[html5] r7836 - [giow] (3) Fix <area> to match <a> in terms of security checking. Also, some edi [...]
whatwg at whatwg.org
whatwg at whatwg.org
Mon Apr 15 12:11:16 PDT 2013
Author: ianh
Date: 2013-04-15 12:11:14 -0700 (Mon, 15 Apr 2013)
New Revision: 7836
Modified:
complete.html
index
source
Log:
[giow] (3) Fix <area> to match <a> in terms of security checking. Also, some editorial fixes.
Fixing https://www.w3.org/Bugs/Public/show_bug.cgi?id=21654
Affected topics: DOM APIs, HTML, Video Text Tracks, Workers
Modified: complete.html
===================================================================
--- complete.html 2013-04-15 18:15:34 UTC (rev 7835)
+++ complete.html 2013-04-15 19:11:14 UTC (rev 7836)
@@ -19052,6 +19052,7 @@
<div class=impl>
+<!--CLEANUP-->
<p>The <code title=attr-hyperlink-href><a href=#attr-hyperlink-href>href</a></code>, <code title=attr-hyperlink-target><a href=#attr-hyperlink-target>target</a></code>, <code title=attr-hyperlink-download><a href=#attr-hyperlink-download>download</a></code>, and <code title=attr-hyperlink-ping><a href=#ping>ping</a></code>
attributes affect what happens when users <a href=#following-hyperlinks title="following hyperlinks">follow
hyperlinks</a> or <a href=#downloading-hyperlinks title="downloading hyperlinks">download hyperlinks</a> created using
@@ -19066,13 +19067,20 @@
<!-- http://software.hixie.ch/utilities/js/live-dom-viewer/saved/2033 -->
<!-- (didn't test if the bc has to be active) -->
- <li><p>If either the <code><a href=#the-a-element>a</a></code> element has a <code title=attr-hyperlink-download><a href=#attr-hyperlink-download>download</a></code> attribute and the algorithm is not <a href=#allowed-to-show-a-popup>allowed
- to show a popup</a>, or the element's <code title=attr-hyperlink-target><a href=#attr-hyperlink-target>target</a></code>
- attribute is present and applying <a href=#the-rules-for-choosing-a-browsing-context-given-a-browsing-context-name>the rules for choosing a browsing context given a
- browsing context name</a>, using the value of the <code title=attr-hyperlink-target><a href=#attr-hyperlink-target>target</a></code> attribute as the browsing context name, would result
- in there not being a chosen browsing context, then throw an <code><a href=#invalidaccesserror>InvalidAccessError</a></code>
- exception and abort these steps.</li>
+ <li>
+ <p>If either the <code><a href=#the-a-element>a</a></code> element has a <code title=attr-hyperlink-download><a href=#attr-hyperlink-download>download</a></code> attribute and the algorithm is not <a href=#allowed-to-show-a-popup>allowed
+ to show a popup</a>, or the element's <code title=attr-hyperlink-target><a href=#attr-hyperlink-target>target</a></code>
+ attribute is present and applying <a href=#the-rules-for-choosing-a-browsing-context-given-a-browsing-context-name>the rules for choosing a browsing context given a
+ browsing context name</a>, using the value of the <code title=attr-hyperlink-target><a href=#attr-hyperlink-target>target</a></code> attribute as the browsing context name, would result
+ in there not being a chosen browsing context, then run these substeps:</p>
+
+ <ol><li><p>If there is an <a href=#entry-script>entry script</a>, throw an <code><a href=#invalidaccesserror>InvalidAccessError</a></code> exception.</li>
+
+ <li><p>Abort these steps witout following the hyperlink.</li>
+
+ </ol></li>
+
<li><p>If the target of the <code title=event-click><a href=#event-click>click</a></code> event is an <code><a href=#the-img-element>img</a></code>
element with an <code title=attr-img-ismap><a href=#attr-img-ismap>ismap</a></code> attribute specified, then server-side
image map processing must be performed, as follows:</p>
@@ -31569,9 +31577,9 @@
<li><p>Add <var title="">cue</var> to the method's <code><a href=#texttrack>TextTrack</a></code> object's <a href=#text-track>text
track</a>'s <a href=#text-track-list-of-cues>text track list of cues</a>.</li>
- <li><p>If the <code>TextTrack object's <a href=#text-track>text track</a> is in a <a href=#media-element>media
+ <li><p>If the <code><a href=#texttrack>TextTrack</a></code> object's <a href=#text-track>text track</a> is in a <a href=#media-element>media
element</a>'s <a href=#list-of-text-tracks>list of text tracks</a>, run the <i><a href=#time-marches-on>time marches on</a></i> steps for that
- <a href=#media-element>media element</a>.</code></li>
+ <a href=#media-element>media element</a>.</li>
</ol><p>The <dfn id=dom-texttrack-removecue title=dom-TextTrack-removeCue><code>removeCue(<var title="">cue</var>)</code></dfn>
method of <code><a href=#texttrack>TextTrack</a></code> objects, when invoked, must run the following steps:</p>
@@ -38967,19 +38975,27 @@
<div class=impl>
+<!--CLEANUP-->
<p>The <a href=#activation-behavior>activation behavior</a> of <code><a href=#the-area-element>area</a></code> elements is to run the following
steps:</p>
<ol><!-- c.f. <a>'s similar section --><li><p>If the <code><a href=#the-a-element>a</a></code> element's <code><a href=#document>Document</a></code> is not in a <a href=#browsing-context>browsing
context</a>, then abort these steps.</li>
- <li><p>If the <code title=event-click><a href=#event-click>click</a></code> event in question is not <a href=#concept-events-trusted title=concept-events-trusted>trusted</a> (i.e. a <code title=dom-click><a href=#dom-click>click()</a></code>
- method call was the reason for the event being dispatched), and the <code><a href=#the-area-element>area</a></code> element has
- a <code title=attr-hyperlink-download><a href=#attr-hyperlink-download>download</a></code> attribute or the element's <code title=attr-hyperlink-target><a href=#attr-hyperlink-target>target</a></code> attribute is present and applying <a href=#the-rules-for-choosing-a-browsing-context-given-a-browsing-context-name>the rules for
- choosing a browsing context given a browsing context name</a>, using the value of the <code title=attr-hyperlink-target><a href=#attr-hyperlink-target>target</a></code> attribute as the browsing context name, would result
- in there not being a chosen browsing context, then throw an <code><a href=#invalidaccesserror>InvalidAccessError</a></code>
- exception and abort these steps.</li>
+ <li>
+ <p>If the <code><a href=#the-area-element>area</a></code> element has
+ a <code title=attr-hyperlink-download><a href=#attr-hyperlink-download>download</a></code> attribute and the algorithm is not
+ <a href=#allowed-to-show-a-popup>allowed to show a popup</a>, or the element's <code title=attr-hyperlink-target><a href=#attr-hyperlink-target>target</a></code> attribute is present and applying <a href=#the-rules-for-choosing-a-browsing-context-given-a-browsing-context-name>the rules for
+ choosing a browsing context given a browsing context name</a>, using the value of the <code title=attr-hyperlink-target><a href=#attr-hyperlink-target>target</a></code> attribute as the browsing context name, would result
+ in there not being a chosen browsing context, then run these substeps:</p>
+
+ <ol><li><p>If there is an <a href=#entry-script>entry script</a>, throw an <code><a href=#invalidaccesserror>InvalidAccessError</a></code> exception.</li>
+
+ <li><p>Abort these steps witout following the hyperlink.</li>
+
+ </ol></li>
+
<li><p>Otherwise, the user agent must <a href=#following-hyperlinks title="following hyperlinks">follow the
hyperlink</a> or <a href=#downloading-hyperlinks title="downloading hyperlinks">download the hyperlink</a> created by
the <code><a href=#the-area-element>area</a></code> element, if any, and as determined by the <code title=attr-hyperlink-download><a href=#attr-hyperlink-download>download</a></code> attribute and any expressed user
@@ -79537,6 +79553,7 @@
<h4 id=importing-scripts-and-libraries><span class=secno>9.3.1 </span>Importing scripts and libraries</h4>
+<!--CLEANUP-->
<p>When a script invokes the <dfn id=dom-workerglobalscope-importscripts title=dom-WorkerGlobalScope-importScripts><code>importScripts(<var title="">urls</var>)</code></dfn> method on a
<code><a href=#workerglobalscope>WorkerGlobalScope</a></code> object, the user agent must run the
following steps:</p>
@@ -79548,7 +79565,7 @@
argument.</li>
<li><p>If any fail, throw a <code><a href=#syntaxerror>SyntaxError</a></code>
- exception.</li>
+ exception and abort these steps.</li>
<li>
@@ -82792,6 +82809,7 @@
};
<a href=#window>Window</a> implements <a href=#windowlocalstorage>WindowLocalStorage</a>;</pre>
+<!--CLEANUP-->
<p>The <dfn id=dom-localstorage title=dom-localStorage><code>localStorage</code></dfn>
object provides a <code><a href=#storage-0>Storage</a></code> object for an
<a href=#origin>origin</a>.
@@ -82813,7 +82831,7 @@
marcos uses them from another spec -->
<ol><li><p>The user agent may throw a <code><a href=#securityerror>SecurityError</a></code>
- exception instead of returning a <code><a href=#storage-0>Storage</a></code> object if the
+ exception and abort these steps instead of returning a <code><a href=#storage-0>Storage</a></code> object if the
request violates a policy decision (e.g. if the user agent is
configured to not allow the page to persist data).</li>
Modified: index
===================================================================
--- index 2013-04-15 18:15:34 UTC (rev 7835)
+++ index 2013-04-15 19:11:14 UTC (rev 7836)
@@ -19052,6 +19052,7 @@
<div class=impl>
+<!--CLEANUP-->
<p>The <code title=attr-hyperlink-href><a href=#attr-hyperlink-href>href</a></code>, <code title=attr-hyperlink-target><a href=#attr-hyperlink-target>target</a></code>, <code title=attr-hyperlink-download><a href=#attr-hyperlink-download>download</a></code>, and <code title=attr-hyperlink-ping><a href=#ping>ping</a></code>
attributes affect what happens when users <a href=#following-hyperlinks title="following hyperlinks">follow
hyperlinks</a> or <a href=#downloading-hyperlinks title="downloading hyperlinks">download hyperlinks</a> created using
@@ -19066,13 +19067,20 @@
<!-- http://software.hixie.ch/utilities/js/live-dom-viewer/saved/2033 -->
<!-- (didn't test if the bc has to be active) -->
- <li><p>If either the <code><a href=#the-a-element>a</a></code> element has a <code title=attr-hyperlink-download><a href=#attr-hyperlink-download>download</a></code> attribute and the algorithm is not <a href=#allowed-to-show-a-popup>allowed
- to show a popup</a>, or the element's <code title=attr-hyperlink-target><a href=#attr-hyperlink-target>target</a></code>
- attribute is present and applying <a href=#the-rules-for-choosing-a-browsing-context-given-a-browsing-context-name>the rules for choosing a browsing context given a
- browsing context name</a>, using the value of the <code title=attr-hyperlink-target><a href=#attr-hyperlink-target>target</a></code> attribute as the browsing context name, would result
- in there not being a chosen browsing context, then throw an <code><a href=#invalidaccesserror>InvalidAccessError</a></code>
- exception and abort these steps.</li>
+ <li>
+ <p>If either the <code><a href=#the-a-element>a</a></code> element has a <code title=attr-hyperlink-download><a href=#attr-hyperlink-download>download</a></code> attribute and the algorithm is not <a href=#allowed-to-show-a-popup>allowed
+ to show a popup</a>, or the element's <code title=attr-hyperlink-target><a href=#attr-hyperlink-target>target</a></code>
+ attribute is present and applying <a href=#the-rules-for-choosing-a-browsing-context-given-a-browsing-context-name>the rules for choosing a browsing context given a
+ browsing context name</a>, using the value of the <code title=attr-hyperlink-target><a href=#attr-hyperlink-target>target</a></code> attribute as the browsing context name, would result
+ in there not being a chosen browsing context, then run these substeps:</p>
+
+ <ol><li><p>If there is an <a href=#entry-script>entry script</a>, throw an <code><a href=#invalidaccesserror>InvalidAccessError</a></code> exception.</li>
+
+ <li><p>Abort these steps witout following the hyperlink.</li>
+
+ </ol></li>
+
<li><p>If the target of the <code title=event-click><a href=#event-click>click</a></code> event is an <code><a href=#the-img-element>img</a></code>
element with an <code title=attr-img-ismap><a href=#attr-img-ismap>ismap</a></code> attribute specified, then server-side
image map processing must be performed, as follows:</p>
@@ -31569,9 +31577,9 @@
<li><p>Add <var title="">cue</var> to the method's <code><a href=#texttrack>TextTrack</a></code> object's <a href=#text-track>text
track</a>'s <a href=#text-track-list-of-cues>text track list of cues</a>.</li>
- <li><p>If the <code>TextTrack object's <a href=#text-track>text track</a> is in a <a href=#media-element>media
+ <li><p>If the <code><a href=#texttrack>TextTrack</a></code> object's <a href=#text-track>text track</a> is in a <a href=#media-element>media
element</a>'s <a href=#list-of-text-tracks>list of text tracks</a>, run the <i><a href=#time-marches-on>time marches on</a></i> steps for that
- <a href=#media-element>media element</a>.</code></li>
+ <a href=#media-element>media element</a>.</li>
</ol><p>The <dfn id=dom-texttrack-removecue title=dom-TextTrack-removeCue><code>removeCue(<var title="">cue</var>)</code></dfn>
method of <code><a href=#texttrack>TextTrack</a></code> objects, when invoked, must run the following steps:</p>
@@ -38967,19 +38975,27 @@
<div class=impl>
+<!--CLEANUP-->
<p>The <a href=#activation-behavior>activation behavior</a> of <code><a href=#the-area-element>area</a></code> elements is to run the following
steps:</p>
<ol><!-- c.f. <a>'s similar section --><li><p>If the <code><a href=#the-a-element>a</a></code> element's <code><a href=#document>Document</a></code> is not in a <a href=#browsing-context>browsing
context</a>, then abort these steps.</li>
- <li><p>If the <code title=event-click><a href=#event-click>click</a></code> event in question is not <a href=#concept-events-trusted title=concept-events-trusted>trusted</a> (i.e. a <code title=dom-click><a href=#dom-click>click()</a></code>
- method call was the reason for the event being dispatched), and the <code><a href=#the-area-element>area</a></code> element has
- a <code title=attr-hyperlink-download><a href=#attr-hyperlink-download>download</a></code> attribute or the element's <code title=attr-hyperlink-target><a href=#attr-hyperlink-target>target</a></code> attribute is present and applying <a href=#the-rules-for-choosing-a-browsing-context-given-a-browsing-context-name>the rules for
- choosing a browsing context given a browsing context name</a>, using the value of the <code title=attr-hyperlink-target><a href=#attr-hyperlink-target>target</a></code> attribute as the browsing context name, would result
- in there not being a chosen browsing context, then throw an <code><a href=#invalidaccesserror>InvalidAccessError</a></code>
- exception and abort these steps.</li>
+ <li>
+ <p>If the <code><a href=#the-area-element>area</a></code> element has
+ a <code title=attr-hyperlink-download><a href=#attr-hyperlink-download>download</a></code> attribute and the algorithm is not
+ <a href=#allowed-to-show-a-popup>allowed to show a popup</a>, or the element's <code title=attr-hyperlink-target><a href=#attr-hyperlink-target>target</a></code> attribute is present and applying <a href=#the-rules-for-choosing-a-browsing-context-given-a-browsing-context-name>the rules for
+ choosing a browsing context given a browsing context name</a>, using the value of the <code title=attr-hyperlink-target><a href=#attr-hyperlink-target>target</a></code> attribute as the browsing context name, would result
+ in there not being a chosen browsing context, then run these substeps:</p>
+
+ <ol><li><p>If there is an <a href=#entry-script>entry script</a>, throw an <code><a href=#invalidaccesserror>InvalidAccessError</a></code> exception.</li>
+
+ <li><p>Abort these steps witout following the hyperlink.</li>
+
+ </ol></li>
+
<li><p>Otherwise, the user agent must <a href=#following-hyperlinks title="following hyperlinks">follow the
hyperlink</a> or <a href=#downloading-hyperlinks title="downloading hyperlinks">download the hyperlink</a> created by
the <code><a href=#the-area-element>area</a></code> element, if any, and as determined by the <code title=attr-hyperlink-download><a href=#attr-hyperlink-download>download</a></code> attribute and any expressed user
@@ -79537,6 +79553,7 @@
<h4 id=importing-scripts-and-libraries><span class=secno>9.3.1 </span>Importing scripts and libraries</h4>
+<!--CLEANUP-->
<p>When a script invokes the <dfn id=dom-workerglobalscope-importscripts title=dom-WorkerGlobalScope-importScripts><code>importScripts(<var title="">urls</var>)</code></dfn> method on a
<code><a href=#workerglobalscope>WorkerGlobalScope</a></code> object, the user agent must run the
following steps:</p>
@@ -79548,7 +79565,7 @@
argument.</li>
<li><p>If any fail, throw a <code><a href=#syntaxerror>SyntaxError</a></code>
- exception.</li>
+ exception and abort these steps.</li>
<li>
@@ -82792,6 +82809,7 @@
};
<a href=#window>Window</a> implements <a href=#windowlocalstorage>WindowLocalStorage</a>;</pre>
+<!--CLEANUP-->
<p>The <dfn id=dom-localstorage title=dom-localStorage><code>localStorage</code></dfn>
object provides a <code><a href=#storage-0>Storage</a></code> object for an
<a href=#origin>origin</a>.
@@ -82813,7 +82831,7 @@
marcos uses them from another spec -->
<ol><li><p>The user agent may throw a <code><a href=#securityerror>SecurityError</a></code>
- exception instead of returning a <code><a href=#storage-0>Storage</a></code> object if the
+ exception and abort these steps instead of returning a <code><a href=#storage-0>Storage</a></code> object if the
request violates a policy decision (e.g. if the user agent is
configured to not allow the page to persist data).</li>
Modified: source
===================================================================
--- source 2013-04-15 18:15:34 UTC (rev 7835)
+++ source 2013-04-15 19:11:14 UTC (rev 7836)
@@ -1,4 +1,4 @@
-ne<!-- EDITOR NOTES -*- mode: Text; fill-column: 100 -*-
+<!-- EDITOR NOTES -*- mode: Text; fill-column: 100 -*-
!
! Adding a new element involves editing the following sections:
! - section for the element itself
@@ -19842,6 +19842,7 @@
<div class="impl">
+<!--CLEANUP-->
<p>The <code title="attr-hyperlink-href">href</code>, <code
title="attr-hyperlink-target">target</code>, <code
title="attr-hyperlink-download">download</code>, and <code title="attr-hyperlink-ping">ping</code>
@@ -19862,15 +19863,26 @@
<!-- http://software.hixie.ch/utilities/js/live-dom-viewer/saved/2033 -->
<!-- (didn't test if the bc has to be active) -->
- <li><p>If either the <code>a</code> element has a <code
- title="attr-hyperlink-download">download</code> attribute and the algorithm is not <span>allowed
- to show a popup</span>, or the element's <code title="attr-hyperlink-target">target</code>
- attribute is present and applying <span>the rules for choosing a browsing context given a
- browsing context name</span>, using the value of the <code
- title="attr-hyperlink-target">target</code> attribute as the browsing context name, would result
- in there not being a chosen browsing context, then throw an <code>InvalidAccessError</code>
- exception and abort these steps.</p></li>
+ <li>
+ <p>If either the <code>a</code> element has a <code
+ title="attr-hyperlink-download">download</code> attribute and the algorithm is not <span>allowed
+ to show a popup</span>, or the element's <code title="attr-hyperlink-target">target</code>
+ attribute is present and applying <span>the rules for choosing a browsing context given a
+ browsing context name</span>, using the value of the <code
+ title="attr-hyperlink-target">target</code> attribute as the browsing context name, would result
+ in there not being a chosen browsing context, then run these substeps:</p>
+
+ <ol>
+
+ <li><p>If there is an <span>entry script</span>, throw an <code>InvalidAccessError</code> exception.</p></li>
+
+ <li><p>Abort these steps witout following the hyperlink.</p></li>
+
+ </ol>
+
+ </li>
+
<li><p>If the target of the <code title="event-click">click</code> event is an <code>img</code>
element with an <code title="attr-img-ismap">ismap</code> attribute specified, then server-side
image map processing must be performed, as follows:</p>
@@ -33924,7 +33936,7 @@
<li><p>Add <var title="">cue</var> to the method's <code>TextTrack</code> object's <span>text
track</span>'s <span>text track list of cues</span>.</p></li>
- <li><p>If the <code>TextTrack</span> object's <span>text track</span> is in a <span>media
+ <li><p>If the <code>TextTrack</code> object's <span>text track</span> is in a <span>media
element</span>'s <span>list of text tracks</span>, run the <i>time marches on</i> steps for that
<span>media element</span>.</p></li>
@@ -42665,6 +42677,7 @@
<div class="impl">
+<!--CLEANUP-->
<p>The <span>activation behavior</span> of <code>area</code> elements is to run the following
steps:</p>
@@ -42673,16 +42686,26 @@
<li><p>If the <code>a</code> element's <code>Document</code> is not in a <span>browsing
context</span>, then abort these steps.</p></li>
- <li><p>If the <code title="event-click">click</code> event in question is not <span
- title="concept-events-trusted">trusted</span> (i.e. a <code title="dom-click">click()</code>
- method call was the reason for the event being dispatched), and the <code>area</code> element has
- a <code title="attr-hyperlink-download">download</code> attribute or the element's <code
- title="attr-hyperlink-target">target</code> attribute is present and applying <span>the rules for
- choosing a browsing context given a browsing context name</span>, using the value of the <code
- title="attr-hyperlink-target">target</code> attribute as the browsing context name, would result
- in there not being a chosen browsing context, then throw an <code>InvalidAccessError</code>
- exception and abort these steps.</p></li>
+ <li>
+ <p>If the <code>area</code> element has
+ a <code title="attr-hyperlink-download">download</code> attribute and the algorithm is not
+ <span>allowed to show a popup</span>, or the element's <code
+ title="attr-hyperlink-target">target</code> attribute is present and applying <span>the rules for
+ choosing a browsing context given a browsing context name</span>, using the value of the <code
+ title="attr-hyperlink-target">target</code> attribute as the browsing context name, would result
+ in there not being a chosen browsing context, then run these substeps:</p>
+
+ <ol>
+
+ <li><p>If there is an <span>entry script</span>, throw an <code>InvalidAccessError</code> exception.</p></li>
+
+ <li><p>Abort these steps witout following the hyperlink.</p></li>
+
+ </ol>
+
+ </li>
+
<li><p>Otherwise, the user agent must <span title="following hyperlinks">follow the
hyperlink</span> or <span title="downloading hyperlinks">download the hyperlink</span> created by
the <code>area</code> element, if any, and as determined by the <code
@@ -88753,6 +88776,7 @@
<h4>Importing scripts and libraries</h4>
+<!--CLEANUP-->
<p>When a script invokes the <dfn
title="dom-WorkerGlobalScope-importScripts"><code>importScripts(<var
title="">urls</var>)</code></dfn> method on a
@@ -88768,7 +88792,7 @@
argument.</p></li>
<li><p>If any fail, throw a <code>SyntaxError</code>
- exception.</p></li>
+ exception and abort these steps.</p></li>
<li>
@@ -92553,6 +92577,7 @@
};
<span>Window</span> implements <span>WindowLocalStorage</span>;</pre>
+<!--CLEANUP-->
<p>The <dfn title="dom-localStorage"><code>localStorage</code></dfn>
object provides a <code>Storage</code> object for an
<span>origin</span>.
@@ -92576,7 +92601,7 @@
<ol>
<li><p>The user agent may throw a <code>SecurityError</code>
- exception instead of returning a <code>Storage</code> object if the
+ exception and abort these steps instead of returning a <code>Storage</code> object if the
request violates a policy decision (e.g. if the user agent is
configured to not allow the page to persist data).</p></li>
More information about the Commit-Watchers
mailing list