[html5] r8262 - [] (3) Move the spec from a stack of incumbent scripts to a stack of script sett [...]
whatwg at whatwg.org
whatwg at whatwg.org
Fri Nov 8 15:21:02 PST 2013
Author: ianh
Date: 2013-11-08 15:21:01 -0800 (Fri, 08 Nov 2013)
New Revision: 8262
Modified:
complete.html
index
source
Log:
[] (3) Move the spec from a stack of incumbent scripts to a stack of script settings object. This should in theory have no concrete effects (though I may have changed some of the origin used for Web Workers started from document.domain-affected scripts that were called from other scripts with different original origins).
Fixing https://www.w3.org/Bugs/Public/show_bug.cgi?id=22863
Affected topics: Canvas, DOM APIs, HTML, HTML Syntax and Parsing, Security, Workers
Modified: complete.html
===================================================================
--- complete.html 2013-11-07 22:41:52 UTC (rev 8261)
+++ complete.html 2013-11-08 23:21:01 UTC (rev 8262)
@@ -298,7 +298,7 @@
<header class=head id=head><p><a href=http://www.whatwg.org/ class=logo><img width=101 src=/images/logo alt=WHATWG height=101></a></p>
<hgroup><h1 class=allcaps>HTML</h1>
- <h2 class="no-num no-toc">Living Standard — Last Updated 7 November 2013</h2>
+ <h2 class="no-num no-toc">Living Standard — Last Updated 8 November 2013</h2>
</hgroup><dl><dt><strong>Web developer edition:</strong></dt>
<dd><strong><a href=http://developers.whatwg.org/>http://developers.whatwg.org/</a></strong></dd>
<dt>Multiple-page version:</dt>
@@ -8492,12 +8492,14 @@
<!--ADD-TOPIC:Security-->
<h4 id=security-document><span class=secno>3.1.2 </span>Security</h4>
+<!--CLEANUP-->
<p id=security>User agents must throw a <code><a href=#securityerror>SecurityError</a></code> exception whenever any
- properties of a <code><a href=#document>Document</a></code> object are accessed when the <a href=#incumbent-script>incumbent script</a>
- has an <a href=#effective-script-origin>effective script origin</a> that is not the <a href=#same-origin title="same origin">same</a>
+ properties of a <code><a href=#document>Document</a></code> object are accessed when the <a href=#incumbent-settings-object>incumbent settings object</a>
+ specifies an <a href=#effective-script-origin>effective script origin</a> that is not the <a href=#same-origin title="same origin">same</a>
as the <code><a href=#document>Document</a></code>'s <a href=#effective-script-origin>effective script origin</a>.</p>
- <p>When the <a href=#incumbent-script>incumbent script</a>'s <a href=#effective-script-origin>effective script origin</a> is different than
+<!--CLEANUP-->
+ <p>When the <a href=#incumbent-settings-object>incumbent settings object</a> specifies an <a href=#effective-script-origin>effective script origin</a> that is different than
a <code><a href=#document>Document</a></code> object's <a href=#effective-script-origin>effective script origin</a>, the user agent must act as
if <!--(redundant since you can't access any anyway) any changes to that <code>Document</code>
object's properties, getters, setters, etc, were not present, and as if--> all the properties of
@@ -9096,7 +9098,7 @@
<!--CLEANUP-->
<li><p><a href=#resolve-a-url title="resolve a url">Resolve</a> the method's first argument, relative to the
<a href=#api-base-url>API base URL</a> specified by the
- <a href=#entry-script>entry script</a>'s <a href=#settings-object>settings object</a>. If this is not
+ <a href=#entry-settings-object>entry settings object</a>. If this is not
successful, throw a <code><a href=#syntaxerror>SyntaxError</a></code> exception and abort these steps. Otherwise, let <var title="">url</var> be the resulting <a href=#absolute-url>absolute URL</a>.</li>
<li><p>If the <a href=#origin>origin</a> of <var title="">url</var> is not the same as the
@@ -9123,8 +9125,8 @@
<!--CLEANUP-->
<li><p><a href=#fetch>Fetch</a><!--FETCH--> <var title="">url</var> from the <a href=#origin>origin</a> of
- <var title="">document</var>, using the <a href=#api-referrer-source>API referrer source</a> specified by the <a href=#entry-script>entry script</a>'s
- <a href=#settings-object>settings object</a>, with the <i title="">synchronous flag</i> set and the <i title="">force same-origin flag</i> set.</li>
+ <var title="">document</var>, using the <a href=#api-referrer-source>API referrer source</a> specified by the <a href=#entry-settings-object>entry
+ settings object</a>, with the <i title="">synchronous flag</i> set and the <i title="">force same-origin flag</i> set.</li>
<li>
@@ -17484,7 +17486,8 @@
browsing context name</a>, using the value of the <code title=attr-hyperlink-target><a href=#attr-hyperlink-target>target</a></code> attribute as the browsing context name, would result
in there not being a chosen browsing context, then run these substeps:</p>
- <ol><li><p>If there is an <a href=#entry-script>entry script</a>, throw an <code><a href=#invalidaccesserror>InvalidAccessError</a></code> exception.</li>
+ <ol><li><p>If there is an <a href=#entry-settings-object>entry settings object</a>, throw an
+ <code><a href=#invalidaccesserror>InvalidAccessError</a></code> exception.</li>
<li><p>Abort these steps without following the hyperlink.</li>
@@ -31325,7 +31328,7 @@
<code title=attr-hyperlink-target><a href=#attr-hyperlink-target>target</a></code> attribute as the browsing context name, would
result in there not being a chosen browsing context, then run these substeps:</p>
- <ol><li><p>If there is an <a href=#entry-script>entry script</a>, throw an <code><a href=#invalidaccesserror>InvalidAccessError</a></code>
+ <ol><!--CLEANUP--><li><p>If there is an <a href=#entry-settings-object>entry settings object</a>, throw an <code><a href=#invalidaccesserror>InvalidAccessError</a></code>
exception.</li>
<li><p>Abort these steps without following the hyperlink.</li>
@@ -55754,9 +55757,10 @@
object's bitmap image data must be used as the source image.</p>
<!--ADD-TOPIC:Security-->
+<!--CLEANUP-->
<p><dfn id=the-image-argument-is-not-origin-clean>The <var title="">image argument</var> is not origin-clean</dfn> if it is an
<code><a href=#htmlimageelement>HTMLImageElement</a></code> or <code><a href=#htmlvideoelement>HTMLVideoElement</a></code> whose <a href=#origin>origin</a> is not
- the <a href=#same-origin title="same origin">same</a> as the <a href=#entry-script>entry script</a>'s <a href=#origin>origin</a>,
+ the <a href=#same-origin title="same origin">same</a> as the <a href=#origin>origin</a> specified by the <a href=#entry-settings-object>entry settings object</a>,
or if it is an <code><a href=#htmlcanvaselement>HTMLCanvasElement</a></code> whose bitmap's <a href=#concept-canvas-origin-clean title=concept-canvas-origin-clean>origin-clean</a> flag is false, or if it is a
<code><a href=#canvasrenderingcontext2d>CanvasRenderingContext2D</a></code> object whose <a href=#scratch-bitmap>scratch bitmap</a>'s <a href=#concept-canvas-origin-clean title=concept-canvas-origin-clean>origin-clean</a> flag is false.</p>
<!--REMOVE-TOPIC:Security-->
@@ -56257,9 +56261,10 @@
</li>
<!--ADD-TOPIC:Security-->
+<!--CLEANUP-->
<li><p>If the <a href=#text-preparation-algorithm>text preparation algorithm</a> used a font that has an <a href=#origin>origin</a>
- that is not the <a href=#same-origin title="same origin">same</a> as the <a href=#entry-script>entry script</a>'s
- <a href=#origin>origin</a> (even if "using a font" means just checking if that font has a particular
+ that is not the <a href=#same-origin title="same origin">same</a> as the
+ <a href=#origin>origin</a> specified by the <a href=#entry-settings-object>entry settings object</a> (even if "using a font" means just checking if that font has a particular
glyph in it before falling back to another font), then set the <a href=#scratch-bitmap>scratch bitmap</a>'s
<a href=#concept-canvas-origin-clean title=concept-canvas-origin-clean>origin-clean</a> flag to false.</li> <!--
because fonts could consider sensitive material, I guess; and because that sensitivity could
@@ -63650,9 +63655,10 @@
<ol><li><p>If <var title="">d</var> is not a <code><a href=#document>Document</a></code> in a <a href=#nested-browsing-context>nested browsing
context</a>, return null and abort these steps.</li>
+<!--CLEANUP-->
<li><p>If the <a href=#browsing-context-container>browsing context container</a>'s <code><a href=#document>Document</a></code> does not have the
- <a href=#same-origin title="same origin">same</a> <a href=#effective-script-origin>effective script origin</a> as the <a href=#entry-script>entry
- script</a>, then throw a <code><a href=#securityerror>SecurityError</a></code> exception and abort these steps.</li>
+ <a href=#same-origin title="same origin">same</a> <a href=#effective-script-origin>effective script origin</a> as the <a href=#effective-script-origin>effective script origin</a> specified by the <a href=#entry-settings-object>entry
+ settings object</a>, then throw a <code><a href=#securityerror>SecurityError</a></code> exception and abort these steps.</li>
<li><p>Return the <a href=#browsing-context-container>browsing context container</a> for <var title="">b</var>.</li>
@@ -64276,8 +64282,9 @@
how cross-origin cross-global access to <code><a href=#window>Window</a></code> and <code><a href=#location>Location</a></code> objects
should work. See <a href="https://www.w3.org/Bugs/Public/show_bug.cgi?id=20701">bug 20701</a>.</p>
+<!--CLEANUP-->
<p id=security-2>User agents must throw a <code><a href=#securityerror>SecurityError</a></code> exception whenever any
- properties of a <code><a href=#window>Window</a></code> object are accessed when the <a href=#incumbent-script>incumbent script</a> has
+ properties of a <code><a href=#window>Window</a></code> object are accessed when the <a href=#incumbent-settings-object>incumbent settings object</a> specifies
an <a href=#effective-script-origin>effective script origin</a> that is not the <a href=#same-origin title="same origin">same</a> as
<a href=#concept-document-window title=concept-document-window>the <code>Window</code> object's
<code>Document</code></a>'s <a href=#effective-script-origin>effective script origin</a>, with the following
@@ -64309,7 +64316,7 @@
<li>The <a href=#dynamic-nested-browsing-context-properties>dynamic nested browsing context properties</a>
- </ul><p>When the <a href=#incumbent-script>incumbent script</a>'s <a href=#effective-script-origin>effective script origin</a> is different than
+ </ul><!--CLEANUP--><p>When the <a href=#incumbent-settings-object>incumbent settings object</a> specifies an <a href=#effective-script-origin>effective script origin</a> that is different than
a <a href=#concept-document-window title=concept-document-window><code>Window</code> object's
<code>Document</code></a>'s <a href=#effective-script-origin>effective script origin</a>, the user agent must act as if
any changes to that <code><a href=#window>Window</a></code> object's properties, getters, setters, etc, were not
@@ -64399,7 +64406,7 @@
<p>The first argument, <var title="">url</var>, must be a <a href=#valid-non-empty-url>valid non-empty URL</a> for a
page to load in the browsing context. If the first argument is the empty string, then the <var title="">url</var> argument must be interpreted as "<code><a href=#about:blank>about:blank</a></code>". Otherwise, the
argument must be <a href=#resolve-a-url title="resolve a url">resolved</a> to an <a href=#absolute-url>absolute URL</a> (or
- an error), relative to the <a href=#api-base-url>API base URL</a> specified by the <a href=#entry-script>entry script</a>'s <a href=#settings-object>settings
+ an error), relative to the <a href=#api-base-url>API base URL</a> specified by the <a href=#entry-settings-object>entry settings
object</a> when the method was invoked.</p>
<p>The second argument, <var title="">target</var>, specifies the <a href=#browsing-context-name title="browsing context
@@ -64440,7 +64447,7 @@
context</a> was just created as part of <a href=#the-rules-for-choosing-a-browsing-context-given-a-browsing-context-name>the rules for choosing a browsing context given a
browsing context name</a>, then <a href=#replacement-enabled title="replacement enabled">replacement must be
enabled</a>. The navigation must be done with the <a href=#responsible-browsing-context>responsible
- browsing context</a> specified by the <a href=#incumbent-script>incumbent script</a>'s <a href=#settings-object>settings object</a> as the <a href=#source-browsing-context>source browsing
+ browsing context</a> specified by the <a href=#incumbent-settings-object>incumbent settings object</a> as the <a href=#source-browsing-context>source browsing
context</a>. If the <a href=#resolve-a-url>resolve a URL</a> algorithm failed, then the user agent may either
instead <a href=#navigate>navigate</a> to an inline error page, using the same replacement behavior and
source browsing context behavior as described earlier in this paragraph; or treat the <var title="">url</var> as "<code><a href=#about:blank>about:blank</a></code>", acting as described in the next paragraph.</p>
@@ -64472,13 +64479,13 @@
<a href=#script-closable>script-closable</a>.</li>
<!--CLEANUP-->
- <li>The <a href=#responsible-browsing-context>responsible browsing context</a> specified by the <a href=#incumbent-script>incumbent
- script</a>'s <a href=#settings-object>settings object</a> is <a href=#familiar-with>familiar
+ <li>The <a href=#responsible-browsing-context>responsible browsing context</a> specified by the <a href=#incumbent-settings-object>incumbent
+ settings object</a> is <a href=#familiar-with>familiar
with</a> the <a href=#browsing-context>browsing context</a> <var title="">A</var>.</li>
<!--CLEANUP-->
<li id=sandboxClose>The <a href=#responsible-browsing-context>responsible browsing context</a> specified by the
- <a href=#incumbent-script>incumbent script</a>'s <a href=#settings-object>settings object</a>
+ <a href=#incumbent-settings-object>incumbent settings object</a>
is <a href=#allowed-to-navigate>allowed to navigate</a> the <a href=#browsing-context>browsing
context</a> <var title="">A</var>.</li>
@@ -64529,8 +64536,7 @@
elements that are <a href=#in-a-document title="in a document">in the <code>Document</code></a> that is the
<a href=#active-document>active document</a> of that <code><a href=#window>Window</a></code> object, if that <code><a href=#window>Window</a></code>'s
<a href=#browsing-context>browsing context</a> shares the same <a href=#event-loop>event loop</a> as the <a href=#responsible-document>responsible
- document</a> specified by the <a href=#settings-object>settings object</a> of the
- <a href=#entry-script>entry script</a> accessing the IDL attribute; otherwise,
+ document</a> specified by the <a href=#entry-settings-object>entry settings object</a> accessing the IDL attribute; otherwise,
it must return zero.</p>
<!-- in other words, frames are only accessible to same-thread processes -->
@@ -64959,12 +64965,12 @@
<dd>
<p>The <a href=#origin>origin</a> is an <a href=#concept-origin-alias title=concept-origin-alias>alias</a> to the
- <a href=#origin>origin</a> of the <a href=#incumbent-script>incumbent script</a> when the <a href=#navigate>navigate</a>
+ <a href=#origin>origin</a> specified by the <a href=#incumbent-settings-object>incumbent settings object</a> when the <a href=#navigate>navigate</a>
algorithm was invoked, or, if no <a href=#concept-script title=concept-script>script</a> was involved, of
the <code><a href=#document>Document</a></code> of the element that initiated the <a href=#navigate title=navigate>navigation</a> to that <a href=#url>URL</a>.</p>
<p>The <a href=#effective-script-origin>effective script origin</a> is initially an <a href=#concept-origin-alias title=concept-origin-alias>alias</a> to the <a href=#effective-script-origin>effective script origin</a> of that
- same <a href=#concept-script title=concept-script>script</a> or <code><a href=#document>Document</a></code>.</p>
+ same <a href=#script-settings-object>script settings object</a> or <code><a href=#document>Document</a></code>.</p>
</dd>
@@ -65082,81 +65088,9 @@
</dd>
-
- <dt>For scripts</dt>
-
- <dd>
-
- <p>The <a href=#origin>origin</a> and <a href=#effective-script-origin>effective script origin</a> of a script are determined
- from another resource, called the <i>owner</i>:</p>
-
- <dl class=switch><dt>If a script is in a <code><a href=#the-script-element>script</a></code> element</dt>
-
- <dd>The owner is the <code><a href=#document>Document</a></code> to which the <code><a href=#the-script-element>script</a></code> element
- belongs.</dd>
-
-
- <dt>If a script is in an <a href=#event-handler-content-attributes title="event handler content attributes">event handler content
- attribute</a></dt>
-
- <dd>The owner is the <code><a href=#document>Document</a></code> to which the attribute node belongs.</dd>
-
-
- <dt>If a script is a function or other code reference created by another script</dt>
-
- <dd>The owner is the <a href=#incumbent-script>incumbent script</a> when the function or other code reference
- was created.</dd>
-
-
- <dt>If a script is a <a href=#javascript-protocol title="javascript protocol"><code title="">javascript:</code>
- URL</a> that was returned as the location of an HTTP redirect (<a href=#concept-http-equivalent-codes title=concept-http-equivalent-codes>or equivalent</a> in other protocols)</dt>
-
- <dd>The owner is the <a href=#url>URL</a> that redirected to the <a href=#javascript-protocol title="javascript
- protocol"><code title="">javascript:</code> URL</a>.</dd>
-
-
- <dt>If a script is a <a href=#javascript-protocol title="javascript protocol"><code title="">javascript:</code>
- URL</a> in an attribute</dt>
-
- <dd>The owner is the <code><a href=#document>Document</a></code> of the element on which the attribute is found.</dd>
-
-
- <dt>If a script is a <a href=#javascript-protocol title="javascript protocol"><code title="">javascript:</code>
- URL</a> in a style sheet</dt>
-
- <dd>The owner is the <a href=#url>URL</a> of the style sheet.</dd>
-
-
- <dt>If a script is a <a href=#javascript-protocol title="javascript protocol"><code title="">javascript:</code>
- URL</a> to which a <a href=#browsing-context>browsing context</a> is being <a href=#navigate title=navigate>navigated</a>, the URL having been provided by the user (e.g. by using a
- <i>bookmarklet</i>)</dt>
-
- <dd>The owner is the <code><a href=#document>Document</a></code> of the <a href=#browsing-context>browsing context</a>'s <a href=#active-document>active
- document</a>.</dd>
-
-
- <dt>If a script is a <a href=#javascript-protocol title="javascript protocol"><code title="">javascript:</code>
- URL</a> to which a <a href=#browsing-context>browsing context</a> is being <a href=#navigate title=navigate>navigated</a>, the URL having been declared in markup</dt>
-
- <dd>The owner is the <code><a href=#document>Document</a></code> of the element (e.g. an <code><a href=#the-a-element>a</a></code> or
- <code><a href=#the-area-element>area</a></code> element) that declared the URL.</dd>
-
-
- <dt>If a script is a <a href=#javascript-protocol title="javascript protocol"><code title="">javascript:</code>
- URL</a> to which a <a href=#browsing-context>browsing context</a> is being <a href=#navigate title=navigate>navigated</a>, the URL having been provided by script</dt>
-
- <dd>The owner is the <a href=#incumbent-script>incumbent script</a> when the <a href=#navigate>navigate</a> algorithm was
- invoked.</dd>
-
- </dl><p>The <a href=#origin>origin</a> of the script is then an <a href=#concept-origin-alias title=concept-origin-alias>alias</a> to the <a href=#origin>origin</a> of the owner, and the
- <a href=#effective-script-origin>effective script origin</a> of the script is an <a href=#concept-origin-alias title=concept-origin-alias>alias</a> to the <a href=#effective-script-origin>effective script origin</a> of the
- owner.</p>
-
- </dd>
-
</dl><p>Other specifications can override the above definitions by themselves specifying the origin of
- a particular <a href=#url>URL</a>, <code><a href=#document>Document</a></code>, image, <a href=#media-element>media element</a>, font, or
- <a href=#concept-script title=concept-script>script</a>.</p>
+ a particular <a href=#url>URL</a>, <code><a href=#document>Document</a></code>, image, <a href=#media-element>media element</a>, or
+ font.</p>
<!-- e.g.:
@@ -65987,7 +65921,7 @@
<ol><!--CLEANUP--><li><a href=#resolve-a-url title="resolve a url">Resolve</a> the value of the third argument, relative to the
<a href=#api-base-url>API base URL</a> specified by the
- <a href=#entry-script>entry script</a>'s <a href=#settings-object>settings object</a>.</li>
+ <a href=#entry-settings-object>entry settings object</a>.</li>
<li>If that fails, throw a <code><a href=#securityerror>SecurityError</a></code> exception and abort these steps.</li>
@@ -65999,8 +65933,8 @@
<!--CLEANUP-->
<li>If the <a href=#origin>origin</a> of the resulting <a href=#absolute-url>absolute URL</a> is not the same as
- the <a href=#origin>origin</a> of the <a href=#responsible-document>responsible document</a> specified by the <a href=#entry-script>entry script</a>'s
- <a href=#settings-object>settings object</a>, and either the <a href=#concept-url-path title=concept-url-path>path</a> or <a href=#concept-url-query title=concept-url-query>query</a> components of the two <a href=#parsed-url title="parsed URL">parsed
+ the <a href=#origin>origin</a> of the <a href=#responsible-document>responsible document</a> specified by the <a href=#entry-settings-object>entry
+ settings object</a>, and either the <a href=#concept-url-path title=concept-url-path>path</a> or <a href=#concept-url-query title=concept-url-query>query</a> components of the two <a href=#parsed-url title="parsed URL">parsed
URLs</a> compared in the previous step differ, throw a <code><a href=#securityerror>SecurityError</a></code> exception
and abort these steps. (This prevents sandboxed content from spoofing other pages on the same
origin.)</li>
@@ -66258,7 +66192,7 @@
<!--CLEANUP-->
<p>When the <dfn id=dom-location-assign title=dom-location-assign><code>assign(<var title="">url</var>)</code></dfn>
method is invoked, the UA must <a href=#resolve-a-url title="resolve a url">resolve</a> the argument, relative
- to the <a href=#api-base-url>API base URL</a> specified by the <a href=#entry-script>entry script</a>'s <a href=#settings-object>settings object</a>, and if that is
+ to the <a href=#api-base-url>API base URL</a> specified by the <a href=#entry-settings-object>entry settings object</a>, and if that is
successful, must <a href=#navigate>navigate</a><!--DONAV location.href/assign--> the <a href=#browsing-context>browsing
context</a> to the specified <var title="">url</var>. If the <a href=#browsing-context>browsing context</a>'s
<a href=#session-history>session history</a> contains only one <code><a href=#document>Document</a></code>, and that was the
@@ -66271,13 +66205,13 @@
<!--CLEANUP-->
<p>When the <dfn id=dom-location-replace title=dom-location-replace><code>replace(<var title="">url</var>)</code></dfn>
method is invoked, the UA must <a href=#resolve-a-url title="resolve a url">resolve</a> the argument, relative
- to the <a href=#api-base-url>API base URL</a> specified by the <a href=#entry-script>entry script</a>'s <a href=#settings-object>settings object</a>, and if that is
+ to the <a href=#api-base-url>API base URL</a> specified by the <a href=#entry-settings-object>entry settings object</a>, and if that is
successful, <a href=#navigate>navigate</a><!--DONAV location.href/replace--> the <a href=#browsing-context>browsing
context</a> to the specified <var title="">url</var> with <a href=#replacement-enabled>replacement enabled</a>.</p>
<!--CLEANUP-->
<p>Navigation for the <code title=dom-location-assign><a href=#dom-location-assign>assign()</a></code> and <code title=dom-location-replace><a href=#dom-location-replace>replace()</a></code> methods must be done with the <a href=#responsible-browsing-context>responsible browsing context</a> specified by
- the <a href=#incumbent-script>incumbent script</a>'s <a href=#settings-object>settings object</a> as the <a href=#source-browsing-context>source
+ the <a href=#incumbent-settings-object>incumbent settings object</a> as the <a href=#source-browsing-context>source
browsing context</a>.</p>
<p>If the <a href=#resolve-a-url title="resolve a url">resolving</a> step of the <code title=dom-location-assign><a href=#dom-location-assign>assign()</a></code> and <code title=dom-location-replace><a href=#dom-location-replace>replace()</a></code> methods is not successful, then the user agent must
@@ -66343,8 +66277,8 @@
<!--CLEANUP-->
<p>The element's <code><a href=#urlutils>URLUtils</a></code> interface's <a href=#concept-uu-get-the-base title=concept-uu-get-the-base>get the
- base</a> algorithm must return the <a href=#api-base-url>API base URL</a> specified by the <a href=#entry-script>entry script</a>'s
- <a href=#settings-object>settings object</a>, if there is one, or null otherwise.</p>
+ base</a> algorithm must return the <a href=#api-base-url>API base URL</a> specified by the <a href=#entry-settings-object>entry
+ settings object</a>, if there is one, or null otherwise.</p>
<p>The element's <code><a href=#urlutils>URLUtils</a></code> interface's <a href=#concept-uu-query-encoding title=concept-uu-query-encoding>query
encoding</a> is the <a href="#document's-character-encoding">document's character encoding</a>.</p>
@@ -66390,29 +66324,30 @@
should work. See <a href="https://www.w3.org/Bugs/Public/show_bug.cgi?id=20701">bug 20701</a>.</p>
<p id=security-3>User agents must throw a <code><a href=#securityerror>SecurityError</a></code> exception whenever any
- properties of a <code><a href=#location>Location</a></code> object are accessed when the <a href=#entry-script>entry script</a> has
+ properties of a <code><a href=#location>Location</a></code> object are accessed when the <a href=#entry-settings-object>entry settings object</a> specifies
an <a href=#effective-script-origin>effective script origin</a> that is not the <a href=#same-origin title="same origin">same</a> as
the <code><a href=#location>Location</a></code> object's associated <code><a href=#document>Document</a></code>'s <a href=#browsing-context>browsing
context</a>'s <a href=#active-document>active document</a>'s <a href=#effective-script-origin>effective script origin</a>, with the
following exceptions:</p>
<ul><!--CLEANUP--><li>The <code title=dom-url-href><a href=#dom-url-href>href</a></code> setter, if the <a href=#responsible-browsing-context>responsible browsing context</a>
- specified by the <a href=#entry-script>entry script</a>'s
- <a href=#settings-object>settings object</a> is <a href=#familiar-with>familiar with</a> the <a href=#browsing-context>browsing
+ specified by the <a href=#entry-settings-object>entry
+ settings object</a> is <a href=#familiar-with>familiar with</a> the <a href=#browsing-context>browsing
context</a> with which the <code><a href=#location>Location</a></code> object is associated
<!--CLEANUP-->
<li>The <code title=dom-location-replace><a href=#dom-location-replace>replace()</a></code> method, if the <a href=#responsible-browsing-context>responsible
- browsing context</a> specified by the <a href=#entry-script>entry script</a>'s
- <a href=#settings-object>settings object</a> is <a href=#familiar-with>familiar with</a> the
+ browsing context</a> specified by the <a href=#entry-settings-object>entry
+ settings object</a> is <a href=#familiar-with>familiar with</a> the
<a href=#browsing-context>browsing context</a> with which the <code><a href=#location>Location</a></code> object is associated
+<!--CLEANUP-->
<li>Any properties not defined in the IDL for the <code><a href=#location>Location</a></code> object or indirectly via
- one of those properties (e.g. <code title="">toString()</code>, which is defined via the <code title="">stringifier</code> keyword), if the <a href=#entry-script>entry script</a>'s <a href=#effective-script-origin>effective script
- origin</a> is the <a href=#same-origin>same origin</a> as the <code><a href=#location>Location</a></code> object's associated
+ one of those properties (e.g. <code title="">toString()</code>, which is defined via the <code title="">stringifier</code> keyword), if the <a href=#effective-script-origin>effective script
+ origin</a> specified by the <a href=#entry-settings-object>entry settings object</a> is the <a href=#same-origin>same origin</a> as the <code><a href=#location>Location</a></code> object's associated
<code><a href=#document>Document</a></code>'s <a href=#effective-script-origin>effective script origin</a>
- </ul><p>When the <a href=#entry-script>entry script</a>'s <a href=#effective-script-origin>effective script origin</a> is different than a
+ </ul><p>When the <a href=#effective-script-origin>effective script origin</a> specified by the <a href=#entry-settings-object>entry settings object</a> is different than a
<code><a href=#location>Location</a></code> object's associated <code><a href=#document>Document</a></code>'s <a href=#effective-script-origin>effective script
origin</a>, the user agent must act as if any changes to that <code><a href=#location>Location</a></code> object's
properties, getters, setters, etc, were not present, and as if all the properties of that
@@ -69999,14 +69934,6 @@
</dd>
- <dt>An <dfn title="">owner</dfn>, <dfn title="">origin</dfn>, and <dfn title="">effective origin</dfn></dt>
-
- <dd>
-
- <p>There are defined in the <a href=#origin>origin</a> section.</p>
-
- </dd>
-
</dl><hr><p>A <dfn id=script-settings-object>script settings object</dfn> specifies algorithms for obtaining the following:</p>
<dl><dt>A <dfn id=script-execution-environment>script execution environment</dfn> for each language supported by the user agent</dt>
@@ -70111,6 +70038,14 @@
</dd>
+ <dt>An <a href=#origin>origin</a> and an <a href=#effective-script-origin>effective script origin</a></dt>
+
+ <dd>
+
+ <p>An instrument used in security checks.</p>
+
+ </dd>
+
</dl><h5 id=script-settings-for-browsing-contexts><span class=secno>7.1.3.2 </span>Script settings for browsing contexts</h5>
<p>Whenever a new <code><a href=#window>Window</a></code> object is created, it must also create a <a href=#script-settings-object>script
@@ -70184,18 +70119,36 @@
</dd>
+ <dt>The <a href=#origin>origin</a></dt>
+ <dd>
+
+ <p>Return the <a href=#origin>origin</a> of the <code><a href=#document>Document</a></code> with which the
+ <code><a href=#window>Window</a></code> is currently associated.</p>
+
+ </dd>
+
+ <dt>The <a href=#effective-script-origin>effective script origin</a></dt>
+ <dd>
+
+ <p>Return the <a href=#effective-script-origin>effective script origin</a> of the <code><a href=#document>Document</a></code> with which the
+ <code><a href=#window>Window</a></code> is currently associated.</p>
+
+ </dd>
+
</dl><h5 id=calling-scripts><span class=secno>7.1.3.3 </span>Calling scripts</h5>
- <p>Each <a href=#unit-of-related-similar-origin-browsing-contexts>unit of related similar-origin browsing contexts</a> has a <dfn id=stack-of-incumbent-scripts>stack of
- incumbent scripts</dfn>, which must be initially empty. When a new script is <i>pushed</i> onto
- this stack, the specified script is to be added to the stack; when the script on this stack that
+<!--CLEANUP-->
+ <p>Each <a href=#unit-of-related-similar-origin-browsing-contexts>unit of related similar-origin browsing contexts</a> has a <dfn id=stack-of-script-settings-objects>stack of
+ script settings objects</dfn>, which must be initially empty. When a new <a href=#script-settings-object>script settings object</a> is <i>pushed</i> onto
+ this stack, the specified <a href=#script-settings-object>script settings object</a> is to be added to the stack; when the <a href=#script-settings-object>script settings object</a> on this stack that
was most recently pushed onto it is to be <i>popped</i> from the stack, it must be removed.
- Entries on this stack can be labeled as <dfn id=candidate-entry-scripts>candidate entry scripts</dfn>.</p>
+ Entries on this stack can be labeled as <dfn id=candidate-entry-settings-object title="candidate entry settings object">candidate entry settings objects</dfn>.</p>
<p>When a user agent is to <dfn id=jump-to-a-code-entry-point>jump to a code entry-point</dfn> for a <a href=#concept-script title=concept-script>script</a>, the user agent must run the following steps:</p>
<ol><li><p>Let <var title="">s</var> be the given <a href=#concept-script title=concept-script>script</a>.</li>
+<!--CLEANUP-->
<li><p><a href=#prepare-to-run-a-script-based-callback>Prepare to run a script-based callback</a> with <var title="">s</var> as both the
new incumbent <a href=#concept-script title=concept-script>script</a> and the owner <a href=#concept-script title=concept-script>script</a>. If this returns "do not run" then abort these
steps.</li>
@@ -70221,49 +70174,56 @@
<li><p>If <a href=#concept-bc-noscript title=concept-bc-noscript>scripting is disabled</a> for the <a href=#responsible-browsing-context>responsible browsing context</a> specified by <var title="">o</var>'s <a href=#settings-object>settings object</a>, then return
"do not run" and abort these steps.</p>
- <li><p>Push <var title="">s</var> onto the <a href=#stack-of-incumbent-scripts>stack of incumbent scripts</a>, and label it
- as a <a href=#candidate-entry-scripts title="candidate entry scripts">candidate entry script</a>.</li>
+<!--CLEANUP-->
+ <li><p>Push <var title="">s</var>'s <a href=#settings-object>settings object</a> onto the <a href=#stack-of-script-settings-objects>stack of script settings objects</a>, and label it
+ as a <a href=#candidate-entry-settings-object>candidate entry settings object</a>.</li>
<li><p>Return "run".</li>
- </ol><p>The steps to <dfn id=prepare-to-run-a-non-script-based-callback>prepare to run a non-script-based callback</dfn> are as follows. They are
- invoked with a new incumbent <a href=#concept-script title=concept-script>script</a> <var title="">s</var> and,
+ </ol><!--CLEANUP--><p>The steps to <dfn id=prepare-to-run-a-non-script-based-callback>prepare to run a non-script-based callback</dfn> are as follows. They are
+ invoked with a new <a href=#script-settings-object>script settings object</a> <var title="">s</var> and,
in principle, return either "run" or "do not run" (though in practice they always return
"run").</p>
- <ol><li><p>Push <var title="">s</var> onto the <a href=#stack-of-incumbent-scripts>stack of incumbent scripts</a>.</li>
+ <ol><li><p>Push <var title="">s</var> onto the <a href=#stack-of-script-settings-objects>stack of script settings objects</a>.</li>
<li><p>Return "run".</li>
</ol><p>The steps to <dfn id=clean-up-after-running-a-callback>clean up after running a callback</dfn> are as follows:</p>
- <ol><li><p>Pop the current <a href=#incumbent-script>incumbent script</a> from the <a href=#stack-of-incumbent-scripts>stack of incumbent
- scripts</a>.</li>
+ <ol><!--CLEANUP--><li><p>Pop the current <a href=#incumbent-settings-object>incumbent settings object</a> from the <a href=#stack-of-script-settings-objects>stack of script settings
+ objects</a>.</li>
- <li><p>If the <a href=#stack-of-incumbent-scripts>stack of incumbent scripts</a> is now empty, <a href=#run-the-global-script-clean-up-jobs>run the global script
+<!--CLEANUP-->
+ <li><p>If the <a href=#stack-of-script-settings-objects>stack of script settings objects</a> is now empty, <a href=#run-the-global-script-clean-up-jobs>run the global script
clean-up jobs</a>. (These cannot run scripts.)</li>
- <li><p>If the <a href=#stack-of-incumbent-scripts>stack of incumbent scripts</a> is now empty, <a href=#perform-a-microtask-checkpoint>perform a microtask
+<!--CLEANUP-->
+ <li><p>If the <a href=#stack-of-script-settings-objects>stack of script settings objects</a> is now empty, <a href=#perform-a-microtask-checkpoint>perform a microtask
checkpoint</a>. (If this runs scripts, these algorithms will be invoked reentrantly.)</li>
</ol><p class=note>These algorithms are not invoked by one script directly calling another, but they
can be invoked reentrantly in an indirect manner, e.g. if a script dispatches an event which has
event listeners registered.</p>
- <p>When a JavaScript <i>SourceElements</i> production is to be evaluated, the <a href=#concept-script title=concept-script>script</a> corresponding to that <i>SourceElements</i> must be pushed
- onto the <a href=#stack-of-incumbent-scripts>stack of incumbent scripts</a> before the evaluation begins, and popped when the
+<!--CLEANUP-->
+ <p>When a JavaScript <i>SourceElements</i> production is to be evaluated, the <a href=#settings-object>settings object</a> of the <a href=#concept-script title=concept-script>script</a> corresponding to that <i>SourceElements</i> must be pushed
+ onto the <a href=#stack-of-script-settings-objects>stack of script settings objects</a> before the evaluation begins, and popped when the
evaluation ends (regardless of whether it's an abrupt completion or not).</p>
- <p>The <dfn id=entry-script>entry script</dfn> is the most-recently added <a href=#concept-script title=concept-script>script</a> in the <a href=#stack-of-incumbent-scripts>stack of incumbent scripts</a> that is
- labeled as a <a href=#candidate-entry-scripts title="candidate entry scripts">candidate entry script</a>. If the stack is
- empty, or has no entries labeled as such, then there is no <a href=#entry-script>entry script</a>. It is used
+<!--CLEANUP-->
+ <p>The <dfn id=entry-settings-object>entry settings object</dfn> is the most-recently added <a href=#script-settings-object>script settings object</a>
+ in the <a href=#stack-of-script-settings-objects>stack of script settings objects</a> that is
+ labeled as a <a href=#candidate-entry-settings-object>candidate entry settings object</a>. If the stack is
+ empty, or has no entries labeled as such, then there is no <a href=#entry-settings-object>entry settings object</a>. It is used
to obtain, amongst other things, the <a href=#api-base-url>API base URL</a> to <a href=#resolve-a-url title="resolve a
url">resolve</a> relative <a href=#url title=URL>URLs</a> used in scripts running in that
<a href=#unit-of-related-similar-origin-browsing-contexts>unit of related similar-origin browsing contexts</a>.</p>
- <p>The <dfn id=incumbent-script>incumbent script</dfn> is the <a href=#concept-script title=concept-script>script</a> in the
- <a href=#stack-of-incumbent-scripts>stack of incumbent scripts</a> that was most-recently added (i.e. the last one on the
- stack). If the stack is empty, then there is no <a href=#incumbent-script>incumbent script</a>. It is used in some
+<!--CLEANUP-->
+ <p>The <dfn id=incumbent-settings-object>incumbent settings object</dfn> is the <a href=#script-settings-object>script settings object</a> in the
+ <a href=#stack-of-script-settings-objects>stack of script settings objects</a> that was most-recently added (i.e. the last one on the
+ stack). If the stack is empty, then there is no <a href=#incumbent-settings-object>incumbent settings object</a>. It is used in some
security checks.</p>
<p class=note>The WebIDL specification also uses these algorithms. <a href=#refsWEBIDL>[WEBIDL]</a></p>
@@ -70697,10 +70657,11 @@
<ol><li><p>Let <var title="">task source</var> be the <a href=#task-source>task source</a> of the currently
running <a href=#concept-task title=concept-task>task</a>.</li>
- <li><p>Let <var title="">old stack of incumbent scripts</var> be a copy of the <a href=#stack-of-incumbent-scripts>stack of
- incumbent scripts</a>.</li>
+<!--CLEANUP-->
+ <li><p>Let <var title="">old stack of script settings objects</var> be a copy of the <a href=#stack-of-script-settings-objects>stack of
+ script settings objects</a>.</li>
- <li><p>Empty the <a href=#stack-of-incumbent-scripts>stack of incumbent scripts</a>.</li>
+ <li><p>Empty the <a href=#stack-of-script-settings-objects>stack of script settings objects</a>.</li>
<li><p><a href=#run-the-global-script-clean-up-jobs>Run the global script clean-up jobs</a>.</li>
@@ -70722,8 +70683,9 @@
source</a> <var title="">task source</var>. Wait until this task runs before continuing these
steps.</li>
- <li><p>Replace the <a href=#stack-of-incumbent-scripts>stack of incumbent scripts</a> with the <var title="">old stack of
- incumbent scripts</var>.</li>
+<!--CLEANUP-->
+ <li><p>Replace the <a href=#stack-of-script-settings-objects>stack of script settings objects</a> with the <var title="">old stack of
+ script settings objects</var>.</li>
<li><p>Return to the caller.</li>
@@ -71908,7 +71870,7 @@
<!--CLEANUP-->
<li><p>Change <a href="#the-document's-address">the document's address</a> to the <a href="#the-document's-address" title="the document's
address">address</a> of the <a href=#responsible-document>responsible document</a> specified by
- the <a href=#entry-script>entry script</a>'s <a href=#settings-object>settings object</a>.</li>
+ the <a href=#entry-settings-object>entry settings object</a>.</li>
<!-- <span>the document's referrer</span> stays the same -->
@@ -72692,9 +72654,10 @@
<ol><li>
+<!--CLEANUP-->
<p><a href=#resolve-a-url title="resolve a url">Resolve</a> <var title="">url</var> relative to the
<a href=#api-base-url>API base URL</a> specified by
- <a href=#entry-script>entry script</a>'s <a href=#settings-object>settings object</a>.</p>
+ the <a href=#entry-settings-object>entry settings object</a>.</p>
<p>If this fails, then throw a <code><a href=#syntaxerror>SyntaxError</a></code> exception and abort these steps.</p>
@@ -72725,16 +72688,17 @@
<!--CLEANUP-->
<p>If the <a href=#active-sandboxing-flag-set>active sandboxing flag set</a> of the <a href=#active-document>active document</a> of the
- <a href=#responsible-browsing-context>responsible browsing context</a> specified by the <a href=#incumbent-script>incumbent
- script</a>'s <a href=#settings-object>settings object</a> has its <a href=#sandboxed-auxiliary-navigation-browsing-context-flag>sandboxed auxiliary navigation browsing context flag</a> set,
+ <a href=#responsible-browsing-context>responsible browsing context</a> specified by the <a href=#incumbent-settings-object>incumbent
+ settings object</a> has its <a href=#sandboxed-auxiliary-navigation-browsing-context-flag>sandboxed auxiliary navigation browsing context flag</a> set,
then return the empty string and abort these steps.</p>
</li>
<li>
- <p>Let <var title="">incumbent origin</var> be the <a href=#effective-script-origin>effective script origin</a> of the
- <a href=#incumbent-script>incumbent script</a> at the time the <code title=dom-showModalDialog><a href=#dom-showmodaldialog>showModalDialog()</a></code> method was called.</p>
+<!--CLEANUP-->
+ <p>Let <var title="">incumbent origin</var> be the <a href=#effective-script-origin>effective script origin</a> specified by the
+ <a href=#incumbent-settings-object>incumbent settings object</a> at the time the <code title=dom-showModalDialog><a href=#dom-showmodaldialog>showModalDialog()</a></code> method was called.</p>
</li>
@@ -72782,8 +72746,8 @@
<!--CLEANUP-->
<p>Set all the flags in the new browsing context's <a href=#popup-sandboxing-flag-set>popup sandboxing flag set</a> that
are set in the <a href=#active-sandboxing-flag-set>active sandboxing flag set</a> of the <a href=#active-document>active document</a> of
- the <a href=#responsible-browsing-context>responsible browsing context</a> specified by the <a href=#incumbent-script>incumbent
- script</a>'s <a href=#settings-object>settings object</a>. The <a href=#responsible-browsing-context>responsible browsing context</a> specified by the <a href=#incumbent-script>incumbent script</a>'s <a href=#settings-object>settings object</a>
+ the <a href=#responsible-browsing-context>responsible browsing context</a> specified by the <a href=#incumbent-settings-object>incumbent
+ settings object</a>. The <a href=#responsible-browsing-context>responsible browsing context</a> specified by the <a href=#incumbent-settings-object>incumbent settings object</a>
must be set as the new browsing context's <a href=#one-permitted-sandboxed-navigator>one permitted sandboxed
navigator</a>.</p>
@@ -72819,7 +72783,7 @@
<p><a href=#navigate>Navigate</a><!--DONAV showModalDialog--> the new <a href=#browsing-context>browsing context</a> to
the <a href=#absolute-url>absolute URL</a> that resulted from <a href=#resolve-a-url title="resolve a url">resolving</a>
<var title="">url</var> earlier, with <a href=#replacement-enabled>replacement enabled</a>, and with the <a href=#responsible-browsing-context>responsible
- browsing context</a> specified by the <a href=#incumbent-script>incumbent script</a>'s <a href=#settings-object>settings object</a>
+ browsing context</a> specified by the <a href=#incumbent-settings-object>incumbent settings object</a>
as the <a href=#source-browsing-context>source browsing context</a>.</p>
</li>
@@ -73283,15 +73247,16 @@
<!--CLEANUP-->
<p>User agents must throw a <code><a href=#syntaxerror>SyntaxError</a></code> exception if <a href=#resolve-a-url title="resolve a
url">resolving</a> the <var title="">url</var> argument relative to the
- <a href=#api-base-url>API base URL</a> specified by the <a href=#entry-script>entry script</a>'s <a href=#settings-object>settings object</a> is not successful.</p>
+ <a href=#api-base-url>API base URL</a> specified by the <a href=#entry-settings-object>entry settings object</a> is not successful.</p>
<p class=note>The resulting <a href=#absolute-url>absolute URL</a> would by definition not be a <a href=#valid-url>valid
URL</a> as it would include the string "<code title="">%s</code>" which is not a valid
component in a URL.</p>
+<!--CLEANUP-->
<p>User agents must throw a <code><a href=#securityerror>SecurityError</a></code> exception if the resulting <a href=#absolute-url>absolute
- URL</a> has an <a href=#origin>origin</a> that differs from the <a href=#origin>origin</a> of the
- <a href=#entry-script>entry script</a>.</p>
+ URL</a> has an <a href=#origin>origin</a> that differs from the <a href=#origin>origin</a> specified by the
+ <a href=#entry-settings-object>entry settings object</a>.</p>
<p class=note>This is forcibly the case if the <code title="">%s</code> placeholder is in the
scheme, host, or port parts of the URL.</p>
@@ -73304,7 +73269,7 @@
literal string "<code title="">%s</code>" in the <var title="">url</var> argument with an
escaped version of the <a href=#absolute-url>absolute URL</a> of the content in question (as defined below),
then <a href=#resolve-a-url title="resolve a url">resolve</a> the resulting URL, relative to the <a href=#api-base-url>API
- base URL</a> specified by the <a href=#entry-script>entry script</a>'s <a href=#settings-object>settings object</a> at the time the <code title=dom-navigator-registerContentHandler><a href=#dom-navigator-registercontenthandler>registerContentHandler()</a></code> or <code title=dom-navigator-registerProtocolHandler><a href=#dom-navigator-registerprotocolhandler>registerProtocolHandler()</a></code> methods were
+ base URL</a> specified by the <a href=#entry-settings-object>entry settings object</a> at the time the <code title=dom-navigator-registerContentHandler><a href=#dom-navigator-registercontenthandler>registerContentHandler()</a></code> or <code title=dom-navigator-registerProtocolHandler><a href=#dom-navigator-registerprotocolhandler>registerProtocolHandler()</a></code> methods were
invoked, and then <a href=#navigate>navigate</a><!--DONAV user--> an appropriate <a href=#browsing-context>browsing
context</a> to the resulting URL using the GET method (<a href=#concept-http-equivalent-get title=concept-http-equivalent-get>or equivalent</a> for non-HTTP URLs).</p>
@@ -73514,13 +73479,14 @@
<!--CLEANUP-->
<li><p><a href=#resolve-a-url title="resolve a URL">Resolve</a> the string relative to the <a href=#api-base-url>API base URL</a>
- specified by the <a href=#entry-script>entry script</a>'s <a href=#settings-object>settings object</a>.</li>
+ specified by the <a href=#entry-settings-object>entry settings object</a>.</li>
<li><p>If this fails, then throw a <code><a href=#syntaxerror>SyntaxError</a></code> exception, aborting the
method.</li>
+<!--CLEANUP-->
<li><p>If the resulting <a href=#absolute-url>absolute URL</a>'s <a href=#origin>origin</a> is not the <a href=#same-origin>same
- origin</a> as that of the <a href=#entry-script>entry script</a>, throw a <code><a href=#securityerror>SecurityError</a></code>
+ origin</a> as the <a href=#origin>origin</a> specified by the <a href=#entry-settings-object>entry settings object</a>, throw a <code><a href=#securityerror>SecurityError</a></code>
exception, aborting the method.</li>
<li><p>Return the resulting <a href=#absolute-url>absolute URL</a> as the result of preprocessing the
@@ -74143,7 +74109,7 @@
<!--CLEANUP-->
<li><p><a href=#resolve-a-url title="resolve a url">Resolve</a> the value of the method's first argument
- relative to the <a href=#api-base-url>API base URL</a> specified by the <a href=#entry-script>entry script</a>'s <a href=#settings-object>settings object</a>.</li>
+ relative to the <a href=#api-base-url>API base URL</a> specified by the <a href=#entry-settings-object>entry settings object</a>.</li>
<li><p>If this fails, abort these steps.</li>
@@ -74159,15 +74125,17 @@
stub method that never returns a non-zero value, or may arbitrarily ignore invocations with
particular arguments for security, privacy, or usability reasons.</li>
- <li><p>If the <a href=#origin>origin</a> of the <a href=#entry-script>entry script</a> is an opaque identifier (i.e.
+<!--CLEANUP-->
+ <li><p>If the <a href=#origin>origin</a> specified by the <a href=#entry-settings-object>entry settings object</a> is an opaque identifier (i.e.
it has no host component), then return 0 and abort these steps.</li>
- <li><p>Let <var title="">host1</var> be the host component of the <a href=#origin>origin</a> of the
- <a href=#entry-script>entry script</a>.</li>
+<!--CLEANUP-->
+ <li><p>Let <var title="">host1</var> be the host component of the <a href=#origin>origin</a> specified by the
+ <a href=#entry-settings-object>entry settings object</a>.</li>
<!--CLEANUP-->
<li><p><a href=#resolve-a-url title="resolve a url">Resolve</a> the <var title="">scriptURL</var> argument
- relative to the <a href=#api-base-url>API base URL</a> specified by the <a href=#entry-script>entry script</a>'s <a href=#settings-object>settings
+ relative to the <a href=#api-base-url>API base URL</a> specified by the <a href=#entry-settings-object>entry settings
object</a>.</li>
<li><p>If this fails, return 0 and abort these steps.</li>
@@ -74312,8 +74280,9 @@
steps.</li>
<!--ADD-TOPIC:Security-->
+<!--CLEANUP-->
<li><p>If the <a href=#origin>origin</a> of the <code><a href=#the-img-element>img</a></code> element's image is not the <a href=#same-origin>same
- origin</a> as the <a href=#entry-script>entry script</a>'s <a href=#origin>origin</a>, then throw a
+ origin</a> as the <a href=#origin>origin</a> specified by the <a href=#entry-settings-object>entry settings object</a>, then throw a
<code><a href=#securityerror>SecurityError</a></code> exception and abort these steps.</li>
<!--REMOVE-TOPIC:Security-->
@@ -74350,8 +74319,9 @@
<code><a href=#invalidstateerror>InvalidStateError</a></code> exception and abort these steps.</li>
<!--ADD-TOPIC:Security-->
+<!--CLEANUP-->
<li><p>If the <a href=#origin>origin</a> of the <code><a href=#the-video-element>video</a></code> element is not the <a href=#same-origin>same
- origin</a> as the <a href=#entry-script>entry script</a>'s <a href=#origin>origin</a>, then throw a
+ origin</a> as the <a href=#origin>origin</a> specified by the <a href=#entry-settings-object>entry settings object</a>, then throw a
<code><a href=#securityerror>SecurityError</a></code> exception and abort these steps.</li>
<!--REMOVE-TOPIC:Security-->
@@ -78104,7 +78074,7 @@
<code>EventSource()</code> constructor is invoked, the UA must run these steps:</p>
<ol><!--CLEANUP--><li><p><a href=#resolve-a-url title="resolve a url">Resolve</a> the <a href=#url>URL</a> specified in the first
- argument, relative to the <a href=#api-base-url>API base URL</a> specified by the <a href=#entry-script>entry script</a>'s <a href=#settings-object>settings
+ argument, relative to the <a href=#api-base-url>API base URL</a> specified by the <a href=#entry-settings-object>entry settings
object</a>.
</li>
@@ -78126,8 +78096,8 @@
<!--CLEANUP-->
<p>Do a <a href=#potentially-cors-enabled-fetch>potentially CORS-enabled fetch</a><!--FETCH--> of the resulting <a href=#absolute-url>absolute
- URL</a> using the <a href=#api-referrer-source>API referrer source</a> specified by the <a href=#entry-script>entry script</a>'s <a href=#settings-object>settings
- object</a>, with the <i>mode</i> being <var title="">CORS mode</var>, and the <i title="">origin</i> being the <a href=#entry-script>entry script</a>'s <a href=#origin>origin</a><!--, and the
+ URL</a> using the <a href=#api-referrer-source>API referrer source</a> specified by the <a href=#entry-settings-object>entry settings
+ object</a>, with the <i>mode</i> being <var title="">CORS mode</var>, and the <i title="">origin</i> being the <a href=#origin>origin</a> specified by the <a href=#entry-settings-object>entry settings object</a><!--, and the
<i>default origin behaviour</i> set to <i>fail</i> (though it has no effect in the "Anonymous"
and "Use Credentials" modes)-->, and process the resource obtained in this fashion, if any, as
described below.</p>
@@ -78899,8 +78869,9 @@
<var title="">secure</var>. If this fails, throw a <code><a href=#syntaxerror>SyntaxError</a></code> exception and abort
these steps. <a href=#refsWSP>[WSP]</a></li>
- <li><p>If <var title="">secure</var> is false but the <a href=#origin>origin</a> of the <a href=#entry-script>entry
- script</a> has a scheme component that is itself a secure protocol, e.g. HTTPS, then throw a
+<!--CLEANUP-->
+ <li><p>If <var title="">secure</var> is false but the <a href=#origin>origin</a> specified by the <a href=#entry-settings-object>entry
+ settings object</a> has a scheme component that is itself a secure protocol, e.g. HTTPS, then throw a
<code><a href=#securityerror>SecurityError</a></code> exception and abort these steps.</li>
<li>
@@ -78930,8 +78901,9 @@
WebSocket protocol specification, then throw a <code><a href=#syntaxerror>SyntaxError</a></code> exception and abort these
steps. <a href=#refsWSP>[WSP]</a></li>
+<!--CLEANUP-->
<li><p>Let <var title="">origin</var> be the <a href=#ascii-serialization-of-an-origin title="ASCII serialization of an origin">ASCII
- serialization</a> of the <a href=#origin>origin</a> of the <a href=#entry-script>entry script</a>, <a href=#converted-to-ascii-lowercase>converted
+ serialization</a> of the <a href=#origin>origin</a> specified by the <a href=#entry-settings-object>entry settings object</a>, <a href=#converted-to-ascii-lowercase>converted
to ASCII lowercase</a>.</li>
<li><p>Return a new <code><a href=#websocket>WebSocket</a></code> object, but continue these steps
@@ -79796,7 +79768,7 @@
<!--CLEANUP-->
<p>If the <var title="">targetOrigin</var> argument is a single literal U+002F SOLIDUS character
(/), and the <code><a href=#document>Document</a></code> of the <code><a href=#window>Window</a></code> object on which the method was
- invoked does not have the <a href=#same-origin>same origin</a> as the <a href=#responsible-document>responsible document</a> specified by the <a href=#entry-script>entry script</a>'s <a href=#settings-object>settings
+ invoked does not have the <a href=#same-origin>same origin</a> as the <a href=#responsible-document>responsible document</a> specified by the <a href=#entry-settings-object>entry settings
object</a>, then abort these steps silently.</p>
<p>Otherwise, if the <var title="">targetOrigin</var> argument is an <a href=#absolute-url>absolute URL</a>,
@@ -79816,10 +79788,10 @@
<code><a href=#messageevent>MessageEvent</a></code> interface, with the event type <code title=event-message><a href=#event-message>message</a></code>, which does not bubble, is not cancelable, and has no
default action. The <code title=dom-MessageEvent-data><a href=#dom-messageevent-data>data</a></code> attribute must be
initialized to the value of <var title="">message clone</var>, the <code title=dom-MessageEvent-origin><a href=#dom-messageevent-origin>origin</a></code> attribute must be initialized to the <a href=#unicode-serialization-of-an-origin title="Unicode serialization of an origin">Unicode serialization</a> of the
- <a href=#origin>origin</a> of the <a href=#incumbent-script>incumbent script</a>, the <code title=dom-MessageEvent-source><a href=#dom-messageevent-source>source</a></code> attribute must be initialized to the
+ <a href=#origin>origin</a> specified by the <a href=#incumbent-settings-object>incumbent settings object</a>, the <code title=dom-MessageEvent-source><a href=#dom-messageevent-source>source</a></code> attribute must be initialized to the
<code><a href=#windowproxy>WindowProxy</a></code> object corresponding to the
<a href=#global-object>global object</a> (a <code><a href=#window>Window</a></code> object) specified by the
- <a href=#incumbent-script>incumbent script</a>'s <a href=#settings-object>settings object</a>,
+ <a href=#incumbent-settings-object>incumbent settings object</a>,
and the <code title=dom-MessageEvent-ports><a href=#dom-messageevent-ports>ports</a></code> attribute must be initialized to the <var title="">new ports</var> array.
</p>
<!-- invariant: the global object is always a Window if the script can see this method -->
@@ -80056,13 +80028,11 @@
called, it must run the following algorithm:</p>
<ol><!--CLEANUP--><li><p><a href=#create-a-new-messageport-object>Create a new <code>MessagePort</code> object</a> whose <a href=#concept-port-owner title=concept-port-owner>owner</a>
- is the <a href=#settings-object>settings object</a>
- of the <a href=#incumbent-script>incumbent script</a>, and let <var title="">port1</var> be that object.</li>
+ is the <a href=#incumbent-settings-object>incumbent settings object</a>, and let <var title="">port1</var> be that object.</li>
<!--CLEANUP-->
<li><p><a href=#create-a-new-messageport-object>Create a new <code>MessagePort</code> object</a> whose <a href=#concept-port-owner title=concept-port-owner>owner</a>
- is the <a href=#settings-object>settings object</a>
- of the <a href=#incumbent-script>incumbent script</a>, and let <var title="">port2</var> be that object.</li>
+ is the <a href=#incumbent-settings-object>incumbent settings object</a>, and let <var title="">port2</var> be that object.</li>
<li><p><a href=#entangle>Entangle</a> the <var title="">port1</var> and <var title="">port2</var>
objects.</li>
@@ -80394,7 +80364,7 @@
<li><p>Let <var title="">message</var> be the method's first argument.</p></li>
<li><p><span>Create a new <code>MessagePort</code> object</span> whose <span
- title="concept-port-owner">owner</span> is the <span>incumbent script</span>'s <span>settings
+ title="concept-port-owner">owner</span> is the <span>incumbent settings
object</span>, and let <var title="">port1</var> be that object.</p></li>
<li><p>If the <var title="">source port</var> is not entangled with another port, then return
@@ -81685,11 +81655,8 @@
<tbody><!-- v2-onclose <tr><td><dfn title="handler-WorkerGlobalScope-onclose"><code>onclose</code></dfn> <td> <code title="event-worker-close">close</code> --><tr><td><dfn id=handler-workerglobalscope-onerror title=handler-WorkerGlobalScope-onerror><code>onerror</code></dfn> <td> <code title=event-error>error</code>
<tr><td><dfn id=handler-workerglobalscope-onoffline title=handler-WorkerGlobalScope-onoffline><code>onoffline</code></dfn> <td> <code title=event-offline><a href=#event-offline>offline</a></code> <!-- new -->
<tr><td><dfn id=handler-workerglobalscope-ononline title=handler-WorkerGlobalScope-ononline><code>ononline</code></dfn> <td> <code title=event-online><a href=#event-online>online</a></code> <!-- new -->
- </table><hr><p>Each <code><a href=#workerglobalscope>WorkerGlobalScope</a></code> object has a <dfn id=worker-origin>worker origin</dfn> that is set when the
- object is created.</p>
-
- <p class=note>For <a href=#data-protocol title="data protocol"><code title="">data:</code> URLs</a>, this is
- the <a href=#origin>origin</a> of the <a href=#entry-script>entry script</a> when the constructor was called. For
+ </table><hr><!--CLEANUP--><p class=note>For <a href=#data-protocol title="data protocol"><code title="">data:</code> URLs</a>, this is
+ the <a href=#origin>origin</a> specified by the <a href=#entry-settings-object>entry settings object</a> when the constructor was called. For
other <a href=#url title=URL>URLs</a>, this is the <a href=#origin>origin</a> of the value of the
<a href=#absolute-url>absolute URL</a> given in the worker's <code title=dom-WorkerGlobalScope-location><a href=#dom-workerglobalscope-location></a></code> attribute.</p>
@@ -81858,8 +81825,7 @@
<h4 id=processing-model-7><span class=secno>10.2.4 </span>Processing model</h4>
<!--CLEANUP-->
- <p>When a user agent is to <dfn id=run-a-worker>run a worker</dfn> for a script with <a href=#url>URL</a> <var title="">url</var>, a <a href=#script-settings-object>script settings object</a> <var title="">settings object</var>,
- and an <a href=#origin>origin</a> <var title="">owner origin</var>, it
+ <p>When a user agent is to <dfn id=run-a-worker>run a worker</dfn> for a script with <a href=#url>URL</a> <var title="">url</var> and a <a href=#script-settings-object>script settings object</a> <var title="">settings object</var>, it
must run the following steps:</p>
<ol><li id=worker-processing-model-top>
@@ -81886,9 +81852,11 @@
<li>
+<!--CLEANUP-->
<p>Attempt to <a href=#fetch>fetch</a><!--FETCH--> the resource identified by <var title="">url</var>,
- from the <var title="">owner origin</var>, using the <a href=#responsible-document>responsible document</a> specified by <var title="">settings object</var> as the
- <a href=#referrer-source>referrer source</a> (not the specified <a href=#api-referrer-source>API referrer source</a>!), with the <i>synchronous flag</i> set and the <i>force same-origin
+ from the <a href=#origin>origin</a> specified
+ by <var title="">settings object</var>, using the <a href=#responsible-document>responsible document</a> specified by <var title="">settings object</var> as the
+ <a href=#referrer-source>referrer source</a> (not the specified <a href=#api-referrer-source>API referrer source</a>!), and with the <i>synchronous flag</i> set and the <i>force same-origin
flag</i> set.</p> <!-- not http-origin privacy sensitive (looking forward to CORS) -->
<p>If the attempt fails, then for each <code><a href=#worker>Worker</a></code> or <code><a href=#sharedworker>SharedWorker</a></code> object
@@ -82128,14 +82096,18 @@
<p>When the user agent is required to <dfn id=set-up-a-worker-script-settings-object>set up a worker script settings object</dfn>, given a
<var title="">worker global scope</var>, it must run the following steps:</p>
- <ol><li><p>Let <var title="">inherited responsible browsing context</var> be the <a href=#responsible-browsing-context>responsible
- browsing context</a> specified by the <a href=#incumbent-script>incumbent script</a>'s <a href=#settings-object>settings
+ <ol><!--CLEANUP--><li><p>Let <var title="">inherited responsible browsing context</var> be the <a href=#responsible-browsing-context>responsible
+ browsing context</a> specified by the <a href=#incumbent-settings-object>incumbent settings
object</a>.</li>
+<!--CLEANUP-->
<li><p>Let <var title="">inherited responsible document</var> be the <a href=#responsible-document>responsible
- document</a> specified by the <a href=#incumbent-script>incumbent script</a>'s <a href=#settings-object>settings
+ document</a> specified by the <a href=#incumbent-settings-object>incumbent settings
object</a>.</li>
+ <li><p>Let <var title="">inherited origin</var> be the <a href=#origin>origin</a> specified by the
+ <a href=#incumbent-settings-object>incumbent settings object</a>.</li>
+
<li><p>Let <var title="">worker event loop</var> be a newly created <a href=#event-loop>event
loop</a>.</li>
@@ -82209,6 +82181,13 @@
</dd>
+ <dt>The <a href=#origin>origin</a> and <a href=#effective-script-origin>effective script origin</a></dt>
+ <dd>
+
+ <p>Return <var title="">inherited origin</var>.</p>
+
+ </dd>
+
</dl></li>
<li><p>Return <var title="">settings object</var>.</li>
@@ -82271,7 +82250,7 @@
<!--CLEANUP-->
<li><p><a href=#resolve-a-url title="resolve a url">Resolve</a> the <var title="">scriptURL</var> argument
- relative to the <a href=#api-base-url>API base URL</a> specified by the <a href=#entry-script>entry script</a>'s <a href=#settings-object>settings object</a> when
+ relative to the <a href=#api-base-url>API base URL</a> specified by the <a href=#entry-settings-object>entry settings object</a> when
the method was invoked.</li>
<li><p>If this fails, throw a <code><a href=#syntaxerror>SyntaxError</a></code> exception and abort these steps.</li>
@@ -82284,7 +82263,7 @@
<p>If the <a href=#concept-url-scheme title=concept-url-scheme>scheme</a> component of <var title="">worker URL</var>
is not "<code title=data-protocol>data</code>", and the <a href=#origin>origin</a> of <var title="">worker URL</var>
is not the <a href=#same-origin title="same origin">same</a> as the
- origin of the <a href=#entry-script>entry script</a>, then throw a <code><a href=#securityerror>SecurityError</a></code> exception and
+ <a href=#origin>origin</a> specified by the <a href=#incumbent-settings-object>incumbent settings object</a>, then throw a <code><a href=#securityerror>SecurityError</a></code> exception and
abort these steps.</p>
<p class=note>Thus, scripts must either be external files with the same scheme, host, and port
@@ -82294,8 +82273,8 @@
</li>
- <li><p>Create a new <code><a href=#dedicatedworkerglobalscope>DedicatedWorkerGlobalScope</a></code> object whose <a href=#worker-origin>worker
- origin</a> is the origin of the <a href=#entry-script>entry script</a>. Let <var title="">worker global
+<!--CLEANUP-->
+ <li><p>Create a new <code><a href=#dedicatedworkerglobalscope>DedicatedWorkerGlobalScope</a></code> object. Let <var title="">worker global
scope</var> be this new object.</li>
<li><p><a href=#set-up-a-worker-script-settings-object>Set up a worker script settings object</a> with <var title="">worker global
@@ -82306,7 +82285,7 @@
<!--CLEANUP-->
<li><p><a href=#create-a-new-messageport-object>Create a new <code>MessagePort</code> object</a> whose <a href=#concept-port-owner title=concept-port-owner>owner</a>
- is the <a href=#settings-object>settings object</a> of the <a href=#incumbent-script>incumbent script</a>. Let
+ is the <a href=#incumbent-settings-object>incumbent settings object</a>. Let
this be the <var title="">outside port</var>.</li>
<li><p>Associate the <var title="">outside port</var> with <var title="">worker</var>.</li>
@@ -82333,8 +82312,7 @@
<!--CLEANUP-->
<p>Let <var title="">docs</var> be the <a href=#list-of-relevant-document-objects-to-add>list of relevant <code>Document</code> objects to
- add</a> given the <a href=#settings-object>settings object</a> of the
- <a href=#incumbent-script>incumbent script</a>.</p>
+ add</a> given the <a href=#incumbent-settings-object>incumbent settings object</a>.</p>
</li>
@@ -82349,19 +82327,18 @@
<li>
<!--CLEANUP-->
- <p>If the <a href=#global-object>global object</a> specified by the <a href=#incumbent-script>incumbent
- script</a>'s <a href=#settings-object>settings object</a> is a <code><a href=#workerglobalscope>WorkerGlobalScope</a></code> object (i.e. we are creating a nested worker),
+ <p>If the <a href=#global-object>global object</a> specified by the <a href=#incumbent-settings-object>incumbent
+ settings object</a> is a <code><a href=#workerglobalscope>WorkerGlobalScope</a></code> object (i.e. we are creating a nested worker),
add <var title="">worker global scope</var> to the list of <a href="#the-worker's-workers">the worker's workers</a> of
- the <code><a href=#workerglobalscope>WorkerGlobalScope</a></code> object that is the <a href=#global-object>global object</a> of the <a href=#incumbent-script>incumbent script</a>'s <a href=#settings-object>settings object</a>.</p>
+ the <code><a href=#workerglobalscope>WorkerGlobalScope</a></code> object that is the <a href=#global-object>global object</a> specified by the <a href=#incumbent-settings-object>incumbent settings object</a>.</p>
</li>
<li>
+<!--CLEANUP-->
<p><a href=#run-a-worker>Run a worker</a> for the script with <a href=#url>URL</a> <var title="">worker
- URL</var>, the <a href=#script-settings-object>script settings object</a> <var title="">settings object</var>, and the
- <a href=#origin>origin</a> of the <a href=#entry-script>entry script</a> as the <var title="">owner
- origin</var>.</p>
+ URL</var> and the <a href=#script-settings-object>script settings object</a> <var title="">settings object</var>.</p>
</li>
@@ -82396,10 +82373,11 @@
<li>
+<!--CLEANUP-->
<p>If the <a href=#concept-url-scheme title=concept-url-scheme>scheme</a> component of <var title="">parsed
scriptURL</var> is not "<code title=data-protocol>data</code>", and the <a href=#origin>origin</a> of
- <var title="">scriptURL</var> is not the <a href=#same-origin title="same origin">same</a> as the origin of
- the <a href=#entry-script>entry script</a>, then throw a <code><a href=#securityerror>SecurityError</a></code> exception and abort these
+ <var title="">scriptURL</var> is not the <a href=#same-origin title="same origin">same</a> as the <a href=#origin>origin</a> specified by
+ the <a href=#incumbent-settings-object>incumbent settings object</a>, then throw a <code><a href=#securityerror>SecurityError</a></code> exception and abort these
steps.</p>
<p class=note>Thus, scripts must either be external files with the same scheme, host, and port
@@ -82412,8 +82390,7 @@
<li>
<p>Let <var title="">docs</var> be the <a href=#list-of-relevant-document-objects-to-add>list of relevant <code>Document</code> objects to
- add</a> given the <a href=#settings-object>settings object</a> of the
- <a href=#incumbent-script>incumbent script</a>.</p>
+ add</a> given the <a href=#incumbent-settings-object>incumbent settings object</a>.</p>
</li>
@@ -82426,7 +82403,7 @@
<!--CLEANUP-->
<li><p><a href=#create-a-new-messageport-object>Create a new <code>MessagePort</code> object</a> whose <a href=#concept-port-owner title=concept-port-owner>owner</a>
- is the <a href=#settings-object>settings object</a> of the <a href=#incumbent-script>incumbent script</a>. Let
+ is the <a href=#incumbent-settings-object>incumbent settings object</a>. Let
this be the <var title="">outside port</var>.</li>
<li><p>Assign <var title="">outside port</var> to the <code title=dom-SharedWorker-port><a href=#dom-sharedworker-port>port</a></code> attribute of <var title="">worker</var>.</li>
@@ -82435,8 +82412,11 @@
<li>
+<!--CLEANUP-->
<p>If <var title="">name</var> is not the empty string and there exists a
- <code><a href=#sharedworkerglobalscope>SharedWorkerGlobalScope</a></code> object whose <a href=#dom-workerglobalscope-closing title=dom-WorkerGlobalScope-closing>closing</a> flag is false, whose <code title=dom-WorkerGlobalScope-name>name</code> attribute is exactly equal to <var title="">name</var>, and whose <a href=#worker-origin>worker origin</a> is the <a href=#same-origin>same origin</a> as
+ <code><a href=#sharedworkerglobalscope>SharedWorkerGlobalScope</a></code> object whose <a href=#dom-workerglobalscope-closing title=dom-WorkerGlobalScope-closing>closing</a> flag is false, whose <code title=dom-WorkerGlobalScope-name>name</code> attribute is exactly equal to <var title="">name</var>, and that is the <a href=#global-object>global object</a> specified by a
+ <a href=#script-settings-object>script settings object</a> that specifies as its <a href=#origin>origin</a> the
+ <a href=#same-origin>same origin</a> as the <a href=#origin>origin</a> of
<var title="">scriptURL</var>, then let <var title="">worker global scope</var> be that
<code><a href=#sharedworkerglobalscope>SharedWorkerGlobalScope</a></code> object.</p>
@@ -82448,9 +82428,11 @@
<li>
+<!--CLEANUP-->
<p>If <var title="">worker global scope</var> is not null, but the user agent has been
- configured to disallow communication between the <a href=#incumbent-script>incumbent script</a> and the worker
- represented by the <var title="">worker global scope</var>, then set <var title="">worker
+ configured to disallow communication between the worker
+ represented by the <var title="">worker global scope</var> and the <a href=#concept-script title=concept-script>scripts</a>
+ whose <a href=#settings-object title="settings object">settings objects</a> are the <a href=#incumbent-settings-object>incumbent settings object</a>, then set <var title="">worker
global scope</var> to null.</p>
<p class=note>For example, a user agent could have a development mode that isolates a
@@ -82501,11 +82483,11 @@
<li>
<!--CLEANUP-->
- <p>If the <a href=#global-object>global object</a> specified by the <a href=#incumbent-script>incumbent
- script</a>'s <a href=#settings-object>settings object</a> is a <code><a href=#workerglobalscope>WorkerGlobalScope</a></code> object, add <var title="">worker global
+ <p>If the <a href=#global-object>global object</a> specified by the <a href=#incumbent-settings-object>incumbent
+ settings object</a> is a <code><a href=#workerglobalscope>WorkerGlobalScope</a></code> object, add <var title="">worker global
scope</var> to the list of <a href="#the-worker's-workers">the worker's workers</a> of the
<code><a href=#workerglobalscope>WorkerGlobalScope</a></code> object that is the <a href=#global-object>global
- object</a> specified by the <a href=#incumbent-script>incumbent script</a>'s <a href=#settings-object>settings object</a>.</p>
+ object</a> specified by the <a href=#incumbent-settings-object>incumbent settings object</a>.</p>
</li>
@@ -82515,8 +82497,8 @@
<!-- OTHERWISE: -->
- <li><p>Create a new <code><a href=#sharedworkerglobalscope>SharedWorkerGlobalScope</a></code> object whose <a href=#worker-origin>worker
- origin</a> is the origin of the <a href=#entry-script>entry script</a>. Let <var title="">worker global
+<!--CLEANUP-->
+ <li><p>Create a new <code><a href=#sharedworkerglobalscope>SharedWorkerGlobalScope</a></code> object. Let <var title="">worker global
scope</var> be this new object.</li>
<li><p><a href=#set-up-a-worker-script-settings-object>Set up a worker script settings object</a> with <var title="">worker global
@@ -82558,17 +82540,18 @@
<li>
<!--CLEANUP-->
- <p>If the <a href=#global-object>global object</a> specified by the <a href=#settings-object>settings object</a> of the <a href=#incumbent-script>incumbent
- script</a> is a <code><a href=#workerglobalscope>WorkerGlobalScope</a></code> object, add <var title="">worker global scope</var> to the list of <a href="#the-worker's-workers">the worker's workers</a> of the
+ <p>If the <a href=#global-object>global object</a> specified by the <a href=#incumbent-settings-object>incumbent settings object</a>
+ is a <code><a href=#workerglobalscope>WorkerGlobalScope</a></code> object, add <var title="">worker global scope</var> to the list of <a href="#the-worker's-workers">the worker's workers</a> of the
<code><a href=#workerglobalscope>WorkerGlobalScope</a></code> object that is the <a href=#global-object>global
- object</a> specified by the <a href=#incumbent-script>incumbent script</a>'s <a href=#settings-object>settings object</a>.</p>
+ object</a> specified by the <a href=#incumbent-settings-object>incumbent settings object</a>.</p>
</li>
<li>
- <p><a href=#run-a-worker>Run a worker</a> for the script with <a href=#url>URL</a> <var title="">scriptURL</var>, the <a href=#script-settings-object>script settings object</a> <var title="">settings
- object</var>, and the <a href=#origin>origin</a> of the <a href=#entry-script>entry script</a> as the <var title="">owner origin</var>.</p>
+<!--CLEANUP-->
+ <p><a href=#run-a-worker>Run a worker</a> for the script with <a href=#url>URL</a> <var title="">scriptURL</var> and the <a href=#script-settings-object>script settings object</a> <var title="">settings
+ object</var>.</p>
</li>
@@ -82599,8 +82582,9 @@
<ol><li><p>If there are no arguments, return without doing anything. Abort these steps.</li>
- <li><p>Let <var title="">settings object</var> be the <a href=#script-settings-object>script settings object</a> of the
- <a href=#incumbent-script>incumbent script</a>.</li>
+<!--CLEANUP-->
+ <li><p>Let <var title="">settings object</var> be the
+ <a href=#incumbent-settings-object>incumbent settings object</a>.</li>
<li><p><a href=#resolve-a-url title="resolve a url">Resolve</a> each argument.</li>
@@ -82609,8 +82593,8 @@
<li>
<!--CLEANUP-->
- <p>Attempt to <a href=#fetch>fetch</a><!--FETCH--> each resource identified by the resulting <a href=#absolute-url title="absolute URL">absolute URLs</a>, from the <a href=#entry-script>entry script</a>'s
- <a href=#origin>origin</a>, using the <a href=#api-referrer-source>API referrer source</a> specified by <var title="">settings
+ <p>Attempt to <a href=#fetch>fetch</a><!--FETCH--> each resource identified by the resulting <a href=#absolute-url title="absolute URL">absolute URLs</a>, from the <a href=#origin>origin</a> specified by <var title="">settings object</var>,
+ using the <a href=#api-referrer-source>API referrer source</a> specified by <var title="">settings
object</var>, and with the <i>synchronous flag</i> set.</p> <!-- not
http-origin privacy sensitive -->
@@ -82644,8 +82628,9 @@
<a href=#url>URL</a> from which <var title="">source</var> was obtained, <var title="">language</var> as the scripting language, and <var title="">settings object</var> as
the <a href=#script-settings-object>script settings object</a>.</p>
+<!--CLEANUP-->
<p>If the script came from a resource whose <a href=#url>URL</a> does not have the <a href=#same-origin>same
- origin</a> as the <a href=#worker-origin>worker origin</a>, then pass the <var title="">muted
+ origin</a> as the <a href=#origin>origin</a> specified by the <a href=#incumbent-settings-object>incumbent settings object</a>, then pass the <var title="">muted
errors</var> flag to the <a href=#create-a-script>create a script</a> algorithm as well.</p>
<p>Let the newly created <a href=#concept-script title=concept-script>script</a> run until it either
@@ -82655,9 +82640,9 @@
<p>If it failed to parse, then throw an ECMAScript <code title=js-SyntaxError><a href=#js-syntaxerror>SyntaxError</a></code> exception and abort all these steps. <a href=#refsECMA262>[ECMA262]</a></p>
+<!--CLEANUP-->
<p>If an exception was thrown or if the script was prematurely aborted, then abort all these
- steps, letting the exception or aborting continue to be processed by the <a href=#incumbent-script>incumbent
- script</a>.</p>
+ steps, letting the exception or aborting continue to be processed by the calling <a href=#concept-script title=concept-script>script</a>.</p>
<p>If the "<a href=#kill-a-worker>kill a worker</a>" or "<a href=#terminate-a-worker>terminate a worker</a>" algorithms abort
the script then abort all these steps.</p>
Modified: index
===================================================================
--- index 2013-11-07 22:41:52 UTC (rev 8261)
+++ index 2013-11-08 23:21:01 UTC (rev 8262)
@@ -298,7 +298,7 @@
<header class=head id=head><p><a href=http://www.whatwg.org/ class=logo><img width=101 src=/images/logo alt=WHATWG height=101></a></p>
<hgroup><h1 class=allcaps>HTML</h1>
- <h2 class="no-num no-toc">Living Standard — Last Updated 7 November 2013</h2>
+ <h2 class="no-num no-toc">Living Standard — Last Updated 8 November 2013</h2>
</hgroup><dl><dt><strong>Web developer edition:</strong></dt>
<dd><strong><a href=http://developers.whatwg.org/>http://developers.whatwg.org/</a></strong></dd>
<dt>Multiple-page version:</dt>
@@ -8492,12 +8492,14 @@
<!--ADD-TOPIC:Security-->
<h4 id=security-document><span class=secno>3.1.2 </span>Security</h4>
+<!--CLEANUP-->
<p id=security>User agents must throw a <code><a href=#securityerror>SecurityError</a></code> exception whenever any
- properties of a <code><a href=#document>Document</a></code> object are accessed when the <a href=#incumbent-script>incumbent script</a>
- has an <a href=#effective-script-origin>effective script origin</a> that is not the <a href=#same-origin title="same origin">same</a>
+ properties of a <code><a href=#document>Document</a></code> object are accessed when the <a href=#incumbent-settings-object>incumbent settings object</a>
+ specifies an <a href=#effective-script-origin>effective script origin</a> that is not the <a href=#same-origin title="same origin">same</a>
as the <code><a href=#document>Document</a></code>'s <a href=#effective-script-origin>effective script origin</a>.</p>
- <p>When the <a href=#incumbent-script>incumbent script</a>'s <a href=#effective-script-origin>effective script origin</a> is different than
+<!--CLEANUP-->
+ <p>When the <a href=#incumbent-settings-object>incumbent settings object</a> specifies an <a href=#effective-script-origin>effective script origin</a> that is different than
a <code><a href=#document>Document</a></code> object's <a href=#effective-script-origin>effective script origin</a>, the user agent must act as
if <!--(redundant since you can't access any anyway) any changes to that <code>Document</code>
object's properties, getters, setters, etc, were not present, and as if--> all the properties of
@@ -9096,7 +9098,7 @@
<!--CLEANUP-->
<li><p><a href=#resolve-a-url title="resolve a url">Resolve</a> the method's first argument, relative to the
<a href=#api-base-url>API base URL</a> specified by the
- <a href=#entry-script>entry script</a>'s <a href=#settings-object>settings object</a>. If this is not
+ <a href=#entry-settings-object>entry settings object</a>. If this is not
successful, throw a <code><a href=#syntaxerror>SyntaxError</a></code> exception and abort these steps. Otherwise, let <var title="">url</var> be the resulting <a href=#absolute-url>absolute URL</a>.</li>
<li><p>If the <a href=#origin>origin</a> of <var title="">url</var> is not the same as the
@@ -9123,8 +9125,8 @@
<!--CLEANUP-->
<li><p><a href=#fetch>Fetch</a><!--FETCH--> <var title="">url</var> from the <a href=#origin>origin</a> of
- <var title="">document</var>, using the <a href=#api-referrer-source>API referrer source</a> specified by the <a href=#entry-script>entry script</a>'s
- <a href=#settings-object>settings object</a>, with the <i title="">synchronous flag</i> set and the <i title="">force same-origin flag</i> set.</li>
+ <var title="">document</var>, using the <a href=#api-referrer-source>API referrer source</a> specified by the <a href=#entry-settings-object>entry
+ settings object</a>, with the <i title="">synchronous flag</i> set and the <i title="">force same-origin flag</i> set.</li>
<li>
@@ -17484,7 +17486,8 @@
browsing context name</a>, using the value of the <code title=attr-hyperlink-target><a href=#attr-hyperlink-target>target</a></code> attribute as the browsing context name, would result
in there not being a chosen browsing context, then run these substeps:</p>
- <ol><li><p>If there is an <a href=#entry-script>entry script</a>, throw an <code><a href=#invalidaccesserror>InvalidAccessError</a></code> exception.</li>
+ <ol><li><p>If there is an <a href=#entry-settings-object>entry settings object</a>, throw an
+ <code><a href=#invalidaccesserror>InvalidAccessError</a></code> exception.</li>
<li><p>Abort these steps without following the hyperlink.</li>
@@ -31325,7 +31328,7 @@
<code title=attr-hyperlink-target><a href=#attr-hyperlink-target>target</a></code> attribute as the browsing context name, would
result in there not being a chosen browsing context, then run these substeps:</p>
- <ol><li><p>If there is an <a href=#entry-script>entry script</a>, throw an <code><a href=#invalidaccesserror>InvalidAccessError</a></code>
+ <ol><!--CLEANUP--><li><p>If there is an <a href=#entry-settings-object>entry settings object</a>, throw an <code><a href=#invalidaccesserror>InvalidAccessError</a></code>
exception.</li>
<li><p>Abort these steps without following the hyperlink.</li>
@@ -55754,9 +55757,10 @@
object's bitmap image data must be used as the source image.</p>
<!--ADD-TOPIC:Security-->
+<!--CLEANUP-->
<p><dfn id=the-image-argument-is-not-origin-clean>The <var title="">image argument</var> is not origin-clean</dfn> if it is an
<code><a href=#htmlimageelement>HTMLImageElement</a></code> or <code><a href=#htmlvideoelement>HTMLVideoElement</a></code> whose <a href=#origin>origin</a> is not
- the <a href=#same-origin title="same origin">same</a> as the <a href=#entry-script>entry script</a>'s <a href=#origin>origin</a>,
+ the <a href=#same-origin title="same origin">same</a> as the <a href=#origin>origin</a> specified by the <a href=#entry-settings-object>entry settings object</a>,
or if it is an <code><a href=#htmlcanvaselement>HTMLCanvasElement</a></code> whose bitmap's <a href=#concept-canvas-origin-clean title=concept-canvas-origin-clean>origin-clean</a> flag is false, or if it is a
<code><a href=#canvasrenderingcontext2d>CanvasRenderingContext2D</a></code> object whose <a href=#scratch-bitmap>scratch bitmap</a>'s <a href=#concept-canvas-origin-clean title=concept-canvas-origin-clean>origin-clean</a> flag is false.</p>
<!--REMOVE-TOPIC:Security-->
@@ -56257,9 +56261,10 @@
</li>
<!--ADD-TOPIC:Security-->
+<!--CLEANUP-->
<li><p>If the <a href=#text-preparation-algorithm>text preparation algorithm</a> used a font that has an <a href=#origin>origin</a>
- that is not the <a href=#same-origin title="same origin">same</a> as the <a href=#entry-script>entry script</a>'s
- <a href=#origin>origin</a> (even if "using a font" means just checking if that font has a particular
+ that is not the <a href=#same-origin title="same origin">same</a> as the
+ <a href=#origin>origin</a> specified by the <a href=#entry-settings-object>entry settings object</a> (even if "using a font" means just checking if that font has a particular
glyph in it before falling back to another font), then set the <a href=#scratch-bitmap>scratch bitmap</a>'s
<a href=#concept-canvas-origin-clean title=concept-canvas-origin-clean>origin-clean</a> flag to false.</li> <!--
because fonts could consider sensitive material, I guess; and because that sensitivity could
@@ -63650,9 +63655,10 @@
<ol><li><p>If <var title="">d</var> is not a <code><a href=#document>Document</a></code> in a <a href=#nested-browsing-context>nested browsing
context</a>, return null and abort these steps.</li>
+<!--CLEANUP-->
<li><p>If the <a href=#browsing-context-container>browsing context container</a>'s <code><a href=#document>Document</a></code> does not have the
- <a href=#same-origin title="same origin">same</a> <a href=#effective-script-origin>effective script origin</a> as the <a href=#entry-script>entry
- script</a>, then throw a <code><a href=#securityerror>SecurityError</a></code> exception and abort these steps.</li>
+ <a href=#same-origin title="same origin">same</a> <a href=#effective-script-origin>effective script origin</a> as the <a href=#effective-script-origin>effective script origin</a> specified by the <a href=#entry-settings-object>entry
+ settings object</a>, then throw a <code><a href=#securityerror>SecurityError</a></code> exception and abort these steps.</li>
<li><p>Return the <a href=#browsing-context-container>browsing context container</a> for <var title="">b</var>.</li>
@@ -64276,8 +64282,9 @@
how cross-origin cross-global access to <code><a href=#window>Window</a></code> and <code><a href=#location>Location</a></code> objects
should work. See <a href="https://www.w3.org/Bugs/Public/show_bug.cgi?id=20701">bug 20701</a>.</p>
+<!--CLEANUP-->
<p id=security-2>User agents must throw a <code><a href=#securityerror>SecurityError</a></code> exception whenever any
- properties of a <code><a href=#window>Window</a></code> object are accessed when the <a href=#incumbent-script>incumbent script</a> has
+ properties of a <code><a href=#window>Window</a></code> object are accessed when the <a href=#incumbent-settings-object>incumbent settings object</a> specifies
an <a href=#effective-script-origin>effective script origin</a> that is not the <a href=#same-origin title="same origin">same</a> as
<a href=#concept-document-window title=concept-document-window>the <code>Window</code> object's
<code>Document</code></a>'s <a href=#effective-script-origin>effective script origin</a>, with the following
@@ -64309,7 +64316,7 @@
<li>The <a href=#dynamic-nested-browsing-context-properties>dynamic nested browsing context properties</a>
- </ul><p>When the <a href=#incumbent-script>incumbent script</a>'s <a href=#effective-script-origin>effective script origin</a> is different than
+ </ul><!--CLEANUP--><p>When the <a href=#incumbent-settings-object>incumbent settings object</a> specifies an <a href=#effective-script-origin>effective script origin</a> that is different than
a <a href=#concept-document-window title=concept-document-window><code>Window</code> object's
<code>Document</code></a>'s <a href=#effective-script-origin>effective script origin</a>, the user agent must act as if
any changes to that <code><a href=#window>Window</a></code> object's properties, getters, setters, etc, were not
@@ -64399,7 +64406,7 @@
<p>The first argument, <var title="">url</var>, must be a <a href=#valid-non-empty-url>valid non-empty URL</a> for a
page to load in the browsing context. If the first argument is the empty string, then the <var title="">url</var> argument must be interpreted as "<code><a href=#about:blank>about:blank</a></code>". Otherwise, the
argument must be <a href=#resolve-a-url title="resolve a url">resolved</a> to an <a href=#absolute-url>absolute URL</a> (or
- an error), relative to the <a href=#api-base-url>API base URL</a> specified by the <a href=#entry-script>entry script</a>'s <a href=#settings-object>settings
+ an error), relative to the <a href=#api-base-url>API base URL</a> specified by the <a href=#entry-settings-object>entry settings
object</a> when the method was invoked.</p>
<p>The second argument, <var title="">target</var>, specifies the <a href=#browsing-context-name title="browsing context
@@ -64440,7 +64447,7 @@
context</a> was just created as part of <a href=#the-rules-for-choosing-a-browsing-context-given-a-browsing-context-name>the rules for choosing a browsing context given a
browsing context name</a>, then <a href=#replacement-enabled title="replacement enabled">replacement must be
enabled</a>. The navigation must be done with the <a href=#responsible-browsing-context>responsible
- browsing context</a> specified by the <a href=#incumbent-script>incumbent script</a>'s <a href=#settings-object>settings object</a> as the <a href=#source-browsing-context>source browsing
+ browsing context</a> specified by the <a href=#incumbent-settings-object>incumbent settings object</a> as the <a href=#source-browsing-context>source browsing
context</a>. If the <a href=#resolve-a-url>resolve a URL</a> algorithm failed, then the user agent may either
instead <a href=#navigate>navigate</a> to an inline error page, using the same replacement behavior and
source browsing context behavior as described earlier in this paragraph; or treat the <var title="">url</var> as "<code><a href=#about:blank>about:blank</a></code>", acting as described in the next paragraph.</p>
@@ -64472,13 +64479,13 @@
<a href=#script-closable>script-closable</a>.</li>
<!--CLEANUP-->
- <li>The <a href=#responsible-browsing-context>responsible browsing context</a> specified by the <a href=#incumbent-script>incumbent
- script</a>'s <a href=#settings-object>settings object</a> is <a href=#familiar-with>familiar
+ <li>The <a href=#responsible-browsing-context>responsible browsing context</a> specified by the <a href=#incumbent-settings-object>incumbent
+ settings object</a> is <a href=#familiar-with>familiar
with</a> the <a href=#browsing-context>browsing context</a> <var title="">A</var>.</li>
<!--CLEANUP-->
<li id=sandboxClose>The <a href=#responsible-browsing-context>responsible browsing context</a> specified by the
- <a href=#incumbent-script>incumbent script</a>'s <a href=#settings-object>settings object</a>
+ <a href=#incumbent-settings-object>incumbent settings object</a>
is <a href=#allowed-to-navigate>allowed to navigate</a> the <a href=#browsing-context>browsing
context</a> <var title="">A</var>.</li>
@@ -64529,8 +64536,7 @@
elements that are <a href=#in-a-document title="in a document">in the <code>Document</code></a> that is the
<a href=#active-document>active document</a> of that <code><a href=#window>Window</a></code> object, if that <code><a href=#window>Window</a></code>'s
<a href=#browsing-context>browsing context</a> shares the same <a href=#event-loop>event loop</a> as the <a href=#responsible-document>responsible
- document</a> specified by the <a href=#settings-object>settings object</a> of the
- <a href=#entry-script>entry script</a> accessing the IDL attribute; otherwise,
+ document</a> specified by the <a href=#entry-settings-object>entry settings object</a> accessing the IDL attribute; otherwise,
it must return zero.</p>
<!-- in other words, frames are only accessible to same-thread processes -->
@@ -64959,12 +64965,12 @@
<dd>
<p>The <a href=#origin>origin</a> is an <a href=#concept-origin-alias title=concept-origin-alias>alias</a> to the
- <a href=#origin>origin</a> of the <a href=#incumbent-script>incumbent script</a> when the <a href=#navigate>navigate</a>
+ <a href=#origin>origin</a> specified by the <a href=#incumbent-settings-object>incumbent settings object</a> when the <a href=#navigate>navigate</a>
algorithm was invoked, or, if no <a href=#concept-script title=concept-script>script</a> was involved, of
the <code><a href=#document>Document</a></code> of the element that initiated the <a href=#navigate title=navigate>navigation</a> to that <a href=#url>URL</a>.</p>
<p>The <a href=#effective-script-origin>effective script origin</a> is initially an <a href=#concept-origin-alias title=concept-origin-alias>alias</a> to the <a href=#effective-script-origin>effective script origin</a> of that
- same <a href=#concept-script title=concept-script>script</a> or <code><a href=#document>Document</a></code>.</p>
+ same <a href=#script-settings-object>script settings object</a> or <code><a href=#document>Document</a></code>.</p>
</dd>
@@ -65082,81 +65088,9 @@
</dd>
-
- <dt>For scripts</dt>
-
- <dd>
-
- <p>The <a href=#origin>origin</a> and <a href=#effective-script-origin>effective script origin</a> of a script are determined
- from another resource, called the <i>owner</i>:</p>
-
- <dl class=switch><dt>If a script is in a <code><a href=#the-script-element>script</a></code> element</dt>
-
- <dd>The owner is the <code><a href=#document>Document</a></code> to which the <code><a href=#the-script-element>script</a></code> element
- belongs.</dd>
-
-
- <dt>If a script is in an <a href=#event-handler-content-attributes title="event handler content attributes">event handler content
- attribute</a></dt>
-
- <dd>The owner is the <code><a href=#document>Document</a></code> to which the attribute node belongs.</dd>
-
-
- <dt>If a script is a function or other code reference created by another script</dt>
-
- <dd>The owner is the <a href=#incumbent-script>incumbent script</a> when the function or other code reference
- was created.</dd>
-
-
- <dt>If a script is a <a href=#javascript-protocol title="javascript protocol"><code title="">javascript:</code>
- URL</a> that was returned as the location of an HTTP redirect (<a href=#concept-http-equivalent-codes title=concept-http-equivalent-codes>or equivalent</a> in other protocols)</dt>
-
- <dd>The owner is the <a href=#url>URL</a> that redirected to the <a href=#javascript-protocol title="javascript
- protocol"><code title="">javascript:</code> URL</a>.</dd>
-
-
- <dt>If a script is a <a href=#javascript-protocol title="javascript protocol"><code title="">javascript:</code>
- URL</a> in an attribute</dt>
-
- <dd>The owner is the <code><a href=#document>Document</a></code> of the element on which the attribute is found.</dd>
-
-
- <dt>If a script is a <a href=#javascript-protocol title="javascript protocol"><code title="">javascript:</code>
- URL</a> in a style sheet</dt>
-
- <dd>The owner is the <a href=#url>URL</a> of the style sheet.</dd>
-
-
- <dt>If a script is a <a href=#javascript-protocol title="javascript protocol"><code title="">javascript:</code>
- URL</a> to which a <a href=#browsing-context>browsing context</a> is being <a href=#navigate title=navigate>navigated</a>, the URL having been provided by the user (e.g. by using a
- <i>bookmarklet</i>)</dt>
-
- <dd>The owner is the <code><a href=#document>Document</a></code> of the <a href=#browsing-context>browsing context</a>'s <a href=#active-document>active
- document</a>.</dd>
-
-
- <dt>If a script is a <a href=#javascript-protocol title="javascript protocol"><code title="">javascript:</code>
- URL</a> to which a <a href=#browsing-context>browsing context</a> is being <a href=#navigate title=navigate>navigated</a>, the URL having been declared in markup</dt>
-
- <dd>The owner is the <code><a href=#document>Document</a></code> of the element (e.g. an <code><a href=#the-a-element>a</a></code> or
- <code><a href=#the-area-element>area</a></code> element) that declared the URL.</dd>
-
-
- <dt>If a script is a <a href=#javascript-protocol title="javascript protocol"><code title="">javascript:</code>
- URL</a> to which a <a href=#browsing-context>browsing context</a> is being <a href=#navigate title=navigate>navigated</a>, the URL having been provided by script</dt>
-
- <dd>The owner is the <a href=#incumbent-script>incumbent script</a> when the <a href=#navigate>navigate</a> algorithm was
- invoked.</dd>
-
- </dl><p>The <a href=#origin>origin</a> of the script is then an <a href=#concept-origin-alias title=concept-origin-alias>alias</a> to the <a href=#origin>origin</a> of the owner, and the
- <a href=#effective-script-origin>effective script origin</a> of the script is an <a href=#concept-origin-alias title=concept-origin-alias>alias</a> to the <a href=#effective-script-origin>effective script origin</a> of the
- owner.</p>
-
- </dd>
-
</dl><p>Other specifications can override the above definitions by themselves specifying the origin of
- a particular <a href=#url>URL</a>, <code><a href=#document>Document</a></code>, image, <a href=#media-element>media element</a>, font, or
- <a href=#concept-script title=concept-script>script</a>.</p>
+ a particular <a href=#url>URL</a>, <code><a href=#document>Document</a></code>, image, <a href=#media-element>media element</a>, or
+ font.</p>
<!-- e.g.:
@@ -65987,7 +65921,7 @@
<ol><!--CLEANUP--><li><a href=#resolve-a-url title="resolve a url">Resolve</a> the value of the third argument, relative to the
<a href=#api-base-url>API base URL</a> specified by the
- <a href=#entry-script>entry script</a>'s <a href=#settings-object>settings object</a>.</li>
+ <a href=#entry-settings-object>entry settings object</a>.</li>
<li>If that fails, throw a <code><a href=#securityerror>SecurityError</a></code> exception and abort these steps.</li>
@@ -65999,8 +65933,8 @@
<!--CLEANUP-->
<li>If the <a href=#origin>origin</a> of the resulting <a href=#absolute-url>absolute URL</a> is not the same as
- the <a href=#origin>origin</a> of the <a href=#responsible-document>responsible document</a> specified by the <a href=#entry-script>entry script</a>'s
- <a href=#settings-object>settings object</a>, and either the <a href=#concept-url-path title=concept-url-path>path</a> or <a href=#concept-url-query title=concept-url-query>query</a> components of the two <a href=#parsed-url title="parsed URL">parsed
+ the <a href=#origin>origin</a> of the <a href=#responsible-document>responsible document</a> specified by the <a href=#entry-settings-object>entry
+ settings object</a>, and either the <a href=#concept-url-path title=concept-url-path>path</a> or <a href=#concept-url-query title=concept-url-query>query</a> components of the two <a href=#parsed-url title="parsed URL">parsed
URLs</a> compared in the previous step differ, throw a <code><a href=#securityerror>SecurityError</a></code> exception
and abort these steps. (This prevents sandboxed content from spoofing other pages on the same
origin.)</li>
@@ -66258,7 +66192,7 @@
<!--CLEANUP-->
<p>When the <dfn id=dom-location-assign title=dom-location-assign><code>assign(<var title="">url</var>)</code></dfn>
method is invoked, the UA must <a href=#resolve-a-url title="resolve a url">resolve</a> the argument, relative
- to the <a href=#api-base-url>API base URL</a> specified by the <a href=#entry-script>entry script</a>'s <a href=#settings-object>settings object</a>, and if that is
+ to the <a href=#api-base-url>API base URL</a> specified by the <a href=#entry-settings-object>entry settings object</a>, and if that is
successful, must <a href=#navigate>navigate</a><!--DONAV location.href/assign--> the <a href=#browsing-context>browsing
context</a> to the specified <var title="">url</var>. If the <a href=#browsing-context>browsing context</a>'s
<a href=#session-history>session history</a> contains only one <code><a href=#document>Document</a></code>, and that was the
@@ -66271,13 +66205,13 @@
<!--CLEANUP-->
<p>When the <dfn id=dom-location-replace title=dom-location-replace><code>replace(<var title="">url</var>)</code></dfn>
method is invoked, the UA must <a href=#resolve-a-url title="resolve a url">resolve</a> the argument, relative
- to the <a href=#api-base-url>API base URL</a> specified by the <a href=#entry-script>entry script</a>'s <a href=#settings-object>settings object</a>, and if that is
+ to the <a href=#api-base-url>API base URL</a> specified by the <a href=#entry-settings-object>entry settings object</a>, and if that is
successful, <a href=#navigate>navigate</a><!--DONAV location.href/replace--> the <a href=#browsing-context>browsing
context</a> to the specified <var title="">url</var> with <a href=#replacement-enabled>replacement enabled</a>.</p>
<!--CLEANUP-->
<p>Navigation for the <code title=dom-location-assign><a href=#dom-location-assign>assign()</a></code> and <code title=dom-location-replace><a href=#dom-location-replace>replace()</a></code> methods must be done with the <a href=#responsible-browsing-context>responsible browsing context</a> specified by
- the <a href=#incumbent-script>incumbent script</a>'s <a href=#settings-object>settings object</a> as the <a href=#source-browsing-context>source
+ the <a href=#incumbent-settings-object>incumbent settings object</a> as the <a href=#source-browsing-context>source
browsing context</a>.</p>
<p>If the <a href=#resolve-a-url title="resolve a url">resolving</a> step of the <code title=dom-location-assign><a href=#dom-location-assign>assign()</a></code> and <code title=dom-location-replace><a href=#dom-location-replace>replace()</a></code> methods is not successful, then the user agent must
@@ -66343,8 +66277,8 @@
<!--CLEANUP-->
<p>The element's <code><a href=#urlutils>URLUtils</a></code> interface's <a href=#concept-uu-get-the-base title=concept-uu-get-the-base>get the
- base</a> algorithm must return the <a href=#api-base-url>API base URL</a> specified by the <a href=#entry-script>entry script</a>'s
- <a href=#settings-object>settings object</a>, if there is one, or null otherwise.</p>
+ base</a> algorithm must return the <a href=#api-base-url>API base URL</a> specified by the <a href=#entry-settings-object>entry
+ settings object</a>, if there is one, or null otherwise.</p>
<p>The element's <code><a href=#urlutils>URLUtils</a></code> interface's <a href=#concept-uu-query-encoding title=concept-uu-query-encoding>query
encoding</a> is the <a href="#document's-character-encoding">document's character encoding</a>.</p>
@@ -66390,29 +66324,30 @@
should work. See <a href="https://www.w3.org/Bugs/Public/show_bug.cgi?id=20701">bug 20701</a>.</p>
<p id=security-3>User agents must throw a <code><a href=#securityerror>SecurityError</a></code> exception whenever any
- properties of a <code><a href=#location>Location</a></code> object are accessed when the <a href=#entry-script>entry script</a> has
+ properties of a <code><a href=#location>Location</a></code> object are accessed when the <a href=#entry-settings-object>entry settings object</a> specifies
an <a href=#effective-script-origin>effective script origin</a> that is not the <a href=#same-origin title="same origin">same</a> as
the <code><a href=#location>Location</a></code> object's associated <code><a href=#document>Document</a></code>'s <a href=#browsing-context>browsing
context</a>'s <a href=#active-document>active document</a>'s <a href=#effective-script-origin>effective script origin</a>, with the
following exceptions:</p>
<ul><!--CLEANUP--><li>The <code title=dom-url-href><a href=#dom-url-href>href</a></code> setter, if the <a href=#responsible-browsing-context>responsible browsing context</a>
- specified by the <a href=#entry-script>entry script</a>'s
- <a href=#settings-object>settings object</a> is <a href=#familiar-with>familiar with</a> the <a href=#browsing-context>browsing
+ specified by the <a href=#entry-settings-object>entry
+ settings object</a> is <a href=#familiar-with>familiar with</a> the <a href=#browsing-context>browsing
context</a> with which the <code><a href=#location>Location</a></code> object is associated
<!--CLEANUP-->
<li>The <code title=dom-location-replace><a href=#dom-location-replace>replace()</a></code> method, if the <a href=#responsible-browsing-context>responsible
- browsing context</a> specified by the <a href=#entry-script>entry script</a>'s
- <a href=#settings-object>settings object</a> is <a href=#familiar-with>familiar with</a> the
+ browsing context</a> specified by the <a href=#entry-settings-object>entry
+ settings object</a> is <a href=#familiar-with>familiar with</a> the
<a href=#browsing-context>browsing context</a> with which the <code><a href=#location>Location</a></code> object is associated
+<!--CLEANUP-->
<li>Any properties not defined in the IDL for the <code><a href=#location>Location</a></code> object or indirectly via
- one of those properties (e.g. <code title="">toString()</code>, which is defined via the <code title="">stringifier</code> keyword), if the <a href=#entry-script>entry script</a>'s <a href=#effective-script-origin>effective script
- origin</a> is the <a href=#same-origin>same origin</a> as the <code><a href=#location>Location</a></code> object's associated
+ one of those properties (e.g. <code title="">toString()</code>, which is defined via the <code title="">stringifier</code> keyword), if the <a href=#effective-script-origin>effective script
+ origin</a> specified by the <a href=#entry-settings-object>entry settings object</a> is the <a href=#same-origin>same origin</a> as the <code><a href=#location>Location</a></code> object's associated
<code><a href=#document>Document</a></code>'s <a href=#effective-script-origin>effective script origin</a>
- </ul><p>When the <a href=#entry-script>entry script</a>'s <a href=#effective-script-origin>effective script origin</a> is different than a
+ </ul><p>When the <a href=#effective-script-origin>effective script origin</a> specified by the <a href=#entry-settings-object>entry settings object</a> is different than a
<code><a href=#location>Location</a></code> object's associated <code><a href=#document>Document</a></code>'s <a href=#effective-script-origin>effective script
origin</a>, the user agent must act as if any changes to that <code><a href=#location>Location</a></code> object's
properties, getters, setters, etc, were not present, and as if all the properties of that
@@ -69999,14 +69934,6 @@
</dd>
- <dt>An <dfn title="">owner</dfn>, <dfn title="">origin</dfn>, and <dfn title="">effective origin</dfn></dt>
-
- <dd>
-
- <p>There are defined in the <a href=#origin>origin</a> section.</p>
-
- </dd>
-
</dl><hr><p>A <dfn id=script-settings-object>script settings object</dfn> specifies algorithms for obtaining the following:</p>
<dl><dt>A <dfn id=script-execution-environment>script execution environment</dfn> for each language supported by the user agent</dt>
@@ -70111,6 +70038,14 @@
</dd>
+ <dt>An <a href=#origin>origin</a> and an <a href=#effective-script-origin>effective script origin</a></dt>
+
+ <dd>
+
+ <p>An instrument used in security checks.</p>
+
+ </dd>
+
</dl><h5 id=script-settings-for-browsing-contexts><span class=secno>7.1.3.2 </span>Script settings for browsing contexts</h5>
<p>Whenever a new <code><a href=#window>Window</a></code> object is created, it must also create a <a href=#script-settings-object>script
@@ -70184,18 +70119,36 @@
</dd>
+ <dt>The <a href=#origin>origin</a></dt>
+ <dd>
+
+ <p>Return the <a href=#origin>origin</a> of the <code><a href=#document>Document</a></code> with which the
+ <code><a href=#window>Window</a></code> is currently associated.</p>
+
+ </dd>
+
+ <dt>The <a href=#effective-script-origin>effective script origin</a></dt>
+ <dd>
+
+ <p>Return the <a href=#effective-script-origin>effective script origin</a> of the <code><a href=#document>Document</a></code> with which the
+ <code><a href=#window>Window</a></code> is currently associated.</p>
+
+ </dd>
+
</dl><h5 id=calling-scripts><span class=secno>7.1.3.3 </span>Calling scripts</h5>
- <p>Each <a href=#unit-of-related-similar-origin-browsing-contexts>unit of related similar-origin browsing contexts</a> has a <dfn id=stack-of-incumbent-scripts>stack of
- incumbent scripts</dfn>, which must be initially empty. When a new script is <i>pushed</i> onto
- this stack, the specified script is to be added to the stack; when the script on this stack that
+<!--CLEANUP-->
+ <p>Each <a href=#unit-of-related-similar-origin-browsing-contexts>unit of related similar-origin browsing contexts</a> has a <dfn id=stack-of-script-settings-objects>stack of
+ script settings objects</dfn>, which must be initially empty. When a new <a href=#script-settings-object>script settings object</a> is <i>pushed</i> onto
+ this stack, the specified <a href=#script-settings-object>script settings object</a> is to be added to the stack; when the <a href=#script-settings-object>script settings object</a> on this stack that
was most recently pushed onto it is to be <i>popped</i> from the stack, it must be removed.
- Entries on this stack can be labeled as <dfn id=candidate-entry-scripts>candidate entry scripts</dfn>.</p>
+ Entries on this stack can be labeled as <dfn id=candidate-entry-settings-object title="candidate entry settings object">candidate entry settings objects</dfn>.</p>
<p>When a user agent is to <dfn id=jump-to-a-code-entry-point>jump to a code entry-point</dfn> for a <a href=#concept-script title=concept-script>script</a>, the user agent must run the following steps:</p>
<ol><li><p>Let <var title="">s</var> be the given <a href=#concept-script title=concept-script>script</a>.</li>
+<!--CLEANUP-->
<li><p><a href=#prepare-to-run-a-script-based-callback>Prepare to run a script-based callback</a> with <var title="">s</var> as both the
new incumbent <a href=#concept-script title=concept-script>script</a> and the owner <a href=#concept-script title=concept-script>script</a>. If this returns "do not run" then abort these
steps.</li>
@@ -70221,49 +70174,56 @@
<li><p>If <a href=#concept-bc-noscript title=concept-bc-noscript>scripting is disabled</a> for the <a href=#responsible-browsing-context>responsible browsing context</a> specified by <var title="">o</var>'s <a href=#settings-object>settings object</a>, then return
"do not run" and abort these steps.</p>
- <li><p>Push <var title="">s</var> onto the <a href=#stack-of-incumbent-scripts>stack of incumbent scripts</a>, and label it
- as a <a href=#candidate-entry-scripts title="candidate entry scripts">candidate entry script</a>.</li>
+<!--CLEANUP-->
+ <li><p>Push <var title="">s</var>'s <a href=#settings-object>settings object</a> onto the <a href=#stack-of-script-settings-objects>stack of script settings objects</a>, and label it
+ as a <a href=#candidate-entry-settings-object>candidate entry settings object</a>.</li>
<li><p>Return "run".</li>
- </ol><p>The steps to <dfn id=prepare-to-run-a-non-script-based-callback>prepare to run a non-script-based callback</dfn> are as follows. They are
- invoked with a new incumbent <a href=#concept-script title=concept-script>script</a> <var title="">s</var> and,
+ </ol><!--CLEANUP--><p>The steps to <dfn id=prepare-to-run-a-non-script-based-callback>prepare to run a non-script-based callback</dfn> are as follows. They are
+ invoked with a new <a href=#script-settings-object>script settings object</a> <var title="">s</var> and,
in principle, return either "run" or "do not run" (though in practice they always return
"run").</p>
- <ol><li><p>Push <var title="">s</var> onto the <a href=#stack-of-incumbent-scripts>stack of incumbent scripts</a>.</li>
+ <ol><li><p>Push <var title="">s</var> onto the <a href=#stack-of-script-settings-objects>stack of script settings objects</a>.</li>
<li><p>Return "run".</li>
</ol><p>The steps to <dfn id=clean-up-after-running-a-callback>clean up after running a callback</dfn> are as follows:</p>
- <ol><li><p>Pop the current <a href=#incumbent-script>incumbent script</a> from the <a href=#stack-of-incumbent-scripts>stack of incumbent
- scripts</a>.</li>
+ <ol><!--CLEANUP--><li><p>Pop the current <a href=#incumbent-settings-object>incumbent settings object</a> from the <a href=#stack-of-script-settings-objects>stack of script settings
+ objects</a>.</li>
- <li><p>If the <a href=#stack-of-incumbent-scripts>stack of incumbent scripts</a> is now empty, <a href=#run-the-global-script-clean-up-jobs>run the global script
+<!--CLEANUP-->
+ <li><p>If the <a href=#stack-of-script-settings-objects>stack of script settings objects</a> is now empty, <a href=#run-the-global-script-clean-up-jobs>run the global script
clean-up jobs</a>. (These cannot run scripts.)</li>
- <li><p>If the <a href=#stack-of-incumbent-scripts>stack of incumbent scripts</a> is now empty, <a href=#perform-a-microtask-checkpoint>perform a microtask
+<!--CLEANUP-->
+ <li><p>If the <a href=#stack-of-script-settings-objects>stack of script settings objects</a> is now empty, <a href=#perform-a-microtask-checkpoint>perform a microtask
checkpoint</a>. (If this runs scripts, these algorithms will be invoked reentrantly.)</li>
</ol><p class=note>These algorithms are not invoked by one script directly calling another, but they
can be invoked reentrantly in an indirect manner, e.g. if a script dispatches an event which has
event listeners registered.</p>
- <p>When a JavaScript <i>SourceElements</i> production is to be evaluated, the <a href=#concept-script title=concept-script>script</a> corresponding to that <i>SourceElements</i> must be pushed
- onto the <a href=#stack-of-incumbent-scripts>stack of incumbent scripts</a> before the evaluation begins, and popped when the
+<!--CLEANUP-->
+ <p>When a JavaScript <i>SourceElements</i> production is to be evaluated, the <a href=#settings-object>settings object</a> of the <a href=#concept-script title=concept-script>script</a> corresponding to that <i>SourceElements</i> must be pushed
+ onto the <a href=#stack-of-script-settings-objects>stack of script settings objects</a> before the evaluation begins, and popped when the
evaluation ends (regardless of whether it's an abrupt completion or not).</p>
- <p>The <dfn id=entry-script>entry script</dfn> is the most-recently added <a href=#concept-script title=concept-script>script</a> in the <a href=#stack-of-incumbent-scripts>stack of incumbent scripts</a> that is
- labeled as a <a href=#candidate-entry-scripts title="candidate entry scripts">candidate entry script</a>. If the stack is
- empty, or has no entries labeled as such, then there is no <a href=#entry-script>entry script</a>. It is used
+<!--CLEANUP-->
+ <p>The <dfn id=entry-settings-object>entry settings object</dfn> is the most-recently added <a href=#script-settings-object>script settings object</a>
+ in the <a href=#stack-of-script-settings-objects>stack of script settings objects</a> that is
+ labeled as a <a href=#candidate-entry-settings-object>candidate entry settings object</a>. If the stack is
+ empty, or has no entries labeled as such, then there is no <a href=#entry-settings-object>entry settings object</a>. It is used
to obtain, amongst other things, the <a href=#api-base-url>API base URL</a> to <a href=#resolve-a-url title="resolve a
url">resolve</a> relative <a href=#url title=URL>URLs</a> used in scripts running in that
<a href=#unit-of-related-similar-origin-browsing-contexts>unit of related similar-origin browsing contexts</a>.</p>
- <p>The <dfn id=incumbent-script>incumbent script</dfn> is the <a href=#concept-script title=concept-script>script</a> in the
- <a href=#stack-of-incumbent-scripts>stack of incumbent scripts</a> that was most-recently added (i.e. the last one on the
- stack). If the stack is empty, then there is no <a href=#incumbent-script>incumbent script</a>. It is used in some
+<!--CLEANUP-->
+ <p>The <dfn id=incumbent-settings-object>incumbent settings object</dfn> is the <a href=#script-settings-object>script settings object</a> in the
+ <a href=#stack-of-script-settings-objects>stack of script settings objects</a> that was most-recently added (i.e. the last one on the
+ stack). If the stack is empty, then there is no <a href=#incumbent-settings-object>incumbent settings object</a>. It is used in some
security checks.</p>
<p class=note>The WebIDL specification also uses these algorithms. <a href=#refsWEBIDL>[WEBIDL]</a></p>
@@ -70697,10 +70657,11 @@
<ol><li><p>Let <var title="">task source</var> be the <a href=#task-source>task source</a> of the currently
running <a href=#concept-task title=concept-task>task</a>.</li>
- <li><p>Let <var title="">old stack of incumbent scripts</var> be a copy of the <a href=#stack-of-incumbent-scripts>stack of
- incumbent scripts</a>.</li>
+<!--CLEANUP-->
+ <li><p>Let <var title="">old stack of script settings objects</var> be a copy of the <a href=#stack-of-script-settings-objects>stack of
+ script settings objects</a>.</li>
- <li><p>Empty the <a href=#stack-of-incumbent-scripts>stack of incumbent scripts</a>.</li>
+ <li><p>Empty the <a href=#stack-of-script-settings-objects>stack of script settings objects</a>.</li>
<li><p><a href=#run-the-global-script-clean-up-jobs>Run the global script clean-up jobs</a>.</li>
@@ -70722,8 +70683,9 @@
source</a> <var title="">task source</var>. Wait until this task runs before continuing these
steps.</li>
- <li><p>Replace the <a href=#stack-of-incumbent-scripts>stack of incumbent scripts</a> with the <var title="">old stack of
- incumbent scripts</var>.</li>
+<!--CLEANUP-->
+ <li><p>Replace the <a href=#stack-of-script-settings-objects>stack of script settings objects</a> with the <var title="">old stack of
+ script settings objects</var>.</li>
<li><p>Return to the caller.</li>
@@ -71908,7 +71870,7 @@
<!--CLEANUP-->
<li><p>Change <a href="#the-document's-address">the document's address</a> to the <a href="#the-document's-address" title="the document's
address">address</a> of the <a href=#responsible-document>responsible document</a> specified by
- the <a href=#entry-script>entry script</a>'s <a href=#settings-object>settings object</a>.</li>
+ the <a href=#entry-settings-object>entry settings object</a>.</li>
<!-- <span>the document's referrer</span> stays the same -->
@@ -72692,9 +72654,10 @@
<ol><li>
+<!--CLEANUP-->
<p><a href=#resolve-a-url title="resolve a url">Resolve</a> <var title="">url</var> relative to the
<a href=#api-base-url>API base URL</a> specified by
- <a href=#entry-script>entry script</a>'s <a href=#settings-object>settings object</a>.</p>
+ the <a href=#entry-settings-object>entry settings object</a>.</p>
<p>If this fails, then throw a <code><a href=#syntaxerror>SyntaxError</a></code> exception and abort these steps.</p>
@@ -72725,16 +72688,17 @@
<!--CLEANUP-->
<p>If the <a href=#active-sandboxing-flag-set>active sandboxing flag set</a> of the <a href=#active-document>active document</a> of the
- <a href=#responsible-browsing-context>responsible browsing context</a> specified by the <a href=#incumbent-script>incumbent
- script</a>'s <a href=#settings-object>settings object</a> has its <a href=#sandboxed-auxiliary-navigation-browsing-context-flag>sandboxed auxiliary navigation browsing context flag</a> set,
+ <a href=#responsible-browsing-context>responsible browsing context</a> specified by the <a href=#incumbent-settings-object>incumbent
+ settings object</a> has its <a href=#sandboxed-auxiliary-navigation-browsing-context-flag>sandboxed auxiliary navigation browsing context flag</a> set,
then return the empty string and abort these steps.</p>
</li>
<li>
- <p>Let <var title="">incumbent origin</var> be the <a href=#effective-script-origin>effective script origin</a> of the
- <a href=#incumbent-script>incumbent script</a> at the time the <code title=dom-showModalDialog><a href=#dom-showmodaldialog>showModalDialog()</a></code> method was called.</p>
+<!--CLEANUP-->
+ <p>Let <var title="">incumbent origin</var> be the <a href=#effective-script-origin>effective script origin</a> specified by the
+ <a href=#incumbent-settings-object>incumbent settings object</a> at the time the <code title=dom-showModalDialog><a href=#dom-showmodaldialog>showModalDialog()</a></code> method was called.</p>
</li>
@@ -72782,8 +72746,8 @@
<!--CLEANUP-->
<p>Set all the flags in the new browsing context's <a href=#popup-sandboxing-flag-set>popup sandboxing flag set</a> that
are set in the <a href=#active-sandboxing-flag-set>active sandboxing flag set</a> of the <a href=#active-document>active document</a> of
- the <a href=#responsible-browsing-context>responsible browsing context</a> specified by the <a href=#incumbent-script>incumbent
- script</a>'s <a href=#settings-object>settings object</a>. The <a href=#responsible-browsing-context>responsible browsing context</a> specified by the <a href=#incumbent-script>incumbent script</a>'s <a href=#settings-object>settings object</a>
+ the <a href=#responsible-browsing-context>responsible browsing context</a> specified by the <a href=#incumbent-settings-object>incumbent
+ settings object</a>. The <a href=#responsible-browsing-context>responsible browsing context</a> specified by the <a href=#incumbent-settings-object>incumbent settings object</a>
must be set as the new browsing context's <a href=#one-permitted-sandboxed-navigator>one permitted sandboxed
navigator</a>.</p>
@@ -72819,7 +72783,7 @@
<p><a href=#navigate>Navigate</a><!--DONAV showModalDialog--> the new <a href=#browsing-context>browsing context</a> to
the <a href=#absolute-url>absolute URL</a> that resulted from <a href=#resolve-a-url title="resolve a url">resolving</a>
<var title="">url</var> earlier, with <a href=#replacement-enabled>replacement enabled</a>, and with the <a href=#responsible-browsing-context>responsible
- browsing context</a> specified by the <a href=#incumbent-script>incumbent script</a>'s <a href=#settings-object>settings object</a>
+ browsing context</a> specified by the <a href=#incumbent-settings-object>incumbent settings object</a>
as the <a href=#source-browsing-context>source browsing context</a>.</p>
</li>
@@ -73283,15 +73247,16 @@
<!--CLEANUP-->
<p>User agents must throw a <code><a href=#syntaxerror>SyntaxError</a></code> exception if <a href=#resolve-a-url title="resolve a
url">resolving</a> the <var title="">url</var> argument relative to the
- <a href=#api-base-url>API base URL</a> specified by the <a href=#entry-script>entry script</a>'s <a href=#settings-object>settings object</a> is not successful.</p>
+ <a href=#api-base-url>API base URL</a> specified by the <a href=#entry-settings-object>entry settings object</a> is not successful.</p>
<p class=note>The resulting <a href=#absolute-url>absolute URL</a> would by definition not be a <a href=#valid-url>valid
URL</a> as it would include the string "<code title="">%s</code>" which is not a valid
component in a URL.</p>
+<!--CLEANUP-->
<p>User agents must throw a <code><a href=#securityerror>SecurityError</a></code> exception if the resulting <a href=#absolute-url>absolute
- URL</a> has an <a href=#origin>origin</a> that differs from the <a href=#origin>origin</a> of the
- <a href=#entry-script>entry script</a>.</p>
+ URL</a> has an <a href=#origin>origin</a> that differs from the <a href=#origin>origin</a> specified by the
+ <a href=#entry-settings-object>entry settings object</a>.</p>
<p class=note>This is forcibly the case if the <code title="">%s</code> placeholder is in the
scheme, host, or port parts of the URL.</p>
@@ -73304,7 +73269,7 @@
literal string "<code title="">%s</code>" in the <var title="">url</var> argument with an
escaped version of the <a href=#absolute-url>absolute URL</a> of the content in question (as defined below),
then <a href=#resolve-a-url title="resolve a url">resolve</a> the resulting URL, relative to the <a href=#api-base-url>API
- base URL</a> specified by the <a href=#entry-script>entry script</a>'s <a href=#settings-object>settings object</a> at the time the <code title=dom-navigator-registerContentHandler><a href=#dom-navigator-registercontenthandler>registerContentHandler()</a></code> or <code title=dom-navigator-registerProtocolHandler><a href=#dom-navigator-registerprotocolhandler>registerProtocolHandler()</a></code> methods were
+ base URL</a> specified by the <a href=#entry-settings-object>entry settings object</a> at the time the <code title=dom-navigator-registerContentHandler><a href=#dom-navigator-registercontenthandler>registerContentHandler()</a></code> or <code title=dom-navigator-registerProtocolHandler><a href=#dom-navigator-registerprotocolhandler>registerProtocolHandler()</a></code> methods were
invoked, and then <a href=#navigate>navigate</a><!--DONAV user--> an appropriate <a href=#browsing-context>browsing
context</a> to the resulting URL using the GET method (<a href=#concept-http-equivalent-get title=concept-http-equivalent-get>or equivalent</a> for non-HTTP URLs).</p>
@@ -73514,13 +73479,14 @@
<!--CLEANUP-->
<li><p><a href=#resolve-a-url title="resolve a URL">Resolve</a> the string relative to the <a href=#api-base-url>API base URL</a>
- specified by the <a href=#entry-script>entry script</a>'s <a href=#settings-object>settings object</a>.</li>
+ specified by the <a href=#entry-settings-object>entry settings object</a>.</li>
<li><p>If this fails, then throw a <code><a href=#syntaxerror>SyntaxError</a></code> exception, aborting the
method.</li>
+<!--CLEANUP-->
<li><p>If the resulting <a href=#absolute-url>absolute URL</a>'s <a href=#origin>origin</a> is not the <a href=#same-origin>same
- origin</a> as that of the <a href=#entry-script>entry script</a>, throw a <code><a href=#securityerror>SecurityError</a></code>
+ origin</a> as the <a href=#origin>origin</a> specified by the <a href=#entry-settings-object>entry settings object</a>, throw a <code><a href=#securityerror>SecurityError</a></code>
exception, aborting the method.</li>
<li><p>Return the resulting <a href=#absolute-url>absolute URL</a> as the result of preprocessing the
@@ -74143,7 +74109,7 @@
<!--CLEANUP-->
<li><p><a href=#resolve-a-url title="resolve a url">Resolve</a> the value of the method's first argument
- relative to the <a href=#api-base-url>API base URL</a> specified by the <a href=#entry-script>entry script</a>'s <a href=#settings-object>settings object</a>.</li>
+ relative to the <a href=#api-base-url>API base URL</a> specified by the <a href=#entry-settings-object>entry settings object</a>.</li>
<li><p>If this fails, abort these steps.</li>
@@ -74159,15 +74125,17 @@
stub method that never returns a non-zero value, or may arbitrarily ignore invocations with
particular arguments for security, privacy, or usability reasons.</li>
- <li><p>If the <a href=#origin>origin</a> of the <a href=#entry-script>entry script</a> is an opaque identifier (i.e.
+<!--CLEANUP-->
+ <li><p>If the <a href=#origin>origin</a> specified by the <a href=#entry-settings-object>entry settings object</a> is an opaque identifier (i.e.
it has no host component), then return 0 and abort these steps.</li>
- <li><p>Let <var title="">host1</var> be the host component of the <a href=#origin>origin</a> of the
- <a href=#entry-script>entry script</a>.</li>
+<!--CLEANUP-->
+ <li><p>Let <var title="">host1</var> be the host component of the <a href=#origin>origin</a> specified by the
+ <a href=#entry-settings-object>entry settings object</a>.</li>
<!--CLEANUP-->
<li><p><a href=#resolve-a-url title="resolve a url">Resolve</a> the <var title="">scriptURL</var> argument
- relative to the <a href=#api-base-url>API base URL</a> specified by the <a href=#entry-script>entry script</a>'s <a href=#settings-object>settings
+ relative to the <a href=#api-base-url>API base URL</a> specified by the <a href=#entry-settings-object>entry settings
object</a>.</li>
<li><p>If this fails, return 0 and abort these steps.</li>
@@ -74312,8 +74280,9 @@
steps.</li>
<!--ADD-TOPIC:Security-->
+<!--CLEANUP-->
<li><p>If the <a href=#origin>origin</a> of the <code><a href=#the-img-element>img</a></code> element's image is not the <a href=#same-origin>same
- origin</a> as the <a href=#entry-script>entry script</a>'s <a href=#origin>origin</a>, then throw a
+ origin</a> as the <a href=#origin>origin</a> specified by the <a href=#entry-settings-object>entry settings object</a>, then throw a
<code><a href=#securityerror>SecurityError</a></code> exception and abort these steps.</li>
<!--REMOVE-TOPIC:Security-->
@@ -74350,8 +74319,9 @@
<code><a href=#invalidstateerror>InvalidStateError</a></code> exception and abort these steps.</li>
<!--ADD-TOPIC:Security-->
+<!--CLEANUP-->
<li><p>If the <a href=#origin>origin</a> of the <code><a href=#the-video-element>video</a></code> element is not the <a href=#same-origin>same
- origin</a> as the <a href=#entry-script>entry script</a>'s <a href=#origin>origin</a>, then throw a
+ origin</a> as the <a href=#origin>origin</a> specified by the <a href=#entry-settings-object>entry settings object</a>, then throw a
<code><a href=#securityerror>SecurityError</a></code> exception and abort these steps.</li>
<!--REMOVE-TOPIC:Security-->
@@ -78104,7 +78074,7 @@
<code>EventSource()</code> constructor is invoked, the UA must run these steps:</p>
<ol><!--CLEANUP--><li><p><a href=#resolve-a-url title="resolve a url">Resolve</a> the <a href=#url>URL</a> specified in the first
- argument, relative to the <a href=#api-base-url>API base URL</a> specified by the <a href=#entry-script>entry script</a>'s <a href=#settings-object>settings
+ argument, relative to the <a href=#api-base-url>API base URL</a> specified by the <a href=#entry-settings-object>entry settings
object</a>.
</li>
@@ -78126,8 +78096,8 @@
<!--CLEANUP-->
<p>Do a <a href=#potentially-cors-enabled-fetch>potentially CORS-enabled fetch</a><!--FETCH--> of the resulting <a href=#absolute-url>absolute
- URL</a> using the <a href=#api-referrer-source>API referrer source</a> specified by the <a href=#entry-script>entry script</a>'s <a href=#settings-object>settings
- object</a>, with the <i>mode</i> being <var title="">CORS mode</var>, and the <i title="">origin</i> being the <a href=#entry-script>entry script</a>'s <a href=#origin>origin</a><!--, and the
+ URL</a> using the <a href=#api-referrer-source>API referrer source</a> specified by the <a href=#entry-settings-object>entry settings
+ object</a>, with the <i>mode</i> being <var title="">CORS mode</var>, and the <i title="">origin</i> being the <a href=#origin>origin</a> specified by the <a href=#entry-settings-object>entry settings object</a><!--, and the
<i>default origin behaviour</i> set to <i>fail</i> (though it has no effect in the "Anonymous"
and "Use Credentials" modes)-->, and process the resource obtained in this fashion, if any, as
described below.</p>
@@ -78899,8 +78869,9 @@
<var title="">secure</var>. If this fails, throw a <code><a href=#syntaxerror>SyntaxError</a></code> exception and abort
these steps. <a href=#refsWSP>[WSP]</a></li>
- <li><p>If <var title="">secure</var> is false but the <a href=#origin>origin</a> of the <a href=#entry-script>entry
- script</a> has a scheme component that is itself a secure protocol, e.g. HTTPS, then throw a
+<!--CLEANUP-->
+ <li><p>If <var title="">secure</var> is false but the <a href=#origin>origin</a> specified by the <a href=#entry-settings-object>entry
+ settings object</a> has a scheme component that is itself a secure protocol, e.g. HTTPS, then throw a
<code><a href=#securityerror>SecurityError</a></code> exception and abort these steps.</li>
<li>
@@ -78930,8 +78901,9 @@
WebSocket protocol specification, then throw a <code><a href=#syntaxerror>SyntaxError</a></code> exception and abort these
steps. <a href=#refsWSP>[WSP]</a></li>
+<!--CLEANUP-->
<li><p>Let <var title="">origin</var> be the <a href=#ascii-serialization-of-an-origin title="ASCII serialization of an origin">ASCII
- serialization</a> of the <a href=#origin>origin</a> of the <a href=#entry-script>entry script</a>, <a href=#converted-to-ascii-lowercase>converted
+ serialization</a> of the <a href=#origin>origin</a> specified by the <a href=#entry-settings-object>entry settings object</a>, <a href=#converted-to-ascii-lowercase>converted
to ASCII lowercase</a>.</li>
<li><p>Return a new <code><a href=#websocket>WebSocket</a></code> object, but continue these steps
@@ -79796,7 +79768,7 @@
<!--CLEANUP-->
<p>If the <var title="">targetOrigin</var> argument is a single literal U+002F SOLIDUS character
(/), and the <code><a href=#document>Document</a></code> of the <code><a href=#window>Window</a></code> object on which the method was
- invoked does not have the <a href=#same-origin>same origin</a> as the <a href=#responsible-document>responsible document</a> specified by the <a href=#entry-script>entry script</a>'s <a href=#settings-object>settings
+ invoked does not have the <a href=#same-origin>same origin</a> as the <a href=#responsible-document>responsible document</a> specified by the <a href=#entry-settings-object>entry settings
object</a>, then abort these steps silently.</p>
<p>Otherwise, if the <var title="">targetOrigin</var> argument is an <a href=#absolute-url>absolute URL</a>,
@@ -79816,10 +79788,10 @@
<code><a href=#messageevent>MessageEvent</a></code> interface, with the event type <code title=event-message><a href=#event-message>message</a></code>, which does not bubble, is not cancelable, and has no
default action. The <code title=dom-MessageEvent-data><a href=#dom-messageevent-data>data</a></code> attribute must be
initialized to the value of <var title="">message clone</var>, the <code title=dom-MessageEvent-origin><a href=#dom-messageevent-origin>origin</a></code> attribute must be initialized to the <a href=#unicode-serialization-of-an-origin title="Unicode serialization of an origin">Unicode serialization</a> of the
- <a href=#origin>origin</a> of the <a href=#incumbent-script>incumbent script</a>, the <code title=dom-MessageEvent-source><a href=#dom-messageevent-source>source</a></code> attribute must be initialized to the
+ <a href=#origin>origin</a> specified by the <a href=#incumbent-settings-object>incumbent settings object</a>, the <code title=dom-MessageEvent-source><a href=#dom-messageevent-source>source</a></code> attribute must be initialized to the
<code><a href=#windowproxy>WindowProxy</a></code> object corresponding to the
<a href=#global-object>global object</a> (a <code><a href=#window>Window</a></code> object) specified by the
- <a href=#incumbent-script>incumbent script</a>'s <a href=#settings-object>settings object</a>,
+ <a href=#incumbent-settings-object>incumbent settings object</a>,
and the <code title=dom-MessageEvent-ports><a href=#dom-messageevent-ports>ports</a></code> attribute must be initialized to the <var title="">new ports</var> array.
</p>
<!-- invariant: the global object is always a Window if the script can see this method -->
@@ -80056,13 +80028,11 @@
called, it must run the following algorithm:</p>
<ol><!--CLEANUP--><li><p><a href=#create-a-new-messageport-object>Create a new <code>MessagePort</code> object</a> whose <a href=#concept-port-owner title=concept-port-owner>owner</a>
- is the <a href=#settings-object>settings object</a>
- of the <a href=#incumbent-script>incumbent script</a>, and let <var title="">port1</var> be that object.</li>
+ is the <a href=#incumbent-settings-object>incumbent settings object</a>, and let <var title="">port1</var> be that object.</li>
<!--CLEANUP-->
<li><p><a href=#create-a-new-messageport-object>Create a new <code>MessagePort</code> object</a> whose <a href=#concept-port-owner title=concept-port-owner>owner</a>
- is the <a href=#settings-object>settings object</a>
- of the <a href=#incumbent-script>incumbent script</a>, and let <var title="">port2</var> be that object.</li>
+ is the <a href=#incumbent-settings-object>incumbent settings object</a>, and let <var title="">port2</var> be that object.</li>
<li><p><a href=#entangle>Entangle</a> the <var title="">port1</var> and <var title="">port2</var>
objects.</li>
@@ -80394,7 +80364,7 @@
<li><p>Let <var title="">message</var> be the method's first argument.</p></li>
<li><p><span>Create a new <code>MessagePort</code> object</span> whose <span
- title="concept-port-owner">owner</span> is the <span>incumbent script</span>'s <span>settings
+ title="concept-port-owner">owner</span> is the <span>incumbent settings
object</span>, and let <var title="">port1</var> be that object.</p></li>
<li><p>If the <var title="">source port</var> is not entangled with another port, then return
@@ -81685,11 +81655,8 @@
<tbody><!-- v2-onclose <tr><td><dfn title="handler-WorkerGlobalScope-onclose"><code>onclose</code></dfn> <td> <code title="event-worker-close">close</code> --><tr><td><dfn id=handler-workerglobalscope-onerror title=handler-WorkerGlobalScope-onerror><code>onerror</code></dfn> <td> <code title=event-error>error</code>
<tr><td><dfn id=handler-workerglobalscope-onoffline title=handler-WorkerGlobalScope-onoffline><code>onoffline</code></dfn> <td> <code title=event-offline><a href=#event-offline>offline</a></code> <!-- new -->
<tr><td><dfn id=handler-workerglobalscope-ononline title=handler-WorkerGlobalScope-ononline><code>ononline</code></dfn> <td> <code title=event-online><a href=#event-online>online</a></code> <!-- new -->
- </table><hr><p>Each <code><a href=#workerglobalscope>WorkerGlobalScope</a></code> object has a <dfn id=worker-origin>worker origin</dfn> that is set when the
- object is created.</p>
-
- <p class=note>For <a href=#data-protocol title="data protocol"><code title="">data:</code> URLs</a>, this is
- the <a href=#origin>origin</a> of the <a href=#entry-script>entry script</a> when the constructor was called. For
+ </table><hr><!--CLEANUP--><p class=note>For <a href=#data-protocol title="data protocol"><code title="">data:</code> URLs</a>, this is
+ the <a href=#origin>origin</a> specified by the <a href=#entry-settings-object>entry settings object</a> when the constructor was called. For
other <a href=#url title=URL>URLs</a>, this is the <a href=#origin>origin</a> of the value of the
<a href=#absolute-url>absolute URL</a> given in the worker's <code title=dom-WorkerGlobalScope-location><a href=#dom-workerglobalscope-location></a></code> attribute.</p>
@@ -81858,8 +81825,7 @@
<h4 id=processing-model-7><span class=secno>10.2.4 </span>Processing model</h4>
<!--CLEANUP-->
- <p>When a user agent is to <dfn id=run-a-worker>run a worker</dfn> for a script with <a href=#url>URL</a> <var title="">url</var>, a <a href=#script-settings-object>script settings object</a> <var title="">settings object</var>,
- and an <a href=#origin>origin</a> <var title="">owner origin</var>, it
+ <p>When a user agent is to <dfn id=run-a-worker>run a worker</dfn> for a script with <a href=#url>URL</a> <var title="">url</var> and a <a href=#script-settings-object>script settings object</a> <var title="">settings object</var>, it
must run the following steps:</p>
<ol><li id=worker-processing-model-top>
@@ -81886,9 +81852,11 @@
<li>
+<!--CLEANUP-->
<p>Attempt to <a href=#fetch>fetch</a><!--FETCH--> the resource identified by <var title="">url</var>,
- from the <var title="">owner origin</var>, using the <a href=#responsible-document>responsible document</a> specified by <var title="">settings object</var> as the
- <a href=#referrer-source>referrer source</a> (not the specified <a href=#api-referrer-source>API referrer source</a>!), with the <i>synchronous flag</i> set and the <i>force same-origin
+ from the <a href=#origin>origin</a> specified
+ by <var title="">settings object</var>, using the <a href=#responsible-document>responsible document</a> specified by <var title="">settings object</var> as the
+ <a href=#referrer-source>referrer source</a> (not the specified <a href=#api-referrer-source>API referrer source</a>!), and with the <i>synchronous flag</i> set and the <i>force same-origin
flag</i> set.</p> <!-- not http-origin privacy sensitive (looking forward to CORS) -->
<p>If the attempt fails, then for each <code><a href=#worker>Worker</a></code> or <code><a href=#sharedworker>SharedWorker</a></code> object
@@ -82128,14 +82096,18 @@
<p>When the user agent is required to <dfn id=set-up-a-worker-script-settings-object>set up a worker script settings object</dfn>, given a
<var title="">worker global scope</var>, it must run the following steps:</p>
- <ol><li><p>Let <var title="">inherited responsible browsing context</var> be the <a href=#responsible-browsing-context>responsible
- browsing context</a> specified by the <a href=#incumbent-script>incumbent script</a>'s <a href=#settings-object>settings
+ <ol><!--CLEANUP--><li><p>Let <var title="">inherited responsible browsing context</var> be the <a href=#responsible-browsing-context>responsible
+ browsing context</a> specified by the <a href=#incumbent-settings-object>incumbent settings
object</a>.</li>
+<!--CLEANUP-->
<li><p>Let <var title="">inherited responsible document</var> be the <a href=#responsible-document>responsible
- document</a> specified by the <a href=#incumbent-script>incumbent script</a>'s <a href=#settings-object>settings
+ document</a> specified by the <a href=#incumbent-settings-object>incumbent settings
object</a>.</li>
+ <li><p>Let <var title="">inherited origin</var> be the <a href=#origin>origin</a> specified by the
+ <a href=#incumbent-settings-object>incumbent settings object</a>.</li>
+
<li><p>Let <var title="">worker event loop</var> be a newly created <a href=#event-loop>event
loop</a>.</li>
@@ -82209,6 +82181,13 @@
</dd>
+ <dt>The <a href=#origin>origin</a> and <a href=#effective-script-origin>effective script origin</a></dt>
+ <dd>
+
+ <p>Return <var title="">inherited origin</var>.</p>
+
+ </dd>
+
</dl></li>
<li><p>Return <var title="">settings object</var>.</li>
@@ -82271,7 +82250,7 @@
<!--CLEANUP-->
<li><p><a href=#resolve-a-url title="resolve a url">Resolve</a> the <var title="">scriptURL</var> argument
- relative to the <a href=#api-base-url>API base URL</a> specified by the <a href=#entry-script>entry script</a>'s <a href=#settings-object>settings object</a> when
+ relative to the <a href=#api-base-url>API base URL</a> specified by the <a href=#entry-settings-object>entry settings object</a> when
the method was invoked.</li>
<li><p>If this fails, throw a <code><a href=#syntaxerror>SyntaxError</a></code> exception and abort these steps.</li>
@@ -82284,7 +82263,7 @@
<p>If the <a href=#concept-url-scheme title=concept-url-scheme>scheme</a> component of <var title="">worker URL</var>
is not "<code title=data-protocol>data</code>", and the <a href=#origin>origin</a> of <var title="">worker URL</var>
is not the <a href=#same-origin title="same origin">same</a> as the
- origin of the <a href=#entry-script>entry script</a>, then throw a <code><a href=#securityerror>SecurityError</a></code> exception and
+ <a href=#origin>origin</a> specified by the <a href=#incumbent-settings-object>incumbent settings object</a>, then throw a <code><a href=#securityerror>SecurityError</a></code> exception and
abort these steps.</p>
<p class=note>Thus, scripts must either be external files with the same scheme, host, and port
@@ -82294,8 +82273,8 @@
</li>
- <li><p>Create a new <code><a href=#dedicatedworkerglobalscope>DedicatedWorkerGlobalScope</a></code> object whose <a href=#worker-origin>worker
- origin</a> is the origin of the <a href=#entry-script>entry script</a>. Let <var title="">worker global
+<!--CLEANUP-->
+ <li><p>Create a new <code><a href=#dedicatedworkerglobalscope>DedicatedWorkerGlobalScope</a></code> object. Let <var title="">worker global
scope</var> be this new object.</li>
<li><p><a href=#set-up-a-worker-script-settings-object>Set up a worker script settings object</a> with <var title="">worker global
@@ -82306,7 +82285,7 @@
<!--CLEANUP-->
<li><p><a href=#create-a-new-messageport-object>Create a new <code>MessagePort</code> object</a> whose <a href=#concept-port-owner title=concept-port-owner>owner</a>
- is the <a href=#settings-object>settings object</a> of the <a href=#incumbent-script>incumbent script</a>. Let
+ is the <a href=#incumbent-settings-object>incumbent settings object</a>. Let
this be the <var title="">outside port</var>.</li>
<li><p>Associate the <var title="">outside port</var> with <var title="">worker</var>.</li>
@@ -82333,8 +82312,7 @@
<!--CLEANUP-->
<p>Let <var title="">docs</var> be the <a href=#list-of-relevant-document-objects-to-add>list of relevant <code>Document</code> objects to
- add</a> given the <a href=#settings-object>settings object</a> of the
- <a href=#incumbent-script>incumbent script</a>.</p>
+ add</a> given the <a href=#incumbent-settings-object>incumbent settings object</a>.</p>
</li>
@@ -82349,19 +82327,18 @@
<li>
<!--CLEANUP-->
- <p>If the <a href=#global-object>global object</a> specified by the <a href=#incumbent-script>incumbent
- script</a>'s <a href=#settings-object>settings object</a> is a <code><a href=#workerglobalscope>WorkerGlobalScope</a></code> object (i.e. we are creating a nested worker),
+ <p>If the <a href=#global-object>global object</a> specified by the <a href=#incumbent-settings-object>incumbent
+ settings object</a> is a <code><a href=#workerglobalscope>WorkerGlobalScope</a></code> object (i.e. we are creating a nested worker),
add <var title="">worker global scope</var> to the list of <a href="#the-worker's-workers">the worker's workers</a> of
- the <code><a href=#workerglobalscope>WorkerGlobalScope</a></code> object that is the <a href=#global-object>global object</a> of the <a href=#incumbent-script>incumbent script</a>'s <a href=#settings-object>settings object</a>.</p>
+ the <code><a href=#workerglobalscope>WorkerGlobalScope</a></code> object that is the <a href=#global-object>global object</a> specified by the <a href=#incumbent-settings-object>incumbent settings object</a>.</p>
</li>
<li>
+<!--CLEANUP-->
<p><a href=#run-a-worker>Run a worker</a> for the script with <a href=#url>URL</a> <var title="">worker
- URL</var>, the <a href=#script-settings-object>script settings object</a> <var title="">settings object</var>, and the
- <a href=#origin>origin</a> of the <a href=#entry-script>entry script</a> as the <var title="">owner
- origin</var>.</p>
+ URL</var> and the <a href=#script-settings-object>script settings object</a> <var title="">settings object</var>.</p>
</li>
@@ -82396,10 +82373,11 @@
<li>
+<!--CLEANUP-->
<p>If the <a href=#concept-url-scheme title=concept-url-scheme>scheme</a> component of <var title="">parsed
scriptURL</var> is not "<code title=data-protocol>data</code>", and the <a href=#origin>origin</a> of
- <var title="">scriptURL</var> is not the <a href=#same-origin title="same origin">same</a> as the origin of
- the <a href=#entry-script>entry script</a>, then throw a <code><a href=#securityerror>SecurityError</a></code> exception and abort these
+ <var title="">scriptURL</var> is not the <a href=#same-origin title="same origin">same</a> as the <a href=#origin>origin</a> specified by
+ the <a href=#incumbent-settings-object>incumbent settings object</a>, then throw a <code><a href=#securityerror>SecurityError</a></code> exception and abort these
steps.</p>
<p class=note>Thus, scripts must either be external files with the same scheme, host, and port
@@ -82412,8 +82390,7 @@
<li>
<p>Let <var title="">docs</var> be the <a href=#list-of-relevant-document-objects-to-add>list of relevant <code>Document</code> objects to
- add</a> given the <a href=#settings-object>settings object</a> of the
- <a href=#incumbent-script>incumbent script</a>.</p>
+ add</a> given the <a href=#incumbent-settings-object>incumbent settings object</a>.</p>
</li>
@@ -82426,7 +82403,7 @@
<!--CLEANUP-->
<li><p><a href=#create-a-new-messageport-object>Create a new <code>MessagePort</code> object</a> whose <a href=#concept-port-owner title=concept-port-owner>owner</a>
- is the <a href=#settings-object>settings object</a> of the <a href=#incumbent-script>incumbent script</a>. Let
+ is the <a href=#incumbent-settings-object>incumbent settings object</a>. Let
this be the <var title="">outside port</var>.</li>
<li><p>Assign <var title="">outside port</var> to the <code title=dom-SharedWorker-port><a href=#dom-sharedworker-port>port</a></code> attribute of <var title="">worker</var>.</li>
@@ -82435,8 +82412,11 @@
<li>
+<!--CLEANUP-->
<p>If <var title="">name</var> is not the empty string and there exists a
- <code><a href=#sharedworkerglobalscope>SharedWorkerGlobalScope</a></code> object whose <a href=#dom-workerglobalscope-closing title=dom-WorkerGlobalScope-closing>closing</a> flag is false, whose <code title=dom-WorkerGlobalScope-name>name</code> attribute is exactly equal to <var title="">name</var>, and whose <a href=#worker-origin>worker origin</a> is the <a href=#same-origin>same origin</a> as
+ <code><a href=#sharedworkerglobalscope>SharedWorkerGlobalScope</a></code> object whose <a href=#dom-workerglobalscope-closing title=dom-WorkerGlobalScope-closing>closing</a> flag is false, whose <code title=dom-WorkerGlobalScope-name>name</code> attribute is exactly equal to <var title="">name</var>, and that is the <a href=#global-object>global object</a> specified by a
+ <a href=#script-settings-object>script settings object</a> that specifies as its <a href=#origin>origin</a> the
+ <a href=#same-origin>same origin</a> as the <a href=#origin>origin</a> of
<var title="">scriptURL</var>, then let <var title="">worker global scope</var> be that
<code><a href=#sharedworkerglobalscope>SharedWorkerGlobalScope</a></code> object.</p>
@@ -82448,9 +82428,11 @@
<li>
+<!--CLEANUP-->
<p>If <var title="">worker global scope</var> is not null, but the user agent has been
- configured to disallow communication between the <a href=#incumbent-script>incumbent script</a> and the worker
- represented by the <var title="">worker global scope</var>, then set <var title="">worker
+ configured to disallow communication between the worker
+ represented by the <var title="">worker global scope</var> and the <a href=#concept-script title=concept-script>scripts</a>
+ whose <a href=#settings-object title="settings object">settings objects</a> are the <a href=#incumbent-settings-object>incumbent settings object</a>, then set <var title="">worker
global scope</var> to null.</p>
<p class=note>For example, a user agent could have a development mode that isolates a
@@ -82501,11 +82483,11 @@
<li>
<!--CLEANUP-->
- <p>If the <a href=#global-object>global object</a> specified by the <a href=#incumbent-script>incumbent
- script</a>'s <a href=#settings-object>settings object</a> is a <code><a href=#workerglobalscope>WorkerGlobalScope</a></code> object, add <var title="">worker global
+ <p>If the <a href=#global-object>global object</a> specified by the <a href=#incumbent-settings-object>incumbent
+ settings object</a> is a <code><a href=#workerglobalscope>WorkerGlobalScope</a></code> object, add <var title="">worker global
scope</var> to the list of <a href="#the-worker's-workers">the worker's workers</a> of the
<code><a href=#workerglobalscope>WorkerGlobalScope</a></code> object that is the <a href=#global-object>global
- object</a> specified by the <a href=#incumbent-script>incumbent script</a>'s <a href=#settings-object>settings object</a>.</p>
+ object</a> specified by the <a href=#incumbent-settings-object>incumbent settings object</a>.</p>
</li>
@@ -82515,8 +82497,8 @@
<!-- OTHERWISE: -->
- <li><p>Create a new <code><a href=#sharedworkerglobalscope>SharedWorkerGlobalScope</a></code> object whose <a href=#worker-origin>worker
- origin</a> is the origin of the <a href=#entry-script>entry script</a>. Let <var title="">worker global
+<!--CLEANUP-->
+ <li><p>Create a new <code><a href=#sharedworkerglobalscope>SharedWorkerGlobalScope</a></code> object. Let <var title="">worker global
scope</var> be this new object.</li>
<li><p><a href=#set-up-a-worker-script-settings-object>Set up a worker script settings object</a> with <var title="">worker global
@@ -82558,17 +82540,18 @@
<li>
<!--CLEANUP-->
- <p>If the <a href=#global-object>global object</a> specified by the <a href=#settings-object>settings object</a> of the <a href=#incumbent-script>incumbent
- script</a> is a <code><a href=#workerglobalscope>WorkerGlobalScope</a></code> object, add <var title="">worker global scope</var> to the list of <a href="#the-worker's-workers">the worker's workers</a> of the
+ <p>If the <a href=#global-object>global object</a> specified by the <a href=#incumbent-settings-object>incumbent settings object</a>
+ is a <code><a href=#workerglobalscope>WorkerGlobalScope</a></code> object, add <var title="">worker global scope</var> to the list of <a href="#the-worker's-workers">the worker's workers</a> of the
<code><a href=#workerglobalscope>WorkerGlobalScope</a></code> object that is the <a href=#global-object>global
- object</a> specified by the <a href=#incumbent-script>incumbent script</a>'s <a href=#settings-object>settings object</a>.</p>
+ object</a> specified by the <a href=#incumbent-settings-object>incumbent settings object</a>.</p>
</li>
<li>
- <p><a href=#run-a-worker>Run a worker</a> for the script with <a href=#url>URL</a> <var title="">scriptURL</var>, the <a href=#script-settings-object>script settings object</a> <var title="">settings
- object</var>, and the <a href=#origin>origin</a> of the <a href=#entry-script>entry script</a> as the <var title="">owner origin</var>.</p>
+<!--CLEANUP-->
+ <p><a href=#run-a-worker>Run a worker</a> for the script with <a href=#url>URL</a> <var title="">scriptURL</var> and the <a href=#script-settings-object>script settings object</a> <var title="">settings
+ object</var>.</p>
</li>
@@ -82599,8 +82582,9 @@
<ol><li><p>If there are no arguments, return without doing anything. Abort these steps.</li>
- <li><p>Let <var title="">settings object</var> be the <a href=#script-settings-object>script settings object</a> of the
- <a href=#incumbent-script>incumbent script</a>.</li>
+<!--CLEANUP-->
+ <li><p>Let <var title="">settings object</var> be the
+ <a href=#incumbent-settings-object>incumbent settings object</a>.</li>
<li><p><a href=#resolve-a-url title="resolve a url">Resolve</a> each argument.</li>
@@ -82609,8 +82593,8 @@
<li>
<!--CLEANUP-->
- <p>Attempt to <a href=#fetch>fetch</a><!--FETCH--> each resource identified by the resulting <a href=#absolute-url title="absolute URL">absolute URLs</a>, from the <a href=#entry-script>entry script</a>'s
- <a href=#origin>origin</a>, using the <a href=#api-referrer-source>API referrer source</a> specified by <var title="">settings
+ <p>Attempt to <a href=#fetch>fetch</a><!--FETCH--> each resource identified by the resulting <a href=#absolute-url title="absolute URL">absolute URLs</a>, from the <a href=#origin>origin</a> specified by <var title="">settings object</var>,
+ using the <a href=#api-referrer-source>API referrer source</a> specified by <var title="">settings
object</var>, and with the <i>synchronous flag</i> set.</p> <!-- not
http-origin privacy sensitive -->
@@ -82644,8 +82628,9 @@
<a href=#url>URL</a> from which <var title="">source</var> was obtained, <var title="">language</var> as the scripting language, and <var title="">settings object</var> as
the <a href=#script-settings-object>script settings object</a>.</p>
+<!--CLEANUP-->
<p>If the script came from a resource whose <a href=#url>URL</a> does not have the <a href=#same-origin>same
- origin</a> as the <a href=#worker-origin>worker origin</a>, then pass the <var title="">muted
+ origin</a> as the <a href=#origin>origin</a> specified by the <a href=#incumbent-settings-object>incumbent settings object</a>, then pass the <var title="">muted
errors</var> flag to the <a href=#create-a-script>create a script</a> algorithm as well.</p>
<p>Let the newly created <a href=#concept-script title=concept-script>script</a> run until it either
@@ -82655,9 +82640,9 @@
<p>If it failed to parse, then throw an ECMAScript <code title=js-SyntaxError><a href=#js-syntaxerror>SyntaxError</a></code> exception and abort all these steps. <a href=#refsECMA262>[ECMA262]</a></p>
+<!--CLEANUP-->
<p>If an exception was thrown or if the script was prematurely aborted, then abort all these
- steps, letting the exception or aborting continue to be processed by the <a href=#incumbent-script>incumbent
- script</a>.</p>
+ steps, letting the exception or aborting continue to be processed by the calling <a href=#concept-script title=concept-script>script</a>.</p>
<p>If the "<a href=#kill-a-worker>kill a worker</a>" or "<a href=#terminate-a-worker>terminate a worker</a>" algorithms abort
the script then abort all these steps.</p>
Modified: source
===================================================================
--- source 2013-11-07 22:41:52 UTC (rev 8261)
+++ source 2013-11-08 23:21:01 UTC (rev 8262)
@@ -8131,12 +8131,14 @@
<!--ADD-TOPIC:Security-->
<h4 id="security-document">Security</h4>
+<!--CLEANUP-->
<p id="security">User agents must throw a <code>SecurityError</code> exception whenever any
- properties of a <code>Document</code> object are accessed when the <span>incumbent script</span>
- has an <span>effective script origin</span> that is not the <span data-x="same origin">same</span>
+ properties of a <code>Document</code> object are accessed when the <span>incumbent settings object</span>
+ specifies an <span>effective script origin</span> that is not the <span data-x="same origin">same</span>
as the <code>Document</code>'s <span>effective script origin</span>.</p>
- <p>When the <span>incumbent script</span>'s <span>effective script origin</span> is different than
+<!--CLEANUP-->
+ <p>When the <span>incumbent settings object</span> specifies an <span>effective script origin</span> that is different than
a <code>Document</code> object's <span>effective script origin</span>, the user agent must act as
if <!--(redundant since you can't access any anyway) any changes to that <code>Document</code>
object's properties, getters, setters, etc, were not present, and as if--> all the properties of
@@ -8873,7 +8875,7 @@
<!--CLEANUP-->
<li><p><span data-x="resolve a url">Resolve</span> the method's first argument, relative to the
<span>API base URL</span> specified by the
- <span>entry script</span>'s <span>settings object</span>. If this is not
+ <span>entry settings object</span>. If this is not
successful, throw a <code>SyntaxError</code> exception and abort these steps. Otherwise, let <var
data-x="">url</var> be the resulting <span>absolute URL</span>.</p></li>
@@ -8902,8 +8904,8 @@
<!--CLEANUP-->
<li><p><span>Fetch</span><!--FETCH--> <var data-x="">url</var> from the <span>origin</span> of
- <var data-x="">document</var>, using the <span>API referrer source</span> specified by the <span>entry script</span>'s
- <span>settings object</span>, with the <i data-x="">synchronous flag</i> set and the <i
+ <var data-x="">document</var>, using the <span>API referrer source</span> specified by the <span>entry
+ settings object</span>, with the <i data-x="">synchronous flag</i> set and the <i
data-x="">force same-origin flag</i> set.</p></li>
<li>
@@ -18198,7 +18200,8 @@
<ol>
- <li><p>If there is an <span>entry script</span>, throw an <code>InvalidAccessError</code> exception.</p></li>
+ <li><p>If there is an <span>entry settings object</span>, throw an
+ <code>InvalidAccessError</code> exception.</p></li>
<li><p>Abort these steps without following the hyperlink.</p></li>
@@ -33873,7 +33876,8 @@
<ol>
- <li><p>If there is an <span>entry script</span>, throw an <code>InvalidAccessError</code>
+<!--CLEANUP-->
+ <li><p>If there is an <span>entry settings object</span>, throw an <code>InvalidAccessError</code>
exception.</p></li>
<li><p>Abort these steps without following the hyperlink.</p></li>
@@ -61846,9 +61850,10 @@
object's bitmap image data must be used as the source image.</p>
<!--ADD-TOPIC:Security-->
+<!--CLEANUP-->
<p><dfn>The <var data-x="">image argument</var> is not origin-clean</dfn> if it is an
<code>HTMLImageElement</code> or <code>HTMLVideoElement</code> whose <span>origin</span> is not
- the <span data-x="same origin">same</span> as the <span>entry script</span>'s <span>origin</span>,
+ the <span data-x="same origin">same</span> as the <span>origin</span> specified by the <span>entry settings object</span>,
or if it is an <code>HTMLCanvasElement</code> whose bitmap's <span
data-x="concept-canvas-origin-clean">origin-clean</span> flag is false, or if it is a
<code>CanvasRenderingContext2D</code> object whose <span>scratch bitmap</span>'s <span
@@ -62465,9 +62470,10 @@
</li>
<!--ADD-TOPIC:Security-->
+<!--CLEANUP-->
<li><p>If the <span>text preparation algorithm</span> used a font that has an <span>origin</span>
- that is not the <span data-x="same origin">same</span> as the <span>entry script</span>'s
- <span>origin</span> (even if "using a font" means just checking if that font has a particular
+ that is not the <span data-x="same origin">same</span> as the
+ <span>origin</span> specified by the <span>entry settings object</span> (even if "using a font" means just checking if that font has a particular
glyph in it before falling back to another font), then set the <span>scratch bitmap</span>'s
<span data-x="concept-canvas-origin-clean">origin-clean</span> flag to false.</p></li> <!--
because fonts could consider sensitive material, I guess; and because that sensitivity could
@@ -70796,9 +70802,10 @@
<li><p>If <var data-x="">d</var> is not a <code>Document</code> in a <span>nested browsing
context</span>, return null and abort these steps.</p></li>
+<!--CLEANUP-->
<li><p>If the <span>browsing context container</span>'s <code>Document</code> does not have the
- <span data-x="same origin">same</span> <span>effective script origin</span> as the <span>entry
- script</span>, then throw a <code>SecurityError</code> exception and abort these steps.</p></li>
+ <span data-x="same origin">same</span> <span>effective script origin</span> as the <span>effective script origin</span> specified by the <span>entry
+ settings object</span>, then throw a <code>SecurityError</code> exception and abort these steps.</p></li>
<li><p>Return the <span>browsing context container</span> for <var data-x="">b</var>.</p></li>
@@ -71505,8 +71512,9 @@
how cross-origin cross-global access to <code>Window</code> and <code>Location</code> objects
should work. See <a href="https://www.w3.org/Bugs/Public/show_bug.cgi?id=20701">bug 20701</a>.</p>
+<!--CLEANUP-->
<p id="security-2">User agents must throw a <code>SecurityError</code> exception whenever any
- properties of a <code>Window</code> object are accessed when the <span>incumbent script</span> has
+ properties of a <code>Window</code> object are accessed when the <span>incumbent settings object</span> specifies
an <span>effective script origin</span> that is not the <span data-x="same origin">same</span> as
<span data-x="concept-document-window">the <code>Window</code> object's
<code>Document</code></span>'s <span>effective script origin</span>, with the following
@@ -71542,7 +71550,8 @@
</ul>
- <p>When the <span>incumbent script</span>'s <span>effective script origin</span> is different than
+<!--CLEANUP-->
+ <p>When the <span>incumbent settings object</span> specifies an <span>effective script origin</span> that is different than
a <span data-x="concept-document-window"><code>Window</code> object's
<code>Document</code></span>'s <span>effective script origin</span>, the user agent must act as if
any changes to that <code>Window</code> object's properties, getters, setters, etc, were not
@@ -71639,7 +71648,7 @@
page to load in the browsing context. If the first argument is the empty string, then the <var
data-x="">url</var> argument must be interpreted as "<code>about:blank</code>". Otherwise, the
argument must be <span data-x="resolve a url">resolved</span> to an <span>absolute URL</span> (or
- an error), relative to the <span>API base URL</span> specified by the <span>entry script</span>'s <span>settings
+ an error), relative to the <span>API base URL</span> specified by the <span>entry settings
object</span> when the method was invoked.</p>
<p>The second argument, <var data-x="">target</var>, specifies the <span data-x="browsing context
@@ -71683,7 +71692,7 @@
context</span> was just created as part of <span>the rules for choosing a browsing context given a
browsing context name</span>, then <span data-x="replacement enabled">replacement must be
enabled</span>. The navigation must be done with the <span>responsible
- browsing context</span> specified by the <span>incumbent script</span>'s <span>settings object</span> as the <span>source browsing
+ browsing context</span> specified by the <span>incumbent settings object</span> as the <span>source browsing
context</span>. If the <span>resolve a URL</span> algorithm failed, then the user agent may either
instead <span>navigate</span> to an inline error page, using the same replacement behavior and
source browsing context behavior as described earlier in this paragraph; or treat the <var
@@ -71725,13 +71734,13 @@
<!--CLEANUP-->
<li>The <span>responsible browsing context</span> specified by the <span>incumbent
- script</span>'s <span>settings object</span> is <span>familiar
+ settings object</span> is <span>familiar
with</span> the <span>browsing context</span> <var
data-x="">A</var>.</li>
<!--CLEANUP-->
<li id="sandboxClose">The <span>responsible browsing context</span> specified by the
- <span>incumbent script</span>'s <span>settings object</span>
+ <span>incumbent settings object</span>
is <span>allowed to navigate</span> the <span>browsing
context</span> <var data-x="">A</var>.</li>
@@ -71788,8 +71797,7 @@
elements that are <span data-x="in a document">in the <code>Document</code></span> that is the
<span>active document</span> of that <code>Window</code> object, if that <code>Window</code>'s
<span>browsing context</span> shares the same <span>event loop</span> as the <span>responsible
- document</span> specified by the <span>settings object</span> of the
- <span>entry script</span> accessing the IDL attribute; otherwise,
+ document</span> specified by the <span>entry settings object</span> accessing the IDL attribute; otherwise,
it must return zero.</p>
<!-- in other words, frames are only accessible to same-thread processes -->
@@ -72291,14 +72299,14 @@
<dd>
<p>The <span>origin</span> is an <span data-x="concept-origin-alias">alias</span> to the
- <span>origin</span> of the <span>incumbent script</span> when the <span>navigate</span>
+ <span>origin</span> specified by the <span>incumbent settings object</span> when the <span>navigate</span>
algorithm was invoked, or, if no <span data-x="concept-script">script</span> was involved, of
the <code>Document</code> of the element that initiated the <span
data-x="navigate">navigation</span> to that <span>URL</span>.</p>
<p>The <span>effective script origin</span> is initially an <span
data-x="concept-origin-alias">alias</span> to the <span>effective script origin</span> of that
- same <span data-x="concept-script">script</span> or <code>Document</code>.</p>
+ same <span>script settings object</span> or <code>Document</code>.</p>
</dd>
@@ -72433,93 +72441,11 @@
</dd>
-
- <dt>For scripts</dt>
-
- <dd>
-
- <p>The <span>origin</span> and <span>effective script origin</span> of a script are determined
- from another resource, called the <i>owner</i>:</p>
-
- <dl class="switch">
-
- <dt>If a script is in a <code>script</code> element</dt>
-
- <dd>The owner is the <code>Document</code> to which the <code>script</code> element
- belongs.</dd>
-
-
- <dt>If a script is in an <span data-x="event handler content attributes">event handler content
- attribute</span></dt>
-
- <dd>The owner is the <code>Document</code> to which the attribute node belongs.</dd>
-
-
- <dt>If a script is a function or other code reference created by another script</dt>
-
- <dd>The owner is the <span>incumbent script</span> when the function or other code reference
- was created.</dd>
-
-
- <dt>If a script is a <span data-x="javascript protocol"><code data-x="">javascript:</code>
- URL</span> that was returned as the location of an HTTP redirect (<span
- data-x="concept-http-equivalent-codes">or equivalent</span> in other protocols)</dt>
-
- <dd>The owner is the <span>URL</span> that redirected to the <span data-x="javascript
- protocol"><code data-x="">javascript:</code> URL</span>.</dd>
-
-
- <dt>If a script is a <span data-x="javascript protocol"><code data-x="">javascript:</code>
- URL</span> in an attribute</dt>
-
- <dd>The owner is the <code>Document</code> of the element on which the attribute is found.</dd>
-
-
- <dt>If a script is a <span data-x="javascript protocol"><code data-x="">javascript:</code>
- URL</span> in a style sheet</dt>
-
- <dd>The owner is the <span>URL</span> of the style sheet.</dd>
-
-
- <dt>If a script is a <span data-x="javascript protocol"><code data-x="">javascript:</code>
- URL</span> to which a <span>browsing context</span> is being <span
- data-x="navigate">navigated</span>, the URL having been provided by the user (e.g. by using a
- <i>bookmarklet</i>)</dt>
-
- <dd>The owner is the <code>Document</code> of the <span>browsing context</span>'s <span>active
- document</span>.</dd>
-
-
- <dt>If a script is a <span data-x="javascript protocol"><code data-x="">javascript:</code>
- URL</span> to which a <span>browsing context</span> is being <span
- data-x="navigate">navigated</span>, the URL having been declared in markup</dt>
-
- <dd>The owner is the <code>Document</code> of the element (e.g. an <code>a</code> or
- <code>area</code> element) that declared the URL.</dd>
-
-
- <dt>If a script is a <span data-x="javascript protocol"><code data-x="">javascript:</code>
- URL</span> to which a <span>browsing context</span> is being <span
- data-x="navigate">navigated</span>, the URL having been provided by script</dt>
-
- <dd>The owner is the <span>incumbent script</span> when the <span>navigate</span> algorithm was
- invoked.</dd>
-
- </dl>
-
- <p>The <span>origin</span> of the script is then an <span
- data-x="concept-origin-alias">alias</span> to the <span>origin</span> of the owner, and the
- <span>effective script origin</span> of the script is an <span
- data-x="concept-origin-alias">alias</span> to the <span>effective script origin</span> of the
- owner.</p>
-
- </dd>
-
</dl>
<p>Other specifications can override the above definitions by themselves specifying the origin of
- a particular <span>URL</span>, <code>Document</code>, image, <span>media element</span>, font, or
- <span data-x="concept-script">script</span>.</p>
+ a particular <span>URL</span>, <code>Document</code>, image, <span>media element</span>, or
+ font.</p>
<!-- e.g.:
@@ -73484,7 +73410,7 @@
<!--CLEANUP-->
<li><span data-x="resolve a url">Resolve</span> the value of the third argument, relative to the
<span>API base URL</span> specified by the
- <span>entry script</span>'s <span>settings object</span>.</li>
+ <span>entry settings object</span>.</li>
<li>If that fails, throw a <code>SecurityError</code> exception and abort these steps.</li>
@@ -73497,8 +73423,8 @@
<!--CLEANUP-->
<li>If the <span>origin</span> of the resulting <span>absolute URL</span> is not the same as
- the <span>origin</span> of the <span>responsible document</span> specified by the <span>entry script</span>'s
- <span>settings object</span>, and either the <span data-x="concept-url-path">path</span> or <span
+ the <span>origin</span> of the <span>responsible document</span> specified by the <span>entry
+ settings object</span>, and either the <span data-x="concept-url-path">path</span> or <span
data-x="concept-url-query">query</span> components of the two <span data-x="parsed URL">parsed
URLs</span> compared in the previous step differ, throw a <code>SecurityError</code> exception
and abort these steps. (This prevents sandboxed content from spoofing other pages on the same
@@ -73783,7 +73709,7 @@
<!--CLEANUP-->
<p>When the <dfn data-x="dom-location-assign"><code>assign(<var data-x="">url</var>)</code></dfn>
method is invoked, the UA must <span data-x="resolve a url">resolve</span> the argument, relative
- to the <span>API base URL</span> specified by the <span>entry script</span>'s <span>settings object</span>, and if that is
+ to the <span>API base URL</span> specified by the <span>entry settings object</span>, and if that is
successful, must <span>navigate</span><!--DONAV location.href/assign--> the <span>browsing
context</span> to the specified <var data-x="">url</var>. If the <span>browsing context</span>'s
<span>session history</span> contains only one <code>Document</code>, and that was the
@@ -73796,14 +73722,14 @@
<!--CLEANUP-->
<p>When the <dfn data-x="dom-location-replace"><code>replace(<var data-x="">url</var>)</code></dfn>
method is invoked, the UA must <span data-x="resolve a url">resolve</span> the argument, relative
- to the <span>API base URL</span> specified by the <span>entry script</span>'s <span>settings object</span>, and if that is
+ to the <span>API base URL</span> specified by the <span>entry settings object</span>, and if that is
successful, <span>navigate</span><!--DONAV location.href/replace--> the <span>browsing
context</span> to the specified <var data-x="">url</var> with <span>replacement enabled</span>.</p>
<!--CLEANUP-->
<p>Navigation for the <code data-x="dom-location-assign">assign()</code> and <code
data-x="dom-location-replace">replace()</code> methods must be done with the <span>responsible browsing context</span> specified by
- the <span>incumbent script</span>'s <span>settings object</span> as the <span>source
+ the <span>incumbent settings object</span> as the <span>source
browsing context</span>.</p>
<p>If the <span data-x="resolve a url">resolving</span> step of the <code
@@ -73879,8 +73805,8 @@
<!--CLEANUP-->
<p>The element's <code>URLUtils</code> interface's <span data-x="concept-uu-get-the-base">get the
- base</span> algorithm must return the <span>API base URL</span> specified by the <span>entry script</span>'s
- <span>settings object</span>, if there is one, or null otherwise.</p>
+ base</span> algorithm must return the <span>API base URL</span> specified by the <span>entry
+ settings object</span>, if there is one, or null otherwise.</p>
<p>The element's <code>URLUtils</code> interface's <span data-x="concept-uu-query-encoding">query
encoding</span> is the <span>document's character encoding</span>.</p>
@@ -73938,7 +73864,7 @@
should work. See <a href="https://www.w3.org/Bugs/Public/show_bug.cgi?id=20701">bug 20701</a>.</p>
<p id="security-3">User agents must throw a <code>SecurityError</code> exception whenever any
- properties of a <code>Location</code> object are accessed when the <span>entry script</span> has
+ properties of a <code>Location</code> object are accessed when the <span>entry settings object</span> specifies
an <span>effective script origin</span> that is not the <span data-x="same origin">same</span> as
the <code>Location</code> object's associated <code>Document</code>'s <span>browsing
context</span>'s <span>active document</span>'s <span>effective script origin</span>, with the
@@ -73948,25 +73874,26 @@
<!--CLEANUP-->
<li>The <code data-x="dom-url-href">href</code> setter, if the <span>responsible browsing context</span>
- specified by the <span>entry script</span>'s
- <span>settings object</span> is <span>familiar with</span> the <span>browsing
+ specified by the <span>entry
+ settings object</span> is <span>familiar with</span> the <span>browsing
context</span> with which the <code>Location</code> object is associated
<!--CLEANUP-->
<li>The <code data-x="dom-location-replace">replace()</code> method, if the <span>responsible
- browsing context</span> specified by the <span>entry script</span>'s
- <span>settings object</span> is <span>familiar with</span> the
+ browsing context</span> specified by the <span>entry
+ settings object</span> is <span>familiar with</span> the
<span>browsing context</span> with which the <code>Location</code> object is associated
+<!--CLEANUP-->
<li>Any properties not defined in the IDL for the <code>Location</code> object or indirectly via
one of those properties (e.g. <code data-x="">toString()</code>, which is defined via the <code
- data-x="">stringifier</code> keyword), if the <span>entry script</span>'s <span>effective script
- origin</span> is the <span>same origin</span> as the <code>Location</code> object's associated
+ data-x="">stringifier</code> keyword), if the <span>effective script
+ origin</span> specified by the <span>entry settings object</span> is the <span>same origin</span> as the <code>Location</code> object's associated
<code>Document</code>'s <span>effective script origin</span>
</ul>
- <p>When the <span>entry script</span>'s <span>effective script origin</span> is different than a
+ <p>When the <span>effective script origin</span> specified by the <span>entry settings object</span> is different than a
<code>Location</code> object's associated <code>Document</code>'s <span>effective script
origin</span>, the user agent must act as if any changes to that <code>Location</code> object's
properties, getters, setters, etc, were not present, and as if all the properties of that
@@ -78113,14 +78040,6 @@
</dd>
- <dt>An <dfn data-x="">owner</dfn>, <dfn data-x="">origin</dfn>, and <dfn data-x="">effective origin</dfn></dt>
-
- <dd>
-
- <p>There are defined in the <span>origin</span> section.</p>
-
- </dd>
-
</dl>
<hr>
@@ -78237,6 +78156,14 @@
</dd>
+ <dt>An <span>origin</span> and an <span>effective script origin</span></dt>
+
+ <dd>
+
+ <p>An instrument used in security checks.</p>
+
+ </dd>
+
</dl>
@@ -78316,6 +78243,22 @@
</dd>
+ <dt>The <span>origin</span></dt>
+ <dd>
+
+ <p>Return the <span>origin</span> of the <code>Document</code> with which the
+ <code>Window</code> is currently associated.</p>
+
+ </dd>
+
+ <dt>The <span>effective script origin</span></dt>
+ <dd>
+
+ <p>Return the <span>effective script origin</span> of the <code>Document</code> with which the
+ <code>Window</code> is currently associated.</p>
+
+ </dd>
+
</dl>
@@ -78323,11 +78266,12 @@
<h5>Calling scripts</h5>
+<!--CLEANUP-->
<p>Each <span>unit of related similar-origin browsing contexts</span> has a <dfn>stack of
- incumbent scripts</dfn>, which must be initially empty. When a new script is <i>pushed</i> onto
- this stack, the specified script is to be added to the stack; when the script on this stack that
+ script settings objects</dfn>, which must be initially empty. When a new <span>script settings object</span> is <i>pushed</i> onto
+ this stack, the specified <span>script settings object</span> is to be added to the stack; when the <span>script settings object</span> on this stack that
was most recently pushed onto it is to be <i>popped</i> from the stack, it must be removed.
- Entries on this stack can be labeled as <dfn>candidate entry scripts</dfn>.</p>
+ Entries on this stack can be labeled as <dfn data-x="candidate entry settings object">candidate entry settings objects</dfn>.</p>
<p>When a user agent is to <dfn>jump to a code entry-point</dfn> for a <span
data-x="concept-script">script</span>, the user agent must run the following steps:</p>
@@ -78337,6 +78281,7 @@
<li><p>Let <var data-x="">s</var> be the given <span
data-x="concept-script">script</span>.</p></li>
+<!--CLEANUP-->
<li><p><span>Prepare to run a script-based callback</span> with <var data-x="">s</var> as both the
new incumbent <span data-x="concept-script">script</span> and the owner <span
data-x="concept-script">script</span>. If this returns "do not run" then abort these
@@ -78369,21 +78314,23 @@
data-x="">o</var>'s <span>settings object</span>, then return
"do not run" and abort these steps.</p>
- <li><p>Push <var data-x="">s</var> onto the <span>stack of incumbent scripts</span>, and label it
- as a <span data-x="candidate entry scripts">candidate entry script</span>.</p></li>
+<!--CLEANUP-->
+ <li><p>Push <var data-x="">s</var>'s <span>settings object</span> onto the <span>stack of script settings objects</span>, and label it
+ as a <span>candidate entry settings object</span>.</p></li>
<li><p>Return "run".</p></li>
</ol>
+<!--CLEANUP-->
<p>The steps to <dfn>prepare to run a non-script-based callback</dfn> are as follows. They are
- invoked with a new incumbent <span data-x="concept-script">script</span> <var data-x="">s</var> and,
+ invoked with a new <span>script settings object</span> <var data-x="">s</var> and,
in principle, return either "run" or "do not run" (though in practice they always return
"run").</p>
<ol>
- <li><p>Push <var data-x="">s</var> onto the <span>stack of incumbent scripts</span>.</p></li>
+ <li><p>Push <var data-x="">s</var> onto the <span>stack of script settings objects</span>.</p></li>
<li><p>Return "run".</p></li>
@@ -78393,13 +78340,16 @@
<ol>
- <li><p>Pop the current <span>incumbent script</span> from the <span>stack of incumbent
- scripts</span>.</p></li>
+<!--CLEANUP-->
+ <li><p>Pop the current <span>incumbent settings object</span> from the <span>stack of script settings
+ objects</span>.</p></li>
- <li><p>If the <span>stack of incumbent scripts</span> is now empty, <span>run the global script
+<!--CLEANUP-->
+ <li><p>If the <span>stack of script settings objects</span> is now empty, <span>run the global script
clean-up jobs</span>. (These cannot run scripts.)</p></li>
- <li><p>If the <span>stack of incumbent scripts</span> is now empty, <span>perform a microtask
+<!--CLEANUP-->
+ <li><p>If the <span>stack of script settings objects</span> is now empty, <span>perform a microtask
checkpoint</span>. (If this runs scripts, these algorithms will be invoked reentrantly.)</p></li>
</ol>
@@ -78408,22 +78358,25 @@
can be invoked reentrantly in an indirect manner, e.g. if a script dispatches an event which has
event listeners registered.</p>
- <p>When a JavaScript <i>SourceElements</i> production is to be evaluated, the <span
+<!--CLEANUP-->
+ <p>When a JavaScript <i>SourceElements</i> production is to be evaluated, the <span>settings object</span> of the <span
data-x="concept-script">script</span> corresponding to that <i>SourceElements</i> must be pushed
- onto the <span>stack of incumbent scripts</span> before the evaluation begins, and popped when the
+ onto the <span>stack of script settings objects</span> before the evaluation begins, and popped when the
evaluation ends (regardless of whether it's an abrupt completion or not).</p>
- <p>The <dfn>entry script</dfn> is the most-recently added <span
- data-x="concept-script">script</span> in the <span>stack of incumbent scripts</span> that is
- labeled as a <span data-x="candidate entry scripts">candidate entry script</span>. If the stack is
- empty, or has no entries labeled as such, then there is no <span>entry script</span>. It is used
+<!--CLEANUP-->
+ <p>The <dfn>entry settings object</dfn> is the most-recently added <span>script settings object</span>
+ in the <span>stack of script settings objects</span> that is
+ labeled as a <span>candidate entry settings object</span>. If the stack is
+ empty, or has no entries labeled as such, then there is no <span>entry settings object</span>. It is used
to obtain, amongst other things, the <span>API base URL</span> to <span data-x="resolve a
url">resolve</span> relative <span data-x="URL">URLs</span> used in scripts running in that
<span>unit of related similar-origin browsing contexts</span>.</p>
- <p>The <dfn>incumbent script</dfn> is the <span data-x="concept-script">script</span> in the
- <span>stack of incumbent scripts</span> that was most-recently added (i.e. the last one on the
- stack). If the stack is empty, then there is no <span>incumbent script</span>. It is used in some
+<!--CLEANUP-->
+ <p>The <dfn>incumbent settings object</dfn> is the <span>script settings object</span> in the
+ <span>stack of script settings objects</span> that was most-recently added (i.e. the last one on the
+ stack). If the stack is empty, then there is no <span>incumbent settings object</span>. It is used in some
security checks.</p>
<p class="note">The WebIDL specification also uses these algorithms. <a
@@ -78927,10 +78880,11 @@
<li><p>Let <var data-x="">task source</var> be the <span>task source</span> of the currently
running <span data-x="concept-task">task</span>.</p></li>
- <li><p>Let <var data-x="">old stack of incumbent scripts</var> be a copy of the <span>stack of
- incumbent scripts</span>.</p></li>
+<!--CLEANUP-->
+ <li><p>Let <var data-x="">old stack of script settings objects</var> be a copy of the <span>stack of
+ script settings objects</span>.</p></li>
- <li><p>Empty the <span>stack of incumbent scripts</span>.</p></li>
+ <li><p>Empty the <span>stack of script settings objects</span>.</p></li>
<li><p><span>Run the global script clean-up jobs</span>.</p></li>
@@ -78952,8 +78906,9 @@
source</span> <var data-x="">task source</var>. Wait until this task runs before continuing these
steps.</p></li>
- <li><p>Replace the <span>stack of incumbent scripts</span> with the <var data-x="">old stack of
- incumbent scripts</var>.</p></li>
+<!--CLEANUP-->
+ <li><p>Replace the <span>stack of script settings objects</span> with the <var data-x="">old stack of
+ script settings objects</var>.</p></li>
<li><p>Return to the caller.</p></li>
@@ -80315,7 +80270,7 @@
<!--CLEANUP-->
<li><p>Change <span>the document's address</span> to the <span data-x="the document's
address">address</span> of the <span>responsible document</span> specified by
- the <span>entry script</span>'s <span>settings object</span>.</p></li>
+ the <span>entry settings object</span>.</p></li>
<!-- <span>the document's referrer</span> stays the same -->
@@ -81206,9 +81161,10 @@
<li>
+<!--CLEANUP-->
<p><span data-x="resolve a url">Resolve</span> <var data-x="">url</var> relative to the
<span>API base URL</span> specified by
- <span>entry script</span>'s <span>settings object</span>.</p>
+ the <span>entry settings object</span>.</p>
<p>If this fails, then throw a <code>SyntaxError</code> exception and abort these steps.</p>
@@ -81241,15 +81197,16 @@
<!--CLEANUP-->
<p>If the <span>active sandboxing flag set</span> of the <span>active document</span> of the
<span>responsible browsing context</span> specified by the <span>incumbent
- script</span>'s <span>settings object</span> has its <span>sandboxed auxiliary navigation browsing context flag</span> set,
+ settings object</span> has its <span>sandboxed auxiliary navigation browsing context flag</span> set,
then return the empty string and abort these steps.</p>
</li>
<li>
- <p>Let <var data-x="">incumbent origin</var> be the <span>effective script origin</span> of the
- <span>incumbent script</span> at the time the <code
+<!--CLEANUP-->
+ <p>Let <var data-x="">incumbent origin</var> be the <span>effective script origin</span> specified by the
+ <span>incumbent settings object</span> at the time the <code
data-x="dom-showModalDialog">showModalDialog()</code> method was called.</p>
</li>
@@ -81305,7 +81262,7 @@
<p>Set all the flags in the new browsing context's <span>popup sandboxing flag set</span> that
are set in the <span>active sandboxing flag set</span> of the <span>active document</span> of
the <span>responsible browsing context</span> specified by the <span>incumbent
- script</span>'s <span>settings object</span>. The <span>responsible browsing context</span> specified by the <span>incumbent script</span>'s <span>settings object</span>
+ settings object</span>. The <span>responsible browsing context</span> specified by the <span>incumbent settings object</span>
must be set as the new browsing context's <span>one permitted sandboxed
navigator</span>.</p>
@@ -81342,7 +81299,7 @@
<p><span>Navigate</span><!--DONAV showModalDialog--> the new <span>browsing context</span> to
the <span>absolute URL</span> that resulted from <span data-x="resolve a url">resolving</span>
<var data-x="">url</var> earlier, with <span>replacement enabled</span>, and with the <span>responsible
- browsing context</span> specified by the <span>incumbent script</span>'s <span>settings object</span>
+ browsing context</span> specified by the <span>incumbent settings object</span>
as the <span>source browsing context</span>.</p>
</li>
@@ -81858,15 +81815,16 @@
<!--CLEANUP-->
<p>User agents must throw a <code>SyntaxError</code> exception if <span data-x="resolve a
url">resolving</span> the <var data-x="">url</var> argument relative to the
- <span>API base URL</span> specified by the <span>entry script</span>'s <span>settings object</span> is not successful.</p>
+ <span>API base URL</span> specified by the <span>entry settings object</span> is not successful.</p>
<p class="note">The resulting <span>absolute URL</span> would by definition not be a <span>valid
URL</span> as it would include the string "<code data-x="">%s</code>" which is not a valid
component in a URL.</p>
+<!--CLEANUP-->
<p>User agents must throw a <code>SecurityError</code> exception if the resulting <span>absolute
- URL</span> has an <span>origin</span> that differs from the <span>origin</span> of the
- <span>entry script</span>.</p>
+ URL</span> has an <span>origin</span> that differs from the <span>origin</span> specified by the
+ <span>entry settings object</span>.</p>
<p class="note">This is forcibly the case if the <code data-x="">%s</code> placeholder is in the
scheme, host, or port parts of the URL.</p>
@@ -81879,7 +81837,7 @@
literal string "<code data-x="">%s</code>" in the <var data-x="">url</var> argument with an
escaped version of the <span>absolute URL</span> of the content in question (as defined below),
then <span data-x="resolve a url">resolve</span> the resulting URL, relative to the <span>API
- base URL</span> specified by the <span>entry script</span>'s <span>settings object</span> at the time the <code
+ base URL</span> specified by the <span>entry settings object</span> at the time the <code
data-x="dom-navigator-registerContentHandler">registerContentHandler()</code> or <code
data-x="dom-navigator-registerProtocolHandler">registerProtocolHandler()</code> methods were
invoked, and then <span>navigate</span><!--DONAV user--> an appropriate <span>browsing
@@ -82124,13 +82082,14 @@
<!--CLEANUP-->
<li><p><span data-x="resolve a URL">Resolve</span> the string relative to the <span>API base URL</span>
- specified by the <span>entry script</span>'s <span>settings object</span>.</p></li>
+ specified by the <span>entry settings object</span>.</p></li>
<li><p>If this fails, then throw a <code>SyntaxError</code> exception, aborting the
method.</p></li>
+<!--CLEANUP-->
<li><p>If the resulting <span>absolute URL</span>'s <span>origin</span> is not the <span>same
- origin</span> as that of the <span>entry script</span>, throw a <code>SecurityError</code>
+ origin</span> as the <span>origin</span> specified by the <span>entry settings object</span>, throw a <code>SecurityError</code>
exception, aborting the method.</p></li>
<li><p>Return the resulting <span>absolute URL</span> as the result of preprocessing the
@@ -82848,7 +82807,7 @@
<!--CLEANUP-->
<li><p><span data-x="resolve a url">Resolve</span> the value of the method's first argument
- relative to the <span>API base URL</span> specified by the <span>entry script</span>'s <span>settings object</span>.</p></li>
+ relative to the <span>API base URL</span> specified by the <span>entry settings object</span>.</p></li>
<li><p>If this fails, abort these steps.</p></li>
@@ -82869,15 +82828,17 @@
stub method that never returns a non-zero value, or may arbitrarily ignore invocations with
particular arguments for security, privacy, or usability reasons.</p></li>
- <li><p>If the <span>origin</span> of the <span>entry script</span> is an opaque identifier (i.e.
+<!--CLEANUP-->
+ <li><p>If the <span>origin</span> specified by the <span>entry settings object</span> is an opaque identifier (i.e.
it has no host component), then return 0 and abort these steps.</p></li>
- <li><p>Let <var data-x="">host1</var> be the host component of the <span>origin</span> of the
- <span>entry script</span>.</p></li>
+<!--CLEANUP-->
+ <li><p>Let <var data-x="">host1</var> be the host component of the <span>origin</span> specified by the
+ <span>entry settings object</span>.</p></li>
<!--CLEANUP-->
<li><p><span data-x="resolve a url">Resolve</span> the <var data-x="">scriptURL</var> argument
- relative to the <span>API base URL</span> specified by the <span>entry script</span>'s <span>settings
+ relative to the <span>API base URL</span> specified by the <span>entry settings
object</span>.</p></li>
<li><p>If this fails, return 0 and abort these steps.</p></li>
@@ -83038,8 +82999,9 @@
steps.</p></li>
<!--ADD-TOPIC:Security-->
+<!--CLEANUP-->
<li><p>If the <span>origin</span> of the <code>img</code> element's image is not the <span>same
- origin</span> as the <span>entry script</span>'s <span>origin</span>, then throw a
+ origin</span> as the <span>origin</span> specified by the <span>entry settings object</span>, then throw a
<code>SecurityError</code> exception and abort these steps.</p></li>
<!--REMOVE-TOPIC:Security-->
@@ -83082,8 +83044,9 @@
<code>InvalidStateError</code> exception and abort these steps.</p></li>
<!--ADD-TOPIC:Security-->
+<!--CLEANUP-->
<li><p>If the <span>origin</span> of the <code>video</code> element is not the <span>same
- origin</span> as the <span>entry script</span>'s <span>origin</span>, then throw a
+ origin</span> as the <span>origin</span> specified by the <span>entry settings object</span>, then throw a
<code>SecurityError</code> exception and abort these steps.</p></li>
<!--REMOVE-TOPIC:Security-->
@@ -87436,7 +87399,7 @@
<!--CLEANUP-->
<li><p><span data-x="resolve a url">Resolve</span> the <span>URL</span> specified in the first
- argument, relative to the <span>API base URL</span> specified by the <span>entry script</span>'s <span>settings
+ argument, relative to the <span>API base URL</span> specified by the <span>entry settings
object</span>.
<!--END complete-->
<a href="#refsHTML">[HTML]</a>
@@ -87465,9 +87428,9 @@
<!--CLEANUP-->
<p>Do a <span>potentially CORS-enabled fetch</span><!--FETCH--> of the resulting <span>absolute
- URL</span> using the <span>API referrer source</span> specified by the <span>entry script</span>'s <span>settings
+ URL</span> using the <span>API referrer source</span> specified by the <span>entry settings
object</span>, with the <i>mode</i> being <var data-x="">CORS mode</var>, and the <i
- data-x="">origin</i> being the <span>entry script</span>'s <span>origin</span><!--, and the
+ data-x="">origin</i> being the <span>origin</span> specified by the <span>entry settings object</span><!--, and the
<i>default origin behaviour</i> set to <i>fail</i> (though it has no effect in the "Anonymous"
and "Use Credentials" modes)-->, and process the resource obtained in this fashion, if any, as
described below.</p>
@@ -88349,8 +88312,9 @@
<var data-x="">secure</var>. If this fails, throw a <code>SyntaxError</code> exception and abort
these steps. <a href="#refsWSP">[WSP]</a></p></li>
- <li><p>If <var data-x="">secure</var> is false but the <span>origin</span> of the <span>entry
- script</span> has a scheme component that is itself a secure protocol, e.g. HTTPS, then throw a
+<!--CLEANUP-->
+ <li><p>If <var data-x="">secure</var> is false but the <span>origin</span> specified by the <span>entry
+ settings object</span> has a scheme component that is itself a secure protocol, e.g. HTTPS, then throw a
<code>SecurityError</code> exception and abort these steps.</p></li>
<li>
@@ -88383,8 +88347,9 @@
WebSocket protocol specification, then throw a <code>SyntaxError</code> exception and abort these
steps. <a href="#refsWSP">[WSP]</a></p></li>
+<!--CLEANUP-->
<li><p>Let <var data-x="">origin</var> be the <span data-x="ASCII serialization of an origin">ASCII
- serialization</span> of the <span>origin</span> of the <span>entry script</span>, <span>converted
+ serialization</span> of the <span>origin</span> specified by the <span>entry settings object</span>, <span>converted
to ASCII lowercase</span>.</p></li>
<li><p>Return a new <code>WebSocket</code> object, but continue these steps
@@ -89426,7 +89391,7 @@
<!--CLEANUP-->
<p>If the <var data-x="">targetOrigin</var> argument is a single literal U+002F SOLIDUS character
(/), and the <code>Document</code> of the <code>Window</code> object on which the method was
- invoked does not have the <span>same origin</span> as the <span>responsible document</span> specified by the <span>entry script</span>'s <span>settings
+ invoked does not have the <span>same origin</span> as the <span>responsible document</span> specified by the <span>entry settings
object</span>, then abort these steps silently.</p>
<p>Otherwise, if the <var data-x="">targetOrigin</var> argument is an <span>absolute URL</span>,
@@ -89449,11 +89414,11 @@
initialized to the value of <var data-x="">message clone</var>, the <code
data-x="dom-MessageEvent-origin">origin</code> attribute must be initialized to the <span
data-x="Unicode serialization of an origin">Unicode serialization</span> of the
- <span>origin</span> of the <span>incumbent script</span>, the <code
+ <span>origin</span> specified by the <span>incumbent settings object</span>, the <code
data-x="dom-MessageEvent-source">source</code> attribute must be initialized to the
<code>WindowProxy</code> object corresponding to the
<span>global object</span> (a <code>Window</code> object) specified by the
- <span>incumbent script</span>'s <span>settings object</span>,
+ <span>incumbent settings object</span>,
and the <code
data-x="dom-MessageEvent-ports">ports</code> attribute must be initialized to the <var
data-x="">new ports</var> array.
@@ -89714,13 +89679,11 @@
<!--CLEANUP-->
<li><p><span>Create a new <code>MessagePort</code> object</span> whose <span data-x="concept-port-owner">owner</span>
- is the <span>settings object</span>
- of the <span>incumbent script</span>, and let <var data-x="">port1</var> be that object.</p></li>
+ is the <span>incumbent settings object</span>, and let <var data-x="">port1</var> be that object.</p></li>
<!--CLEANUP-->
<li><p><span>Create a new <code>MessagePort</code> object</span> whose <span data-x="concept-port-owner">owner</span>
- is the <span>settings object</span>
- of the <span>incumbent script</span>, and let <var data-x="">port2</var> be that object.</p></li>
+ is the <span>incumbent settings object</span>, and let <var data-x="">port2</var> be that object.</p></li>
<li><p><span>Entangle</span> the <var data-x="">port1</var> and <var data-x="">port2</var>
objects.</p></li>
@@ -90097,7 +90060,7 @@
<li><p>Let <var data-x="">message</var> be the method's first argument.</p></li>
<li><p><span>Create a new <code>MessagePort</code> object</span> whose <span
- data-x="concept-port-owner">owner</span> is the <span>incumbent script</span>'s <span>settings
+ data-x="concept-port-owner">owner</span> is the <span>incumbent settings
object</span>, and let <var data-x="">port1</var> be that object.</p></li>
<li><p>If the <var data-x="">source port</var> is not entangled with another port, then return
@@ -90810,11 +90773,9 @@
<hr>
- <p>Each <code>WorkerGlobalScope</code> object has a <dfn>worker origin</dfn> that is set when the
- object is created.</p>
-
+<!--CLEANUP-->
<p class="note">For <span data-x="data protocol"><code data-x="">data:</code> URLs</span>, this is
- the <span>origin</span> of the <span>entry script</span> when the constructor was called. For
+ the <span>origin</span> specified by the <span>entry settings object</span> when the constructor was called. For
other <span data-x="URL">URLs</span>, this is the <span>origin</span> of the value of the
<span>absolute URL</span> given in the worker's <code
data-x="dom-WorkerGlobalScope-location"></code> attribute.</p>
@@ -91007,8 +90968,7 @@
<!--CLEANUP-->
<p>When a user agent is to <dfn>run a worker</dfn> for a script with <span>URL</span> <var
- data-x="">url</var>, a <span>script settings object</span> <var data-x="">settings object</var>,
- and an <span>origin</span> <var data-x="">owner origin</var>, it
+ data-x="">url</var> and a <span>script settings object</span> <var data-x="">settings object</var>, it
must run the following steps:</p>
<ol>
@@ -91037,9 +90997,11 @@
<li>
+<!--CLEANUP-->
<p>Attempt to <span>fetch</span><!--FETCH--> the resource identified by <var data-x="">url</var>,
- from the <var data-x="">owner origin</var>, using the <span>responsible document</span> specified by <var data-x="">settings object</var> as the
- <span>referrer source</span> (not the specified <span>API referrer source</span>!), with the <i>synchronous flag</i> set and the <i>force same-origin
+ from the <span>origin</span> specified
+ by <var data-x="">settings object</var>, using the <span>responsible document</span> specified by <var data-x="">settings object</var> as the
+ <span>referrer source</span> (not the specified <span>API referrer source</span>!), and with the <i>synchronous flag</i> set and the <i>force same-origin
flag</i> set.</p> <!-- not http-origin privacy sensitive (looking forward to CORS) -->
<p>If the attempt fails, then for each <code>Worker</code> or <code>SharedWorker</code> object
@@ -91321,14 +91283,19 @@
<ol>
+<!--CLEANUP-->
<li><p>Let <var data-x="">inherited responsible browsing context</var> be the <span>responsible
- browsing context</span> specified by the <span>incumbent script</span>'s <span>settings
+ browsing context</span> specified by the <span>incumbent settings
object</span>.</p></li>
+<!--CLEANUP-->
<li><p>Let <var data-x="">inherited responsible document</var> be the <span>responsible
- document</span> specified by the <span>incumbent script</span>'s <span>settings
+ document</span> specified by the <span>incumbent settings
object</span>.</p></li>
+ <li><p>Let <var data-x="">inherited origin</var> be the <span>origin</span> specified by the
+ <span>incumbent settings object</span>.</p></li>
+
<li><p>Let <var data-x="">worker event loop</var> be a newly created <span>event
loop</span>.</p></li>
@@ -91404,6 +91371,13 @@
</dd>
+ <dt>The <span>origin</span> and <span>effective script origin</span></dt>
+ <dd>
+
+ <p>Return <var data-x="">inherited origin</var>.</p>
+
+ </dd>
+
</dl>
</li>
@@ -91482,7 +91456,7 @@
<!--CLEANUP-->
<li><p><span data-x="resolve a url">Resolve</span> the <var data-x="">scriptURL</var> argument
- relative to the <span>API base URL</span> specified by the <span>entry script</span>'s <span>settings object</span> when
+ relative to the <span>API base URL</span> specified by the <span>entry settings object</span> when
the method was invoked.</p></li>
<li><p>If this fails, throw a <code>SyntaxError</code> exception and abort these steps.</p></li>
@@ -91495,7 +91469,7 @@
<p>If the <span data-x="concept-url-scheme">scheme</span> component of <var data-x="">worker URL</var>
is not "<code data-x="data-protocol">data</code>", and the <span>origin</span> of <var data-x="">worker URL</var>
is not the <span data-x="same origin">same</span> as the
- origin of the <span>entry script</span>, then throw a <code>SecurityError</code> exception and
+ <span>origin</span> specified by the <span>incumbent settings object</span>, then throw a <code>SecurityError</code> exception and
abort these steps.</p>
<p class="note">Thus, scripts must either be external files with the same scheme, host, and port
@@ -91506,8 +91480,8 @@
</li>
- <li><p>Create a new <code>DedicatedWorkerGlobalScope</code> object whose <span>worker
- origin</span> is the origin of the <span>entry script</span>. Let <var data-x="">worker global
+<!--CLEANUP-->
+ <li><p>Create a new <code>DedicatedWorkerGlobalScope</code> object. Let <var data-x="">worker global
scope</var> be this new object.</p></li>
<li><p><span>Set up a worker script settings object</span> with <var data-x="">worker global
@@ -91518,7 +91492,7 @@
<!--CLEANUP-->
<li><p><span>Create a new <code>MessagePort</code> object</span> whose <span data-x="concept-port-owner">owner</span>
- is the <span>settings object</span> of the <span>incumbent script</span>. Let
+ is the <span>incumbent settings object</span>. Let
this be the <var data-x="">outside port</var>.</p></li>
<li><p>Associate the <var data-x="">outside port</var> with <var data-x="">worker</var>.</p></li>
@@ -91545,8 +91519,7 @@
<!--CLEANUP-->
<p>Let <var data-x="">docs</var> be the <span>list of relevant <code>Document</code> objects to
- add</span> given the <span>settings object</span> of the
- <span>incumbent script</span>.</p>
+ add</span> given the <span>incumbent settings object</span>.</p>
</li>
@@ -91562,18 +91535,17 @@
<!--CLEANUP-->
<p>If the <span>global object</span> specified by the <span>incumbent
- script</span>'s <span>settings object</span> is a <code>WorkerGlobalScope</code> object (i.e. we are creating a nested worker),
+ settings object</span> is a <code>WorkerGlobalScope</code> object (i.e. we are creating a nested worker),
add <var data-x="">worker global scope</var> to the list of <span>the worker's workers</span> of
- the <code>WorkerGlobalScope</code> object that is the <span>global object</span> of the <span>incumbent script</span>'s <span>settings object</span>.</p>
+ the <code>WorkerGlobalScope</code> object that is the <span>global object</span> specified by the <span>incumbent settings object</span>.</p>
</li>
<li>
+<!--CLEANUP-->
<p><span>Run a worker</span> for the script with <span>URL</span> <var data-x="">worker
- URL</var>, the <span>script settings object</span> <var data-x="">settings object</var>, and the
- <span>origin</span> of the <span>entry script</span> as the <var data-x="">owner
- origin</var>.</p>
+ URL</var> and the <span>script settings object</span> <var data-x="">settings object</var>.</p>
</li>
@@ -91616,10 +91588,11 @@
<li>
+<!--CLEANUP-->
<p>If the <span data-x="concept-url-scheme">scheme</span> component of <var data-x="">parsed
scriptURL</var> is not "<code data-x="data-protocol">data</code>", and the <span>origin</span> of
- <var data-x="">scriptURL</var> is not the <span data-x="same origin">same</span> as the origin of
- the <span>entry script</span>, then throw a <code>SecurityError</code> exception and abort these
+ <var data-x="">scriptURL</var> is not the <span data-x="same origin">same</span> as the <span>origin</span> specified by
+ the <span>incumbent settings object</span>, then throw a <code>SecurityError</code> exception and abort these
steps.</p>
<p class="note">Thus, scripts must either be external files with the same scheme, host, and port
@@ -91633,8 +91606,7 @@
<li>
<p>Let <var data-x="">docs</var> be the <span>list of relevant <code>Document</code> objects to
- add</span> given the <span>settings object</span> of the
- <span>incumbent script</span>.</p>
+ add</span> given the <span>incumbent settings object</span>.</p>
</li>
@@ -91650,7 +91622,7 @@
<!--CLEANUP-->
<li><p><span>Create a new <code>MessagePort</code> object</span> whose <span data-x="concept-port-owner">owner</span>
- is the <span>settings object</span> of the <span>incumbent script</span>. Let
+ is the <span>incumbent settings object</span>. Let
this be the <var data-x="">outside port</var>.</p></li>
<li><p>Assign <var data-x="">outside port</var> to the <code
@@ -91660,11 +91632,14 @@
<li>
+<!--CLEANUP-->
<p>If <var data-x="">name</var> is not the empty string and there exists a
<code>SharedWorkerGlobalScope</code> object whose <span
data-x="dom-WorkerGlobalScope-closing">closing</span> flag is false, whose <code
data-x="dom-WorkerGlobalScope-name">name</code> attribute is exactly equal to <var
- data-x="">name</var>, and whose <span>worker origin</span> is the <span>same origin</span> as
+ data-x="">name</var>, and that is the <span>global object</span> specified by a
+ <span>script settings object</span> that specifies as its <span>origin</span> the
+ <span>same origin</span> as the <span>origin</span> of
<var data-x="">scriptURL</var>, then let <var data-x="">worker global scope</var> be that
<code>SharedWorkerGlobalScope</code> object.</p>
@@ -91680,9 +91655,11 @@
<li>
+<!--CLEANUP-->
<p>If <var data-x="">worker global scope</var> is not null, but the user agent has been
- configured to disallow communication between the <span>incumbent script</span> and the worker
- represented by the <var data-x="">worker global scope</var>, then set <var data-x="">worker
+ configured to disallow communication between the worker
+ represented by the <var data-x="">worker global scope</var> and the <span data-x="concept-script">scripts</span>
+ whose <span data-x="settings object">settings objects</span> are the <span>incumbent settings object</span>, then set <var data-x="">worker
global scope</var> to null.</p>
<p class="note">For example, a user agent could have a development mode that isolates a
@@ -91740,10 +91717,10 @@
<!--CLEANUP-->
<p>If the <span>global object</span> specified by the <span>incumbent
- script</span>'s <span>settings object</span> is a <code>WorkerGlobalScope</code> object, add <var data-x="">worker global
+ settings object</span> is a <code>WorkerGlobalScope</code> object, add <var data-x="">worker global
scope</var> to the list of <span>the worker's workers</span> of the
<code>WorkerGlobalScope</code> object that is the <span>global
- object</span> specified by the <span>incumbent script</span>'s <span>settings object</span>.</p>
+ object</span> specified by the <span>incumbent settings object</span>.</p>
</li>
@@ -91755,8 +91732,8 @@
<!-- OTHERWISE: -->
- <li><p>Create a new <code>SharedWorkerGlobalScope</code> object whose <span>worker
- origin</span> is the origin of the <span>entry script</span>. Let <var data-x="">worker global
+<!--CLEANUP-->
+ <li><p>Create a new <code>SharedWorkerGlobalScope</code> object. Let <var data-x="">worker global
scope</var> be this new object.</p></li>
<li><p><span>Set up a worker script settings object</span> with <var data-x="">worker global
@@ -91803,20 +91780,20 @@
<li>
<!--CLEANUP-->
- <p>If the <span>global object</span> specified by the <span>settings object</span> of the <span>incumbent
- script</span> is a <code>WorkerGlobalScope</code> object, add <var
+ <p>If the <span>global object</span> specified by the <span>incumbent settings object</span>
+ is a <code>WorkerGlobalScope</code> object, add <var
data-x="">worker global scope</var> to the list of <span>the worker's workers</span> of the
<code>WorkerGlobalScope</code> object that is the <span>global
- object</span> specified by the <span>incumbent script</span>'s <span>settings object</span>.</p>
+ object</span> specified by the <span>incumbent settings object</span>.</p>
</li>
<li>
+<!--CLEANUP-->
<p><span>Run a worker</span> for the script with <span>URL</span> <var
- data-x="">scriptURL</var>, the <span>script settings object</span> <var data-x="">settings
- object</var>, and the <span>origin</span> of the <span>entry script</span> as the <var
- data-x="">owner origin</var>.</p>
+ data-x="">scriptURL</var> and the <span>script settings object</span> <var data-x="">settings
+ object</var>.</p>
</li>
@@ -91859,8 +91836,9 @@
<li><p>If there are no arguments, return without doing anything. Abort these steps.</p></li>
- <li><p>Let <var data-x="">settings object</var> be the <span>script settings object</span> of the
- <span>incumbent script</span>.</p></li>
+<!--CLEANUP-->
+ <li><p>Let <var data-x="">settings object</var> be the
+ <span>incumbent settings object</span>.</p></li>
<li><p><span data-x="resolve a url">Resolve</span> each argument.</p></li>
@@ -91870,8 +91848,8 @@
<!--CLEANUP-->
<p>Attempt to <span>fetch</span><!--FETCH--> each resource identified by the resulting <span
- data-x="absolute URL">absolute URLs</span>, from the <span>entry script</span>'s
- <span>origin</span>, using the <span>API referrer source</span> specified by <var data-x="">settings
+ data-x="absolute URL">absolute URLs</span>, from the <span>origin</span> specified by <var data-x="">settings object</var>,
+ using the <span>API referrer source</span> specified by <var data-x="">settings
object</var>, and with the <i>synchronous flag</i> set.</p> <!-- not
http-origin privacy sensitive -->
@@ -91908,8 +91886,9 @@
data-x="">language</var> as the scripting language, and <var data-x="">settings object</var> as
the <span>script settings object</span>.</p>
+<!--CLEANUP-->
<p>If the script came from a resource whose <span>URL</span> does not have the <span>same
- origin</span> as the <span>worker origin</span>, then pass the <var data-x="">muted
+ origin</span> as the <span>origin</span> specified by the <span>incumbent settings object</span>, then pass the <var data-x="">muted
errors</var> flag to the <span>create a script</span> algorithm as well.</p>
<p>Let the newly created <span data-x="concept-script">script</span> run until it either
@@ -91921,9 +91900,9 @@
data-x="js-SyntaxError">SyntaxError</code> exception and abort all these steps. <a
href="#refsECMA262">[ECMA262]</a></p>
+<!--CLEANUP-->
<p>If an exception was thrown or if the script was prematurely aborted, then abort all these
- steps, letting the exception or aborting continue to be processed by the <span>incumbent
- script</span>.</p>
+ steps, letting the exception or aborting continue to be processed by the calling <span data-x="concept-script">script</span>.</p>
<p>If the "<span>kill a worker</span>" or "<span>terminate a worker</span>" algorithms abort
the script then abort all these steps.</p>
More information about the Commit-Watchers
mailing list