base URL as the <a href=#concept-script title=concept-script>script</a> that was created by the
worker's <a href=#run-a-worker>run a worker</a> algorithm.</p>
<p>Let the newly created <a href=#concept-script title=concept-script>script</a> run until it either
@@ -83504,7 +83564,9 @@
null. The <a href=#xmlhttprequest-base-url><code>XMLHttpRequest</code> base URL</a> is the
<a href="#script's-base-url">script's base URL</a>; the
<a href=#xmlhttprequest-origin><code>XMLHttpRequest</code> origin</a> is the script's
- <a href=#origin>origin</a>. <a href=#refsXHR>[XHR]</a></li>
+ <a href=#origin>origin</a>, and the <a href=#xmlhttprequest-referrer-source><code>XMLHttpRequest</code>
+ referrer source</a> is the <a href="#script's-referrer-source">script's referrer
+ source</a>. <a href=#refsXHR>[XHR]</a></li>
<li><p>The interface objects and constructors defined by this
specification, except where is further restricted by explicit
@@ -83821,14 +83883,15 @@
<li><!-- if you change this, don't forget to update the
reconnecting fetch lower down as well! -->
- <p>Do a <a href=#potentially-cors-enabled-fetch>potentially CORS-enabled fetch</a> of the
- resulting <a href=#absolute-url>absolute URL</a>, with the <i>mode</i> being
- <var title="">CORS mode</var>, and the <i title="">origin</i>
- being the <a href=#entry-script>entry script</a>'s <a href=#origin>origin</a><!--, and
- the <i>default origin behaviour</i> set to <i>fail</i> (though it
- has no effect in the "Anonymous" and "Use Credentials" modes)-->,
- and process the resource obtained in this fashion, if any, as
- described below.</p>
+ <p>Do a <a href=#potentially-cors-enabled-fetch>potentially CORS-enabled fetch</a><!--FETCH--> of
+ the resulting <a href=#absolute-url>absolute URL</a> using the <a href=#entry-script>entry
+ script</a>'s <a href="#script's-referrer-source" title="script's referrer source">referrer
+ source</a>, with the <i>mode</i> being <var title="">CORS
+ mode</var>, and the <i title="">origin</i> being the <a href=#entry-script>entry
+ script</a>'s <a href=#origin>origin</a><!--, and the <i>default origin
+ behaviour</i> set to <i>fail</i> (though it has no effect in the
+ "Anonymous" and "Use Credentials" modes)-->, and process the
+ resource obtained in this fashion, if any, as described below.</p>
<p class=note>The definition of the <a href=#fetch title=fetch>fetching</a> algorithm (which is used by CORS) is
such that if the browser is already fetching the resource
@@ -83909,7 +83972,7 @@
</ul><p>These values are not currently exposed on the interface.</p>
- <h4 id=processing-model-5><span class=secno>10.2.3 </span>Processing model</h4>
+ <h4 id=processing-model-6><span class=secno>10.2.3 </span>Processing model</h4>
<p>The resource indicated in the argument to the <code title=dom-EventSource><a href=#dom-eventsource>EventSource</a></code> constructor is <a href=#fetch title=fetch>fetched</a> when the constructor is run.</p>
@@ -84031,11 +84094,12 @@
not set to <code title=dom-EventSource-CONNECTING><a href=#dom-eventsource-connecting>CONNECTING</a></code>, abort these
steps.</li>
- <li><p>Perform a <a href=#potentially-cors-enabled-fetch>potentially CORS-enabled fetch</a> of
- the <a href=#absolute-url>absolute URL</a> of the event source resource, with
- the <i>mode</i><!--, the <i>default origin behaviour</i>,--> and
- the <i title="">origin</i> being the same as those used in the
- original request triggered by the <code title=dom-EventSource><a href=#dom-eventsource>EventSource()</a></code> constructor, and
+ <li><p>Perform a <a href=#potentially-cors-enabled-fetch>potentially CORS-enabled
+ fetch</a><!--FETCH--> of the <a href=#absolute-url>absolute URL</a> of the
+ event source resource, using the same <i><a href=#referrer-source>referrer source</a></i>, and
+ with the same <i>mode</i><!--, <i>default origin
+ behaviour</i>,--> and <i title="">origin</i>, as those used in
+ the original request triggered by the <code title=dom-EventSource><a href=#dom-eventsource>EventSource()</a></code> constructor, and
process the resource obtained in this fashion, if any, as
described earlier in this section.</li>
Modified: source
===================================================================
--- source 2012-09-12 07:21:58 UTC (rev 7340)
+++ source 2012-09-12 23:14:45 UTC (rev 7341)
@@ -3208,9 +3208,10 @@
<p>This specification references the XMLHttpRequest specification
to define how the two specifications interact. The terms
<dfn>document response entity body</dfn>,
- <dfn><code>XMLHttpRequest</code> base URL</dfn>, and
- <dfn><code>XMLHttpRequest</code> origin</dfn> are defined in that
- specification. <a href="#refsXHR">[XHR]</a></p>
+ <dfn><code>XMLHttpRequest</code> base URL</dfn>,
+ <dfn><code>XMLHttpRequest</code> origin</dfn>, and
+ <dfn><code>XMLHttpRequest</code> referrer source</dfn> are defined
+ in that specification. <a href="#refsXHR">[XHR]</a></p>
</dd>
@@ -8219,8 +8220,41 @@
<h3>Fetching resources</h3>
- <p>When a user agent is to <dfn>fetch</dfn> a resource or
- <span>URL</span>, optionally from an origin <i title="">origin</i>,
+ <h4>Terminology</h4>
+
+ <p id="concept-http-equivalent">User agents can implement a variety
+ of transfer protocols, but this specification mostly defines
+ behavior in terms of HTTP. <a href="#refsHTTP">[HTTP]</a></p>
+
+ <p>The <dfn title="concept-http-equivalent-get">HTTP GET
+ method</dfn> is equivalent to the default retrieval action of the
+ protocol. For example, RETR in FTP. Such actions are idempotent and
+ safe, in HTTP terms.</p>
+
+ <p>The <dfn title="concept-http-equivalent-codes">HTTP response
+ codes</dfn> are equivalent to statuses in other protocols that have
+ the same basic meanings. For example, a "file not found" error is
+ equivalent to a 404 code, a server error is equivalent to a 5xx
+ code, and so on.</p>
+
+ <p>The <dfn title="concept-http-equivalent-headers">HTTP
+ headers</dfn> are equivalent to fields in other protocols that have
+ the same basic meaning. For example, the HTTP authentication
+ headers are equivalent to the authentication aspects of the FTP
+ protocol.</p>
+
+ <hr>
+
+ <p>A <dfn>referrer source</dfn> is either a <code>Document</code> or
+ a <span>URL</span>.</p>
+
+
+ <h4>Processing model</h4>
+
+ <p>When a user agent is to <dfn>fetch</dfn><!--FETCH--> a resource
+ or <span>URL</span>, optionally <strong>from</strong> an origin <i
+ title="">origin</i>, optionally <strong>using</strong> a specific
+ <span>referrer source</span> as an <i>override referrer source</i>,
and optionally with a <i>synchronous flag</i>, a <i>manual redirect
flag</i>, a <i>force same-origin flag</i>, and/or a <i>block cookies
flag</i>, the following steps must be run. (When a <em>URL</em> is
@@ -8243,6 +8277,11 @@
<ol>
+ <li><p>If there is a specific <i>override referrer source</i>, and
+ it is a <span>URL</span>, then let <var title="">referrer</var> be
+ the <i>override referrer source</i>, and jump to the step labeled
+ <i>clean referrer</i>.</p></li>
+
<li>
<p>Let <var title="">document</var> be the appropriate
@@ -8250,20 +8289,23 @@
<dl class="switch">
+
+ <dt>If there is a specific <i>override referrer source</i></dt>
+
+ <dd>The <i>override referrer source</i>.</dd>
+
+
<dt>When <span title="navigate">navigating</span></dt>
<dd>The <span>active document</span> of the <span>source browsing
context</span>.</dd>
+
<dt>When fetching resources for an element</dt>
<dd>The element's <code>Document</code>.</dd>
- <dt>When fetching resources in response to a call to an API</dt>
- <dd>The <span>entry script</span>'s <span title="script's
- document">document</span>.</dd>
-
</dl>
</li>
@@ -8281,24 +8323,46 @@
<li>
- <p>Generate the <i>address of the resource from which Request-URIs
- are obtained</i> as required by HTTP for the <code
- title="http-referer">Referer</code> (sic) header from <span>the
- document's address</span> of <var title="">document</var>. <a
- href="#refsHTTP">[HTTP]</a></p>
+ <p>If the <span>origin</span> of <var title="">Document</var> is
+ not a scheme/host/port tuple, then set <var
+ title="">referrer</var> to the empty string and jump to the step
+ labeled <i>clean referrer</i>.</p>
- <p>Remove any <span title="url-fragment"><fragment></span>
- component from the generated <i>address of the resource from which
- Request-URIs are obtained</i>.</p> <!-- RFC2616 says "The URI MUST
- NOT include a fragment." (section 14.36) -->
+ </li>
- <p>If the <span>origin</span> of the appropriate
- <code>Document</code> is not a scheme/host/port tuple, then the
- <code title="http-referer">Referer</code> (sic) header must be
- omitted, regardless of its value.</p>
+ <li>
+ <p>Let <var title="">referrer</var> be <span>the document's
+ address</span> of <var title="">document</var>.</p>
+
</li>
+ <li>
+
+ <p><i>Clean referrer</i>: Remove any <span
+ title="url-fragment"><fragment></span> component from <var
+ title="">referrer</var>.</p> <!-- RFC2616 says "The URI MUST NOT
+ include a fragment." (section 14.36) -->
+
+ </li>
+
+ <li>
+
+ <p>If <var title="">referrer</var> is not the empty string, is not
+ a <span title="data protocol"><code title="">data:</code>
+ URL</span>, is not a <span title="javascript protocol"><code
+ title="">javascript:</code> URL</span>, and is not the
+ <span>URL</span> "<code>about:blank</code>", then generate the
+ <i>address of the resource from which Request-URIs are
+ obtained</i> as required by HTTP for the <code
+ title="http-referer">Referer</code> (sic) header from <var
+ title="">referrer</var>. <a href="#refsHTTP">[HTTP]</a></p>
+
+ <p>Otherwise, the <code title="http-referer">Referer</code> (sic)
+ header must be omitted, regardless of its value.</p>
+
+ </li>
+
<li><p>If the algorithm was not invoked with the <i>synchronous
flag</i>, perform the remaining steps asynchronously.</p></li>
@@ -8482,30 +8546,6 @@
applicable.</p>
- <h4 id="concept-http-equivalent">Protocol concepts</h4>
-
- <p>User agents can implement a variety of transfer protocols, but
- this specification mostly defines behavior in terms of HTTP. <a
- href="#refsHTTP">[HTTP]</a></p>
-
- <p>The <dfn title="concept-http-equivalent-get">HTTP GET
- method</dfn> is equivalent to the default retrieval action of the
- protocol. For example, RETR in FTP. Such actions are idempotent and
- safe, in HTTP terms.</p>
-
- <p>The <dfn title="concept-http-equivalent-codes">HTTP response
- codes</dfn> are equivalent to statuses in other protocols that have
- the same basic meanings. For example, a "file not found" error is
- equivalent to a 404 code, a server error is equivalent to a 5xx
- code, and so on.</p>
-
- <p>The <dfn title="concept-http-equivalent-headers">HTTP
- headers</dfn> are equivalent to fields in other protocols that have
- the same basic meaning. For example, the HTTP authentication
- headers are equivalent to the authentication aspects of the FTP
- protocol.</p>
-
-
<!--ADD-TOPIC:Security-->
<h4>Encrypted HTTP and related security concerns</h4>
@@ -8692,19 +8732,21 @@
<p>When the user agent is required to perform a <dfn>potentially
CORS-enabled fetch</dfn> of an <span>absolute URL</span> <var
- title="">URL</var>, with a mode <var title="">mode</var> that is
+ title="">URL</var> with a mode <var title="">mode</var> that is
either "<span title="attr-crossorigin-none">No CORS</span>", "<span
title="attr-crossorigin-anonymous">Anonymous</span>", or "<span
title="attr-crossorigin-use-credentials">Use Credentials</span>",
- an <span>origin</span> <var title="">origin</var>, and a default
- origin behaviour <var title="">default</var> which is either
- "<i>taint</i>" or "<i>fail</i>", it must run the first applicable
- set of steps from the following list. The default origin behaviour
- is only used if <var title="">mode</var> is "<span
- title="attr-crossorigin-none">No CORS</span>". This algorithm wraps
- the <span>fetch</span> algorithm above, and labels the obtained
- resource as either <dfn>CORS-same-origin</dfn> or
- <dfn>CORS-cross-origin</dfn>, or blocks the resource entirely.</p>
+ optionally using a <span>referrer source</span> <var
+ title="">referrer source</var>, with an <span>origin</span> <var
+ title="">origin</var>, and with a default origin behaviour <var
+ title="">default</var> which is either "<i>taint</i>" or
+ "<i>fail</i>", it must run the first applicable set of steps from
+ the following list. The default origin behaviour is only used if
+ <var title="">mode</var> is "<span title="attr-crossorigin-none">No
+ CORS</span>". This algorithm wraps the <span>fetch</span> algorithm
+ above, and labels the obtained resource as either
+ <dfn>CORS-same-origin</dfn> or <dfn>CORS-cross-origin</dfn>, or
+ blocks the resource entirely.</p>
<dl class="switch">
@@ -8719,9 +8761,10 @@
<ol>
- <li><p><span>Fetch</span> <var title="">URL</var>, with the
- <i>manual redirect flag</i> set.</li> <!-- http-origin privacy
- sensitive -->
+ <li><p><span>Fetch</span><!--FETCH--> <var title="">URL</var>,
+ using <var title="">referrer source</var> if one was specified,
+ with the <i>manual redirect flag</i> set.</li> <!-- http-origin
+ privacy sensitive -->
<li><p><i>Loop</i>: Wait for the <span>fetch</span> algorithm
to know if the result is a redirect or not.</p></li>
@@ -8792,7 +8835,8 @@
<p class="note">The <var title="">URL</var> does not have the
<span>same origin</span> as <var title="">origin</var>.</p>
- <p><span>Fetch</span> <var title="">URL</var>.</p> <!--
+ <p><span>Fetch</span><!--FETCH--> <var title="">URL</var>, using
+ <var title="">referrer source</var> if one was specified.</p> <!--
http-origin privacy sensitive -->
<p>The <span title="concept-task">tasks</span> from the
@@ -8841,10 +8885,12 @@
<ol>
- <li><p>Perform a <span>cross-origin request</span> with the
- <i>request URL</i> set to <var title="">URL</var>, the <i>source
- origin</i> set to <var title="">origin</var>, and the <i>omit
- credentials flag</i> set if <var title="">mode</var> is "<span
+ <li><p>Perform a <span>cross-origin request</span><!--FETCH-->
+ with the <i>request URL</i> set to <var title="">URL</var>, using
+ <var title="">referrer source</var> if one was specified, with
+ the <i>source origin</i> set to <var title="">origin</var>, and
+ with the <i>omit credentials flag</i> set if <var
+ title="">mode</var> is "<span
title="attr-crossorigin-anonymous">Anonymous</span>" and not set
otherwise. <a href="#refsCORS">[CORS]</a></p></li>
@@ -11250,10 +11296,12 @@
<li><p>Let <var title="">success</var> be false.</p></li>
- <li><p><span>Fetch</span> <var title="">url</var> from the
- <span>origin</span> of <var title="">document</var>, with the <i
- title="">synchronous flag</i> set and the <i title="">force
- same-origin flag</i> set.</p></li>
+ <li><p><span>Fetch</span><!--FETCH--> <var title="">url</var> from
+ the <span>origin</span> of <var title="">document</var>, using the
+ <span>entry script</span>'s <span title="script's referrer
+ source">referrer source</span>, with the <i title="">synchronous
+ flag</i> set and the <i title="">force same-origin flag</i>
+ set.</p></li>
<li>
@@ -15743,7 +15791,7 @@
<li><p>If the previous step fails, then abort these steps.</p></li>
- <li><p><span>Fetch</span> the resulting <span>absolute
+ <li><p><span>Fetch</span><!--FETCH--> the resulting <span>absolute
URL</span>.</p></li> <!-- http-origin privacy sensitive -->
</ol>
@@ -18101,7 +18149,8 @@
attribute whose value is not the empty string, then the value of
that attribute must be <span title="resolve a url">resolved</span>
relative to the element, and if that is successful, the specified
- resource must then be <span title="fetch">fetched</span>, from the
+ resource must then be <span
+ title="fetch">fetched</span><!--FETCH-->, from the
<span>origin</span> of the element's <code>Document</code>.</p>
<!-- not http-origin privacy sensitive -->
@@ -26381,8 +26430,8 @@
<li>
- <p>Do a <span>potentially CORS-enabled fetch</span> of the
- <span>absolute URL</span> that resulted from the earlier step,
+ <p>Do a <span>potentially CORS-enabled fetch</span><!--FETCH--> of
+ the <span>absolute URL</span> that resulted from the earlier step,
with the <i>mode</i> being the state of the element's <code
title="attr-img-crossorigin">crossorigin</code> content attribute,
the <i title="">origin</i> being the <span>origin</span> of the
@@ -26844,10 +26893,10 @@
<li>
- <p>Do a <span>potentially CORS-enabled fetch</span> of the
- resulting <span>absolute URL</span>, with the <i>mode</i> being
- <var title="">CORS mode</var>, the <i title="">origin</i> being
- the <span>origin</span> of the <code>img</code> element's
+ <p>Do a <span>potentially CORS-enabled fetch</span><!--FETCH--> of
+ the resulting <span>absolute URL</span>, with the <i>mode</i>
+ being <var title="">CORS mode</var>, the <i title="">origin</i>
+ being the <span>origin</span> of the <code>img</code> element's
<code>Document</code>, and the <i>default origin behaviour</i> set
to <i>taint</i>.</p>
@@ -29322,18 +29371,18 @@
<p>The user agent must <span title="resolve a url">resolve</span>
the value of the element's <code title="attr-embed-src">src</code>
attribute, relative to the element. If that is successful, the
- user agent should <span>fetch</span> the resulting <span>absolute
- URL</span>, from the element's <span>browsing context scope
- origin</span> if it has one<!-- potentially http-origin privacy
- sensitive -->. The <span title="concept-task">task</span> that is
- <span title="queue a task">queued</span> by the <span>networking
- task source</span> once the resource has been <span
- title="fetch">fetched</span> must find and instantiate an
- appropriate <span>plugin</span> based on the <span
- title="concept-embed-type">content's type</span>, and hand that
- <span>plugin</span> the content of the resource, replacing any
- previously instantiated plugin for the element.</p> <!-- Note that
- this doesn't happen when the base URL changes. -->
+ user agent should <span>fetch</span><!--FETCH--> the resulting
+ <span>absolute URL</span>, from the element's <span>browsing
+ context scope origin</span> if it has one<!-- potentially
+ http-origin privacy sensitive -->. The <span
+ title="concept-task">task</span> that is <span title="queue a
+ task">queued</span> by the <span>networking task source</span>
+ once the resource has been <span title="fetch">fetched</span> must
+ find and instantiate an appropriate <span>plugin</span> based on
+ the <span title="concept-embed-type">content's type</span>, and
+ hand that <span>plugin</span> the content of the resource,
+ replacing any previously instantiated plugin for the element.</p>
+ <!-- Note that this doesn't happen when the base URL changes. -->
<p>Fetching the resource must <span>delay the load event</span> of
the element's document.</p>
@@ -29776,17 +29825,18 @@
<li>
- <p><span>Fetch</span> the resulting <span>absolute URL</span>,
- from the element's <span>browsing context scope origin</span> if
- it has one<!-- potentially http-origin privacy sensitive
- -->.</p>
+ <p><span>Fetch</span><!--FETCH--> the resulting <span>absolute
+ URL</span>, from the element's <span>browsing context scope
+ origin</span> if it has one<!-- potentially http-origin privacy
+ sensitive -->.</p>
- <!-- similar text in various places --> <p>Fetching the resource
- must <span>delay the load event</span> of the element's document
- until the <span title="concept-task">task</span> that is <span
- title="queue a task">queued</span> by the <span>networking task
- source</span> once the resource has been <span
- title="fetch">fetched</span> (defined next) has been run.</p>
+ <!-- similar text in various places -->
+ <p>Fetching the resource must <span>delay the load event</span>
+ of the element's document until the <span
+ title="concept-task">task</span> that is <span title="queue a
+ task">queued</span> by the <span>networking task source</span>
+ once the resource has been <span title="fetch">fetched</span>
+ (defined next) has been run.</p>
<p>For the purposes of the <span>application cache</span>
networking model, this <span>fetch</span> operation is not for a
@@ -30651,10 +30701,10 @@
to the element. If this fails, then there is no <span>poster
frame</span>; abort these steps.</p></li>
- <li><p><span>Fetch</span> the resulting <span>absolute URL</span>,
- from the element's <code>Document</code>'s <span>origin</span>.
- This must <span>delay the load event</span> of the element's
- document.</p></li>
+ <li><p><span>Fetch</span><!--FETCH--> the resulting <span>absolute
+ URL</span>, from the element's <code>Document</code>'s
+ <span>origin</span>. This must <span>delay the load event</span> of
+ the element's document.</p></li>
<!-- could define how to sniff for an image here -->
@@ -32626,14 +32676,15 @@
<li>
- <p>Perform a <span>potentially CORS-enabled fetch</span> of the
- <var title="">current media resource</var>'s <span>absolute
- URL</span>, with the <i>mode</i> being the state of the
- <span>media element</span>'s <code
+ <p>Perform a <span>potentially CORS-enabled
+ fetch</span><!--FETCH--> of the <var title="">current media
+ resource</var>'s <span>absolute URL</span>, with the <i>mode</i>
+ being the state of the <span>media element</span>'s <code
title="attr-media-crossorigin">crossorigin</code> content
- attribute, the <i title="">origin</i> being the <span>origin</span> of the
- <span>media element</span>'s <code>Document</code>, and the
- <i>default origin behaviour</i> set to <i>taint</i>.</p>
+ attribute, the <i title="">origin</i> being the
+ <span>origin</span> of the <span>media element</span>'s
+ <code>Document</code>, and the <i>default origin behaviour</i> set
+ to <i>taint</i>.</p>
<p>The resource obtained in this fashion, if any, contains the
<span>media data</span>. It can be <span>CORS-same-origin</span>
@@ -37736,7 +37787,7 @@
<li>
<p>If <var title="">URL</var> is not the empty string, perform a
- <span>potentially CORS-enabled fetch</span> of <var
+ <span>potentially CORS-enabled fetch</span><!--FETCH--> of <var
title="">URL</var>, with the <i>mode</i> being <var title="">CORS
mode</var>, the <i title="">origin</i> being the
<span>origin</span> of the <code>track</code> element's
@@ -59567,10 +59618,10 @@
string, the user agent must <span title="resolve a
url">resolve</span> the value of the <code
title="attr-input-src">src</code> attribute, relative to the
- element, and if that is successful, must <span>fetch</span> the
- resulting <span>absolute URL</span>:</p> <!-- Note how this does NOT
- happen when the base URL changes. --> <!-- http-origin privacy
- sensitive -->
+ element, and if that is successful, must
+ <span>fetch</span><!--FETCH--> the resulting <span>absolute
+ URL</span>:</p> <!-- Note how this does NOT happen when the base URL
+ changes. --> <!-- http-origin privacy sensitive -->
<ul>
@@ -69105,13 +69156,13 @@
title="concept-facet">facets</span><!-- we might need to be
explicit about what this means for each facet, if testing shows
this isn't well-implemented. e.g.: If there's an Icon facet for the
- command, it should be <span title="fetch">fetched</span> (this
- would be http-origin privacy-sensitive), and then that image should
- be associated with the command, such that each command only has its
- image fetched once, to prevent changes to the base URL from having
- effects after the image has been fetched once. (no need to resolve
- the Icon facet, it's an absolute URL) -->. <!--If the element is a
- <code>command</code> element with a <code
+ command, it should be <span title="fetch">fetched</span><!- -FETCH-
+ -> (this would be http-origin privacy-sensitive), and then that
+ image should be associated with the command, such that each command
+ only has its image fetched once, to prevent changes to the base URL
+ from having effects after the image has been fetched once. (no need
+ to resolve the Icon facet, it's an absolute URL) -->. <!--If the
+ element is a <code>command</code> element with a <code
title="attr-command-default">default</code> attribute, mark the
command as being a default command.--></dd>
@@ -70959,7 +71010,7 @@
</div>
-<!--END w3c-html--><!--DOWNLOAD-->
+<!--DOWNLOAD-->
<h4>Downloading resources</h4>
@@ -71018,9 +71069,9 @@
<li><p>Return to whatever algorithm invoked these steps and continue
these steps asynchronously.</p></li>
- <li><p><span>Fetch</span> <var title="">URL</var> and handle the
- resulting resource <span>as a download</span>.</p></li> <!--
- http-origin privacy sensitive -->
+ <li><p><span>Fetch</span><!--FETCH--> <var title="">URL</var> and
+ handle the resulting resource <span>as a download</span>.</p></li>
+ <!-- http-origin privacy sensitive -->
</ol>
@@ -71231,9 +71282,7 @@
</div>
-<!--DOWNLOAD-->
-
<!--PING-->
<div class="impl">
@@ -71250,11 +71299,14 @@
title="attr-hyperlink-ping">ping</code> attribute's value, <span
title="split a string on spaces">split that string on spaces</span>,
<span title="resolve a url">resolve</span> each resulting token
- relative to the element, and then should send a request (as
- described below) to each of the resulting <span title="absolute
- URL">absolute URLs</span>. (Tokens that fail to resolve are
- ignored.) This may be done in parallel with the primary request, and
- is independent of the result of that request.</p>
+ relative to the element, and then each of the resulting <span
+ title="absolute URL">absolute URLs</span> should be <span
+ title="fetch">fetched</span><!--FETCH--> from the
+ <span>origin</span> of the <code>Document</code> containing the
+ <span>hyperlink</span> <!-- not http-origin privacy sensitive -->
+ (as described below). (Tokens that fail to resolve are ignored.)
+ This may be done in parallel with the primary request, and is
+ independent of the result of that request.</p>
<p>User agents should allow the user to adjust this behavior, for
example in conjunction with a setting that disables the sending of
@@ -71264,13 +71316,10 @@
or selectively ignore URLs in the list (e.g. ignoring any
third-party URLs).</p>
- <p>For URLs that are HTTP URLs, the requests must be performed by
- <span title="fetch">fetching</span> the specified URLs using the
- POST method, with an entity body with the <span>MIME type</span>
+ <p>For URLs that are HTTP URLs, the requests must be performed using
+ the POST method, with an entity body with the <span>MIME type</span>
<code>text/ping</code> consisting of the four-character string
- "<code title="">PING</code>", from the <span>origin</span> of the
- <code>Document</code> containing the <span>hyperlink</span>. <!--
- not http-origin privacy sensitive --> All relevant cookie and HTTP
+ "<code title="">PING</code>". All relevant cookie and HTTP
authentication headers must be included in the request. Which other
headers are required depends on the URLs involved.</p>
@@ -71327,10 +71376,6 @@
they start receiving an entity body. <a
href="#refsCOOKIES">[COOKIES]</a></p>
- <p>For URLs that are not HTTP URLs, the requests must be performed
- by <span title="fetch">fetching</span> the specified URL normally,
- and discarding the results.</p>
-
<p>When the <code title="attr-hyperlink-ping">ping</code> attribute is
present, user agents should clearly indicate to the user that
following the hyperlink will also cause secondary requests to be
@@ -71378,7 +71423,6 @@
<!-- resolving ping urls happens at audit time, so base URL changes
affect the values of ping attributes -->
-<!--START w3c-html--><!--PING-->
@@ -71975,9 +72019,9 @@
<p>In the absence of a <code>link</code> with the <code
title="rel-icon">icon</code> keyword, for <code>Document</code>s
obtained over HTTP or HTTPS, user agents may instead attempt to
- <span>fetch</span> and use an icon with the <span>absolute
- URL</span> obtained by resolving the <span>URL</span> "<code
- title="">/favicon.ico</code>" against <span>the document's
+ <span>fetch</span><!--FETCH--> and use an icon with the
+ <span>absolute URL</span> obtained by resolving the <span>URL</span>
+ "<code title="">/favicon.ico</code>" against <span>the document's
address</span>, as if the page had declared that icon using the
<code title="rel-icon">icon</code> keyword.</p>
@@ -82315,8 +82359,8 @@
application cache at all; the submission will be made to the
network.</p>
- <p>Otherwise, <span>fetch</span> the new resource, with the
- <i>manual redirect flag</i> set.</p>
+ <p>Otherwise, <span>fetch</span><!--FETCH--> the new resource,
+ with the <i>manual redirect flag</i> set.</p>
<p>If the resource is being fetched using a method other than one
<span title="concept-http-equivalent-get">equivalent to</span>
@@ -85285,12 +85329,12 @@
<li>
- <p><i>Fetching the manifest</i>: <span>Fetch</span> the resource
- from <var title="">manifest URL</var> with the <i>synchronous
- flag</i> set, and let <var title="">manifest</var> be that
- resource. HTTP caching semantics should be honored for this
- request.</p> <!-- http-origin privacy sensitive, though it doesn't
- matter, since this can never be cross-origin -->
+ <p><i>Fetching the manifest</i>: <span>Fetch</span><!--FETCH-->
+ the resource from <var title="">manifest URL</var> with the
+ <i>synchronous flag</i> set, and let <var title="">manifest</var>
+ be that resource. HTTP caching semantics should be honored for
+ this request.</p> <!-- http-origin privacy sensitive, though it
+ doesn't matter, since this can never be cross-origin -->
<p>Parse <var title="">manifest</var> according to the <span
title="parse a manifest">rules for parsing manifests</span>,
@@ -85586,10 +85630,10 @@
<li>
- <p><span>Fetch</span> the resource, from the <span>origin</span>
- of the <span>URL</span> <var title="">manifest URL</var>, with
- the <i>synchronous flag</i> set and the <i>manual redirect
- flag</i> set. If this is an <span
+ <p><span>Fetch</span><!--FETCH--> the resource, from the
+ <span>origin</span> of the <span>URL</span> <var
+ title="">manifest URL</var>, with the <i>synchronous flag</i>
+ set and the <i>manual redirect flag</i> set. If this is an <span
title="concept-appcache-upgrade">upgrade attempt</span>, then
use the <span title="concept-appcache-newer">newest</span>
<span>application cache</span> in <var title="">cache
@@ -85833,12 +85877,12 @@
<li>
- <p><span>Fetch</span> the resource from <var title="">manifest
- URL</var> again, with the <i>synchronous flag</i> set, and let
- <var title="">second manifest</var> be that resource. HTTP caching
- semantics should again be honored for this request.</p> <!--
- http-origin privacy sensitive, though it doesn't matter, since
- this can never be cross-origin -->
+ <p><span>Fetch</span><!--FETCH--> the resource from <var
+ title="">manifest URL</var> again, with the <i>synchronous
+ flag</i> set, and let <var title="">second manifest</var> be that
+ resource. HTTP caching semantics should again be honored for this
+ request.</p> <!-- http-origin privacy sensitive, though it doesn't
+ matter, since this can never be cross-origin -->
<p class="note">Since caching can be honored, authors are
encouraged to avoid setting the cache headers on the manifest in
@@ -86173,7 +86217,7 @@
following steps instead of immediately invoking the mechanisms
appropriate to that resource's scheme:</p>
- <ol>
+ <ol> <!--FETCH-->
<li><p>If the resource is not to be fetched using the HTTP GET
mechanism <span title="concept-http-equivalent-get">or
@@ -86877,14 +86921,27 @@
<p>A <code>Document</code> that is assigned responsibility for
actions taken by the script.</p>
- <p class="example">When a script <span
- title="fetch">fetches</span> a resource, the <span title="the
- document's address">address</span> of the <span>script's
- document</span> will be used to set the <code
- title="http-referer">Referer</code> (sic) header.</p>
+ <p class="example">For example, the <span title="the document's
+ address">address</span> of the <span>script's document</span> is
+ used to set the <span title="the document's
+ address">address</span> of any <code>Document</code> elements
+ created using <code
+ title="dom-DOMImplementation-createDocument">createDocument()</code>.</p>
</dd>
+ <dt>The <dfn>script's referrer source</dfn></dt>
+
+ <dd>
+
+ <p>Either a <code>Document</code> (specifically, the
+ <span>script's document</span>), or a <span>URL</span>, which is
+ used by some APIs to determine what value to use for the <code
+ title="http-referer">Referer</code> (sic) header in calls to the
+ <span title="fetch">fetching</span> algorithm.</p>
+
+ </dd>
+
<dt>A <dfn title="script's URL character encoding">URL character encoding</dfn></dt>
<dd>
@@ -86961,8 +87018,8 @@
title="concept-script">script</span> is to be <dfn title="create a
script">created</dfn>, given some script source, a script source
URL, its scripting language, a global object, a browsing context, a
- URL character encoding, and a base URL, the user agent must run the
- following steps:</p>
+ document, a referrer source, a URL character encoding, and a base
+ URL, the user agent must run the following steps:</p>
<ol>
@@ -86984,9 +87041,10 @@
<li><p>Set up the <span>script's global object</span>, the
<span>script's browsing context</span>, the <span>script's
- document</span>, the <span>script's URL character encoding</span>,
- and the <span>script's base URL</span> from the settings passed to
- this algorithm.</p></li>
+ document</span>, the <span>script's referrer source</span>, the
+ <span>script's URL character encoding</span>, and the
+ <span>script's base URL</span> from the settings passed to this
+ algorithm.</p></li>
<li>
@@ -87016,9 +87074,10 @@
browsing context, the user agent must <span>create a script</span>,
using the given script source, URL, and scripting language, using a
new empty object as the global object, and using the given browsing
- context as the browsing context. The URL character encoding and base
- URL for the resulting <span title="concept-script">script</span> are
- not important as no APIs are exposed to the script.</p>
+ context as the browsing context. The referrer source, URL character
+ encoding, and base URL for the resulting <span
+ title="concept-script">script</span> are not important as no APIs
+ are exposed to the script.</p>
<hr>
@@ -87041,12 +87100,16 @@
title="">node</var> itself if it is a
<code>Document</code>).</p></li>
+ <li><p>The global object is the <code>Window</code> object of <var
+ title="">document</var>.</p></li>
+
<li><p>The browsing context is the <span>browsing context</span> of
<var title="">document</var>.</p>
- <li><p>The global object is the <code>Window</code> object of
- <var title="">document</var>.</p></li>
+ <li><p>The document is <var title="">document</var>.</p>
+ <li><p>The referrer source is <var title="">document</var>.</p>
+
<li><p>The URL character encoding is the <span title="document's
character encoding">character encoding</span> of <var
title="">document</var>. (<a href="#sce-not-copy">This is a
@@ -87967,10 +88030,11 @@
<li><p>Set up the <span>script's global object</span>, the
<span>script's browsing context</span>, the <span>script's
- document</span>, the <span>script's URL character encoding</span>,
- and the <span>script's base URL</span> from <span>the script
- settings determined from the node</span> on which the attribute is
- being set.</p></li>
+ document</span>, the <span>script's referrer source</span>, the
+ <span>script's URL character encoding</span>, and the
+ <span>script's base URL</span> from <span>the script settings
+ determined from the node</span> on which the attribute is being
+ set.</p></li>
<li><p>Set the corresponding <span title="event handlers">event
handler</span> to the aforementioned function.</p></li>
@@ -89043,27 +89107,32 @@
object, let <var title="">global object</var> be the <span>method
context</span>, let <var title="">browsing context</var> be the
<span>browsing context</span> with which <var title="">global
- object</var> is associated, let <var title="">character
- encoding</var> be the <span title="document's character
- encoding">character encoding</span> of the <code>Document</code>
- associated with <var title="">global object</var> (<a
- href="#sce-not-copy">this is a reference, not a copy</a>), and let
- <var title="">base URL</var> be the <span title="document base
- URL">base URL</span> of the <code>Document</code> associated with
- <var title="">global object</var> (<a href="#sbu-not-copy">this is
- a reference, not a copy</a>).</p>
+ object</var> is associated, let <var title="">document</var> and
+ <var title="">referrer source</var> be the <code>Document</code>
+ associated with <var title="">global object</var>, let <var
+ title="">character encoding</var> be the <span title="document's
+ character encoding">character encoding</span> of the
+ <code>Document</code> associated with <var title="">global
+ object</var> (<a href="#sce-not-copy">this is a reference, not a
+ copy</a>), and let <var title="">base URL</var> be the <span
+ title="document base URL">base URL</span> of the
+ <code>Document</code> associated with <var title="">global
+ object</var> (<a href="#sbu-not-copy">this is a reference, not a
+ copy</a>).</p>
<p>Otherwise, if the <span>method context</span> is a
<code>WorkerUtils</code> object, let <var title="">global
object</var>, <var title="">browsing context</var>, <var
- title="">document</var>, <var title="">character encoding</var>,
- and <var title="">base URL</var> be the <span>script's global
- object</span>, <span>script's browsing context</span>,
- <span>script's document</span>, <span>script's URL character
- encoding</span>, and <span>script's base URL</span> (respectively)
- of the <span title="concept-script">script</span> that the
- <span>run a worker</span> algorithm created when it created the
- <span>method context</span>.</p>
+ title="">document</var>, <var title="">referrer source</var>, <var
+ title="">character encoding</var>, and <var title="">base
+ URL</var> be the <span>script's global object</span>,
+ <span>script's browsing context</span>, <span>script's
+ document</span>, <span>script's referrer source</span>,
+ <span>script's URL character encoding</span>, and <span>script's
+ base URL</span> (respectively) of the <span
+ title="concept-script">script</span> that the <span>run a
+ worker</span> algorithm created when it created the <span>method
+ context</span>.</p>
<p>Otherwise, act as described in the specification that defines
that the <code>WindowTimers</code> interface is implemented by
@@ -89080,7 +89149,8 @@
found, <var title="">scripting language</var> as the scripting
language, <var title="">global object</var> as the global object,
<var title="">browsing context</var> as the browsing context, <var
- title="">document</var> as the document, <var title="">character
+ title="">document</var> as the document, <var title="">referrer
+ source</var> as the referrer source, <var title="">character
encoding</var> as the URL character encoding, and <var
title="">base URL</var> as the base URL.</p></li>
@@ -95842,11 +95912,13 @@
<li>
- <p>Attempt to <span>fetch</span> the resource identified by <var
- title="">url</var>, from the <var title="">owner origin</var>,
- with the <i>synchronous flag</i> set and the <i>force same-origin
- flag</i> set.</p> <!-- not http-origin privacy sensitive (looking
- forward to CORS) -->
+ <p>Attempt to <span>fetch</span><!--FETCH--> the resource
+ identified by <var title="">url</var>, from the <var
+ title="">owner origin</var>, using <var title="">owner
+ document</var> as the <span>referrer source</span>, with the
+ <i>synchronous flag</i> set and the <i>force same-origin flag</i>
+ set.</p> <!-- not http-origin privacy sensitive (looking forward
+ to CORS) -->
<p>If the attempt fails, then for each <code>Worker</code> or
<code>SharedWorker</code> object associated with <var
@@ -95907,6 +95979,9 @@
<p>Set the <span>script's document</span> to <var title="">owner
document</var>.</p>
+ <p>Set the <span>script's referrer source</span> to <var
+ title="">url</var>.</p>
+
<p>Set the <span>script's URL character encoding</span> to
UTF-8. (This is just used for encoding non-ASCII characters in the
query component of URLs.)</p>
@@ -96775,10 +96850,12 @@
<li>
- <p>Attempt to <span>fetch</span> each resource identified by the
- resulting <span title="absolute URL">absolute URLs</span>, from
- the <span>entry script</span>'s <span>origin</span>, with the
- <i>synchronous flag</i> set.</p> <!-- not http-origin privacy
+ <p>Attempt to <span>fetch</span><!--FETCH--> each resource
+ identified by the resulting <span title="absolute URL">absolute
+ URLs</span>, from the <span>entry script</span>'s
+ <span>origin</span>, using the <span>entry script</span>'s <span
+ title="script's referrer source">referrer source</span>, and with
+ the <i>synchronous flag</i> set.</p> <!-- not http-origin privacy
sensitive -->
</li>
@@ -96821,8 +96898,8 @@
title="">source</var> as the script source, the <span>URL</span>
from which <var title="">source</var> was obtained, and <var
title="">language</var> as the scripting language, using the
- same global object, browsing context, URL character encoding,
- base URL, and script group as the <span
+ same global object, browsing context, document, referrer source,
+ URL character encoding, and base URL as the <span
title="concept-script">script</span> that was created by the
worker's <span>run a worker</span> algorithm.</p>
@@ -96897,7 +96974,9 @@
null. The <span><code>XMLHttpRequest</code> base URL</span> is the
<span>script's base URL</span>; the
<span><code>XMLHttpRequest</code> origin</span> is the script's
- <span>origin</span>. <a href="#refsXHR">[XHR]</a></p></li>
+ <span>origin</span>, and the <span><code>XMLHttpRequest</code>
+ referrer source</span> is the <span>script's referrer
+ source</span>. <a href="#refsXHR">[XHR]</a></p></li>
<li><p>The interface objects and constructors defined by this
specification, except where is further restricted by explicit
@@ -97267,14 +97346,15 @@
<li><!-- if you change this, don't forget to update the
reconnecting fetch lower down as well! -->
- <p>Do a <span>potentially CORS-enabled fetch</span> of the
- resulting <span>absolute URL</span>, with the <i>mode</i> being
- <var title="">CORS mode</var>, and the <i title="">origin</i>
- being the <span>entry script</span>'s <span>origin</span><!--, and
- the <i>default origin behaviour</i> set to <i>fail</i> (though it
- has no effect in the "Anonymous" and "Use Credentials" modes)-->,
- and process the resource obtained in this fashion, if any, as
- described below.</p>
+ <p>Do a <span>potentially CORS-enabled fetch</span><!--FETCH--> of
+ the resulting <span>absolute URL</span> using the <span>entry
+ script</span>'s <span title="script's referrer source">referrer
+ source</span>, with the <i>mode</i> being <var title="">CORS
+ mode</var>, and the <i title="">origin</i> being the <span>entry
+ script</span>'s <span>origin</span><!--, and the <i>default origin
+ behaviour</i> set to <i>fail</i> (though it has no effect in the
+ "Anonymous" and "Use Credentials" modes)-->, and process the
+ resource obtained in this fashion, if any, as described below.</p>
<p class="note">The definition of the <span
title="fetch">fetching</span> algorithm (which is used by CORS) is
@@ -97531,11 +97611,12 @@
title="dom-EventSource-CONNECTING">CONNECTING</code>, abort these
steps.</p></li>
- <li><p>Perform a <span>potentially CORS-enabled fetch</span> of
- the <span>absolute URL</span> of the event source resource, with
- the <i>mode</i><!--, the <i>default origin behaviour</i>,--> and
- the <i title="">origin</i> being the same as those used in the
- original request triggered by the <code
+ <li><p>Perform a <span>potentially CORS-enabled
+ fetch</span><!--FETCH--> of the <span>absolute URL</span> of the
+ event source resource, using the same <i>referrer source</i>, and
+ with the same <i>mode</i><!--, <i>default origin
+ behaviour</i>,--> and <i title="">origin</i>, as those used in
+ the original request triggered by the <code
title="dom-EventSource">EventSource()</code> constructor, and
process the resource obtained in this fashion, if any, as
described earlier in this section.</p></li>
More information about the Commit-Watchers
mailing list