[html5] r7515 - [giow] (3) More security fixes: Location is now entirely Unforgeable, and wordin [...]
whatwg at whatwg.org
Mon Nov 19 17:42:03 PST 2012
Author: ianh
Date: 2012-11-19 17:42:02 -0800 (Mon, 19 Nov 2012)
New Revision: 7515
Modified:
complete.html
index
source
Log:
[giow] (3) More security fixes: Location is now entirely Unforgeable, and wording for some other security paragraphs is now consistent.
Affected topics: DOM APIs, Security, Web Storage
Modified: complete.html
===================================================================
--- complete.html 2012-11-20 01:14:35 UTC (rev 7514)
+++ complete.html 2012-11-20 01:42:02 UTC (rev 7515)
@@ -10233,12 +10233,10 @@
<!--ADD-TOPIC:Security-->
<h4 id=security-document><span class=secno>3.1.2 </span>Security</h4>
- <p id=security>User agents <span class=impl>must</span> throw a
- <code><a href=#securityerror>SecurityError</a></code> exception whenever any properties of a
- <code><a href=#document>Document</a></code> object are accessed by scripts whose
- <a href=#effective-script-origin>effective script origin</a> is not the <a href=#same-origin title="same
- origin">same</a> as the <code><a href=#document>Document</a></code>'s <a href=#effective-script-origin>effective
- script origin</a>.</p>
+ <p id=security>User agents must throw a <code><a href=#securityerror>SecurityError</a></code> exception whenever any
+ properties of a <code><a href=#document>Document</a></code> object are accessed by scripts whose <a href=#effective-script-origin>effective script
+ origin</a> is not the <a href=#same-origin title="same origin">same</a> as the <code><a href=#document>Document</a></code>'s
+ <a href=#effective-script-origin>effective script origin</a>.</p>
<!--REMOVE-TOPIC:Security-->
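Review bot: the rewritten "p id=security" paragraph drops the "span class=impl" wrapper around "must", and that is the only non-whitespace change in this hunk. The Window, Location and Storage paragraphs in this patch already use a bare "must", so this does make the four rules uniform, but if the impl class drives styling or any tooling that picks out implementation requirements, the Document rule silently loses that marker. Please confirm the class is not needed here, or say in the log that it was removed on purpose.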
@@ -68452,12 +68450,10 @@
<h4 id=security-window><span class=secno>6.2.1 </span>Security</h4>
- <p id=security-2>User agents must throw a
- <code><a href=#securityerror>SecurityError</a></code> exception whenever any properties of a
- <code><a href=#window>Window</a></code> object are accessed by scripts whose
- <a href=#effective-script-origin>effective script origin</a> is not the same as the
- <code><a href=#window>Window</a></code> object's <code><a href=#document>Document</a></code>'s <a href=#effective-script-origin>effective
- script origin</a>, with the following exceptions:</p>
+ <p id=security-2>User agents must throw a <code><a href=#securityerror>SecurityError</a></code> exception whenever any
+ properties of a <code><a href=#window>Window</a></code> object are accessed by scripts whose <a href=#effective-script-origin>effective script
+ origin</a> is not the <a href=#same-origin title="same origin">same</a> as the <code><a href=#window>Window</a></code> object's
+ <code><a href=#document>Document</a></code>'s <a href=#effective-script-origin>effective script origin</a>, with the following exceptions:</p>
<ul><li>The <code title=dom-location><a href=#dom-location>location</a></code> attribute
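Review bot: in the Window paragraph the plain words "is not the same as" become a link to the "same origin" definition, which is more than a wording change. The old text left the comparison undefined, the new text binds it to the defined same-origin check, so the requirement on user agents is now tighter and testable. The log only mentions consistent wording; it is worth stating there that the Window rule is now tied to the same-origin definition like the Document and Location rules.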
@@ -70556,7 +70552,7 @@
<a href=#browsing-context>browsing context</a>, and allow the <a href=#current-entry>current entry</a> of the <a href=#browsing-context>browsing
context</a>'s session history to be changed, by adding or replacing entries in the <code title=dom-history><a href=#dom-history>history</a></code> object.</p>
- <pre class=idl>interface <dfn id=location>Location</dfn> {
+ <pre class=idl>[Unforgeable] interface <dfn id=location>Location</dfn> {
stringifier attribute DOMString <a href=#dom-location-href title=dom-location-href>href</a>;
void <a href=#dom-location-assign title=dom-location-assign>assign</a>(DOMString url);
void <a href=#dom-location-replace title=dom-location-replace>replace</a>(DOMString url);
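Review bot: [Unforgeable] is added on the interface line itself, with nothing in this hunk saying what it guarantees. Please confirm that Web IDL defines the extended attribute at interface level and that it then covers the operations listed here (assign(), replace()) as well as the href attribute. A short non-normative note stating that page script cannot redefine or shadow these members would make the security intent visible to readers of this section, since the IDL annotation alone is easy to miss.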
@@ -70712,13 +70708,11 @@
<h5 id=security-location><span class=secno>6.5.3.1 </span>Security</h5>
- <p id=security-3>User agents must throw a
- <code><a href=#securityerror>SecurityError</a></code> exception whenever any of the members of a
- <code><a href=#location>Location</a></code> object are accessed by scripts whose
- <a href=#effective-script-origin>effective script origin</a> is not the <a href=#same-origin title="same
- origin">same</a> as the <code><a href=#location>Location</a></code> object's associated
- <code><a href=#document>Document</a></code>'s <a href=#effective-script-origin>effective script origin</a>, with
- the following exceptions:</p>
+ <p id=security-3>User agents must throw a <code><a href=#securityerror>SecurityError</a></code> exception whenever any
+ properties of a <code><a href=#location>Location</a></code> object are accessed by scripts whose <a href=#effective-script-origin>effective script
+ origin</a> is not the <a href=#same-origin title="same origin">same</a> as the <code><a href=#location>Location</a></code>
+ object's associated <code><a href=#document>Document</a></code>'s <a href=#effective-script-origin>effective script origin</a>, with the
+ following exceptions:</p>
<ul><li>The <code title=dom-location-href><a href=#dom-location-href>href</a></code> setter, if the
script is running in a <a href=#browsing-context>browsing context</a> that is
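Review bot: the Location rule changes "any of the members" to "any properties", and the two terms are not obviously equivalent. The IDL touched by this same patch declares operations (assign(url), replace(url)) next to the href attribute, and a reader working from the IDL may take "properties" to mean attributes only. Suggest either keeping "members" or adding a few words making clear that methods are included, so that the exceptions list that follows is read as the complete set of cross-origin access paths.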
@@ -87861,14 +87855,11 @@
<!--ADD-TOPIC:Security-->
<h5 id=security-localStorage><span class=secno>11.2.3.1 </span>Security</h5>
- <p>User agents must throw a <code><a href=#securityerror>SecurityError</a></code> exception
- whenever any of the members of a <code><a href=#storage-0>Storage</a></code> object
- originally returned by the <code title=dom-localStorage><a href=#dom-localstorage>localStorage</a></code> attribute are accessed
- by scripts whose <a href=#effective-script-origin>effective script origin</a> is not the
- <a href=#same-origin title="same origin">same</a> as the <a href=#origin>origin</a> of
- the <code><a href=#document>Document</a></code> of the <code><a href=#window>Window</a></code> object on which
- the <code title=dom-localStorage><a href=#dom-localstorage>localStorage</a></code> attribute was
- accessed.</p>
+ <p>User agents must throw a <code><a href=#securityerror>SecurityError</a></code> exception whenever any properties of a
+ <code><a href=#storage-0>Storage</a></code> object originally returned by the <code title=dom-localStorage><a href=#dom-localstorage>localStorage</a></code> attribute are accessed by scripts whose
+ <a href=#effective-script-origin>effective script origin</a> is not the <a href=#same-origin title="same origin">same</a> as the
+ <a href=#origin>origin</a> of the <code><a href=#document>Document</a></code> of the <code><a href=#window>Window</a></code> object on which the
+ <code title=dom-localStorage><a href=#dom-localstorage>localStorage</a></code> attribute was accessed.</p>
<p class=note>This means <code><a href=#storage-0>Storage</a></code> objects are neutered
when the <code title=dom-document-domain><a href=#dom-document-domain>document.domain</a></code>
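Review bot: after this rewording the Storage rule still compares the script's effective script origin against the "origin" of the Document, while the Document, Window and Location paragraphs in this patch all compare against the Document's "effective script origin". The note that follows (Storage objects are neutered when document.domain is used) suggests the difference is deliberate, but since the stated goal of the commit is consistent wording, the asymmetry now stands out. Suggest saying explicitly in the paragraph or the note that the plain origin is intended here.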
Modified: index
===================================================================
--- index 2012-11-20 01:14:35 UTC (rev 7514)
+++ index 2012-11-20 01:42:02 UTC (rev 7515)
@@ -10233,12 +10233,10 @@
<!--ADD-TOPIC:Security-->
<h4 id=security-document><span class=secno>3.1.2 </span>Security</h4>
- <p id=security>User agents <span class=impl>must</span> throw a
- <code><a href=#securityerror>SecurityError</a></code> exception whenever any properties of a
- <code><a href=#document>Document</a></code> object are accessed by scripts whose
- <a href=#effective-script-origin>effective script origin</a> is not the <a href=#same-origin title="same
- origin">same</a> as the <code><a href=#document>Document</a></code>'s <a href=#effective-script-origin>effective
- script origin</a>.</p>
+ <p id=security>User agents must throw a <code><a href=#securityerror>SecurityError</a></code> exception whenever any
+ properties of a <code><a href=#document>Document</a></code> object are accessed by scripts whose <a href=#effective-script-origin>effective script
+ origin</a> is not the <a href=#same-origin title="same origin">same</a> as the <code><a href=#document>Document</a></code>'s
+ <a href=#effective-script-origin>effective script origin</a>.</p>
<!--REMOVE-TOPIC:Security-->
@@ -68452,12 +68450,10 @@
<h4 id=security-window><span class=secno>6.2.1 </span>Security</h4>
- <p id=security-2>User agents must throw a
- <code><a href=#securityerror>SecurityError</a></code> exception whenever any properties of a
- <code><a href=#window>Window</a></code> object are accessed by scripts whose
- <a href=#effective-script-origin>effective script origin</a> is not the same as the
- <code><a href=#window>Window</a></code> object's <code><a href=#document>Document</a></code>'s <a href=#effective-script-origin>effective
- script origin</a>, with the following exceptions:</p>
+ <p id=security-2>User agents must throw a <code><a href=#securityerror>SecurityError</a></code> exception whenever any
+ properties of a <code><a href=#window>Window</a></code> object are accessed by scripts whose <a href=#effective-script-origin>effective script
+ origin</a> is not the <a href=#same-origin title="same origin">same</a> as the <code><a href=#window>Window</a></code> object's
+ <code><a href=#document>Document</a></code>'s <a href=#effective-script-origin>effective script origin</a>, with the following exceptions:</p>
<ul><li>The <code title=dom-location><a href=#dom-location>location</a></code> attribute
@@ -70556,7 +70552,7 @@
<a href=#browsing-context>browsing context</a>, and allow the <a href=#current-entry>current entry</a> of the <a href=#browsing-context>browsing
context</a>'s session history to be changed, by adding or replacing entries in the <code title=dom-history><a href=#dom-history>history</a></code> object.</p>
- <pre class=idl>interface <dfn id=location>Location</dfn> {
+ <pre class=idl>[Unforgeable] interface <dfn id=location>Location</dfn> {
stringifier attribute DOMString <a href=#dom-location-href title=dom-location-href>href</a>;
void <a href=#dom-location-assign title=dom-location-assign>assign</a>(DOMString url);
void <a href=#dom-location-replace title=dom-location-replace>replace</a>(DOMString url);
@@ -70712,13 +70708,11 @@
<h5 id=security-location><span class=secno>6.5.3.1 </span>Security</h5>
- <p id=security-3>User agents must throw a
- <code><a href=#securityerror>SecurityError</a></code> exception whenever any of the members of a
- <code><a href=#location>Location</a></code> object are accessed by scripts whose
- <a href=#effective-script-origin>effective script origin</a> is not the <a href=#same-origin title="same
- origin">same</a> as the <code><a href=#location>Location</a></code> object's associated
- <code><a href=#document>Document</a></code>'s <a href=#effective-script-origin>effective script origin</a>, with
- the following exceptions:</p>
+ <p id=security-3>User agents must throw a <code><a href=#securityerror>SecurityError</a></code> exception whenever any
+ properties of a <code><a href=#location>Location</a></code> object are accessed by scripts whose <a href=#effective-script-origin>effective script
+ origin</a> is not the <a href=#same-origin title="same origin">same</a> as the <code><a href=#location>Location</a></code>
+ object's associated <code><a href=#document>Document</a></code>'s <a href=#effective-script-origin>effective script origin</a>, with the
+ following exceptions:</p>
<ul><li>The <code title=dom-location-href><a href=#dom-location-href>href</a></code> setter, if the
script is running in a <a href=#browsing-context>browsing context</a> that is
@@ -87861,14 +87855,11 @@
<!--ADD-TOPIC:Security-->
<h5 id=security-localStorage><span class=secno>11.2.3.1 </span>Security</h5>
- <p>User agents must throw a <code><a href=#securityerror>SecurityError</a></code> exception
- whenever any of the members of a <code><a href=#storage-0>Storage</a></code> object
- originally returned by the <code title=dom-localStorage><a href=#dom-localstorage>localStorage</a></code> attribute are accessed
- by scripts whose <a href=#effective-script-origin>effective script origin</a> is not the
- <a href=#same-origin title="same origin">same</a> as the <a href=#origin>origin</a> of
- the <code><a href=#document>Document</a></code> of the <code><a href=#window>Window</a></code> object on which
- the <code title=dom-localStorage><a href=#dom-localstorage>localStorage</a></code> attribute was
- accessed.</p>
+ <p>User agents must throw a <code><a href=#securityerror>SecurityError</a></code> exception whenever any properties of a
+ <code><a href=#storage-0>Storage</a></code> object originally returned by the <code title=dom-localStorage><a href=#dom-localstorage>localStorage</a></code> attribute are accessed by scripts whose
+ <a href=#effective-script-origin>effective script origin</a> is not the <a href=#same-origin title="same origin">same</a> as the
+ <a href=#origin>origin</a> of the <code><a href=#document>Document</a></code> of the <code><a href=#window>Window</a></code> object on which the
+ <code title=dom-localStorage><a href=#dom-localstorage>localStorage</a></code> attribute was accessed.</p>
<p class=note>This means <code><a href=#storage-0>Storage</a></code> objects are neutered
when the <code title=dom-document-domain><a href=#dom-document-domain>document.domain</a></code>
Modified: source
===================================================================
--- source 2012-11-20 01:14:35 UTC (rev 7514)
+++ source 2012-11-20 01:42:02 UTC (rev 7515)
@@ -10416,12 +10416,10 @@
<!--ADD-TOPIC:Security-->
<h4 id="security-document">Security</h4>
- <p id="security">User agents <span class="impl">must</span> throw a
- <code>SecurityError</code> exception whenever any properties of a
- <code>Document</code> object are accessed by scripts whose
- <span>effective script origin</span> is not the <span title="same
- origin">same</span> as the <code>Document</code>'s <span>effective
- script origin</span>.</p>
+ <p id="security">User agents must throw a <code>SecurityError</code> exception whenever any
+ properties of a <code>Document</code> object are accessed by scripts whose <span>effective script
+ origin</span> is not the <span title="same origin">same</span> as the <code>Document</code>'s
+ <span>effective script origin</span>.</p>
<!--REMOVE-TOPIC:Security-->
@@ -80371,12 +80369,10 @@
<h4 id="security-window">Security</h4>
- <p id="security-2">User agents must throw a
- <code>SecurityError</code> exception whenever any properties of a
- <code>Window</code> object are accessed by scripts whose
- <span>effective script origin</span> is not the same as the
- <code>Window</code> object's <code>Document</code>'s <span>effective
- script origin</span>, with the following exceptions:</p>
+ <p id="security-2">User agents must throw a <code>SecurityError</code> exception whenever any
+ properties of a <code>Window</code> object are accessed by scripts whose <span>effective script
+ origin</span> is not the <span title="same origin">same</span> as the <code>Window</code> object's
+ <code>Document</code>'s <span>effective script origin</span>, with the following exceptions:</p>
<ul>
@@ -82796,7 +82792,7 @@
context</span>'s session history to be changed, by adding or replacing entries in the <code
title="dom-history">history</code> object.</p>
- <pre class="idl">interface <dfn>Location</dfn> {
+ <pre class="idl">[Unforgeable] interface <dfn>Location</dfn> {
stringifier attribute DOMString <span title="dom-location-href">href</span>;
void <span title="dom-location-assign">assign</span>(DOMString url);
void <span title="dom-location-replace">replace</span>(DOMString url);
@@ -82983,13 +82979,11 @@
<h5 id="security-location">Security</h5>
- <p id="security-3">User agents must throw a
- <code>SecurityError</code> exception whenever any of the members of a
- <code>Location</code> object are accessed by scripts whose
- <span>effective script origin</span> is not the <span title="same
- origin">same</span> as the <code>Location</code> object's associated
- <code>Document</code>'s <span>effective script origin</span>, with
- the following exceptions:</p>
+ <p id="security-3">User agents must throw a <code>SecurityError</code> exception whenever any
+ properties of a <code>Location</code> object are accessed by scripts whose <span>effective script
+ origin</span> is not the <span title="same origin">same</span> as the <code>Location</code>
+ object's associated <code>Document</code>'s <span>effective script origin</span>, with the
+ following exceptions:</p>
<ul>
@@ -102300,15 +102294,12 @@
<!--ADD-TOPIC:Security-->
<h6 id="security-localStorage">Security</h6>
- <p>User agents must throw a <code>SecurityError</code> exception
- whenever any of the members of a <code>Storage</code> object
- originally returned by the <code
- title="dom-localStorage">localStorage</code> attribute are accessed
- by scripts whose <span>effective script origin</span> is not the
- <span title="same origin">same</span> as the <span>origin</span> of
- the <code>Document</code> of the <code>Window</code> object on which
- the <code title="dom-localStorage">localStorage</code> attribute was
- accessed.</p>
+ <p>User agents must throw a <code>SecurityError</code> exception whenever any properties of a
+ <code>Storage</code> object originally returned by the <code
+ title="dom-localStorage">localStorage</code> attribute are accessed by scripts whose
+ <span>effective script origin</span> is not the <span title="same origin">same</span> as the
+ <span>origin</span> of the <code>Document</code> of the <code>Window</code> object on which the
+ <code title="dom-localStorage">localStorage</code> attribute was accessed.</p>
<p class="note">This means <code>Storage</code> objects are neutered
when the <code title="dom-document-domain">document.domain</code>