[html5] r7548 - [giow] (2) Support <script crossorigin>. Affected topics: DOM APIs, HTML
whatwg at whatwg.org
whatwg at whatwg.org
Wed Nov 28 16:23:10 PST 2012
Author: ianh
Date: 2012-11-28 16:23:09 -0800 (Wed, 28 Nov 2012)
New Revision: 7548
Modified:
complete.html
index
source
Log:
[giow] (2) Support <script crossorigin>.
Affected topics: DOM APIs, HTML
Modified: complete.html
===================================================================
--- complete.html 2012-11-28 00:27:51 UTC (rev 7547)
+++ complete.html 2012-11-29 00:23:09 UTC (rev 7548)
@@ -248,7 +248,7 @@
<header class=head id=head><p><a class=logo href=http://www.whatwg.org/><img alt=WHATWG height=101 src=/images/logo width=101></a></p>
<hgroup><h1 class=allcaps>HTML</h1>
- <h2 class="no-num no-toc">Living Standard — Last Updated 28 November 2012</h2>
+ <h2 class="no-num no-toc">Living Standard — Last Updated 29 November 2012</h2>
</hgroup><dl><dt><strong>Web developer edition:</strong></dt>
<dd><strong><a href=http://developers.whatwg.org/>http://developers.whatwg.org/</a></strong></dd>
<dt>Multiple-page version:</dt>
@@ -15998,18 +15998,20 @@
<dt><a href=#element-dfn-attributes title=element-dfn-attributes>Content attributes</a>:</dt>
<dd><a href=#global-attributes>Global attributes</a></dd>
<dd><code title=attr-script-src><a href=#attr-script-src>src</a></code></dd>
+ <dd><code title=attr-script-type><a href=#attr-script-type>type</a></code></dd>
+ <dd><code title=attr-script-charset><a href=#attr-script-charset>charset</a></code></dd>
<dd><code title=attr-script-async><a href=#attr-script-async>async</a></code></dd>
<dd><code title=attr-script-defer><a href=#attr-script-defer>defer</a></code></dd>
- <dd><code title=attr-script-type><a href=#attr-script-type>type</a></code></dd>
- <dd><code title=attr-script-charset><a href=#attr-script-charset>charset</a></code></dd>
+ <dd><code title=attr-script-crossorigin><a href=#attr-script-crossorigin>crossorigin</a></code></dd>
<dt><a href=#element-dfn-dom title=element-dfn-dom>DOM interface</a>:</dt><!--TOPIC:DOM APIs-->
<dd>
<pre class=idl>interface <dfn id=htmlscriptelement>HTMLScriptElement</dfn> : <a href=#htmlelement>HTMLElement</a> {
attribute DOMString <a href=#dom-script-src title=dom-script-src>src</a>;
+ attribute DOMString <a href=#dom-script-type title=dom-script-type>type</a>;
+ attribute DOMString <a href=#dom-script-charset title=dom-script-charset>charset</a>;
attribute boolean <a href=#dom-script-async title=dom-script-async>async</a>;
attribute boolean <a href=#dom-script-defer title=dom-script-defer>defer</a>;
- attribute DOMString <a href=#dom-script-type title=dom-script-type>type</a>;
- attribute DOMString <a href=#dom-script-charset title=dom-script-charset>charset</a>;
+ attribute DOMString <a href=#dom-script-crossorigin title=dom-script-crossorigin>crossOrigin</a>;
attribute DOMString <a href=#dom-script-text title=dom-script-text>text</a>;
};</pre>
</dd>
@@ -16093,11 +16095,13 @@
support <code title=attr-script-defer><a href=#attr-script-defer>defer</a></code> (and not <code title=attr-script-async><a href=#attr-script-async>async</a></code>) to fall back to the <code title=attr-script-defer><a href=#attr-script-defer>defer</a></code> behavior instead of the
synchronous blocking behavior that is the default.</p>
- <p>Changing the <code title=attr-script-src><a href=#attr-script-src>src</a></code>, <code title=attr-script-type><a href=#attr-script-type>type</a></code>, <code title=attr-script-charset><a href=#attr-script-charset>charset</a></code>, <code title=attr-script-async><a href=#attr-script-async>async</a></code>, and <code title=attr-script-defer><a href=#attr-script-defer>defer</a></code> attributes dynamically has no
- direct effect; these attribute are only used at specific times
- described below.</p> <!-- by implication, changes to the base URL
- also have no effect -->
+ <p>The <dfn id=attr-script-crossorigin title=attr-script-crossorigin><code>crossorigin</code></dfn> attribute is a
+ <a href=#cors-settings-attribute>CORS settings attribute</a>. It controls, for scripts that are obtained from other <a href=#origin title=origin>origins</a>, whether error information will be exposed.</p>
+ <p>Changing the <code title=attr-script-src><a href=#attr-script-src>src</a></code>, <code title=attr-script-type><a href=#attr-script-type>type</a></code>, <code title=attr-script-charset><a href=#attr-script-charset>charset</a></code>, <code title=attr-script-async><a href=#attr-script-async>async</a></code>, <code title=attr-script-defer><a href=#attr-script-defer>defer</a></code>, and <code title=attr-script-crossorigin><a href=#attr-script-crossorigin>crossorigin</a></code> attributes dynamically has no direct effect;
+ these attribute are only used at specific times described below.</p> <!-- by implication, changes
+ to the base URL also have no effect -->
+
<div class=impl>
<p>A <code><a href=#the-script-element>script</a></code> element has several associated pieces of
@@ -16349,39 +16353,51 @@
<li id=script-processing-src-prepare>
<p>If the element has a <code title=attr-script-src><a href=#attr-script-src>src</a></code>
- attribute whose value is not the empty string, then the value of
- that attribute must be <a href=#resolve-a-url title="resolve a url">resolved</a>
- relative to the element, and if that is successful, the specified
- resource must then be <a href=#fetch title=fetch>fetched</a><!--FETCH-->, from the
- <a href=#origin>origin</a> of the element's <code><a href=#document>Document</a></code>.</p>
- <!-- not http-origin privacy sensitive -->
+ content attribute, run these substeps:</p>
- <p>If the <code title=attr-script-src><a href=#attr-script-src>src</a></code> attribute's
- value is the empty string or if it could not be resolved, then the
- user agent must <a href=#queue-a-task>queue a task</a> to <a href=#fire-a-simple-event>fire a simple
- event</a> named <code title=event-error>error</code> at the
- element, and abort these steps.</p>
+ <ol><li><p>Let <var title="">src</var> be the value of the element's <code title=attr-script-src><a href=#attr-script-src>src</a></code> attribute.</li>
- <p>For historical reasons, if the <a href=#url>URL</a> is a <a href=#javascript-protocol title="javascript protocol"><code title="">javascript:</code>
- URL</a>, then the user agent must not, despite the requirements
- in the definition of the <a href=#fetch title=fetch>fetching</a>
- algorithm, actually execute the script in the URL; instead the
- user agent must act as if it had received an empty HTTP 400
- response.</p>
+ <li><p>If <var title="">src</var> is the empty string, <a href=#queue-a-task>queue a task</a> to <a href=#fire-a-simple-event>fire
+ a simple event</a> named <code title=event-error>error</code> at the element, and abort
+ these steps.</li>
- <p>For performance reasons, user agents may start fetching the
- script as soon as the attribute is set, instead, in the hope that
- the element will be inserted into the document. Either way, once
- the element is <a href=#insert-an-element-into-a-document title="insert an element into a
- document">inserted into the document</a>, the load must have
- started. If the UA performs such prefetching, but the element is
- never inserted in the document, or the <code title=attr-script-src><a href=#attr-script-src>src</a></code> attribute is dynamically
- changed,<!-- or the base URL is dynamically changed,--> then the
- user agent will not execute the script, and the fetching process
- will have been effectively wasted.</p>
+ <li><p><a href=#resolve-a-url title="resolve a url">Resolve</a> <var title="">src</var> relative to the
+ element.</li>
- </li>
+ <li><p>If the previous step failed, <a href=#queue-a-task>queue a task</a> to <a href=#fire-a-simple-event>fire a simple
+ event</a> named <code title=event-error>error</code> at the element, and abort these
+ steps.</li>
+ <li>
+
+ <p>Do a <a href=#potentially-cors-enabled-fetch>potentially CORS-enabled fetch</a><!--FETCH--> of the resulting
+ <a href=#absolute-url>absolute URL</a>, with the <i>mode</i> being the state of the element's <code title=attr-script-crossorigin><a href=#attr-script-crossorigin>crossorigin</a></code> content attribute, the <i title="">origin</i> being the <a href=#origin>origin</a> of the <code><a href=#the-script-element>script</a></code> element's
+ <code><a href=#document>Document</a></code>, and the <i>default origin behaviour</i> set to <i>taint</i>.</p>
+
+ <p>The resource obtained in this fashion can be either <a href=#cors-same-origin>CORS-same-origin</a> or
+ <a href=#cors-cross-origin>CORS-cross-origin</a>. This only affects how error reporting happens.</p>
+
+ <p>For historical reasons, if the <a href=#url>URL</a> is a <a href=#javascript-protocol title="javascript
+ protocol"><code title="">javascript:</code> URL</a>, then the user agent must not, despite
+ the requirements in the definition of the <a href=#fetch title=fetch>fetching</a> algorithm,
+ actually execute the script in the URL; instead the user agent must act as if it had received
+ an empty HTTP 400 response.</p>
+
+ <p>For performance reasons, user agents may start fetching the script (as defined above) as
+ soon as the <code title=attr-script-src><a href=#attr-script-src>src</a></code> attribute is set, instead, in the hope
+ that the element will be inserted into the document (and that the <code title=attr-script-crossorigin><a href=#attr-script-crossorigin>crossorigin</a></code> attribute won't change value in the
+ meantime). Either way, once the element is <a href=#insert-an-element-into-a-document title="insert an element into a
+ document">inserted into the document</a>, the load must have started as described in this
+ step. If the UA performs such prefetching, but the element is never inserted in the document,
+ or the <code title=attr-script-src><a href=#attr-script-src>src</a></code> attribute is dynamically changed,<!-- or the
+ base URL is dynamically changed,--> or the <code title=attr-script-crossorigin><a href=#attr-script-crossorigin>crossorigin</a></code> attribute is dynamically changed, then the
+ user agent will not execute the script so obtained, and the fetching process will have been
+ effectively wasted.</p>
+
+ </li>
+
+ </ol></li>
+
<!-- at this point if the element is "parser-inserted" then we know
it is not "force-async". -->
@@ -16723,6 +16739,10 @@
from which the script was obtained, and <var><a href="#the-script-block's-type">the script
block's type</a></var>.</p>
+ <p>If the script came from a resource that was <a href=#fetch title=fetch>fetched</a> in the
+ steps above, and the resource was <a href=#cors-cross-origin>CORS-cross-origin</a>, then pass the <var title="">muted errors</var> flag to the <a href=#create-a-script-from-a-node>create a script from a node</a>
+ algorithm.</p>
+
<p class=note>This is where the script is compiled and
actually executed.</p>
@@ -16760,10 +16780,14 @@
</dl></li>
- </ol><p>The IDL attributes <dfn id=dom-script-src title=dom-script-src><code>src</code></dfn>, <dfn id=dom-script-type title=dom-script-type><code>type</code></dfn>, <dfn id=dom-script-charset title=dom-script-charset><code>charset</code></dfn>, and <dfn id=dom-script-defer title=dom-script-defer><code>defer</code></dfn>, each must
+ </ol><p>The IDL attributes <dfn id=dom-script-src title=dom-script-src><code>src</code></dfn>, <dfn id=dom-script-type title=dom-script-type><code>type</code></dfn>, <dfn id=dom-script-charset title=dom-script-charset><code>charset</code></dfn>, <dfn id=dom-script-defer title=dom-script-defer><code>defer</code></dfn>, each must
<a href=#reflect>reflect</a> the respective content attributes of the same
name.</p>
+ <p>The <dfn id=dom-script-crossorigin title=dom-script-crossOrigin><code>crossOrigin</code></dfn> IDL attribute must
+ <a href=#reflect>reflect</a> the <code title=attr-script-crossorigin><a href=#attr-script-crossorigin>crossorigin</a></code> content
+ attribute.</p>
+
<p>The <dfn id=dom-script-async title=dom-script-async><code>async</code></dfn> IDL
attribute controls whether the element will execute asynchronously
or not. If the element's <a href=#force-async>"force-async"</a> flag is set,
@@ -72745,6 +72769,16 @@
</dd>
+ <dt>Optionally, a <dfn id=muted-errors>muted errors</dfn> flag</dt>
+
+ <dd>
+
+ <p>A flag which, if set, means that error information will not be provided for errors in this
+ script (used to mute errors for cross-origin scripts, since that can leak private
+ information).</p>
+
+ </dd>
+
</dl></div>
@@ -72813,11 +72847,10 @@
<h5 id=creating-scripts><span class=secno>7.1.3.3 </span>Creating scripts</h5>
- <p>When the specification says that a <a href=#concept-script title=concept-script>script</a> is to be <dfn id=create-a-script title="create a
- script">created</dfn>, given some script source, a script source
- URL, its scripting language, a global object, a browsing context, a
- document, a referrer source, a URL character encoding, and a base
- URL, the user agent must run the following steps:</p>
+ <p>When the specification says that a <a href=#concept-script title=concept-script>script</a> is to be <dfn id=create-a-script title="create a script">created</dfn>, given some script source, a script source URL, its
+ scripting language, a global object, a browsing context, a document, a referrer source, a URL
+ character encoding, a base URL, and optionally a <var title="">muted errors</var> flag, the user
+ agent must run the following steps:</p>
<ol><li><p>If <a href=#concept-bc-noscript title=concept-bc-noscript>scripting is
disabled</a> for <a href=#browsing-context>browsing context</a> passed to this
@@ -72842,6 +72875,9 @@
<a href="#script's-base-url">script's base URL</a> from the settings passed to this
algorithm.</li>
+ <li><p>If the <var title="">muted errors</var> flag was set, then set the script's <a href=#muted-errors>muted
+ errors</a> flag also.</li>
+
<li>
<p>If all the steps above succeeded (in particular, if the script
@@ -72849,12 +72885,11 @@
entry-point">Jump</a> to the <a href=#concept-script title=concept-script>script</a>'s <i><a href=#initial-code-entry-point>initial code
entry-point</a></i>.</p>
- <p>Otherwise, <a href=#report-the-error>report the error</a> at the script source
- URL, with the problematic position (line number and column
- number), in the script's <a href=#origin>origin</a>, using the <code title=handler-window-onerror><a href=#handler-window-onerror>onerror</a></code> <a href=#event-handlers title="event
- handlers">event handler</a> of the <a href="#script's-global-object">script's global
- object</a>. If the error is still <i title=concept-error-nothandled><a href=#concept-error-nothandled>not handled</a></i> after this, then
- the error may be reported to the user.</p>
+ <p>Otherwise, <a href=#report-the-error>report the error</a> for the <a href=#concept-script title=concept-script>script</a>,
+ with the problematic position (line number and column number), in the script's
+ <a href=#origin>origin</a>, using the <code title=handler-window-onerror><a href=#handler-window-onerror>onerror</a></code> <a href=#event-handlers title="event handlers">event handler</a> of the <a href="#script's-global-object">script's global object</a>. If the
+ error is still <i title=concept-error-nothandled><a href=#concept-error-nothandled>not handled</a></i> after this, then the error
+ may be reported to the user.</p>
</li>
@@ -72867,12 +72902,11 @@
encoding, and base URL for the resulting <a href=#concept-script title=concept-script>script</a> are not important as no APIs
are exposed to the script.</p>
- <hr><p>When the specification says that a <a href=#concept-script title=concept-script>script</a> is to be <dfn id=create-a-script-from-a-node title="create a
- script from a node">created from a node</dfn> <var title="">node</var>, given some script source, its URL, and its
- scripting language, the user agent must <a href=#create-a-script>create a
- script</a>, using the given script source, URL, and scripting
- language, and using <a href=#the-script-settings-determined-from-the-node>the script settings determined from the
- node</a> <var title="">node</var>.</p>
+ <hr><p>When the specification says that a <a href=#concept-script title=concept-script>script</a> is to be <dfn id=create-a-script-from-a-node title="create a script from a node">created from a node</dfn> <var title="">node</var>, given some
+ script source, its URL, its scripting language, and optionally a <var title="">muted errors</var>
+ flag, the user agent must <a href=#create-a-script>create a script</a>, using the given script source, URL, and
+ scripting language, <a href=#the-script-settings-determined-from-the-node>the script settings determined from the node</a> <var title="">node</var>, and, if the <var title="">muted errors</var> flag was set in the call to this
+ algorithm, the <var title="">muted errors</var> flag.</p>
<p><dfn id=the-script-settings-determined-from-the-node>The script settings determined from the node</dfn> <var title="">node</var> are computed as follows:</p>
@@ -72944,10 +72978,11 @@
<h5 id=runtime-script-errors><span class=secno>7.1.3.5 </span>Runtime script errors</h5>
- <p>When the user agent is required to <dfn id=report-the-error title="report the
- error">report an error</dfn> at a particular <a href=#url>URL</a> <var title="">location</var> with a particular position <var title="">line</var>:<var title="">col</var> in a particular origin <var title="">origin</var>, using the <a href=#event-handlers title="event handlers">event
- handler</a> <var title="">onerror</var>, it must run these steps,
- after which the error is either <dfn id=concept-error-handled title=concept-error-handled><i>handled</i></dfn> or <dfn id=concept-error-nothandled title=concept-error-nothandled><i>not handled</i></dfn>:</p>
+ <p>When the user agent is required to <dfn id=report-the-error title="report the error">report an error</dfn> for a
+ particular <a href=#concept-script title=concept-script>script</a> <var title="">script</var> with a particular
+ position <var title="">line</var>:<var title="">col</var>, using the <a href=#event-handlers title="event
+ handlers">event handler</a> <var title="">onerror</var>, it must run these steps, after which
+ the error is either <dfn id=concept-error-handled title=concept-error-handled><i>handled</i></dfn> or <dfn id=concept-error-nothandled title=concept-error-nothandled><i>not handled</i></dfn>:</p>
<dl class=switch><dt>If the value of <var title="">onerror</var> is an
<code><a href=#onerroreventhandler>OnErrorEventHandler</a></code></dt>
@@ -72957,12 +72992,7 @@
<ol><li><p>Let <var title="">message</var> be a user-agent-defined
string describing the error in a helpful manner.</li>
- <li><p>If the <var title="">location</var> <a href=#url>URL</a> does
- not have a <a href=#same-origin title="same origin">same</a>
- <a href=#origin>origin</a> as the <var title="">origin</var>, then set
- <var title="">message</var> to "<code title="">Script
- error.</code>", set <var title="">location</var> to the empty
- string, and set <var title="">line</var> and <var title="">col</var> to 0.</li>
+ <li><p>If <var title="">script</var> has <a href=#muted-errors>muted errors</a>, then set <var title="">message</var> to "<code title="">Script error.</code>", set <var title="">location</var> to the empty string, and set <var title="">line</var> and <var title="">col</var> to 0.</li>
<li>
@@ -72991,16 +73021,11 @@
</dl><h6 id=runtime-script-errors-in-documents><span class=secno>7.1.3.5.1 </span>Runtime script errors in documents</h6>
- <p>Whenever an uncaught runtime script error occurs in one of the
- scripts associated with a <code><a href=#document>Document</a></code>, the user agent must
- <a href=#report-the-error>report the error</a> at the URL of the resource containing
- the script (as established when the <a href=#concept-script title=concept-script>script</a> was <a href=#create-a-script title="create a
- script">created</a>), with the problematic position (line number
- and column number) in that resource, in the script's
- <a href=#origin>origin</a>, using the <code title=handler-window-onerror><a href=#handler-window-onerror>onerror</a></code> <a href=#event-handlers title="event
- handlers">event handler</a> of the <a href="#script's-global-object">script's global
- object</a>. If the error is still <i title=concept-error-nothandled><a href=#concept-error-nothandled>not handled</a></i> after this, then
- the error may be reported to the user.</p>
+ <p>Whenever an uncaught runtime script error occurs in one of the scripts associated with a
+ <code><a href=#document>Document</a></code>, the user agent must <a href=#report-the-error>report the error</a> for the relevant <a href=#concept-script title=concept-script>script</a>, with the problematic position (line number and column
+ number) in the resource containing the script, using the <code title=handler-window-onerror><a href=#handler-window-onerror>onerror</a></code> <a href=#event-handlers title="event handlers">event handler</a> of
+ the <a href="#script's-global-object">script's global object</a>. If the error is still <i title=concept-error-nothandled><a href=#concept-error-nothandled>not handled</a></i> after this, then the error may be reported to the
+ user.</p>
<p>The resource containing the script will typically be the file
from which the <code><a href=#document>Document</a></code> was parsed, e.g. for inline
@@ -73764,16 +73789,13 @@
<ol><li><p>If <var title="">H</var>'s value is null, then abort these
steps.</li>
- <li><p>If <var title="">H</var>'s value is an <a href=#concept-handler-error title=concept-handler-error>internal error value</a>, then set
- the <a href=#event-handlers title="event handlers">event handler</a> to null and
- then <a href=#report-the-error>report the error</a> at the appropriate URL and with
- the appropriate position (line number and column number), as
- established when the error was detected, in the <a href=#origin>origin</a>
- of the <code><a href=#document>Document</a></code> of the node of the <a href=#event-handler-content-attributes title="event
- handler content attributes">event handler content attribute</a>,
- using the <code title=handler-window-onerror><a href=#handler-window-onerror>onerror</a></code> <a href=#event-handlers title="event handlers">event handler</a> of the
- <code><a href=#window>Window</a></code> object of that <code><a href=#document>Document</a></code>, and abort
- these steps.</li>
+ <li><p>If <var title="">H</var>'s value is an <a href=#concept-handler-error title=concept-handler-error>internal error
+ value</a>, then set the <a href=#event-handlers title="event handlers">event handler</a> to null and then
+ <a href=#report-the-error>report the error</a> for the appropriate <a href=#concept-script title=concept-script>script</a> and
+ with the appropriate position (line number and column number), as established when the error was
+ detected, using the <code title=handler-window-onerror><a href=#handler-window-onerror>onerror</a></code> <a href=#event-handlers title="event
+ handlers">event handler</a> of the <code><a href=#window>Window</a></code> object of that <code><a href=#document>Document</a></code>,
+ and abort these steps.</li>
<li><p>Let <var title="">callback</var> be <var title="">H</var>'s
value, the callback that the <a href=#event-handlers title="event handlers">event
@@ -81590,14 +81612,11 @@
<h4 id=runtime-script-errors-0><span class=secno>9.2.5 </span>Runtime script errors</h4>
- <p>Whenever an uncaught runtime script error occurs in one of the
- worker's scripts, if the error did not occur while handling a
- previous script error, the user agent must <a href=#report-the-error>report the
- error</a> at the <a href=#url>URL</a> of the resource that contained
- the script, with the position (line number and column number) where
- the error occurred, in the <a href=#origin>origin</a> of the scripts
- running in the worker, using the <code><a href=#workerglobalscope>WorkerGlobalScope</a></code>
- object's <code title=handler-WorkerGlobalScope-onerror><a href=#handler-workerglobalscope-onerror>onerror</a></code> attribute.
+ <p>Whenever an uncaught runtime script error occurs in one of the worker's scripts, if the error
+ did not occur while handling a previous script error, the user agent must <a href=#report-the-error>report the
+ error</a> for that <a href=#concept-script title=concept-script>script</a>, with the position (line number
+ and column number) where the error occurred, using the <code><a href=#workerglobalscope>WorkerGlobalScope</a></code> object's
+ <code title=handler-WorkerGlobalScope-onerror><a href=#handler-workerglobalscope-onerror>onerror</a></code> attribute.
</p>
<p>For shared workers, if the error is still <i title=concept-error-nothandled><a href=#concept-error-nothandled>not handled</a></i> afterwards, or if
@@ -82175,6 +82194,10 @@
URL character encoding, and base URL as the <a href=#concept-script title=concept-script>script</a> that was created by the
worker's <a href=#run-a-worker>run a worker</a> algorithm.</p>
+ <p>If the script came from a resource whose <a href=#url>URL</a> does not have the <a href=#same-origin>same
+ origin</a> as the <a href=#worker-origin>worker origin</a>, then pass the <var title="">muted
+ errors</var> flag to the <a href=#create-a-script-from-a-node>create a script from a node</a> algorithm.</p>
+
<p>Let the newly created <a href=#concept-script title=concept-script>script</a> run until it either
returns, fails to parse, fails to catch an exception, or gets
prematurely aborted by the "<a href=#kill-a-worker>kill a worker</a>" or
Modified: index
===================================================================
--- index 2012-11-28 00:27:51 UTC (rev 7547)
+++ index 2012-11-29 00:23:09 UTC (rev 7548)
@@ -248,7 +248,7 @@
<header class=head id=head><p><a class=logo href=http://www.whatwg.org/><img alt=WHATWG height=101 src=/images/logo width=101></a></p>
<hgroup><h1 class=allcaps>HTML</h1>
- <h2 class="no-num no-toc">Living Standard — Last Updated 28 November 2012</h2>
+ <h2 class="no-num no-toc">Living Standard — Last Updated 29 November 2012</h2>
</hgroup><dl><dt><strong>Web developer edition:</strong></dt>
<dd><strong><a href=http://developers.whatwg.org/>http://developers.whatwg.org/</a></strong></dd>
<dt>Multiple-page version:</dt>
@@ -15998,18 +15998,20 @@
<dt><a href=#element-dfn-attributes title=element-dfn-attributes>Content attributes</a>:</dt>
<dd><a href=#global-attributes>Global attributes</a></dd>
<dd><code title=attr-script-src><a href=#attr-script-src>src</a></code></dd>
+ <dd><code title=attr-script-type><a href=#attr-script-type>type</a></code></dd>
+ <dd><code title=attr-script-charset><a href=#attr-script-charset>charset</a></code></dd>
<dd><code title=attr-script-async><a href=#attr-script-async>async</a></code></dd>
<dd><code title=attr-script-defer><a href=#attr-script-defer>defer</a></code></dd>
- <dd><code title=attr-script-type><a href=#attr-script-type>type</a></code></dd>
- <dd><code title=attr-script-charset><a href=#attr-script-charset>charset</a></code></dd>
+ <dd><code title=attr-script-crossorigin><a href=#attr-script-crossorigin>crossorigin</a></code></dd>
<dt><a href=#element-dfn-dom title=element-dfn-dom>DOM interface</a>:</dt><!--TOPIC:DOM APIs-->
<dd>
<pre class=idl>interface <dfn id=htmlscriptelement>HTMLScriptElement</dfn> : <a href=#htmlelement>HTMLElement</a> {
attribute DOMString <a href=#dom-script-src title=dom-script-src>src</a>;
+ attribute DOMString <a href=#dom-script-type title=dom-script-type>type</a>;
+ attribute DOMString <a href=#dom-script-charset title=dom-script-charset>charset</a>;
attribute boolean <a href=#dom-script-async title=dom-script-async>async</a>;
attribute boolean <a href=#dom-script-defer title=dom-script-defer>defer</a>;
- attribute DOMString <a href=#dom-script-type title=dom-script-type>type</a>;
- attribute DOMString <a href=#dom-script-charset title=dom-script-charset>charset</a>;
+ attribute DOMString <a href=#dom-script-crossorigin title=dom-script-crossorigin>crossOrigin</a>;
attribute DOMString <a href=#dom-script-text title=dom-script-text>text</a>;
};</pre>
</dd>
@@ -16093,11 +16095,13 @@
support <code title=attr-script-defer><a href=#attr-script-defer>defer</a></code> (and not <code title=attr-script-async><a href=#attr-script-async>async</a></code>) to fall back to the <code title=attr-script-defer><a href=#attr-script-defer>defer</a></code> behavior instead of the
synchronous blocking behavior that is the default.</p>
- <p>Changing the <code title=attr-script-src><a href=#attr-script-src>src</a></code>, <code title=attr-script-type><a href=#attr-script-type>type</a></code>, <code title=attr-script-charset><a href=#attr-script-charset>charset</a></code>, <code title=attr-script-async><a href=#attr-script-async>async</a></code>, and <code title=attr-script-defer><a href=#attr-script-defer>defer</a></code> attributes dynamically has no
- direct effect; these attribute are only used at specific times
- described below.</p> <!-- by implication, changes to the base URL
- also have no effect -->
+ <p>The <dfn id=attr-script-crossorigin title=attr-script-crossorigin><code>crossorigin</code></dfn> attribute is a
+ <a href=#cors-settings-attribute>CORS settings attribute</a>. It controls, for scripts that are obtained from other <a href=#origin title=origin>origins</a>, whether error information will be exposed.</p>
+ <p>Changing the <code title=attr-script-src><a href=#attr-script-src>src</a></code>, <code title=attr-script-type><a href=#attr-script-type>type</a></code>, <code title=attr-script-charset><a href=#attr-script-charset>charset</a></code>, <code title=attr-script-async><a href=#attr-script-async>async</a></code>, <code title=attr-script-defer><a href=#attr-script-defer>defer</a></code>, and <code title=attr-script-crossorigin><a href=#attr-script-crossorigin>crossorigin</a></code> attributes dynamically has no direct effect;
+ these attribute are only used at specific times described below.</p> <!-- by implication, changes
+ to the base URL also have no effect -->
+
<div class=impl>
<p>A <code><a href=#the-script-element>script</a></code> element has several associated pieces of
@@ -16349,39 +16353,51 @@
<li id=script-processing-src-prepare>
<p>If the element has a <code title=attr-script-src><a href=#attr-script-src>src</a></code>
- attribute whose value is not the empty string, then the value of
- that attribute must be <a href=#resolve-a-url title="resolve a url">resolved</a>
- relative to the element, and if that is successful, the specified
- resource must then be <a href=#fetch title=fetch>fetched</a><!--FETCH-->, from the
- <a href=#origin>origin</a> of the element's <code><a href=#document>Document</a></code>.</p>
- <!-- not http-origin privacy sensitive -->
+ content attribute, run these substeps:</p>
- <p>If the <code title=attr-script-src><a href=#attr-script-src>src</a></code> attribute's
- value is the empty string or if it could not be resolved, then the
- user agent must <a href=#queue-a-task>queue a task</a> to <a href=#fire-a-simple-event>fire a simple
- event</a> named <code title=event-error>error</code> at the
- element, and abort these steps.</p>
+ <ol><li><p>Let <var title="">src</var> be the value of the element's <code title=attr-script-src><a href=#attr-script-src>src</a></code> attribute.</li>
- <p>For historical reasons, if the <a href=#url>URL</a> is a <a href=#javascript-protocol title="javascript protocol"><code title="">javascript:</code>
- URL</a>, then the user agent must not, despite the requirements
- in the definition of the <a href=#fetch title=fetch>fetching</a>
- algorithm, actually execute the script in the URL; instead the
- user agent must act as if it had received an empty HTTP 400
- response.</p>
+ <li><p>If <var title="">src</var> is the empty string, <a href=#queue-a-task>queue a task</a> to <a href=#fire-a-simple-event>fire
+ a simple event</a> named <code title=event-error>error</code> at the element, and abort
+ these steps.</li>
- <p>For performance reasons, user agents may start fetching the
- script as soon as the attribute is set, instead, in the hope that
- the element will be inserted into the document. Either way, once
- the element is <a href=#insert-an-element-into-a-document title="insert an element into a
- document">inserted into the document</a>, the load must have
- started. If the UA performs such prefetching, but the element is
- never inserted in the document, or the <code title=attr-script-src><a href=#attr-script-src>src</a></code> attribute is dynamically
- changed,<!-- or the base URL is dynamically changed,--> then the
- user agent will not execute the script, and the fetching process
- will have been effectively wasted.</p>
+ <li><p><a href=#resolve-a-url title="resolve a url">Resolve</a> <var title="">src</var> relative to the
+ element.</li>
- </li>
+ <li><p>If the previous step failed, <a href=#queue-a-task>queue a task</a> to <a href=#fire-a-simple-event>fire a simple
+ event</a> named <code title=event-error>error</code> at the element, and abort these
+ steps.</li>
+ <li>
+
+ <p>Do a <a href=#potentially-cors-enabled-fetch>potentially CORS-enabled fetch</a><!--FETCH--> of the resulting
+ <a href=#absolute-url>absolute URL</a>, with the <i>mode</i> being the state of the element's <code title=attr-script-crossorigin><a href=#attr-script-crossorigin>crossorigin</a></code> content attribute, the <i title="">origin</i> being the <a href=#origin>origin</a> of the <code><a href=#the-script-element>script</a></code> element's
+ <code><a href=#document>Document</a></code>, and the <i>default origin behaviour</i> set to <i>taint</i>.</p>
+
+ <p>The resource obtained in this fashion can be either <a href=#cors-same-origin>CORS-same-origin</a> or
+ <a href=#cors-cross-origin>CORS-cross-origin</a>. This only affects how error reporting happens.</p>
+
+ <p>For historical reasons, if the <a href=#url>URL</a> is a <a href=#javascript-protocol title="javascript
+ protocol"><code title="">javascript:</code> URL</a>, then the user agent must not, despite
+ the requirements in the definition of the <a href=#fetch title=fetch>fetching</a> algorithm,
+ actually execute the script in the URL; instead the user agent must act as if it had received
+ an empty HTTP 400 response.</p>
+
+ <p>For performance reasons, user agents may start fetching the script (as defined above) as
+ soon as the <code title=attr-script-src><a href=#attr-script-src>src</a></code> attribute is set, instead, in the hope
+ that the element will be inserted into the document (and that the <code title=attr-script-crossorigin><a href=#attr-script-crossorigin>crossorigin</a></code> attribute won't change value in the
+ meantime). Either way, once the element is <a href=#insert-an-element-into-a-document title="insert an element into a
+ document">inserted into the document</a>, the load must have started as described in this
+ step. If the UA performs such prefetching, but the element is never inserted in the document,
+ or the <code title=attr-script-src><a href=#attr-script-src>src</a></code> attribute is dynamically changed,<!-- or the
+ base URL is dynamically changed,--> or the <code title=attr-script-crossorigin><a href=#attr-script-crossorigin>crossorigin</a></code> attribute is dynamically changed, then the
+ user agent will not execute the script so obtained, and the fetching process will have been
+ effectively wasted.</p>
+
+ </li>
+
+ </ol></li>
+
<!-- at this point if the element is "parser-inserted" then we know
it is not "force-async". -->
@@ -16723,6 +16739,10 @@
from which the script was obtained, and <var><a href="#the-script-block's-type">the script
block's type</a></var>.</p>
+ <p>If the script came from a resource that was <a href=#fetch title=fetch>fetched</a> in the
+ steps above, and the resource was <a href=#cors-cross-origin>CORS-cross-origin</a>, then pass the <var title="">muted errors</var> flag to the <a href=#create-a-script-from-a-node>create a script from a node</a>
+ algorithm.</p>
+
<p class=note>This is where the script is compiled and
actually executed.</p>
@@ -16760,10 +16780,14 @@
</dl></li>
- </ol><p>The IDL attributes <dfn id=dom-script-src title=dom-script-src><code>src</code></dfn>, <dfn id=dom-script-type title=dom-script-type><code>type</code></dfn>, <dfn id=dom-script-charset title=dom-script-charset><code>charset</code></dfn>, and <dfn id=dom-script-defer title=dom-script-defer><code>defer</code></dfn>, each must
+ </ol><p>The IDL attributes <dfn id=dom-script-src title=dom-script-src><code>src</code></dfn>, <dfn id=dom-script-type title=dom-script-type><code>type</code></dfn>, <dfn id=dom-script-charset title=dom-script-charset><code>charset</code></dfn>, <dfn id=dom-script-defer title=dom-script-defer><code>defer</code></dfn>, each must
<a href=#reflect>reflect</a> the respective content attributes of the same
name.</p>
+ <p>The <dfn id=dom-script-crossorigin title=dom-script-crossOrigin><code>crossOrigin</code></dfn> IDL attribute must
+ <a href=#reflect>reflect</a> the <code title=attr-script-crossorigin><a href=#attr-script-crossorigin>crossorigin</a></code> content
+ attribute.</p>
+
<p>The <dfn id=dom-script-async title=dom-script-async><code>async</code></dfn> IDL
attribute controls whether the element will execute asynchronously
or not. If the element's <a href=#force-async>"force-async"</a> flag is set,
@@ -72745,6 +72769,16 @@
</dd>
+ <dt>Optionally, a <dfn id=muted-errors>muted errors</dfn> flag</dt>
+
+ <dd>
+
+ <p>A flag which, if set, means that error information will not be provided for errors in this
+ script (used to mute errors for cross-origin scripts, since that can leak private
+ information).</p>
+
+ </dd>
+
</dl></div>
@@ -72813,11 +72847,10 @@
<h5 id=creating-scripts><span class=secno>7.1.3.3 </span>Creating scripts</h5>
- <p>When the specification says that a <a href=#concept-script title=concept-script>script</a> is to be <dfn id=create-a-script title="create a
- script">created</dfn>, given some script source, a script source
- URL, its scripting language, a global object, a browsing context, a
- document, a referrer source, a URL character encoding, and a base
- URL, the user agent must run the following steps:</p>
+ <p>When the specification says that a <a href=#concept-script title=concept-script>script</a> is to be <dfn id=create-a-script title="create a script">created</dfn>, given some script source, a script source URL, its
+ scripting language, a global object, a browsing context, a document, a referrer source, a URL
+ character encoding, a base URL, and optionally a <var title="">muted errors</var> flag, the user
+ agent must run the following steps:</p>
<ol><li><p>If <a href=#concept-bc-noscript title=concept-bc-noscript>scripting is
disabled</a> for <a href=#browsing-context>browsing context</a> passed to this
@@ -72842,6 +72875,9 @@
<a href="#script's-base-url">script's base URL</a> from the settings passed to this
algorithm.</li>
+ <li><p>If the <var title="">muted errors</var> flag was set, then set the script's <a href=#muted-errors>muted
+ errors</a> flag also.</li>
+
<li>
<p>If all the steps above succeeded (in particular, if the script
@@ -72849,12 +72885,11 @@
entry-point">Jump</a> to the <a href=#concept-script title=concept-script>script</a>'s <i><a href=#initial-code-entry-point>initial code
entry-point</a></i>.</p>
- <p>Otherwise, <a href=#report-the-error>report the error</a> at the script source
- URL, with the problematic position (line number and column
- number), in the script's <a href=#origin>origin</a>, using the <code title=handler-window-onerror><a href=#handler-window-onerror>onerror</a></code> <a href=#event-handlers title="event
- handlers">event handler</a> of the <a href="#script's-global-object">script's global
- object</a>. If the error is still <i title=concept-error-nothandled><a href=#concept-error-nothandled>not handled</a></i> after this, then
- the error may be reported to the user.</p>
+ <p>Otherwise, <a href=#report-the-error>report the error</a> for the <a href=#concept-script title=concept-script>script</a>,
+ with the problematic position (line number and column number), in the script's
+ <a href=#origin>origin</a>, using the <code title=handler-window-onerror><a href=#handler-window-onerror>onerror</a></code> <a href=#event-handlers title="event handlers">event handler</a> of the <a href="#script's-global-object">script's global object</a>. If the
+ error is still <i title=concept-error-nothandled><a href=#concept-error-nothandled>not handled</a></i> after this, then the error
+ may be reported to the user.</p>
</li>
@@ -72867,12 +72902,11 @@
encoding, and base URL for the resulting <a href=#concept-script title=concept-script>script</a> are not important as no APIs
are exposed to the script.</p>
- <hr><p>When the specification says that a <a href=#concept-script title=concept-script>script</a> is to be <dfn id=create-a-script-from-a-node title="create a
- script from a node">created from a node</dfn> <var title="">node</var>, given some script source, its URL, and its
- scripting language, the user agent must <a href=#create-a-script>create a
- script</a>, using the given script source, URL, and scripting
- language, and using <a href=#the-script-settings-determined-from-the-node>the script settings determined from the
- node</a> <var title="">node</var>.</p>
+ <hr><p>When the specification says that a <a href=#concept-script title=concept-script>script</a> is to be <dfn id=create-a-script-from-a-node title="create a script from a node">created from a node</dfn> <var title="">node</var>, given some
+ script source, its URL, its scripting language, and optionally a <var title="">muted errors</var>
+ flag, the user agent must <a href=#create-a-script>create a script</a>, using the given script source, URL, and
+ scripting language, <a href=#the-script-settings-determined-from-the-node>the script settings determined from the node</a> <var title="">node</var>, and, if the <var title="">muted errors</var> flag was set in the call to this
+ algorithm, the <var title="">muted errors</var> flag.</p>
<p><dfn id=the-script-settings-determined-from-the-node>The script settings determined from the node</dfn> <var title="">node</var> are computed as follows:</p>
@@ -72944,10 +72978,11 @@
<h5 id=runtime-script-errors><span class=secno>7.1.3.5 </span>Runtime script errors</h5>
- <p>When the user agent is required to <dfn id=report-the-error title="report the
- error">report an error</dfn> at a particular <a href=#url>URL</a> <var title="">location</var> with a particular position <var title="">line</var>:<var title="">col</var> in a particular origin <var title="">origin</var>, using the <a href=#event-handlers title="event handlers">event
- handler</a> <var title="">onerror</var>, it must run these steps,
- after which the error is either <dfn id=concept-error-handled title=concept-error-handled><i>handled</i></dfn> or <dfn id=concept-error-nothandled title=concept-error-nothandled><i>not handled</i></dfn>:</p>
+ <p>When the user agent is required to <dfn id=report-the-error title="report the error">report an error</dfn> for a
+ particular <a href=#concept-script title=concept-script>script</a> <var title="">script</var> with a particular
+ position <var title="">line</var>:<var title="">col</var>, using the <a href=#event-handlers title="event
+ handlers">event handler</a> <var title="">onerror</var>, it must run these steps, after which
+ the error is either <dfn id=concept-error-handled title=concept-error-handled><i>handled</i></dfn> or <dfn id=concept-error-nothandled title=concept-error-nothandled><i>not handled</i></dfn>:</p>
<dl class=switch><dt>If the value of <var title="">onerror</var> is an
<code><a href=#onerroreventhandler>OnErrorEventHandler</a></code></dt>
@@ -72957,12 +72992,7 @@
<ol><li><p>Let <var title="">message</var> be a user-agent-defined
string describing the error in a helpful manner.</li>
- <li><p>If the <var title="">location</var> <a href=#url>URL</a> does
- not have a <a href=#same-origin title="same origin">same</a>
- <a href=#origin>origin</a> as the <var title="">origin</var>, then set
- <var title="">message</var> to "<code title="">Script
- error.</code>", set <var title="">location</var> to the empty
- string, and set <var title="">line</var> and <var title="">col</var> to 0.</li>
+ <li><p>If <var title="">script</var> has <a href=#muted-errors>muted errors</a>, then set <var title="">message</var> to "<code title="">Script error.</code>", set <var title="">location</var> to the empty string, and set <var title="">line</var> and <var title="">col</var> to 0.</li>
<li>
@@ -72991,16 +73021,11 @@
</dl><h6 id=runtime-script-errors-in-documents><span class=secno>7.1.3.5.1 </span>Runtime script errors in documents</h6>
- <p>Whenever an uncaught runtime script error occurs in one of the
- scripts associated with a <code><a href=#document>Document</a></code>, the user agent must
- <a href=#report-the-error>report the error</a> at the URL of the resource containing
- the script (as established when the <a href=#concept-script title=concept-script>script</a> was <a href=#create-a-script title="create a
- script">created</a>), with the problematic position (line number
- and column number) in that resource, in the script's
- <a href=#origin>origin</a>, using the <code title=handler-window-onerror><a href=#handler-window-onerror>onerror</a></code> <a href=#event-handlers title="event
- handlers">event handler</a> of the <a href="#script's-global-object">script's global
- object</a>. If the error is still <i title=concept-error-nothandled><a href=#concept-error-nothandled>not handled</a></i> after this, then
- the error may be reported to the user.</p>
+ <p>Whenever an uncaught runtime script error occurs in one of the scripts associated with a
+ <code><a href=#document>Document</a></code>, the user agent must <a href=#report-the-error>report the error</a> for the relevant <a href=#concept-script title=concept-script>script</a>, with the problematic position (line number and column
+ number) in the resource containing the script, using the <code title=handler-window-onerror><a href=#handler-window-onerror>onerror</a></code> <a href=#event-handlers title="event handlers">event handler</a> of
+ the <a href="#script's-global-object">script's global object</a>. If the error is still <i title=concept-error-nothandled><a href=#concept-error-nothandled>not handled</a></i> after this, then the error may be reported to the
+ user.</p>
<p>The resource containing the script will typically be the file
from which the <code><a href=#document>Document</a></code> was parsed, e.g. for inline
@@ -73764,16 +73789,13 @@
<ol><li><p>If <var title="">H</var>'s value is null, then abort these
steps.</li>
- <li><p>If <var title="">H</var>'s value is an <a href=#concept-handler-error title=concept-handler-error>internal error value</a>, then set
- the <a href=#event-handlers title="event handlers">event handler</a> to null and
- then <a href=#report-the-error>report the error</a> at the appropriate URL and with
- the appropriate position (line number and column number), as
- established when the error was detected, in the <a href=#origin>origin</a>
- of the <code><a href=#document>Document</a></code> of the node of the <a href=#event-handler-content-attributes title="event
- handler content attributes">event handler content attribute</a>,
- using the <code title=handler-window-onerror><a href=#handler-window-onerror>onerror</a></code> <a href=#event-handlers title="event handlers">event handler</a> of the
- <code><a href=#window>Window</a></code> object of that <code><a href=#document>Document</a></code>, and abort
- these steps.</li>
+ <li><p>If <var title="">H</var>'s value is an <a href=#concept-handler-error title=concept-handler-error>internal error
+ value</a>, then set the <a href=#event-handlers title="event handlers">event handler</a> to null and then
+ <a href=#report-the-error>report the error</a> for the appropriate <a href=#concept-script title=concept-script>script</a> and
+ with the appropriate position (line number and column number), as established when the error was
+ detected, using the <code title=handler-window-onerror><a href=#handler-window-onerror>onerror</a></code> <a href=#event-handlers title="event
+ handlers">event handler</a> of the <code><a href=#window>Window</a></code> object of that <code><a href=#document>Document</a></code>,
+ and abort these steps.</li>
<li><p>Let <var title="">callback</var> be <var title="">H</var>'s
value, the callback that the <a href=#event-handlers title="event handlers">event
@@ -81590,14 +81612,11 @@
<h4 id=runtime-script-errors-0><span class=secno>9.2.5 </span>Runtime script errors</h4>
- <p>Whenever an uncaught runtime script error occurs in one of the
- worker's scripts, if the error did not occur while handling a
- previous script error, the user agent must <a href=#report-the-error>report the
- error</a> at the <a href=#url>URL</a> of the resource that contained
- the script, with the position (line number and column number) where
- the error occurred, in the <a href=#origin>origin</a> of the scripts
- running in the worker, using the <code><a href=#workerglobalscope>WorkerGlobalScope</a></code>
- object's <code title=handler-WorkerGlobalScope-onerror><a href=#handler-workerglobalscope-onerror>onerror</a></code> attribute.
+ <p>Whenever an uncaught runtime script error occurs in one of the worker's scripts, if the error
+ did not occur while handling a previous script error, the user agent must <a href=#report-the-error>report the
+ error</a> for that <a href=#concept-script title=concept-script>script</a>, with the position (line number
+ and column number) where the error occurred, using the <code><a href=#workerglobalscope>WorkerGlobalScope</a></code> object's
+ <code title=handler-WorkerGlobalScope-onerror><a href=#handler-workerglobalscope-onerror>onerror</a></code> attribute.
</p>
<p>For shared workers, if the error is still <i title=concept-error-nothandled><a href=#concept-error-nothandled>not handled</a></i> afterwards, or if
@@ -82175,6 +82194,10 @@
URL character encoding, and base URL as the <a href=#concept-script title=concept-script>script</a> that was created by the
worker's <a href=#run-a-worker>run a worker</a> algorithm.</p>
+ <p>If the script came from a resource whose <a href=#url>URL</a> does not have the <a href=#same-origin>same
+ origin</a> as the <a href=#worker-origin>worker origin</a>, then pass the <var title="">muted
+ errors</var> flag to the <a href=#create-a-script-from-a-node>create a script from a node</a> algorithm.</p>
+
<p>Let the newly created <a href=#concept-script title=concept-script>script</a> run until it either
returns, fails to parse, fails to catch an exception, or gets
prematurely aborted by the "<a href=#kill-a-worker>kill a worker</a>" or
Modified: source
===================================================================
--- source 2012-11-28 00:27:51 UTC (rev 7547)
+++ source 2012-11-29 00:23:09 UTC (rev 7548)
@@ -16834,18 +16834,20 @@
<dt><span title="element-dfn-attributes">Content attributes</span>:</dt>
<dd><span>Global attributes</span></dd>
<dd><code title="attr-script-src">src</code></dd>
+ <dd><code title="attr-script-type">type</code></dd>
+ <dd><code title="attr-script-charset">charset</code></dd>
<dd><code title="attr-script-async">async</code></dd>
<dd><code title="attr-script-defer">defer</code></dd>
- <dd><code title="attr-script-type">type</code></dd>
- <dd><code title="attr-script-charset">charset</code></dd>
+ <dd><code title="attr-script-crossorigin">crossorigin</code></dd>
<dt><span title="element-dfn-dom">DOM interface</span>:</dt><!--TOPIC:DOM APIs-->
<dd>
<pre class="idl">interface <dfn>HTMLScriptElement</dfn> : <span>HTMLElement</span> {
attribute DOMString <span title="dom-script-src">src</span>;
+ attribute DOMString <span title="dom-script-type">type</span>;
+ attribute DOMString <span title="dom-script-charset">charset</span>;
attribute boolean <span title="dom-script-async">async</span>;
attribute boolean <span title="dom-script-defer">defer</span>;
- attribute DOMString <span title="dom-script-type">type</span>;
- attribute DOMString <span title="dom-script-charset">charset</span>;
+ attribute DOMString <span title="dom-script-crossorigin">crossOrigin</span>;
attribute DOMString <span title="dom-script-text">text</span>;
};</pre>
</dd>
@@ -16942,14 +16944,16 @@
title="attr-script-defer">defer</code> behavior instead of the
synchronous blocking behavior that is the default.</p>
+ <p>The <dfn title="attr-script-crossorigin"><code>crossorigin</code></dfn> attribute is a
+ <span>CORS settings attribute</span>. It controls, for scripts that are obtained from other <span
+ title="origin">origins</span>, whether error information will be exposed.</p>
+
<p>Changing the <code title="attr-script-src">src</code>, <code
- title="attr-script-type">type</code>, <code
- title="attr-script-charset">charset</code>, <code
- title="attr-script-async">async</code>, and <code
- title="attr-script-defer">defer</code> attributes dynamically has no
- direct effect; these attribute are only used at specific times
- described below.</p> <!-- by implication, changes to the base URL
- also have no effect -->
+ title="attr-script-type">type</code>, <code title="attr-script-charset">charset</code>, <code
+ title="attr-script-async">async</code>, <code title="attr-script-defer">defer</code>, and <code
+ title="attr-script-crossorigin">crossorigin</code> attributes dynamically has no direct effect;
+ these attribute are only used at specific times described below.</p> <!-- by implication, changes
+ to the base URL also have no effect -->
<div class="impl">
@@ -17249,40 +17253,58 @@
<li id="script-processing-src-prepare">
<p>If the element has a <code title="attr-script-src">src</code>
- attribute whose value is not the empty string, then the value of
- that attribute must be <span title="resolve a url">resolved</span>
- relative to the element, and if that is successful, the specified
- resource must then be <span
- title="fetch">fetched</span><!--FETCH-->, from the
- <span>origin</span> of the element's <code>Document</code>.</p>
- <!-- not http-origin privacy sensitive -->
+ content attribute, run these substeps:</p>
- <p>If the <code title="attr-script-src">src</code> attribute's
- value is the empty string or if it could not be resolved, then the
- user agent must <span>queue a task</span> to <span>fire a simple
- event</span> named <code title="event-error">error</code> at the
- element, and abort these steps.</p>
+ <ol>
- <p>For historical reasons, if the <span>URL</span> is a <span
- title="javascript protocol"><code title="">javascript:</code>
- URL</span>, then the user agent must not, despite the requirements
- in the definition of the <span title="fetch">fetching</span>
- algorithm, actually execute the script in the URL; instead the
- user agent must act as if it had received an empty HTTP 400
- response.</p>
+ <li><p>Let <var title="">src</var> be the value of the element's <code
+ title="attr-script-src">src</code> attribute.</p></li>
- <p>For performance reasons, user agents may start fetching the
- script as soon as the attribute is set, instead, in the hope that
- the element will be inserted into the document. Either way, once
- the element is <span title="insert an element into a
- document">inserted into the document</span>, the load must have
- started. If the UA performs such prefetching, but the element is
- never inserted in the document, or the <code
- title="attr-script-src">src</code> attribute is dynamically
- changed,<!-- or the base URL is dynamically changed,--> then the
- user agent will not execute the script, and the fetching process
- will have been effectively wasted.</p>
+ <li><p>If <var title="">src</var> is the empty string, <span>queue a task</span> to <span>fire
+ a simple event</span> named <code title="event-error">error</code> at the element, and abort
+ these steps.</p></li>
+ <li><p><span title="resolve a url">Resolve</span> <var title="">src</var> relative to the
+ element.</p></li>
+
+ <li><p>If the previous step failed, <span>queue a task</span> to <span>fire a simple
+ event</span> named <code title="event-error">error</code> at the element, and abort these
+ steps.</p></li>
+
+ <li>
+
+ <p>Do a <span>potentially CORS-enabled fetch</span><!--FETCH--> of the resulting
+ <span>absolute URL</span>, with the <i>mode</i> being the state of the element's <code
+ title="attr-script-crossorigin">crossorigin</code> content attribute, the <i
+ title="">origin</i> being the <span>origin</span> of the <code>script</code> element's
+ <code>Document</code>, and the <i>default origin behaviour</i> set to <i>taint</i>.</p>
+
+ <p>The resource obtained in this fashion can be either <span>CORS-same-origin</span> or
+ <span>CORS-cross-origin</span>. This only affects how error reporting happens.</p>
+
+ <p>For historical reasons, if the <span>URL</span> is a <span title="javascript
+ protocol"><code title="">javascript:</code> URL</span>, then the user agent must not, despite
+ the requirements in the definition of the <span title="fetch">fetching</span> algorithm,
+ actually execute the script in the URL; instead the user agent must act as if it had received
+ an empty HTTP 400 response.</p>
+
+ <p>For performance reasons, user agents may start fetching the script (as defined above) as
+ soon as the <code title="attr-script-src">src</code> attribute is set, instead, in the hope
+ that the element will be inserted into the document (and that the <code
+ title="attr-script-crossorigin">crossorigin</code> attribute won't change value in the
+ meantime). Either way, once the element is <span title="insert an element into a
+ document">inserted into the document</span>, the load must have started as described in this
+ step. If the UA performs such prefetching, but the element is never inserted in the document,
+ or the <code title="attr-script-src">src</code> attribute is dynamically changed,<!-- or the
+ base URL is dynamically changed,--> or the <code
+ title="attr-script-crossorigin">crossorigin</code> attribute is dynamically changed, then the
+ user agent will not execute the script so obtained, and the fetching process will have been
+ effectively wasted.</p>
+
+ </li>
+
+ </ol>
+
</li>
<!-- at this point if the element is "parser-inserted" then we know
@@ -17673,6 +17695,11 @@
from which the script was obtained, and <var>the script
block's type</var>.</p>
+ <p>If the script came from a resource that was <span title="fetch">fetched</span> in the
+ steps above, and the resource was <span>CORS-cross-origin</span>, then pass the <var
+ title="">muted errors</var> flag to the <span>create a script from a node</span>
+ algorithm.</p>
+
<p class="note">This is where the script is compiled and
actually executed.</p>
@@ -17721,11 +17748,15 @@
<p>The IDL attributes <dfn
title="dom-script-src"><code>src</code></dfn>, <dfn
title="dom-script-type"><code>type</code></dfn>, <dfn
- title="dom-script-charset"><code>charset</code></dfn>, and <dfn
+ title="dom-script-charset"><code>charset</code></dfn>, <dfn
title="dom-script-defer"><code>defer</code></dfn>, each must
<span>reflect</span> the respective content attributes of the same
name.</p>
+ <p>The <dfn title="dom-script-crossOrigin"><code>crossOrigin</code></dfn> IDL attribute must
+ <span>reflect</span> the <code title="attr-script-crossorigin">crossorigin</code> content
+ attribute.</p>
+
<p>The <dfn title="dom-script-async"><code>async</code></dfn> IDL
attribute controls whether the element will execute asynchronously
or not. If the element's <span>"force-async"</span> flag is set,
@@ -85134,6 +85165,16 @@
</dd>
+ <dt>Optionally, a <dfn>muted errors</dfn> flag</dt>
+
+ <dd>
+
+ <p>A flag which, if set, means that error information will not be provided for errors in this
+ script (used to mute errors for cross-origin scripts, since that can leak private
+ information).</p>
+
+ </dd>
+
</dl>
</div>
@@ -85213,12 +85254,11 @@
<h5 id="creating-scripts">Creating scripts</h5>
- <p>When the specification says that a <span
- title="concept-script">script</span> is to be <dfn title="create a
- script">created</dfn>, given some script source, a script source
- URL, its scripting language, a global object, a browsing context, a
- document, a referrer source, a URL character encoding, and a base
- URL, the user agent must run the following steps:</p>
+ <p>When the specification says that a <span title="concept-script">script</span> is to be <dfn
+ title="create a script">created</dfn>, given some script source, a script source URL, its
+ scripting language, a global object, a browsing context, a document, a referrer source, a URL
+ character encoding, a base URL, and optionally a <var title="">muted errors</var> flag, the user
+ agent must run the following steps:</p>
<ol>
@@ -85245,6 +85285,9 @@
<span>script's base URL</span> from the settings passed to this
algorithm.</p></li>
+ <li><p>If the <var title="">muted errors</var> flag was set, then set the script's <span>muted
+ errors</span> flag also.</p></li>
+
<li>
<p>If all the steps above succeeded (in particular, if the script
@@ -85253,14 +85296,12 @@
title="concept-script">script</span>'s <i>initial code
entry-point</i>.</p>
- <p>Otherwise, <span>report the error</span> at the script source
- URL, with the problematic position (line number and column
- number), in the script's <span>origin</span>, using the <code
- title="handler-window-onerror">onerror</code> <span title="event
- handlers">event handler</span> of the <span>script's global
- object</span>. If the error is still <i
- title="concept-error-nothandled">not handled</i> after this, then
- the error may be reported to the user.</p>
+ <p>Otherwise, <span>report the error</span> for the <span title="concept-script">script</span>,
+ with the problematic position (line number and column number), in the script's
+ <span>origin</span>, using the <code title="handler-window-onerror">onerror</code> <span
+ title="event handlers">event handler</span> of the <span>script's global object</span>. If the
+ error is still <i title="concept-error-nothandled">not handled</i> after this, then the error
+ may be reported to the user.</p>
</li>
@@ -85280,14 +85321,13 @@
<hr>
- <p>When the specification says that a <span
- title="concept-script">script</span> is to be <dfn title="create a
- script from a node">created from a node</dfn> <var
- title="">node</var>, given some script source, its URL, and its
- scripting language, the user agent must <span>create a
- script</span>, using the given script source, URL, and scripting
- language, and using <span>the script settings determined from the
- node</span> <var title="">node</var>.</p>
+ <p>When the specification says that a <span title="concept-script">script</span> is to be <dfn
+ title="create a script from a node">created from a node</dfn> <var title="">node</var>, given some
+ script source, its URL, its scripting language, and optionally a <var title="">muted errors</var>
+ flag, the user agent must <span>create a script</span>, using the given script source, URL, and
+ scripting language, <span>the script settings determined from the node</span> <var
+ title="">node</var>, and, if the <var title="">muted errors</var> flag was set in the call to this
+ algorithm, the <var title="">muted errors</var> flag.</p>
<p><dfn>The script settings determined from the node</dfn> <var
title="">node</var> are computed as follows:</p>
@@ -85369,14 +85409,11 @@
<h5 id="runtime-script-errors">Runtime script errors</h5>
- <p>When the user agent is required to <dfn title="report the
- error">report an error</dfn> at a particular <span>URL</span> <var
- title="">location</var> with a particular position <var
- title="">line</var>:<var title="">col</var> in a particular origin <var
- title="">origin</var>, using the <span title="event handlers">event
- handler</span> <var title="">onerror</var>, it must run these steps,
- after which the error is either <dfn
- title="concept-error-handled"><i>handled</i></dfn> or <dfn
+ <p>When the user agent is required to <dfn title="report the error">report an error</dfn> for a
+ particular <span title="concept-script">script</span> <var title="">script</var> with a particular
+ position <var title="">line</var>:<var title="">col</var>, using the <span title="event
+ handlers">event handler</span> <var title="">onerror</var>, it must run these steps, after which
+ the error is either <dfn title="concept-error-handled"><i>handled</i></dfn> or <dfn
title="concept-error-nothandled"><i>not handled</i></dfn>:</p>
<dl class="switch">
@@ -85391,12 +85428,9 @@
<li><p>Let <var title="">message</var> be a user-agent-defined
string describing the error in a helpful manner.</p></li>
- <li><p>If the <var title="">location</var> <span>URL</span> does
- not have a <span title="same origin">same</span>
- <span>origin</span> as the <var title="">origin</var>, then set
- <var title="">message</var> to "<code title="">Script
- error.</code>", set <var title="">location</var> to the empty
- string, and set <var title="">line</var> and <var
+ <li><p>If <var title="">script</var> has <span>muted errors</span>, then set <var
+ title="">message</var> to "<code title="">Script error.</code>", set <var
+ title="">location</var> to the empty string, and set <var title="">line</var> and <var
title="">col</var> to 0.</p></li>
<li>
@@ -85434,19 +85468,14 @@
<h6>Runtime script errors in documents</h6>
- <p>Whenever an uncaught runtime script error occurs in one of the
- scripts associated with a <code>Document</code>, the user agent must
- <span>report the error</span> at the URL of the resource containing
- the script (as established when the <span
- title="concept-script">script</span> was <span title="create a
- script">created</span>), with the problematic position (line number
- and column number) in that resource, in the script's
- <span>origin</span>, using the <code
- title="handler-window-onerror">onerror</code> <span title="event
- handlers">event handler</span> of the <span>script's global
- object</span>. If the error is still <i
- title="concept-error-nothandled">not handled</i> after this, then
- the error may be reported to the user.</p>
+ <p>Whenever an uncaught runtime script error occurs in one of the scripts associated with a
+ <code>Document</code>, the user agent must <span>report the error</span> for the relevant <span
+ title="concept-script">script</span>, with the problematic position (line number and column
+ number) in the resource containing the script, using the <code
+ title="handler-window-onerror">onerror</code> <span title="event handlers">event handler</span> of
+ the <span>script's global object</span>. If the error is still <i
+ title="concept-error-nothandled">not handled</i> after this, then the error may be reported to the
+ user.</p>
<p>The resource containing the script will typically be the file
from which the <code>Document</code> was parsed, e.g. for inline
@@ -86340,18 +86369,13 @@
<li><p>If <var title="">H</var>'s value is null, then abort these
steps.</p></li>
- <li><p>If <var title="">H</var>'s value is an <span
- title="concept-handler-error">internal error value</span>, then set
- the <span title="event handlers">event handler</span> to null and
- then <span>report the error</span> at the appropriate URL and with
- the appropriate position (line number and column number), as
- established when the error was detected, in the <span>origin</span>
- of the <code>Document</code> of the node of the <span title="event
- handler content attributes">event handler content attribute</span>,
- using the <code title="handler-window-onerror">onerror</code> <span
- title="event handlers">event handler</span> of the
- <code>Window</code> object of that <code>Document</code>, and abort
- these steps.</p></li>
+ <li><p>If <var title="">H</var>'s value is an <span title="concept-handler-error">internal error
+ value</span>, then set the <span title="event handlers">event handler</span> to null and then
+ <span>report the error</span> for the appropriate <span title="concept-script">script</span> and
+ with the appropriate position (line number and column number), as established when the error was
+ detected, using the <code title="handler-window-onerror">onerror</code> <span title="event
+ handlers">event handler</span> of the <code>Window</code> object of that <code>Document</code>,
+ and abort these steps.</p></li>
<li><p>Let <var title="">callback</var> be <var title="">H</var>'s
value, the callback that the <span title="event handlers">event
@@ -94733,15 +94757,11 @@
<h4>Runtime script errors</h4>
- <p>Whenever an uncaught runtime script error occurs in one of the
- worker's scripts, if the error did not occur while handling a
- previous script error, the user agent must <span>report the
- error</span> at the <span>URL</span> of the resource that contained
- the script, with the position (line number and column number) where
- the error occurred, in the <span>origin</span> of the scripts
- running in the worker, using the <code>WorkerGlobalScope</code>
- object's <code
- title="handler-WorkerGlobalScope-onerror">onerror</code> attribute.
+ <p>Whenever an uncaught runtime script error occurs in one of the worker's scripts, if the error
+ did not occur while handling a previous script error, the user agent must <span>report the
+ error</span> for that <span title="concept-script">script</span>, with the position (line number
+ and column number) where the error occurred, using the <code>WorkerGlobalScope</code> object's
+ <code title="handler-WorkerGlobalScope-onerror">onerror</code> attribute.
<!--END complete-->
<a href="#refsHTML">[HTML]</a>
<!--START complete-->
@@ -95427,6 +95447,10 @@
title="concept-script">script</span> that was created by the
worker's <span>run a worker</span> algorithm.</p>
+ <p>If the script came from a resource whose <span>URL</span> does not have the <span>same
+ origin</span> as the <span>worker origin</span>, then pass the <var title="">muted
+ errors</var> flag to the <span>create a script from a node</span> algorithm.</p>
+
<p>Let the newly created <span
title="concept-script">script</span> run until it either
returns, fails to parse, fails to catch an exception, or gets
More information about the Commit-Watchers
mailing list