[html5] r8284 - [giow] (2) Move javascript: processing entirely into HTML, and fix its definitio [...]
whatwg at whatwg.org
whatwg at whatwg.org
Fri Nov 15 07:56:17 PST 2013
Author: ianh
Date: 2013-11-15 07:56:16 -0800 (Fri, 15 Nov 2013)
New Revision: 8284
Modified:
complete.html
index
source
Log:
[giow] (2) Move javascript: processing entirely into HTML, and fix its definitions to match reality better at the same time.
Fixing https://www.w3.org/Bugs/Public/show_bug.cgi?id=13720
Affected topics: DOM APIs, HTML, Security, Workers
Modified: complete.html
===================================================================
--- complete.html 2013-11-14 22:19:58 UTC (rev 8283)
+++ complete.html 2013-11-15 15:56:16 UTC (rev 8284)
@@ -298,7 +298,7 @@
<header class=head id=head><p><a href=http://www.whatwg.org/ class=logo><img width=101 src=/images/logo alt=WHATWG height=101></a></p>
<hgroup><h1 class=allcaps>HTML</h1>
- <h2 class="no-num no-toc">Living Standard — Last Updated 14 November 2013</h2>
+ <h2 class="no-num no-toc">Living Standard — Last Updated 15 November 2013</h2>
</hgroup><dl><dt><strong>Web developer edition:</strong></dt>
<dd><strong><a href=http://developers.whatwg.org/>http://developers.whatwg.org/</a></strong></dd>
<dt>Multiple-page version:</dt>
@@ -1022,15 +1022,14 @@
<li><a href=#definitions-1><span class=secno>7.1.4.1 </span>Definitions</a></li>
<li><a href=#processing-model-4><span class=secno>7.1.4.2 </span>Processing model</a></li>
<li><a href=#generic-task-sources><span class=secno>7.1.4.3 </span>Generic task sources</a></ol></li>
- <li><a href=#javascript-protocol><span class=secno>7.1.5 </span>The <code title="">javascript:</code> URL scheme</a></li>
- <li><a href=#events><span class=secno>7.1.6 </span>Events</a>
+ <li><a href=#events><span class=secno>7.1.5 </span>Events</a>
<ol>
- <li><a href=#event-handler-attributes><span class=secno>7.1.6.1 </span>Event handlers</a></li>
- <li><a href=#event-handlers-on-elements,-document-objects,-and-window-objects><span class=secno>7.1.6.2 </span>Event handlers on elements, <code>Document</code> objects, and <code>Window</code> objects</a>
+ <li><a href=#event-handler-attributes><span class=secno>7.1.5.1 </span>Event handlers</a></li>
+ <li><a href=#event-handlers-on-elements,-document-objects,-and-window-objects><span class=secno>7.1.5.2 </span>Event handlers on elements, <code>Document</code> objects, and <code>Window</code> objects</a>
<ol>
- <li><a href=#idl-definitions><span class=secno>7.1.6.2.1 </span>IDL definitions</a></ol></li>
- <li><a href=#event-firing><span class=secno>7.1.6.3 </span>Event firing</a></li>
- <li><a href=#events-and-the-window-object><span class=secno>7.1.6.4 </span>Events and the <code>Window</code> object</a></ol></ol></li>
+ <li><a href=#idl-definitions><span class=secno>7.1.5.2.1 </span>IDL definitions</a></ol></li>
+ <li><a href=#event-firing><span class=secno>7.1.5.3 </span>Event firing</a></li>
+ <li><a href=#events-and-the-window-object><span class=secno>7.1.5.4 </span>Events and the <code>Window</code> object</a></ol></ol></li>
<li><a href=#atob><span class=secno>7.2 </span>Base64 utility methods</a></li>
<li><a href=#dynamic-markup-insertion><span class=secno>7.3 </span>Dynamic markup insertion</a>
<ol>
@@ -3540,7 +3539,7 @@
<li>The <dfn id=url-parser>URL parser</dfn>
<li><dfn id=parsed-url>Parsed URL</dfn>
<li>The <dfn id=concept-url-scheme title=concept-url-scheme>scheme</dfn> component of a <a href=#parsed-url>parsed URL</a>
- <li>The <dfn id=concept-url-scheme-data title="concept-url-scheme data">scheme data</dfn> component of a <a href=#parsed-url>parsed URL</a>
+ <li>The <dfn id=concept-url-scheme-data title=concept-url-scheme-data>scheme data</dfn> component of a <a href=#parsed-url>parsed URL</a>
<li>The <dfn id=concept-url-username title=concept-url-username>username</dfn> component of a <a href=#parsed-url>parsed URL</a>
<li>The <dfn id=concept-url-password title=concept-url-password>password</dfn> component of a <a href=#parsed-url>parsed URL</a>
<li>The <dfn id=concept-url-host title=concept-url-host>host</dfn> component of a <a href=#parsed-url>parsed URL</a>
@@ -6897,8 +6896,7 @@
<li>
<p>If <var title="">referrer</var> is not the empty string, is not a <a href=#data-protocol title="data
- protocol"><code title="">data:</code> URL</a>, is not a <a href=#javascript-protocol title="javascript
- protocol"><code title="">javascript:</code> URL</a>, and is not the <a href=#url>URL</a>
+ protocol"><code title="">data:</code> URL</a>, and is not the <a href=#url>URL</a>
"<code><a href=#about:blank>about:blank</a></code>", then generate the <i>address of the resource from which Request-URIs
are obtained</i> as required by HTTP for the <code title=http-referer>Referer</code> (sic)
header from <var title="">referrer</var>. <a href=#refsHTTP>[HTTP]</a></p>
@@ -6944,9 +6942,10 @@
<dfn id=about:blank><code>about:blank</code></dfn>, then the resource is immediately available and consists of
the empty string, with no metadata.</p>
+<!--CLEANUP-->
<p>Otherwise, at a time convenient to the user and the user agent, download (or otherwise
obtain) the resource, applying the semantics of the relevant specifications (e.g. performing an
- HTTP GET or POST operation, or reading the file from disk, <a href=#concept-js-deref title=concept-js-deref>dereferencing <span title="javascript protocol"><code title="">javascript:</code> URLs</span></a>, etc).</p>
+ HTTP GET or POST operation, or reading the file from disk, or expanding <a href=#data-protocol title="data protocol"><code title="">data:</code> URLs</a>, etc).</p>
<p>For the purposes of the <code title=http-referer>Referer</code> (sic) header, use the
<i>address of the resource from which Request-URIs are obtained</i> generated in the earlier
@@ -7202,7 +7201,6 @@
<dl class=switch><dt>If the <var title="">URL</var> has the <a href=#same-origin>same origin</a> as <var title="">origin</var></dt>
<dt>If the <var title="">URL</var> is a <a href=#data-protocol title="data protocol"><code title="">data:</code> URL</a></dt>
- <dt>If the <var title="">URL</var> is a <a href=#javascript-protocol title="javascript protocol"><code title="">javascript:</code> URL</a></dt>
<dt>If the <var title="">URL</var> is <code><a href=#about:blank>about:blank</a></code></dt>
<dd>
@@ -7228,7 +7226,7 @@
<p>Set <var title="">URL</var> to the target URL of the redirect and return to the top of
the <a href=#potentially-cors-enabled-fetch>potentially CORS-enabled fetch</a> algorithm (this time, one of the other
branches below might be taken, based on the value of <var title="">mode</var><!-- but if
- it's a data: or javascript: URL, we'll stay here -->).</p>
+ it's a data: URL, we'll stay here -->).</p>
</dd>
@@ -51601,12 +51599,6 @@
<p>The resource obtained in this fashion can be either <a href=#cors-same-origin>CORS-same-origin</a> or
<a href=#cors-cross-origin>CORS-cross-origin</a>. This only affects how error reporting happens.</p>
- <p>For historical reasons, if the <a href=#url>URL</a> is a <a href=#javascript-protocol title="javascript
- protocol"><code title="">javascript:</code> URL</a>, then the user agent must not, despite
- the requirements in the definition of the <a href=#fetch title=fetch>fetching</a> algorithm,
- actually execute the script in the URL; instead the user agent must act as if it had received
- an empty HTTP 400 response.</p>
-
<p>For performance reasons, user agents may start fetching the script (as defined above) as
soon as the <code title=attr-script-src><a href=#attr-script-src>src</a></code> attribute is set, instead, in the hope
that the element will be inserted into the document (and that the <code title=attr-script-crossorigin><a href=#attr-script-crossorigin>crossorigin</a></code> attribute won't change value in the
@@ -64958,21 +64950,6 @@
</dd>
- <dt>If a <code><a href=#document>Document</a></code> was generated from a <a href=#javascript-protocol title="javascript
- protocol"><code>javascript:</code> URL</a></dt>
-
- <dd>
-
- <p>The <a href=#origin>origin</a> is an <a href=#concept-origin-alias title=concept-origin-alias>alias</a> to the
- <a href=#origin>origin</a> of the script of that <a href=#javascript-protocol title="javascript
- protocol"><code>javascript:</code> URL</a>.</p>
-
- <p>The <a href=#effective-script-origin>effective script origin</a> is initially an <a href=#concept-origin-alias title=concept-origin-alias>alias</a> to the <a href=#origin>origin</a> of the
- <code><a href=#document>Document</a></code>.</p>
-
- </dd>
-
-
<dt>If a <code><a href=#document>Document</a></code> was served over the network and has an address that uses a URL
scheme with a server-based naming authority</dt>
@@ -65002,8 +64979,7 @@
</dd>
- <dt>If a <code><a href=#document>Document</a></code> has the <a href="#the-document's-address" title="the document's address">address</a>
- "<code><a href=#about:blank>about:blank</a></code>"</dt>
+ <dt>If a <code><a href=#document>Document</a></code> is the initial "<code><a href=#about:blank>about:blank</a></code>" document</dt>
<dd>
@@ -65014,6 +64990,20 @@
</dd>
+ <dt>If a <code><a href=#document>Document</a></code> was created as part of the processing for <a href=#javascript-protocol title="javascript protocol"><code>javascript:</code> URLs</a></dt>
+
+ <dd>
+
+ <p>The <a href=#origin>origin</a> is an <a href=#concept-origin-alias title=concept-origin-alias>alias</a> to the
+ <a href=#origin>origin</a> of the <a href=#active-document>active document</a> of the <a href=#browsing-context>browsing context</a>
+ being navigated when the <a href=#navigate>navigate</a> algorithm was invoked.</p>
+
+ <p>The <a href=#effective-script-origin>effective script origin</a> is initially an <a href=#concept-origin-alias title=concept-origin-alias>alias</a> to the <a href=#effective-script-origin>effective script origin</a> of that
+ same <code><a href=#document>Document</a></code>.</p>
+
+ </dd>
+
+
<dt>If a <code><a href=#document>Document</a></code> is <a href=#an-iframe-srcdoc-document>an <code>iframe</code> <code title=attr-iframe-srcdoc>srcdoc</code> document</a></dt>
<dd>
@@ -66591,50 +66581,164 @@
<li>
- <p>If the resource has already been obtained (e.g. because it is being used to populate an
- <code><a href=#the-object-element>object</a></code> element's new <a href=#child-browsing-context>child browsing context</a>), then skip this step.</p>
+ <p>This is the step that attempts to obtain the resource, if necessary. Jump to the first
+ appropriate substep:</p>
- <p>Otherwise:</p>
+ <dl><dt>If the resource has already been obtained (e.g. because it is being used to populate an
+ <code><a href=#the-object-element>object</a></code> element's new <a href=#child-browsing-context>child browsing context</a>)</dt>
- <p>If the new resource is to be fetched using HTTP GET <a href=#concept-http-equivalent-get title=concept-http-equivalent-get>or equivalent</a>, and there are <a href=#relevant-application-cache title="relevant
- application cache">relevant application caches</a> that are identified by a URL with the
- <a href=#same-origin>same origin</a> as the URL in question, and that have this URL as one of their entries,
- excluding entries marked as <a href=#concept-appcache-foreign title=concept-appcache-foreign>foreign</a>, and whose
- <a href=#concept-appcache-mode title=concept-appcache-mode>mode</a> is <a href=#concept-appcache-mode-fast title=concept-appcache-mode-fast>fast</a>, and the user agent is not in a mode where it
- will avoid using <a href=#application-cache title="application cache">application caches</a> then
- <a href=#fetch>fetch</a> the resource from the <a href=#concept-appcache-selection title=concept-appcache-selection>most
- appropriate application cache</a> of those that match.</p>
+ <dd><p>Skip this step. The data is already available.</dd>
- <p class=example>For example, imagine an HTML page with an associated application cache
- displaying an image and a form, where the image is also used by several other application
- caches. If the user right-clicks on the image and chooses "View Image", then the user agent
- could decide to show the image from any of those caches, but it is likely that the most useful
- cache for the user would be the one that was used for the aforementioned HTML page. On the other
- hand, if the user submits the form, and the form does a POST submission, then the user agent
- will not use an application cache at all; the submission will be made to the network.</p>
+ <dt>If the new resource is a <a href=#url>URL</a> whose <a href=#concept-url-scheme title=concept-url-scheme>scheme</a> is <code title="javascript
+ protocol"><a href=#javascript-protocol>javascript</a></code></dt>
- <p>Otherwise, <a href=#fetch>fetch</a><!--FETCH--> the new resource, with the <i>manual redirect
- flag</i> set.</p>
+ <dd>
+ <!-- http://www.hixie.ch/tests/adhoc/html/navigation/javascript-url/ -->
+
+ <p><a href=#queue-a-task>Queue a task</a> to run <dfn id=javascript-protocol title="javascript protocol">these "<code title="">javascript:</code> URL" steps</dfn>:</p>
+
+ <ol id=concept-js-deref><li><p>If the <a href=#origin>origin</a> of the <a href=#source-browsing-context>source browsing context</a> is not the
+ <a href=#same-origin>same origin</a> as the <a href=#origin>origin</a> of the <a href=#active-document>active document</a> of
+ the <a href=#browsing-context>browsing context</a> being navigated, then act as if the result of evaluating
+ the script was the void value, and jump to the step labeled <i>process results</i>
+ below.</li>
+
+ <li><p>Apply the <a href=#url-parser>URL parser</a> to the <a href=#url>URL</a> being navigated.</li>
+
+ <li><p>Let <var title="">parsed URL</var> be the result of the <a href=#url-parser>URL
+ parser</a>.</li>
+
+ <li><p>Let <var title="">script source</var> be the empty string.</li>
+
+ <li><p>Append <var title="">parsed URL</var>'s <a href=#concept-url-scheme-data title=concept-url-scheme-data>scheme
+ data</a> component to <var title="">script source</var>.</li>
+
+ <li><p>If <var title="">parsed URL</var>'s <a href=#concept-url-query title=concept-url-query>query</a>
+ component is not null, then first append a U+003F QUESTION MARK character (?) to <var title="">script source</var>, and then append <var title="">parsed URL</var>'s <a href=#concept-url-query title=concept-url-query>query</a> component to <var title="">script
+ source</var>.</li>
+
+ <li><p>If <var title="">parsed URL</var>'s <a href=#concept-url-fragment title=concept-url-fragment>fragment</a> component is not null, then first append a
+ U+003F QUESTION MARK character (?) to <var title="">script source</var>, and then append
+ <var title="">parsed URL</var>'s <a href=#concept-url-fragment title=concept-url-fragment>fragment</a>
+ component to <var title="">script source</var>.</li>
+
+ <li><p>Replace <var title="">script source</var> with the result of applying the
+ <a href=#percent-decode>percent decode</a> algorithm to <var title="">script source</var>.</li>
+
+ <li><p>Replace <var title="">script source</var> with the result of applying the <a href=#utf-8-decode>UTF-8
+ decode</a> algorithm to <var title="">script source</var>.</li>
+
+ <!-- <body onload="w('test')"> and javascript:%EF%BB%BF'test' both work, so we assume
+ that JavaScript is stripping the BOM, and we don't have to -->
+
+ <!--
+ http://software.hixie.ch/utilities/js/live-dom-viewer/saved/2639 -> about:blank
+ http://software.hixie.ch/utilities/js/live-dom-viewer/saved/2640 -> javascript:'test' in Firefox, about:blank otherwise
+ -->
+ <li><p>Let <var title="">address</var> be the <a href="#the-document's-address" title="the document's
+ address">address</a> of the <a href=#active-document>active document</a> of the <a href=#browsing-context>browsing
+ context</a> being navigated.</li>
+
+ <li>
+
+ <p><a href=#create-a-script>Create a script</a>, using <var title="">script source</var> as the script
+ source, <var title="">address</var> as the script source URL, JavaScript as the scripting
+ language, and the <a href=#script-settings-object>script settings object</a> of the <code><a href=#window>Window</a></code> object of
+ the <a href=#active-document>active document</a> of the <a href=#browsing-context>browsing context</a> being navigated.</p>
+
+ <p>Let <var title="">result</var> be the return value of the <a href=#code-entry-point>code entry-point</a>
+ of this <a href=#concept-script title=concept-script>script</a>. If an exception was thrown, let <var title="">result</var> be void instead. (The result will be void also if <a href=#concept-bc-noscript title=concept-bc-noscript>scripting is disabled</a>.)</p>
+
+ </li>
+
+ <li>
+
+ <p><i>Process results</i>: If the result of executing the script is void (there is no return
+ value), then the result of obtaining the resource for the URL is <a href=#concept-http-equivalent-codes title=concept-http-equivalent-codes>equivalent to</a> an HTTP resource with an HTTP
+ 204 No Content response.</p>
+
+ <p>Otherwise, the result of obtaining the resource for the URL is <a href=#concept-http-equivalent-codes title=concept-http-equivalent-codes>equivalent</a> to an HTTP resource with a 200 OK
+ response whose <a href=#content-type title=Content-Type>Content-Type metadata</a> is
+ <code><a href=#text/html>text/html</a></code> and whose response body is the return value converted to a string
+ value.</p>
+
+ <p>When it comes time to <a href="#set-the-document's-address">set the document's address</a> in the <a href=#navigate title=navigate>navigation algorithm</a>, use <var title="">address</var> as the
+ <a href=#override-url>override URL</a>.</p>
+
+ </li>
+
+ </ol><div class=example>
+
+ <p>So for example a <a href=#javascript-protocol title="javascript protocol"><code title="">javascript:</code>
+ URL</a> in an <code title=attr-hyperlink-href><a href=#attr-hyperlink-href>href</a></code> attribute of an
+ <code><a href=#the-a-element>a</a></code> element would only be evaluated when the link was <a href=#following-hyperlinks title="following
+ hyperlinks">followed</a>, while such a URL in the <code title=attr-iframe-src><a href=#attr-iframe-src>src</a></code> attribute of an <code><a href=#the-iframe-element>iframe</a></code> element would be
+ evaluated in the context of the <code><a href=#the-iframe-element>iframe</a></code>'s own <a href=#nested-browsing-context>nested browsing
+ context</a> when the <code><a href=#the-iframe-element>iframe</a></code> is being set up; once evaluated, its return value
+ (if it was not void) would replace that <a href=#browsing-context>browsing context</a>'s document, thus also
+ changing the <code><a href=#window>Window</a></code> object of that <a href=#browsing-context>browsing context</a>.</p>
+
+ </div>
+
+ </dd>
+
+ <dt>If the new resource is to be fetched using HTTP GET <a href=#concept-http-equivalent-get title=concept-http-equivalent-get>or equivalent</a>, and there are <a href=#relevant-application-cache title="relevant
+ application cache">relevant application caches</a> that are identified by a URL with the
+ <a href=#same-origin>same origin</a> as the URL in question, and that have this URL as one of their
+ entries, excluding entries marked as <a href=#concept-appcache-foreign title=concept-appcache-foreign>foreign</a>,
+ and whose <a href=#concept-appcache-mode title=concept-appcache-mode>mode</a> is <a href=#concept-appcache-mode-fast title=concept-appcache-mode-fast>fast</a>, and the user agent is not in a mode where it
+ will avoid using <a href=#application-cache title="application cache">application caches</a></dt>
+
+ <dd>
+
+ <p><a href=#fetch>Fetch</a> the resource from the <a href=#concept-appcache-selection title=concept-appcache-selection>most
+ appropriate application cache</a> of those that match.</p>
+
+ <p class=example>For example, imagine an HTML page with an associated application cache
+ displaying an image and a form, where the image is also used by several other application
+ caches. If the user right-clicks on the image and chooses "View Image", then the user agent
+ could decide to show the image from any of those caches, but it is likely that the most useful
+ cache for the user would be the one that was used for the aforementioned HTML page. On the
+ other hand, if the user submits the form, and the form does a POST submission, then the user
+ agent will not use an application cache at all; the submission will be made to the
+ network.</p>
+
+ </dd>
+
+ <dt>Otherwise</dt>
+
+ <dd>
+
+ <p><a href=#fetch>Fetch</a><!--FETCH--> the new resource, with the <i>manual redirect flag</i>
+ set.</p>
+
+ </dd>
+
+ </dl><p>If the <a href=#browsing-context>browsing context</a> is a <a href=#nested-browsing-context>nested browsing context</a>, then in the
+ time between this step and either the creation of a <code><a href=#document>Document</a></code> object or the <!-- XXX
+ bug 23633 --> <span>canceling</span> of the <a href=#navigate title=navigate>navigation</a>
+ algorithm<!-- /XXX bug 23633 -->, whichever happens first, the <a href=#browsing-context>browsing context</a>
+ must be put in the <a href=#delaying-load-events-mode>delaying <code title=event-load>load</code> events mode</a>.</p>
+ <!-- this is what makes <iframe> elements delay the load event of their parent browsing context
+ when their child browsing context is in between this step and the step that starts the parser.
+ -->
+
+ <p>If the steps above invoked the <a href=#fetch>fetch</a> algorith, the following requirements also
+ apply:</p>
+
<p>If the resource is being fetched using a method other than one <a href=#concept-http-equivalent-get title=concept-http-equivalent-get>equivalent to</a> HTTP's GET<!-- or HEAD (but that can't
happen) -->, or, if the <a href=#navigate title=navigate>navigation algorithm</a> was invoked as a
- result of the <a href=#concept-form-submit title=concept-form-submit>form submission algorithm</a>, then the <a href=#fetch title=fetch>fetching algorithm</a> must be invoked from the <a href=#origin>origin</a> of the
- <a href=#active-document>active document</a> of the <a href=#source-browsing-context>source browsing context</a>, if any.</p> <!--
+ result of the <a href=#concept-form-submit title=concept-form-submit>form submission algorithm</a>, then the
+ <a href=#fetch title=fetch>fetching algorithm</a> must be invoked from the <a href=#origin>origin</a> of
+ the <a href=#active-document>active document</a> of the <a href=#source-browsing-context>source browsing context</a>, if any.</p> <!--
potentially http-origin privacy sensitive -->
- <p>If the <a href=#browsing-context>browsing context</a> being navigated is a <a href=#child-browsing-context>child browsing context</a>
- for an <code><a href=#the-iframe-element>iframe</a></code> or <code><a href=#the-object-element>object</a></code> element, then the <a href=#fetch title=fetch>fetching
- algorithm</a> must be invoked from the <code><a href=#the-iframe-element>iframe</a></code> or <code><a href=#the-object-element>object</a></code> element's
- <a href=#browsing-context-scope-origin>browsing context scope origin</a>, if it has one.</p> <!-- potentially http-origin
- privacy sensitive -->
+ <p>Otherwise, if the <a href=#browsing-context>browsing context</a> being navigated is a <a href=#child-browsing-context>child browsing
+ context</a> for an <code><a href=#the-iframe-element>iframe</a></code> or <code><a href=#the-object-element>object</a></code> element, then the <a href=#fetch title=fetch>fetching algorithm</a> must be invoked from the <code><a href=#the-iframe-element>iframe</a></code> or
+ <code><a href=#the-object-element>object</a></code> element's <a href=#browsing-context-scope-origin>browsing context scope origin</a>, if it has one.</p>
+ <!-- potentially http-origin privacy sensitive -->
- <p>If the <a href=#browsing-context>browsing context</a> is a <a href=#nested-browsing-context>nested browsing context</a>, then in the
- time between the <a href=#fetch>fetch</a> algorithm being started by this step, and either the
- creation of a <code><a href=#document>Document</a></code> object or the canceling of the <a href=#fetch>fetch</a> or <a href=#navigate title=navigate>navigation</a> algorithms, the <a href=#browsing-context>browsing context</a> must be put in
- the <a href=#delaying-load-events-mode>delaying <code title=event-load>load</code> events mode</a>.</p> <!-- this is
- what makes <iframe> elements delay the load event of their parent browsing context when their
- child browsing context is in between this step and the step that starts the parser. -->
-
</li>
<li>
@@ -66839,8 +66943,8 @@
its <a href="#the-document's-address" title="the document's address">address</a> set to that <a href=#url>URL</a>
instead.</p>
- <p class=note>An <a href=#override-url title="override URL">override URL</a> is set when <a href=#concept-js-deref title=concept-js-deref>dereferencing a <code>javascript:</code> URL</a> and when performing
- <a href=#an-overridden-reload>an overridden reload</a>.</p>
+ <p class=note>An <a href=#override-url title="override URL">override URL</a> is set when <a href=#javascript-protocol title="javascript protocol">dereferencing a <code>javascript:</code> URL</a> and when
+ performing <a href=#an-overridden-reload>an overridden reload</a>.</p>
<p><dfn id=create-a-document-object title="create a Document object">Creating a new <code>Document</code> object</dfn>: when
a <code><a href=#document>Document</a></code> is created as part of the above steps, the user agent must additionally
@@ -69890,8 +69994,7 @@
<ul><li>Processing of <code><a href=#the-script-element>script</a></code> elements.</li>
- <li>Processing of inline <code title="javascript protocol"><a href=#javascript-protocol>javascript:</a></code> URLs (e.g. the
- <code title=attr-img-src><a href=#attr-img-src>src</a></code> attribute of <code><a href=#the-img-element>img</a></code> elements, or an <code title="">@import</code> rule in a CSS <code><a href=#the-style-element>style</a></code> element block).</li>
+ <li>Navigating to <a href=#javascript-protocol title="javascript protocol"><code>javascript:</code> URLs</a>.</li>
<li>Event handlers, whether registered through the DOM using <code title="">addEventListener()</code>, by explicit <a href=#event-handler-content-attributes>event handler content attributes</a>, by
<a href=#event-handler-idl-attributes>event handler IDL attributes</a>, or otherwise.</li>
@@ -70823,106 +70926,12 @@
</dl></div>
- <div class=impl>
- <!-- SCRIPT EXEC -->
- <h4 id=javascript-protocol><span class=secno>7.1.5 </span><dfn title="javascript protocol">The <code title="">javascript:</code> URL scheme</dfn></h4>
- <p>When a <a href=#url>URL</a> using the <code title="">javascript:</code> scheme is <dfn id=concept-js-deref title=concept-js-deref>dereferenced</dfn>, the user agent must run the following steps:</p>
+ <h4 id=events><span class=secno>7.1.5 </span>Events</h4>
- <ol><li><p>Let the script source be the string obtained using the content retrieval operation defined
- for <code title="">javascript:</code> URLs. <a href=#refsJSURL>[JSURL]</a></li>
+ <h5 id=event-handler-attributes><span class=secno>7.1.5.1 </span>Event handlers</h5>
- <li>
-
- <p>Use the appropriate step from the following list:</p>
-
- <dl><dt>If a <a href=#browsing-context>browsing context</a> is being <a href=#navigate title=navigate>navigated</a> to a
- <code>javascript:</code> URL, and the <a href=#source-browsing-context>source browsing context</a> for that navigation,
- if any, has <a href=#concept-bc-noscript title=concept-bc-noscript>scripting disabled</a></dt>
-
- <dd>
-
- <p>Let <var title="">result</var> be void.</p>
-
- </dd>
-
- <dt>If a <a href=#browsing-context>browsing context</a> is being <a href=#navigate title=navigate>navigated</a> to a
- <code>javascript:</code> URL, and the <a href=#active-document>active document</a> of that browsing context has
- the <a href=#same-origin>same origin</a> as the script given by that URL</dt>
-
- <dd>
-
- <!-- http://www.hixie.ch/tests/adhoc/html/navigation/javascript-url/ -->
-
- <p>Let <var title="">address</var> be the <a href="#the-document's-address" title="the document's address">address</a>
- of the <a href=#active-document>active document</a> of the <a href=#browsing-context>browsing context</a> being navigated.</p>
-
- <p>If <var title="">address</var> is <code><a href=#about:blank>about:blank</a></code>, and the <a href=#browsing-context>browsing
- context</a> being navigated has a <a href=#creator-browsing-context>creator browsing context</a>, then let <var title="">address</var> be the <a href="#the-document's-address" title="the document's address">address</a> of the
- <a href=#creator-document>creator <code>Document</code></a> instead.</p>
-
- <p><a href=#create-a-script>Create a script</a>, using the aforementioned script source, the <a href=#url>URL</a>
- of the resource where the <code>javascript:</code> URL, was found, JavaScript as the scripting
- language, and the <a href=#script-settings-object>script settings object</a> of the <code><a href=#window>Window</a></code> object of the
- <a href=#active-document>active document</a>.</p>
-
- <p>Let <var title="">result</var> be the return value of the <a href=#code-entry-point>code entry-point</a>
- of this <a href=#concept-script title=concept-script>script</a>. If an exception was thrown, let <var title="">result</var> be void instead. (The result will be void also if <a href=#concept-bc-noscript title=concept-bc-noscript>scripting is disabled</a>.)</p>
-
- <p>When it comes time to <a href="#set-the-document's-address">set the document's address</a> in the <a href=#navigate title=navigate>navigation algorithm</a>, use <var title="">address</var> as the
- <a href=#override-url>override URL</a>.</p>
-
- </dd>
-
- <dt>Otherwise</dt>
-
- <dd>
-
- <p>Let <var title="">result</var> be void.</p>
-
- </dd>
-
- </dl></li>
-
- <li>
-
- <p>If the result of executing the script is void (there is no return value), then the URL must
- be treated in a manner equivalent to an HTTP resource with an HTTP 204 No Content response.</p>
-
- <p>Otherwise, the URL must be treated in a manner equivalent to an HTTP resource with a 200 OK
- response whose <a href=#content-type title=Content-Type>Content-Type metadata</a> is <code><a href=#text/html>text/html</a></code>
- and whose response body is the return value converted to a string value.</p>
-
- <p class=note>Certain contexts, in particular <code><a href=#the-img-element>img</a></code> elements, ignore the <a href=#content-type title=Content-Type>Content-Type metadata</a>.</p>
-
- </li>
-
- </ol><div class=example>
-
- <p>So for example a <code title="">javascript:</code> URL for a <code title=attr-img-src><a href=#attr-img-src>src</a></code> attribute of an <code><a href=#the-img-element>img</a></code> element would be evaluated in
- the context of an empty object as soon as the attribute is set; it would then be sniffed to
- determine the image type and decoded as an image.</p>
-
- <p>A <code title="">javascript:</code> URL in an <code title=attr-hyperlink-href><a href=#attr-hyperlink-href>href</a></code>
- attribute of an <code><a href=#the-a-element>a</a></code> element would only be evaluated when the link was <a href=#following-hyperlinks title="following hyperlinks">followed</a>.</p>
-
- <p>The <code title=attr-iframe-src><a href=#attr-iframe-src>src</a></code> attribute of an <code><a href=#the-iframe-element>iframe</a></code> element would
- be evaluated in the context of the <code><a href=#the-iframe-element>iframe</a></code>'s own <a href=#browsing-context>browsing context</a>; once
- evaluated, its return value (if it was not void) would replace that <a href=#browsing-context>browsing
- context</a>'s document, thus changing the variables visible in that <a href=#browsing-context>browsing
- context</a>.</p>
-
- </div>
-
- </div>
-
-
-
- <h4 id=events><span class=secno>7.1.6 </span>Events</h4>
-
- <h5 id=event-handler-attributes><span class=secno>7.1.6.1 </span>Event handlers</h5>
-
<!--test: <a href="http://software.hixie.ch/utilities/js/live-dom-viewer/?%3C!DOCTYPE%20html%3E%0A...%3Cscript%3E%0Aw(a%3Ddocument.implementation.createDocument(null%2C%20null%2C%20null))%3B%0Aw(a.appendChild(a.createElementNS('http%3A%2F%2Fwww.w3.org%2F1999%2Fxhtml'%2C%20'html')))%3B%0Aw(b%3Da.firstChild.appendChild(a.createElementNS('http%3A%2F%2Fwww.w3.org%2F1999%2Fxhtml'%2C%20'body')))%3B%0Aw(b.test%20%3D%20w)%3B%0Aw(b.setAttribute('onclick'%2C%20'test(%22fire%3A%20%22%20%2B%20event)'))%3B%0Aw(b.onclick)%3B%0Aw(e%3Da.createEvent('Event'))%3B%0Aw(e.initEvent('click'%2C%20false%2C%20false))%3B%0Aw(b.dispatchEvent(e))%3B%0A%3C%2Fscript%3E">test</a>-->
<p>Many objects can have <dfn id=event-handlers>event handlers</dfn> specified. These act as non-capture event
@@ -71304,7 +71313,7 @@
<!-- onreadystatechange is also defined specially, using [LenientThis]; see IDL -->
- <h5 id=event-handlers-on-elements,-document-objects,-and-window-objects><span class=secno>7.1.6.2 </span>Event handlers on elements, <code><a href=#document>Document</a></code> objects, and <code><a href=#window>Window</a></code> objects</h5>
+ <h5 id=event-handlers-on-elements,-document-objects,-and-window-objects><span class=secno>7.1.5.2 </span>Event handlers on elements, <code><a href=#document>Document</a></code> objects, and <code><a href=#window>Window</a></code> objects</h5>
<p>The following are the <a href=#event-handlers>event handlers</a> (and their corresponding <a href=#event-handler-event-type title="event
handler event type">event handler event types</a>) <span class=impl>that must be</span>
@@ -71428,7 +71437,7 @@
<table><thead><tr><th><a href=#event-handlers title="event handlers">Event handler</a> <th><a href=#event-handler-event-type>Event handler event type</a>
<tbody><tr><td><dfn id=handler-onreadystatechange title=handler-onreadystatechange><code>onreadystatechange</code></dfn> <td> <code title=event-readystatechange><a href=#event-readystatechange>readystatechange</a></code>
- </table><h6 id=idl-definitions><span class=secno>7.1.6.2.1 </span>IDL definitions</h6>
+ </table><h6 id=idl-definitions><span class=secno>7.1.5.2.1 </span>IDL definitions</h6>
<pre class=idl>[NoInterfaceObject]
interface <dfn id=globaleventhandlers>GlobalEventHandlers</dfn> {
@@ -71515,7 +71524,7 @@
<div class=impl>
- <h5 id=event-firing><span class=secno>7.1.6.3 </span>Event firing</h5>
+ <h5 id=event-firing><span class=secno>7.1.5.3 </span>Event firing</h5>
<p>Certain operations and methods are defined as firing events on elements. For example, the <code title=dom-click><a href=#dom-click>click()</a></code> method on the <code><a href=#htmlelement>HTMLElement</a></code> interface is defined as
firing a <code title=event-click><a href=#event-click>click</a></code> event on the element. <a href=#refsDOMEVENTS>[DOMEVENTS]</a></p>
@@ -71546,7 +71555,7 @@
<div class=impl>
- <h5 id=events-and-the-window-object><span class=secno>7.1.6.4 </span>Events and the <code><a href=#window>Window</a></code> object</h5>
+ <h5 id=events-and-the-window-object><span class=secno>7.1.5.4 </span>Events and the <code><a href=#window>Window</a></code> object</h5>
<p>When an event is dispatched at a DOM node in a <code><a href=#document>Document</a></code> in a <a href=#browsing-context>browsing
context</a>, if the event is not a <code title=event-load>load</code> event, the user agent
@@ -78278,8 +78287,7 @@
<p>HTTP 200 OK responses that have a <a href=#content-type>Content-Type</a> specifying an unsupported type, or
that have no <a href=#content-type>Content-Type</a> at all, must cause the user agent to <a href=#fail-the-connection>fail the
- connection</a>.</p> <!-- about:blank is defined as having no MIME type; javascript: as having
- the type text/html -->
+ connection</a>.</p> <!-- about:blank is defined as having no MIME type -->
<p>HTTP 305 Use Proxy, 401 Unauthorized, and 407 Proxy Authentication Required should be treated
transparently as for any other subresource.</p>
@@ -82509,9 +82517,10 @@
<a href=#origin>origin</a> specified by the <a href=#incumbent-settings-object>incumbent settings object</a>, then throw a <code><a href=#securityerror>SecurityError</a></code> exception and
abort these steps.</p>
+<!--CLEANUP-->
<p class=note>Thus, scripts must either be external files with the same scheme, host, and port
as the original page, or <a href=#data-protocol title="data protocol"><code title="">data:</code> URLs</a>.
- For example, you can't load a script from a <a href=#javascript-protocol title="javascript protocol"><code title="">javascript:</code> URL</a>, and an <code>https:</code> page couldn't start workers
+ For example, an <code>https:</code> page couldn't start workers
using scripts with <code>http:</code> URLs.</p>
</li>
@@ -82624,9 +82633,10 @@
the <a href=#incumbent-settings-object>incumbent settings object</a>, then throw a <code><a href=#securityerror>SecurityError</a></code> exception and abort these
steps.</p>
+<!--CLEANUP-->
<p class=note>Thus, scripts must either be external files with the same scheme, host, and port
as the original page, or <a href=#data-protocol title="data protocol"><code title="">data:</code> URLs</a>.
- For example, you can't load a script from a <a href=#javascript-protocol title="javascript protocol"><code title="">javascript:</code> URL</a>, and an <code>https:</code> page couldn't start workers
+ For example, and an <code>https:</code> page couldn't start workers
using scripts with <code>http:</code> URLs.</p>
</li>
@@ -101102,11 +101112,6 @@
<dt id=refsJSON>[JSON]</dt>
<dd><cite><a href=http://tools.ietf.org/html/rfc4627>The application/json Media Type for JavaScript Object Notation (JSON)</a></cite>, D. Crockford. IETF.</dd>
- <dt id=refsJSURL>[JSURL]</dt>
- <dd><cite><a href=http://tools.ietf.org/html/draft-hoehrmann-javascript-scheme>The 'javascript' resource identifier scheme</a></cite>, B. Höhrmann. IETF.
- <!-- Sadly this reference has been dead for a while. Unfortunately it's the closest thing we current have to a spec. -->
- </dd>
-
<dt id=refsMAILTO>[MAILTO]</dt>
<dd>(Non-normative) <cite><a href=http://tools.ietf.org/html/rfc6068>The 'mailto' URI scheme</a></cite>, M. Duerst, L. Masinter, J. Zawinski. IETF.</dd>
Modified: index
===================================================================
--- index 2013-11-14 22:19:58 UTC (rev 8283)
+++ index 2013-11-15 15:56:16 UTC (rev 8284)
@@ -298,7 +298,7 @@
<header class=head id=head><p><a href=http://www.whatwg.org/ class=logo><img width=101 src=/images/logo alt=WHATWG height=101></a></p>
<hgroup><h1 class=allcaps>HTML</h1>
- <h2 class="no-num no-toc">Living Standard — Last Updated 14 November 2013</h2>
+ <h2 class="no-num no-toc">Living Standard — Last Updated 15 November 2013</h2>
</hgroup><dl><dt><strong>Web developer edition:</strong></dt>
<dd><strong><a href=http://developers.whatwg.org/>http://developers.whatwg.org/</a></strong></dd>
<dt>Multiple-page version:</dt>
@@ -1022,15 +1022,14 @@
<li><a href=#definitions-1><span class=secno>7.1.4.1 </span>Definitions</a></li>
<li><a href=#processing-model-4><span class=secno>7.1.4.2 </span>Processing model</a></li>
<li><a href=#generic-task-sources><span class=secno>7.1.4.3 </span>Generic task sources</a></ol></li>
- <li><a href=#javascript-protocol><span class=secno>7.1.5 </span>The <code title="">javascript:</code> URL scheme</a></li>
- <li><a href=#events><span class=secno>7.1.6 </span>Events</a>
+ <li><a href=#events><span class=secno>7.1.5 </span>Events</a>
<ol>
- <li><a href=#event-handler-attributes><span class=secno>7.1.6.1 </span>Event handlers</a></li>
- <li><a href=#event-handlers-on-elements,-document-objects,-and-window-objects><span class=secno>7.1.6.2 </span>Event handlers on elements, <code>Document</code> objects, and <code>Window</code> objects</a>
+ <li><a href=#event-handler-attributes><span class=secno>7.1.5.1 </span>Event handlers</a></li>
+ <li><a href=#event-handlers-on-elements,-document-objects,-and-window-objects><span class=secno>7.1.5.2 </span>Event handlers on elements, <code>Document</code> objects, and <code>Window</code> objects</a>
<ol>
- <li><a href=#idl-definitions><span class=secno>7.1.6.2.1 </span>IDL definitions</a></ol></li>
- <li><a href=#event-firing><span class=secno>7.1.6.3 </span>Event firing</a></li>
- <li><a href=#events-and-the-window-object><span class=secno>7.1.6.4 </span>Events and the <code>Window</code> object</a></ol></ol></li>
+ <li><a href=#idl-definitions><span class=secno>7.1.5.2.1 </span>IDL definitions</a></ol></li>
+ <li><a href=#event-firing><span class=secno>7.1.5.3 </span>Event firing</a></li>
+ <li><a href=#events-and-the-window-object><span class=secno>7.1.5.4 </span>Events and the <code>Window</code> object</a></ol></ol></li>
<li><a href=#atob><span class=secno>7.2 </span>Base64 utility methods</a></li>
<li><a href=#dynamic-markup-insertion><span class=secno>7.3 </span>Dynamic markup insertion</a>
<ol>
@@ -3540,7 +3539,7 @@
<li>The <dfn id=url-parser>URL parser</dfn>
<li><dfn id=parsed-url>Parsed URL</dfn>
<li>The <dfn id=concept-url-scheme title=concept-url-scheme>scheme</dfn> component of a <a href=#parsed-url>parsed URL</a>
- <li>The <dfn id=concept-url-scheme-data title="concept-url-scheme data">scheme data</dfn> component of a <a href=#parsed-url>parsed URL</a>
+ <li>The <dfn id=concept-url-scheme-data title=concept-url-scheme-data>scheme data</dfn> component of a <a href=#parsed-url>parsed URL</a>
<li>The <dfn id=concept-url-username title=concept-url-username>username</dfn> component of a <a href=#parsed-url>parsed URL</a>
<li>The <dfn id=concept-url-password title=concept-url-password>password</dfn> component of a <a href=#parsed-url>parsed URL</a>
<li>The <dfn id=concept-url-host title=concept-url-host>host</dfn> component of a <a href=#parsed-url>parsed URL</a>
@@ -6897,8 +6896,7 @@
<li>
<p>If <var title="">referrer</var> is not the empty string, is not a <a href=#data-protocol title="data
- protocol"><code title="">data:</code> URL</a>, is not a <a href=#javascript-protocol title="javascript
- protocol"><code title="">javascript:</code> URL</a>, and is not the <a href=#url>URL</a>
+ protocol"><code title="">data:</code> URL</a>, and is not the <a href=#url>URL</a>
"<code><a href=#about:blank>about:blank</a></code>", then generate the <i>address of the resource from which Request-URIs
are obtained</i> as required by HTTP for the <code title=http-referer>Referer</code> (sic)
header from <var title="">referrer</var>. <a href=#refsHTTP>[HTTP]</a></p>
@@ -6944,9 +6942,10 @@
<dfn id=about:blank><code>about:blank</code></dfn>, then the resource is immediately available and consists of
the empty string, with no metadata.</p>
+<!--CLEANUP-->
<p>Otherwise, at a time convenient to the user and the user agent, download (or otherwise
obtain) the resource, applying the semantics of the relevant specifications (e.g. performing an
- HTTP GET or POST operation, or reading the file from disk, <a href=#concept-js-deref title=concept-js-deref>dereferencing <span title="javascript protocol"><code title="">javascript:</code> URLs</span></a>, etc).</p>
+ HTTP GET or POST operation, or reading the file from disk, or expanding <a href=#data-protocol title="data protocol"><code title="">data:</code> URLs</a>, etc).</p>
<p>For the purposes of the <code title=http-referer>Referer</code> (sic) header, use the
<i>address of the resource from which Request-URIs are obtained</i> generated in the earlier
@@ -7202,7 +7201,6 @@
<dl class=switch><dt>If the <var title="">URL</var> has the <a href=#same-origin>same origin</a> as <var title="">origin</var></dt>
<dt>If the <var title="">URL</var> is a <a href=#data-protocol title="data protocol"><code title="">data:</code> URL</a></dt>
- <dt>If the <var title="">URL</var> is a <a href=#javascript-protocol title="javascript protocol"><code title="">javascript:</code> URL</a></dt>
<dt>If the <var title="">URL</var> is <code><a href=#about:blank>about:blank</a></code></dt>
<dd>
@@ -7228,7 +7226,7 @@
<p>Set <var title="">URL</var> to the target URL of the redirect and return to the top of
the <a href=#potentially-cors-enabled-fetch>potentially CORS-enabled fetch</a> algorithm (this time, one of the other
branches below might be taken, based on the value of <var title="">mode</var><!-- but if
- it's a data: or javascript: URL, we'll stay here -->).</p>
+ it's a data: URL, we'll stay here -->).</p>
</dd>
@@ -51601,12 +51599,6 @@
<p>The resource obtained in this fashion can be either <a href=#cors-same-origin>CORS-same-origin</a> or
<a href=#cors-cross-origin>CORS-cross-origin</a>. This only affects how error reporting happens.</p>
- <p>For historical reasons, if the <a href=#url>URL</a> is a <a href=#javascript-protocol title="javascript
- protocol"><code title="">javascript:</code> URL</a>, then the user agent must not, despite
- the requirements in the definition of the <a href=#fetch title=fetch>fetching</a> algorithm,
- actually execute the script in the URL; instead the user agent must act as if it had received
- an empty HTTP 400 response.</p>
-
<p>For performance reasons, user agents may start fetching the script (as defined above) as
soon as the <code title=attr-script-src><a href=#attr-script-src>src</a></code> attribute is set, instead, in the hope
that the element will be inserted into the document (and that the <code title=attr-script-crossorigin><a href=#attr-script-crossorigin>crossorigin</a></code> attribute won't change value in the
@@ -64958,21 +64950,6 @@
</dd>
- <dt>If a <code><a href=#document>Document</a></code> was generated from a <a href=#javascript-protocol title="javascript
- protocol"><code>javascript:</code> URL</a></dt>
-
- <dd>
-
- <p>The <a href=#origin>origin</a> is an <a href=#concept-origin-alias title=concept-origin-alias>alias</a> to the
- <a href=#origin>origin</a> of the script of that <a href=#javascript-protocol title="javascript
- protocol"><code>javascript:</code> URL</a>.</p>
-
- <p>The <a href=#effective-script-origin>effective script origin</a> is initially an <a href=#concept-origin-alias title=concept-origin-alias>alias</a> to the <a href=#origin>origin</a> of the
- <code><a href=#document>Document</a></code>.</p>
-
- </dd>
-
-
<dt>If a <code><a href=#document>Document</a></code> was served over the network and has an address that uses a URL
scheme with a server-based naming authority</dt>
@@ -65002,8 +64979,7 @@
</dd>
- <dt>If a <code><a href=#document>Document</a></code> has the <a href="#the-document's-address" title="the document's address">address</a>
- "<code><a href=#about:blank>about:blank</a></code>"</dt>
+ <dt>If a <code><a href=#document>Document</a></code> is the initial "<code><a href=#about:blank>about:blank</a></code>" document</dt>
<dd>
@@ -65014,6 +64990,20 @@
</dd>
+ <dt>If a <code><a href=#document>Document</a></code> was created as part of the processing for <a href=#javascript-protocol title="javascript protocol"><code>javascript:</code> URLs</a></dt>
+
+ <dd>
+
+ <p>The <a href=#origin>origin</a> is an <a href=#concept-origin-alias title=concept-origin-alias>alias</a> to the
+ <a href=#origin>origin</a> of the <a href=#active-document>active document</a> of the <a href=#browsing-context>browsing context</a>
+ being navigated when the <a href=#navigate>navigate</a> algorithm was invoked.</p>
+
+ <p>The <a href=#effective-script-origin>effective script origin</a> is initially an <a href=#concept-origin-alias title=concept-origin-alias>alias</a> to the <a href=#effective-script-origin>effective script origin</a> of that
+ same <code><a href=#document>Document</a></code>.</p>
+
+ </dd>
+
+
<dt>If a <code><a href=#document>Document</a></code> is <a href=#an-iframe-srcdoc-document>an <code>iframe</code> <code title=attr-iframe-srcdoc>srcdoc</code> document</a></dt>
<dd>
@@ -66591,50 +66581,164 @@
<li>
- <p>If the resource has already been obtained (e.g. because it is being used to populate an
- <code><a href=#the-object-element>object</a></code> element's new <a href=#child-browsing-context>child browsing context</a>), then skip this step.</p>
+ <p>This is the step that attempts to obtain the resource, if necessary. Jump to the first
+ appropriate substep:</p>
- <p>Otherwise:</p>
+ <dl><dt>If the resource has already been obtained (e.g. because it is being used to populate an
+ <code><a href=#the-object-element>object</a></code> element's new <a href=#child-browsing-context>child browsing context</a>)</dt>
- <p>If the new resource is to be fetched using HTTP GET <a href=#concept-http-equivalent-get title=concept-http-equivalent-get>or equivalent</a>, and there are <a href=#relevant-application-cache title="relevant
- application cache">relevant application caches</a> that are identified by a URL with the
- <a href=#same-origin>same origin</a> as the URL in question, and that have this URL as one of their entries,
- excluding entries marked as <a href=#concept-appcache-foreign title=concept-appcache-foreign>foreign</a>, and whose
- <a href=#concept-appcache-mode title=concept-appcache-mode>mode</a> is <a href=#concept-appcache-mode-fast title=concept-appcache-mode-fast>fast</a>, and the user agent is not in a mode where it
- will avoid using <a href=#application-cache title="application cache">application caches</a> then
- <a href=#fetch>fetch</a> the resource from the <a href=#concept-appcache-selection title=concept-appcache-selection>most
- appropriate application cache</a> of those that match.</p>
+ <dd><p>Skip this step. The data is already available.</dd>
- <p class=example>For example, imagine an HTML page with an associated application cache
- displaying an image and a form, where the image is also used by several other application
- caches. If the user right-clicks on the image and chooses "View Image", then the user agent
- could decide to show the image from any of those caches, but it is likely that the most useful
- cache for the user would be the one that was used for the aforementioned HTML page. On the other
- hand, if the user submits the form, and the form does a POST submission, then the user agent
- will not use an application cache at all; the submission will be made to the network.</p>
+ <dt>If the new resource is a <a href=#url>URL</a> whose <a href=#concept-url-scheme title=concept-url-scheme>scheme</a> is <code title="javascript
+ protocol"><a href=#javascript-protocol>javascript</a></code></dt>
- <p>Otherwise, <a href=#fetch>fetch</a><!--FETCH--> the new resource, with the <i>manual redirect
- flag</i> set.</p>
+ <dd>
+ <!-- http://www.hixie.ch/tests/adhoc/html/navigation/javascript-url/ -->
+
+ <p><a href=#queue-a-task>Queue a task</a> to run <dfn id=javascript-protocol title="javascript protocol">these "<code title="">javascript:</code> URL" steps</dfn>:</p>
+
+ <ol id=concept-js-deref><li><p>If the <a href=#origin>origin</a> of the <a href=#source-browsing-context>source browsing context</a> is not the
+ <a href=#same-origin>same origin</a> as the <a href=#origin>origin</a> of the <a href=#active-document>active document</a> of
+ the <a href=#browsing-context>browsing context</a> being navigated, then act as if the result of evaluating
+ the script was the void value, and jump to the step labeled <i>process results</i>
+ below.</li>
+
+ <li><p>Apply the <a href=#url-parser>URL parser</a> to the <a href=#url>URL</a> being navigated.</li>
+
+ <li><p>Let <var title="">parsed URL</var> be the result of the <a href=#url-parser>URL
+ parser</a>.</li>
+
+ <li><p>Let <var title="">script source</var> be the empty string.</li>
+
+ <li><p>Append <var title="">parsed URL</var>'s <a href=#concept-url-scheme-data title=concept-url-scheme-data>scheme
+ data</a> component to <var title="">script source</var>.</li>
+
+ <li><p>If <var title="">parsed URL</var>'s <a href=#concept-url-query title=concept-url-query>query</a>
+ component is not null, then first append a U+003F QUESTION MARK character (?) to <var title="">script source</var>, and then append <var title="">parsed URL</var>'s <a href=#concept-url-query title=concept-url-query>query</a> component to <var title="">script
+ source</var>.</li>
+
+ <li><p>If <var title="">parsed URL</var>'s <a href=#concept-url-fragment title=concept-url-fragment>fragment</a> component is not null, then first append a
+ U+003F QUESTION MARK character (?) to <var title="">script source</var>, and then append
+ <var title="">parsed URL</var>'s <a href=#concept-url-fragment title=concept-url-fragment>fragment</a>
+ component to <var title="">script source</var>.</li>
+
+ <li><p>Replace <var title="">script source</var> with the result of applying the
+ <a href=#percent-decode>percent decode</a> algorithm to <var title="">script source</var>.</li>
+
+ <li><p>Replace <var title="">script source</var> with the result of applying the <a href=#utf-8-decode>UTF-8
+ decode</a> algorithm to <var title="">script source</var>.</li>
+
+ <!-- <body onload="w('test')"> and javascript:%EF%BB%BF'test' both work, so we assume
+ that JavaScript is stripping the BOM, and we don't have to -->
+
+ <!--
+ http://software.hixie.ch/utilities/js/live-dom-viewer/saved/2639 -> about:blank
+ http://software.hixie.ch/utilities/js/live-dom-viewer/saved/2640 -> javascript:'test' in Firefox, about:blank otherwise
+ -->
+ <li><p>Let <var title="">address</var> be the <a href="#the-document's-address" title="the document's
+ address">address</a> of the <a href=#active-document>active document</a> of the <a href=#browsing-context>browsing
+ context</a> being navigated.</li>
+
+ <li>
+
+ <p><a href=#create-a-script>Create a script</a>, using <var title="">script source</var> as the script
+ source, <var title="">address</var> as the script source URL, JavaScript as the scripting
+ language, and the <a href=#script-settings-object>script settings object</a> of the <code><a href=#window>Window</a></code> object of
+ the <a href=#active-document>active document</a> of the <a href=#browsing-context>browsing context</a> being navigated.</p>
+
+ <p>Let <var title="">result</var> be the return value of the <a href=#code-entry-point>code entry-point</a>
+ of this <a href=#concept-script title=concept-script>script</a>. If an exception was thrown, let <var title="">result</var> be void instead. (The result will be void also if <a href=#concept-bc-noscript title=concept-bc-noscript>scripting is disabled</a>.)</p>
+
+ </li>
+
+ <li>
+
+ <p><i>Process results</i>: If the result of executing the script is void (there is no return
+ value), then the result of obtaining the resource for the URL is <a href=#concept-http-equivalent-codes title=concept-http-equivalent-codes>equivalent to</a> an HTTP resource with an HTTP
+ 204 No Content response.</p>
+
+ <p>Otherwise, the result of obtaining the resource for the URL is <a href=#concept-http-equivalent-codes title=concept-http-equivalent-codes>equivalent</a> to an HTTP resource with a 200 OK
+ response whose <a href=#content-type title=Content-Type>Content-Type metadata</a> is
+ <code><a href=#text/html>text/html</a></code> and whose response body is the return value converted to a string
+ value.</p>
+
+ <p>When it comes time to <a href="#set-the-document's-address">set the document's address</a> in the <a href=#navigate title=navigate>navigation algorithm</a>, use <var title="">address</var> as the
+ <a href=#override-url>override URL</a>.</p>
+
+ </li>
+
+ </ol><div class=example>
+
+ <p>So for example a <a href=#javascript-protocol title="javascript protocol"><code title="">javascript:</code>
+ URL</a> in an <code title=attr-hyperlink-href><a href=#attr-hyperlink-href>href</a></code> attribute of an
+ <code><a href=#the-a-element>a</a></code> element would only be evaluated when the link was <a href=#following-hyperlinks title="following
+ hyperlinks">followed</a>, while such a URL in the <code title=attr-iframe-src><a href=#attr-iframe-src>src</a></code> attribute of an <code><a href=#the-iframe-element>iframe</a></code> element would be
+ evaluated in the context of the <code><a href=#the-iframe-element>iframe</a></code>'s own <a href=#nested-browsing-context>nested browsing
+ context</a> when the <code><a href=#the-iframe-element>iframe</a></code> is being set up; once evaluated, its return value
+ (if it was not void) would replace that <a href=#browsing-context>browsing context</a>'s document, thus also
+ changing the <code><a href=#window>Window</a></code> object of that <a href=#browsing-context>browsing context</a>.</p>
+
+ </div>
+
+ </dd>
+
+ <dt>If the new resource is to be fetched using HTTP GET <a href=#concept-http-equivalent-get title=concept-http-equivalent-get>or equivalent</a>, and there are <a href=#relevant-application-cache title="relevant
+ application cache">relevant application caches</a> that are identified by a URL with the
+ <a href=#same-origin>same origin</a> as the URL in question, and that have this URL as one of their
+ entries, excluding entries marked as <a href=#concept-appcache-foreign title=concept-appcache-foreign>foreign</a>,
+ and whose <a href=#concept-appcache-mode title=concept-appcache-mode>mode</a> is <a href=#concept-appcache-mode-fast title=concept-appcache-mode-fast>fast</a>, and the user agent is not in a mode where it
+ will avoid using <a href=#application-cache title="application cache">application caches</a></dt>
+
+ <dd>
+
+ <p><a href=#fetch>Fetch</a> the resource from the <a href=#concept-appcache-selection title=concept-appcache-selection>most
+ appropriate application cache</a> of those that match.</p>
+
+ <p class=example>For example, imagine an HTML page with an associated application cache
+ displaying an image and a form, where the image is also used by several other application
+ caches. If the user right-clicks on the image and chooses "View Image", then the user agent
+ could decide to show the image from any of those caches, but it is likely that the most useful
+ cache for the user would be the one that was used for the aforementioned HTML page. On the
+ other hand, if the user submits the form, and the form does a POST submission, then the user
+ agent will not use an application cache at all; the submission will be made to the
+ network.</p>
+
+ </dd>
+
+ <dt>Otherwise</dt>
+
+ <dd>
+
+ <p><a href=#fetch>Fetch</a><!--FETCH--> the new resource, with the <i>manual redirect flag</i>
+ set.</p>
+
+ </dd>
+
+ </dl><p>If the <a href=#browsing-context>browsing context</a> is a <a href=#nested-browsing-context>nested browsing context</a>, then in the
+ time between this step and either the creation of a <code><a href=#document>Document</a></code> object or the <!-- XXX
+ bug 23633 --> <span>canceling</span> of the <a href=#navigate title=navigate>navigation</a>
+ algorithm<!-- /XXX bug 23633 -->, whichever happens first, the <a href=#browsing-context>browsing context</a>
+ must be put in the <a href=#delaying-load-events-mode>delaying <code title=event-load>load</code> events mode</a>.</p>
+ <!-- this is what makes <iframe> elements delay the load event of their parent browsing context
+ when their child browsing context is in between this step and the step that starts the parser.
+ -->
+
+ <p>If the steps above invoked the <a href=#fetch>fetch</a> algorith, the following requirements also
+ apply:</p>
+
<p>If the resource is being fetched using a method other than one <a href=#concept-http-equivalent-get title=concept-http-equivalent-get>equivalent to</a> HTTP's GET<!-- or HEAD (but that can't
happen) -->, or, if the <a href=#navigate title=navigate>navigation algorithm</a> was invoked as a
- result of the <a href=#concept-form-submit title=concept-form-submit>form submission algorithm</a>, then the <a href=#fetch title=fetch>fetching algorithm</a> must be invoked from the <a href=#origin>origin</a> of the
- <a href=#active-document>active document</a> of the <a href=#source-browsing-context>source browsing context</a>, if any.</p> <!--
+ result of the <a href=#concept-form-submit title=concept-form-submit>form submission algorithm</a>, then the
+ <a href=#fetch title=fetch>fetching algorithm</a> must be invoked from the <a href=#origin>origin</a> of
+ the <a href=#active-document>active document</a> of the <a href=#source-browsing-context>source browsing context</a>, if any.</p> <!--
potentially http-origin privacy sensitive -->
- <p>If the <a href=#browsing-context>browsing context</a> being navigated is a <a href=#child-browsing-context>child browsing context</a>
- for an <code><a href=#the-iframe-element>iframe</a></code> or <code><a href=#the-object-element>object</a></code> element, then the <a href=#fetch title=fetch>fetching
- algorithm</a> must be invoked from the <code><a href=#the-iframe-element>iframe</a></code> or <code><a href=#the-object-element>object</a></code> element's
- <a href=#browsing-context-scope-origin>browsing context scope origin</a>, if it has one.</p> <!-- potentially http-origin
- privacy sensitive -->
+ <p>Otherwise, if the <a href=#browsing-context>browsing context</a> being navigated is a <a href=#child-browsing-context>child browsing
+ context</a> for an <code><a href=#the-iframe-element>iframe</a></code> or <code><a href=#the-object-element>object</a></code> element, then the <a href=#fetch title=fetch>fetching algorithm</a> must be invoked from the <code><a href=#the-iframe-element>iframe</a></code> or
+ <code><a href=#the-object-element>object</a></code> element's <a href=#browsing-context-scope-origin>browsing context scope origin</a>, if it has one.</p>
+ <!-- potentially http-origin privacy sensitive -->
- <p>If the <a href=#browsing-context>browsing context</a> is a <a href=#nested-browsing-context>nested browsing context</a>, then in the
- time between the <a href=#fetch>fetch</a> algorithm being started by this step, and either the
- creation of a <code><a href=#document>Document</a></code> object or the canceling of the <a href=#fetch>fetch</a> or <a href=#navigate title=navigate>navigation</a> algorithms, the <a href=#browsing-context>browsing context</a> must be put in
- the <a href=#delaying-load-events-mode>delaying <code title=event-load>load</code> events mode</a>.</p> <!-- this is
- what makes <iframe> elements delay the load event of their parent browsing context when their
- child browsing context is in between this step and the step that starts the parser. -->
-
</li>
<li>
@@ -66839,8 +66943,8 @@
its <a href="#the-document's-address" title="the document's address">address</a> set to that <a href=#url>URL</a>
instead.</p>
- <p class=note>An <a href=#override-url title="override URL">override URL</a> is set when <a href=#concept-js-deref title=concept-js-deref>dereferencing a <code>javascript:</code> URL</a> and when performing
- <a href=#an-overridden-reload>an overridden reload</a>.</p>
+ <p class=note>An <a href=#override-url title="override URL">override URL</a> is set when <a href=#javascript-protocol title="javascript protocol">dereferencing a <code>javascript:</code> URL</a> and when
+ performing <a href=#an-overridden-reload>an overridden reload</a>.</p>
<p><dfn id=create-a-document-object title="create a Document object">Creating a new <code>Document</code> object</dfn>: when
a <code><a href=#document>Document</a></code> is created as part of the above steps, the user agent must additionally
@@ -69890,8 +69994,7 @@
<ul><li>Processing of <code><a href=#the-script-element>script</a></code> elements.</li>
- <li>Processing of inline <code title="javascript protocol"><a href=#javascript-protocol>javascript:</a></code> URLs (e.g. the
- <code title=attr-img-src><a href=#attr-img-src>src</a></code> attribute of <code><a href=#the-img-element>img</a></code> elements, or an <code title="">@import</code> rule in a CSS <code><a href=#the-style-element>style</a></code> element block).</li>
+ <li>Navigating to <a href=#javascript-protocol title="javascript protocol"><code>javascript:</code> URLs</a>.</li>
<li>Event handlers, whether registered through the DOM using <code title="">addEventListener()</code>, by explicit <a href=#event-handler-content-attributes>event handler content attributes</a>, by
<a href=#event-handler-idl-attributes>event handler IDL attributes</a>, or otherwise.</li>
@@ -70823,106 +70926,12 @@
</dl></div>
- <div class=impl>
- <!-- SCRIPT EXEC -->
- <h4 id=javascript-protocol><span class=secno>7.1.5 </span><dfn title="javascript protocol">The <code title="">javascript:</code> URL scheme</dfn></h4>
- <p>When a <a href=#url>URL</a> using the <code title="">javascript:</code> scheme is <dfn id=concept-js-deref title=concept-js-deref>dereferenced</dfn>, the user agent must run the following steps:</p>
+ <h4 id=events><span class=secno>7.1.5 </span>Events</h4>
- <ol><li><p>Let the script source be the string obtained using the content retrieval operation defined
- for <code title="">javascript:</code> URLs. <a href=#refsJSURL>[JSURL]</a></li>
+ <h5 id=event-handler-attributes><span class=secno>7.1.5.1 </span>Event handlers</h5>
- <li>
-
- <p>Use the appropriate step from the following list:</p>
-
- <dl><dt>If a <a href=#browsing-context>browsing context</a> is being <a href=#navigate title=navigate>navigated</a> to a
- <code>javascript:</code> URL, and the <a href=#source-browsing-context>source browsing context</a> for that navigation,
- if any, has <a href=#concept-bc-noscript title=concept-bc-noscript>scripting disabled</a></dt>
-
- <dd>
-
- <p>Let <var title="">result</var> be void.</p>
-
- </dd>
-
- <dt>If a <a href=#browsing-context>browsing context</a> is being <a href=#navigate title=navigate>navigated</a> to a
- <code>javascript:</code> URL, and the <a href=#active-document>active document</a> of that browsing context has
- the <a href=#same-origin>same origin</a> as the script given by that URL</dt>
-
- <dd>
-
- <!-- http://www.hixie.ch/tests/adhoc/html/navigation/javascript-url/ -->
-
- <p>Let <var title="">address</var> be the <a href="#the-document's-address" title="the document's address">address</a>
- of the <a href=#active-document>active document</a> of the <a href=#browsing-context>browsing context</a> being navigated.</p>
-
- <p>If <var title="">address</var> is <code><a href=#about:blank>about:blank</a></code>, and the <a href=#browsing-context>browsing
- context</a> being navigated has a <a href=#creator-browsing-context>creator browsing context</a>, then let <var title="">address</var> be the <a href="#the-document's-address" title="the document's address">address</a> of the
- <a href=#creator-document>creator <code>Document</code></a> instead.</p>
-
- <p><a href=#create-a-script>Create a script</a>, using the aforementioned script source, the <a href=#url>URL</a>
- of the resource where the <code>javascript:</code> URL, was found, JavaScript as the scripting
- language, and the <a href=#script-settings-object>script settings object</a> of the <code><a href=#window>Window</a></code> object of the
- <a href=#active-document>active document</a>.</p>
-
- <p>Let <var title="">result</var> be the return value of the <a href=#code-entry-point>code entry-point</a>
- of this <a href=#concept-script title=concept-script>script</a>. If an exception was thrown, let <var title="">result</var> be void instead. (The result will be void also if <a href=#concept-bc-noscript title=concept-bc-noscript>scripting is disabled</a>.)</p>
-
- <p>When it comes time to <a href="#set-the-document's-address">set the document's address</a> in the <a href=#navigate title=navigate>navigation algorithm</a>, use <var title="">address</var> as the
- <a href=#override-url>override URL</a>.</p>
-
- </dd>
-
- <dt>Otherwise</dt>
-
- <dd>
-
- <p>Let <var title="">result</var> be void.</p>
-
- </dd>
-
- </dl></li>
-
- <li>
-
- <p>If the result of executing the script is void (there is no return value), then the URL must
- be treated in a manner equivalent to an HTTP resource with an HTTP 204 No Content response.</p>
-
- <p>Otherwise, the URL must be treated in a manner equivalent to an HTTP resource with a 200 OK
- response whose <a href=#content-type title=Content-Type>Content-Type metadata</a> is <code><a href=#text/html>text/html</a></code>
- and whose response body is the return value converted to a string value.</p>
-
- <p class=note>Certain contexts, in particular <code><a href=#the-img-element>img</a></code> elements, ignore the <a href=#content-type title=Content-Type>Content-Type metadata</a>.</p>
-
- </li>
-
- </ol><div class=example>
-
- <p>So for example a <code title="">javascript:</code> URL for a <code title=attr-img-src><a href=#attr-img-src>src</a></code> attribute of an <code><a href=#the-img-element>img</a></code> element would be evaluated in
- the context of an empty object as soon as the attribute is set; it would then be sniffed to
- determine the image type and decoded as an image.</p>
-
- <p>A <code title="">javascript:</code> URL in an <code title=attr-hyperlink-href><a href=#attr-hyperlink-href>href</a></code>
- attribute of an <code><a href=#the-a-element>a</a></code> element would only be evaluated when the link was <a href=#following-hyperlinks title="following hyperlinks">followed</a>.</p>
-
- <p>The <code title=attr-iframe-src><a href=#attr-iframe-src>src</a></code> attribute of an <code><a href=#the-iframe-element>iframe</a></code> element would
- be evaluated in the context of the <code><a href=#the-iframe-element>iframe</a></code>'s own <a href=#browsing-context>browsing context</a>; once
- evaluated, its return value (if it was not void) would replace that <a href=#browsing-context>browsing
- context</a>'s document, thus changing the variables visible in that <a href=#browsing-context>browsing
- context</a>.</p>
-
- </div>
-
- </div>
-
-
-
- <h4 id=events><span class=secno>7.1.6 </span>Events</h4>
-
- <h5 id=event-handler-attributes><span class=secno>7.1.6.1 </span>Event handlers</h5>
-
<!--test: <a href="http://software.hixie.ch/utilities/js/live-dom-viewer/?%3C!DOCTYPE%20html%3E%0A...%3Cscript%3E%0Aw(a%3Ddocument.implementation.createDocument(null%2C%20null%2C%20null))%3B%0Aw(a.appendChild(a.createElementNS('http%3A%2F%2Fwww.w3.org%2F1999%2Fxhtml'%2C%20'html')))%3B%0Aw(b%3Da.firstChild.appendChild(a.createElementNS('http%3A%2F%2Fwww.w3.org%2F1999%2Fxhtml'%2C%20'body')))%3B%0Aw(b.test%20%3D%20w)%3B%0Aw(b.setAttribute('onclick'%2C%20'test(%22fire%3A%20%22%20%2B%20event)'))%3B%0Aw(b.onclick)%3B%0Aw(e%3Da.createEvent('Event'))%3B%0Aw(e.initEvent('click'%2C%20false%2C%20false))%3B%0Aw(b.dispatchEvent(e))%3B%0A%3C%2Fscript%3E">test</a>-->
<p>Many objects can have <dfn id=event-handlers>event handlers</dfn> specified. These act as non-capture event
@@ -71304,7 +71313,7 @@
<!-- onreadystatechange is also defined specially, using [LenientThis]; see IDL -->
- <h5 id=event-handlers-on-elements,-document-objects,-and-window-objects><span class=secno>7.1.6.2 </span>Event handlers on elements, <code><a href=#document>Document</a></code> objects, and <code><a href=#window>Window</a></code> objects</h5>
+ <h5 id=event-handlers-on-elements,-document-objects,-and-window-objects><span class=secno>7.1.5.2 </span>Event handlers on elements, <code><a href=#document>Document</a></code> objects, and <code><a href=#window>Window</a></code> objects</h5>
<p>The following are the <a href=#event-handlers>event handlers</a> (and their corresponding <a href=#event-handler-event-type title="event
handler event type">event handler event types</a>) <span class=impl>that must be</span>
@@ -71428,7 +71437,7 @@
<table><thead><tr><th><a href=#event-handlers title="event handlers">Event handler</a> <th><a href=#event-handler-event-type>Event handler event type</a>
<tbody><tr><td><dfn id=handler-onreadystatechange title=handler-onreadystatechange><code>onreadystatechange</code></dfn> <td> <code title=event-readystatechange><a href=#event-readystatechange>readystatechange</a></code>
- </table><h6 id=idl-definitions><span class=secno>7.1.6.2.1 </span>IDL definitions</h6>
+ </table><h6 id=idl-definitions><span class=secno>7.1.5.2.1 </span>IDL definitions</h6>
<pre class=idl>[NoInterfaceObject]
interface <dfn id=globaleventhandlers>GlobalEventHandlers</dfn> {
@@ -71515,7 +71524,7 @@
<div class=impl>
- <h5 id=event-firing><span class=secno>7.1.6.3 </span>Event firing</h5>
+ <h5 id=event-firing><span class=secno>7.1.5.3 </span>Event firing</h5>
<p>Certain operations and methods are defined as firing events on elements. For example, the <code title=dom-click><a href=#dom-click>click()</a></code> method on the <code><a href=#htmlelement>HTMLElement</a></code> interface is defined as
firing a <code title=event-click><a href=#event-click>click</a></code> event on the element. <a href=#refsDOMEVENTS>[DOMEVENTS]</a></p>
@@ -71546,7 +71555,7 @@
<div class=impl>
- <h5 id=events-and-the-window-object><span class=secno>7.1.6.4 </span>Events and the <code><a href=#window>Window</a></code> object</h5>
+ <h5 id=events-and-the-window-object><span class=secno>7.1.5.4 </span>Events and the <code><a href=#window>Window</a></code> object</h5>
<p>When an event is dispatched at a DOM node in a <code><a href=#document>Document</a></code> in a <a href=#browsing-context>browsing
context</a>, if the event is not a <code title=event-load>load</code> event, the user agent
@@ -78278,8 +78287,7 @@
<p>HTTP 200 OK responses that have a <a href=#content-type>Content-Type</a> specifying an unsupported type, or
that have no <a href=#content-type>Content-Type</a> at all, must cause the user agent to <a href=#fail-the-connection>fail the
- connection</a>.</p> <!-- about:blank is defined as having no MIME type; javascript: as having
- the type text/html -->
+ connection</a>.</p> <!-- about:blank is defined as having no MIME type -->
<p>HTTP 305 Use Proxy, 401 Unauthorized, and 407 Proxy Authentication Required should be treated
transparently as for any other subresource.</p>
@@ -82509,9 +82517,10 @@
<a href=#origin>origin</a> specified by the <a href=#incumbent-settings-object>incumbent settings object</a>, then throw a <code><a href=#securityerror>SecurityError</a></code> exception and
abort these steps.</p>
+<!--CLEANUP-->
<p class=note>Thus, scripts must either be external files with the same scheme, host, and port
as the original page, or <a href=#data-protocol title="data protocol"><code title="">data:</code> URLs</a>.
- For example, you can't load a script from a <a href=#javascript-protocol title="javascript protocol"><code title="">javascript:</code> URL</a>, and an <code>https:</code> page couldn't start workers
+ For example, an <code>https:</code> page couldn't start workers
using scripts with <code>http:</code> URLs.</p>
</li>
@@ -82624,9 +82633,10 @@
the <a href=#incumbent-settings-object>incumbent settings object</a>, then throw a <code><a href=#securityerror>SecurityError</a></code> exception and abort these
steps.</p>
+<!--CLEANUP-->
<p class=note>Thus, scripts must either be external files with the same scheme, host, and port
as the original page, or <a href=#data-protocol title="data protocol"><code title="">data:</code> URLs</a>.
- For example, you can't load a script from a <a href=#javascript-protocol title="javascript protocol"><code title="">javascript:</code> URL</a>, and an <code>https:</code> page couldn't start workers
+ For example, and an <code>https:</code> page couldn't start workers
using scripts with <code>http:</code> URLs.</p>
</li>
@@ -101102,11 +101112,6 @@
<dt id=refsJSON>[JSON]</dt>
<dd><cite><a href=http://tools.ietf.org/html/rfc4627>The application/json Media Type for JavaScript Object Notation (JSON)</a></cite>, D. Crockford. IETF.</dd>
- <dt id=refsJSURL>[JSURL]</dt>
- <dd><cite><a href=http://tools.ietf.org/html/draft-hoehrmann-javascript-scheme>The 'javascript' resource identifier scheme</a></cite>, B. Höhrmann. IETF.
- <!-- Sadly this reference has been dead for a while. Unfortunately it's the closest thing we current have to a spec. -->
- </dd>
-
<dt id=refsMAILTO>[MAILTO]</dt>
<dd>(Non-normative) <cite><a href=http://tools.ietf.org/html/rfc6068>The 'mailto' URI scheme</a></cite>, M. Duerst, L. Masinter, J. Zawinski. IETF.</dd>
Modified: source
===================================================================
--- source 2013-11-14 22:19:58 UTC (rev 8283)
+++ source 2013-11-15 15:56:16 UTC (rev 8284)
@@ -2273,7 +2273,7 @@
<li>The <dfn>URL parser</dfn>
<li><dfn>Parsed URL</dfn>
<li>The <dfn data-x="concept-url-scheme">scheme</dfn> component of a <span>parsed URL</span>
- <li>The <dfn data-x="concept-url-scheme data">scheme data</dfn> component of a <span>parsed URL</span>
+ <li>The <dfn data-x="concept-url-scheme-data">scheme data</dfn> component of a <span>parsed URL</span>
<li>The <dfn data-x="concept-url-username">username</dfn> component of a <span>parsed URL</span>
<li>The <dfn data-x="concept-url-password">password</dfn> component of a <span>parsed URL</span>
<li>The <dfn data-x="concept-url-host">host</dfn> component of a <span>parsed URL</span>
@@ -6288,8 +6288,7 @@
<li>
<p>If <var data-x="">referrer</var> is not the empty string, is not a <span data-x="data
- protocol"><code data-x="">data:</code> URL</span>, is not a <span data-x="javascript
- protocol"><code data-x="">javascript:</code> URL</span>, and is not the <span>URL</span>
+ protocol"><code data-x="">data:</code> URL</span>, and is not the <span>URL</span>
"<code>about:blank</code>", then generate the <i>address of the resource from which Request-URIs
are obtained</i> as required by HTTP for the <code data-x="http-referer">Referer</code> (sic)
header from <var data-x="">referrer</var>. <a href="#refsHTTP">[HTTP]</a></p>
@@ -6338,11 +6337,11 @@
<dfn><code>about:blank</code></dfn>, then the resource is immediately available and consists of
the empty string, with no metadata.</p>
+<!--CLEANUP-->
<p>Otherwise, at a time convenient to the user and the user agent, download (or otherwise
obtain) the resource, applying the semantics of the relevant specifications (e.g. performing an
- HTTP GET or POST operation, or reading the file from disk, <span
- data-x="concept-js-deref">dereferencing <span data-x="javascript protocol"><code
- data-x="">javascript:</code> URLs</span></span>, etc).</p>
+ HTTP GET or POST operation, or reading the file from disk, or expanding <span data-x="data protocol"><code
+ data-x="">data:</code> URLs</span>, etc).</p>
<p>For the purposes of the <code data-x="http-referer">Referer</code> (sic) header, use the
<i>address of the resource from which Request-URIs are obtained</i> generated in the earlier
@@ -6646,7 +6645,6 @@
<dt>If the <var data-x="">URL</var> has the <span>same origin</span> as <var data-x="">origin</var></dt>
<dt>If the <var data-x="">URL</var> is a <span data-x="data protocol"><code data-x="">data:</code> URL</span></dt>
- <dt>If the <var data-x="">URL</var> is a <span data-x="javascript protocol"><code data-x="">javascript:</code> URL</span></dt>
<dt>If the <var data-x="">URL</var> is <code>about:blank</code></dt>
<dd>
@@ -6677,7 +6675,7 @@
<p>Set <var data-x="">URL</var> to the target URL of the redirect and return to the top of
the <span>potentially CORS-enabled fetch</span> algorithm (this time, one of the other
branches below might be taken, based on the value of <var data-x="">mode</var><!-- but if
- it's a data: or javascript: URL, we'll stay here -->).</p>
+ it's a data: URL, we'll stay here -->).</p>
</dd>
@@ -56999,12 +56997,6 @@
<p>The resource obtained in this fashion can be either <span>CORS-same-origin</span> or
<span>CORS-cross-origin</span>. This only affects how error reporting happens.</p>
- <p>For historical reasons, if the <span>URL</span> is a <span data-x="javascript
- protocol"><code data-x="">javascript:</code> URL</span>, then the user agent must not, despite
- the requirements in the definition of the <span data-x="fetch">fetching</span> algorithm,
- actually execute the script in the URL; instead the user agent must act as if it had received
- an empty HTTP 400 response.</p>
-
<p>For performance reasons, user agents may start fetching the script (as defined above) as
soon as the <code data-x="attr-script-src">src</code> attribute is set, instead, in the hope
that the element will be inserted into the document (and that the <code
@@ -72305,22 +72297,6 @@
</dd>
- <dt>If a <code>Document</code> was generated from a <span data-x="javascript
- protocol"><code>javascript:</code> URL</span></dt>
-
- <dd>
-
- <p>The <span>origin</span> is an <span data-x="concept-origin-alias">alias</span> to the
- <span>origin</span> of the script of that <span data-x="javascript
- protocol"><code>javascript:</code> URL</span>.</p>
-
- <p>The <span>effective script origin</span> is initially an <span
- data-x="concept-origin-alias">alias</span> to the <span>origin</span> of the
- <code>Document</code>.</p>
-
- </dd>
-
-
<dt>If a <code>Document</code> was served over the network and has an address that uses a URL
scheme with a server-based naming authority</dt>
@@ -72354,8 +72330,7 @@
</dd>
- <dt>If a <code>Document</code> has the <span data-x="the document's address">address</span>
- "<code>about:blank</code>"</dt>
+ <dt>If a <code>Document</code> is the initial "<code>about:blank</code>" document</dt>
<dd>
@@ -72366,6 +72341,22 @@
</dd>
+ <dt>If a <code>Document</code> was created as part of the processing for <span
+ data-x="javascript protocol"><code>javascript:</code> URLs</span></dt>
+
+ <dd>
+
+ <p>The <span>origin</span> is an <span data-x="concept-origin-alias">alias</span> to the
+ <span>origin</span> of the <span>active document</span> of the <span>browsing context</span>
+ being navigated when the <span>navigate</span> algorithm was invoked.</p>
+
+ <p>The <span>effective script origin</span> is initially an <span
+ data-x="concept-origin-alias">alias</span> to the <span>effective script origin</span> of that
+ same <code>Document</code>.</p>
+
+ </dd>
+
+
<dt>If a <code>Document</code> is <span>an <code>iframe</code> <code
data-x="attr-iframe-srcdoc">srcdoc</code> document</span></dt>
@@ -74167,55 +74158,187 @@
<li>
- <p>If the resource has already been obtained (e.g. because it is being used to populate an
- <code>object</code> element's new <span>child browsing context</span>), then skip this step.</p>
+ <p>This is the step that attempts to obtain the resource, if necessary. Jump to the first
+ appropriate substep:</p>
- <p>Otherwise:</p>
+ <dl>
- <p>If the new resource is to be fetched using HTTP GET <span
- data-x="concept-http-equivalent-get">or equivalent</span>, and there are <span data-x="relevant
- application cache">relevant application caches</span> that are identified by a URL with the
- <span>same origin</span> as the URL in question, and that have this URL as one of their entries,
- excluding entries marked as <span data-x="concept-appcache-foreign">foreign</span>, and whose
- <span data-x="concept-appcache-mode">mode</span> is <span
- data-x="concept-appcache-mode-fast">fast</span>, and the user agent is not in a mode where it
- will avoid using <span data-x="application cache">application caches</span> then
- <span>fetch</span> the resource from the <span data-x="concept-appcache-selection">most
- appropriate application cache</span> of those that match.</p>
+ <dt>If the resource has already been obtained (e.g. because it is being used to populate an
+ <code>object</code> element's new <span>child browsing context</span>)</dt>
- <p class="example">For example, imagine an HTML page with an associated application cache
- displaying an image and a form, where the image is also used by several other application
- caches. If the user right-clicks on the image and chooses "View Image", then the user agent
- could decide to show the image from any of those caches, but it is likely that the most useful
- cache for the user would be the one that was used for the aforementioned HTML page. On the other
- hand, if the user submits the form, and the form does a POST submission, then the user agent
- will not use an application cache at all; the submission will be made to the network.</p>
+ <dd><p>Skip this step. The data is already available.</p></dd>
- <p>Otherwise, <span>fetch</span><!--FETCH--> the new resource, with the <i>manual redirect
- flag</i> set.</p>
+ <dt>If the new resource is a <span>URL</span> whose <span
+ data-x="concept-url-scheme">scheme</span> is <code data-x="javascript
+ protocol">javascript</code></dt>
+ <dd>
+
+ <!-- http://www.hixie.ch/tests/adhoc/html/navigation/javascript-url/ -->
+
+ <p><span>Queue a task</span> to run <dfn data-x="javascript protocol">these "<code
+ data-x="">javascript:</code> URL" steps</dfn>:</p>
+
+ <ol id="concept-js-deref">
+
+ <li><p>If the <span>origin</span> of the <span>source browsing context</span> is not the
+ <span>same origin</span> as the <span>origin</span> of the <span>active document</span> of
+ the <span>browsing context</span> being navigated, then act as if the result of evaluating
+ the script was the void value, and jump to the step labeled <i>process results</i>
+ below.</p></li>
+
+ <li><p>Apply the <span>URL parser</span> to the <span>URL</span> being navigated.</p></li>
+
+ <li><p>Let <var data-x="">parsed URL</var> be the result of the <span>URL
+ parser</span>.</p></li>
+
+ <li><p>Let <var data-x="">script source</var> be the empty string.</p></li>
+
+ <li><p>Append <var data-x="">parsed URL</var>'s <span data-x="concept-url-scheme-data">scheme
+ data</span> component to <var data-x="">script source</var>.</p></li>
+
+ <li><p>If <var data-x="">parsed URL</var>'s <span data-x="concept-url-query">query</span>
+ component is not null, then first append a U+003F QUESTION MARK character (?) to <var
+ data-x="">script source</var>, and then append <var data-x="">parsed URL</var>'s <span
+ data-x="concept-url-query">query</span> component to <var data-x="">script
+ source</var>.</p></li>
+
+ <li><p>If <var data-x="">parsed URL</var>'s <span
+ data-x="concept-url-fragment">fragment</span> component is not null, then first append a
+ U+003F QUESTION MARK character (?) to <var data-x="">script source</var>, and then append
+ <var data-x="">parsed URL</var>'s <span data-x="concept-url-fragment">fragment</span>
+ component to <var data-x="">script source</var>.</p></li>
+
+ <li><p>Replace <var data-x="">script source</var> with the result of applying the
+ <span>percent decode</span> algorithm to <var data-x="">script source</var>.</p></li>
+
+ <li><p>Replace <var data-x="">script source</var> with the result of applying the <span>UTF-8
+ decode</span> algorithm to <var data-x="">script source</var>.</p></li>
+
+ <!-- <body onload="w('test')"> and javascript:%EF%BB%BF'test' both work, so we assume
+ that JavaScript is stripping the BOM, and we don't have to -->
+
+ <!--
+ http://software.hixie.ch/utilities/js/live-dom-viewer/saved/2639 -> about:blank
+ http://software.hixie.ch/utilities/js/live-dom-viewer/saved/2640 -> javascript:'test' in Firefox, about:blank otherwise
+ -->
+ <li><p>Let <var data-x="">address</var> be the <span data-x="the document's
+ address">address</span> of the <span>active document</span> of the <span>browsing
+ context</span> being navigated.</p></li>
+
+ <li>
+
+ <p><span>Create a script</span>, using <var data-x="">script source</var> as the script
+ source, <var data-x="">address</var> as the script source URL, JavaScript as the scripting
+ language, and the <span>script settings object</span> of the <code>Window</code> object of
+ the <span>active document</span> of the <span>browsing context</span> being navigated.</p>
+
+ <p>Let <var data-x="">result</var> be the return value of the <span>code entry-point</span>
+ of this <span data-x="concept-script">script</span>. If an exception was thrown, let <var
+ data-x="">result</var> be void instead. (The result will be void also if <span
+ data-x="concept-bc-noscript">scripting is disabled</span>.)</p>
+
+ </li>
+
+ <li>
+
+ <p><i>Process results</i>: If the result of executing the script is void (there is no return
+ value), then the result of obtaining the resource for the URL is <span
+ data-x="concept-http-equivalent-codes">equivalent to</span> an HTTP resource with an HTTP
+ 204 No Content response.</p>
+
+ <p>Otherwise, the result of obtaining the resource for the URL is <span
+ data-x="concept-http-equivalent-codes">equivalent</span> to an HTTP resource with a 200 OK
+ response whose <span data-x="Content-Type">Content-Type metadata</span> is
+ <code>text/html</code> and whose response body is the return value converted to a string
+ value.</p>
+
+ <p>When it comes time to <span>set the document's address</span> in the <span
+ data-x="navigate">navigation algorithm</span>, use <var data-x="">address</var> as the
+ <span>override URL</span>.</p>
+
+ </li>
+
+ </ol>
+
+ <div class="example">
+
+ <p>So for example a <span data-x="javascript protocol"><code data-x="">javascript:</code>
+ URL</span> in an <code data-x="attr-hyperlink-href">href</code> attribute of an
+ <code>a</code> element would only be evaluated when the link was <span data-x="following
+ hyperlinks">followed</span>, while such a URL in the <code
+ data-x="attr-iframe-src">src</code> attribute of an <code>iframe</code> element would be
+ evaluated in the context of the <code>iframe</code>'s own <span>nested browsing
+ context</span> when the <code>iframe</code> is being set up; once evaluated, its return value
+ (if it was not void) would replace that <span>browsing context</span>'s document, thus also
+ changing the <code>Window</code> object of that <span>browsing context</span>.</p>
+
+ </div>
+
+ </dd>
+
+ <dt>If the new resource is to be fetched using HTTP GET <span
+ data-x="concept-http-equivalent-get">or equivalent</span>, and there are <span data-x="relevant
+ application cache">relevant application caches</span> that are identified by a URL with the
+ <span>same origin</span> as the URL in question, and that have this URL as one of their
+ entries, excluding entries marked as <span data-x="concept-appcache-foreign">foreign</span>,
+ and whose <span data-x="concept-appcache-mode">mode</span> is <span
+ data-x="concept-appcache-mode-fast">fast</span>, and the user agent is not in a mode where it
+ will avoid using <span data-x="application cache">application caches</span></dt>
+
+ <dd>
+
+ <p><span>Fetch</span> the resource from the <span data-x="concept-appcache-selection">most
+ appropriate application cache</span> of those that match.</p>
+
+ <p class="example">For example, imagine an HTML page with an associated application cache
+ displaying an image and a form, where the image is also used by several other application
+ caches. If the user right-clicks on the image and chooses "View Image", then the user agent
+ could decide to show the image from any of those caches, but it is likely that the most useful
+ cache for the user would be the one that was used for the aforementioned HTML page. On the
+ other hand, if the user submits the form, and the form does a POST submission, then the user
+ agent will not use an application cache at all; the submission will be made to the
+ network.</p>
+
+ </dd>
+
+ <dt>Otherwise</dt>
+
+ <dd>
+
+ <p><span>Fetch</span><!--FETCH--> the new resource, with the <i>manual redirect flag</i>
+ set.</p>
+
+ </dd>
+
+ </dl>
+
+ <p>If the <span>browsing context</span> is a <span>nested browsing context</span>, then in the
+ time between this step and either the creation of a <code>Document</code> object or the <!-- XXX
+ bug 23633 --> <span>canceling</span> of the <span data-x="navigate">navigation</span>
+ algorithm<!-- /XXX bug 23633 -->, whichever happens first, the <span>browsing context</span>
+ must be put in the <span>delaying <code data-x="event-load">load</code> events mode</span>.</p>
+ <!-- this is what makes <iframe> elements delay the load event of their parent browsing context
+ when their child browsing context is in between this step and the step that starts the parser.
+ -->
+
+ <p>If the steps above invoked the <span>fetch</span> algorith, the following requirements also
+ apply:</p>
+
<p>If the resource is being fetched using a method other than one <span
data-x="concept-http-equivalent-get">equivalent to</span> HTTP's GET<!-- or HEAD (but that can't
happen) -->, or, if the <span data-x="navigate">navigation algorithm</span> was invoked as a
- result of the <span data-x="concept-form-submit">form submission algorithm</span>, then the <span
- data-x="fetch">fetching algorithm</span> must be invoked from the <span>origin</span> of the
- <span>active document</span> of the <span>source browsing context</span>, if any.</p> <!--
+ result of the <span data-x="concept-form-submit">form submission algorithm</span>, then the
+ <span data-x="fetch">fetching algorithm</span> must be invoked from the <span>origin</span> of
+ the <span>active document</span> of the <span>source browsing context</span>, if any.</p> <!--
potentially http-origin privacy sensitive -->
- <p>If the <span>browsing context</span> being navigated is a <span>child browsing context</span>
- for an <code>iframe</code> or <code>object</code> element, then the <span data-x="fetch">fetching
- algorithm</span> must be invoked from the <code>iframe</code> or <code>object</code> element's
- <span>browsing context scope origin</span>, if it has one.</p> <!-- potentially http-origin
- privacy sensitive -->
+ <p>Otherwise, if the <span>browsing context</span> being navigated is a <span>child browsing
+ context</span> for an <code>iframe</code> or <code>object</code> element, then the <span
+ data-x="fetch">fetching algorithm</span> must be invoked from the <code>iframe</code> or
+ <code>object</code> element's <span>browsing context scope origin</span>, if it has one.</p>
+ <!-- potentially http-origin privacy sensitive -->
- <p>If the <span>browsing context</span> is a <span>nested browsing context</span>, then in the
- time between the <span>fetch</span> algorithm being started by this step, and either the
- creation of a <code>Document</code> object or the canceling of the <span>fetch</span> or <span
- data-x="navigate">navigation</span> algorithms, the <span>browsing context</span> must be put in
- the <span>delaying <code data-x="event-load">load</code> events mode</span>.</p> <!-- this is
- what makes <iframe> elements delay the load event of their parent browsing context when their
- child browsing context is in between this step and the step that starts the parser. -->
-
</li>
<li>
@@ -74441,8 +74564,8 @@
instead.</p>
<p class="note">An <span data-x="override URL">override URL</span> is set when <span
- data-x="concept-js-deref">dereferencing a <code>javascript:</code> URL</span> and when performing
- <span>an overridden reload</span>.</p>
+ data-x="javascript protocol">dereferencing a <code>javascript:</code> URL</span> and when
+ performing <span>an overridden reload</span>.</p>
<p><dfn data-x="create a Document object">Creating a new <code>Document</code> object</dfn>: when
a <code>Document</code> is created as part of the above steps, the user agent must additionally
@@ -77996,9 +78119,7 @@
<li>Processing of <code>script</code> elements.</li>
- <li>Processing of inline <code data-x="javascript protocol">javascript:</code> URLs (e.g. the
- <code data-x="attr-img-src">src</code> attribute of <code>img</code> elements, or an <code
- data-x="">@import</code> rule in a CSS <code>style</code> element block).</li>
+ <li>Navigating to <span data-x="javascript protocol"><code>javascript:</code> URLs</span>.</li>
<li>Event handlers, whether registered through the DOM using <code
data-x="">addEventListener()</code>, by explicit <span>event handler content attributes</span>, by
@@ -79083,118 +79204,8 @@
</div>
- <div class="impl">
- <!-- SCRIPT EXEC -->
- <h4 id="javascript-protocol"><dfn data-x="javascript protocol">The <code data-x="">javascript:</code> URL scheme</dfn></h4>
- <p>When a <span>URL</span> using the <code data-x="">javascript:</code> scheme is <dfn
- data-x="concept-js-deref">dereferenced</dfn>, the user agent must run the following steps:</p>
-
- <ol>
-
- <li><p>Let the script source be the string obtained using the content retrieval operation defined
- for <code data-x="">javascript:</code> URLs. <a href="#refsJSURL">[JSURL]</a></p></li>
-
- <li>
-
- <p>Use the appropriate step from the following list:</p>
-
- <dl>
-
- <dt>If a <span>browsing context</span> is being <span data-x="navigate">navigated</span> to a
- <code>javascript:</code> URL, and the <span>source browsing context</span> for that navigation,
- if any, has <span data-x="concept-bc-noscript">scripting disabled</span></dt>
-
- <dd>
-
- <p>Let <var data-x="">result</var> be void.</p>
-
- </dd>
-
- <dt>If a <span>browsing context</span> is being <span data-x="navigate">navigated</span> to a
- <code>javascript:</code> URL, and the <span>active document</span> of that browsing context has
- the <span>same origin</span> as the script given by that URL</dt>
-
- <dd>
-
- <!-- http://www.hixie.ch/tests/adhoc/html/navigation/javascript-url/ -->
-
- <p>Let <var data-x="">address</var> be the <span data-x="the document's address">address</span>
- of the <span>active document</span> of the <span>browsing context</span> being navigated.</p>
-
- <p>If <var data-x="">address</var> is <code>about:blank</code>, and the <span>browsing
- context</span> being navigated has a <span>creator browsing context</span>, then let <var
- data-x="">address</var> be the <span data-x="the document's address">address</span> of the
- <span>creator <code>Document</code></span> instead.</p>
-
- <p><span>Create a script</span>, using the aforementioned script source, the <span>URL</span>
- of the resource where the <code>javascript:</code> URL, was found, JavaScript as the scripting
- language, and the <span>script settings object</span> of the <code>Window</code> object of the
- <span>active document</span>.</p>
-
- <p>Let <var data-x="">result</var> be the return value of the <span>code entry-point</span>
- of this <span data-x="concept-script">script</span>. If an exception was thrown, let <var
- data-x="">result</var> be void instead. (The result will be void also if <span
- data-x="concept-bc-noscript">scripting is disabled</span>.)</p>
-
- <p>When it comes time to <span>set the document's address</span> in the <span
- data-x="navigate">navigation algorithm</span>, use <var data-x="">address</var> as the
- <span>override URL</span>.</p>
-
- </dd>
-
- <dt>Otherwise</dt>
-
- <dd>
-
- <p>Let <var data-x="">result</var> be void.</p>
-
- </dd>
-
- </dl>
-
- </li>
-
- <li>
-
- <p>If the result of executing the script is void (there is no return value), then the URL must
- be treated in a manner equivalent to an HTTP resource with an HTTP 204 No Content response.</p>
-
- <p>Otherwise, the URL must be treated in a manner equivalent to an HTTP resource with a 200 OK
- response whose <span data-x="Content-Type">Content-Type metadata</span> is <code>text/html</code>
- and whose response body is the return value converted to a string value.</p>
-
- <p class="note">Certain contexts, in particular <code>img</code> elements, ignore the <span
- data-x="Content-Type">Content-Type metadata</span>.</p>
-
- </li>
-
- </ol>
-
- <div class="example">
-
- <p>So for example a <code data-x="">javascript:</code> URL for a <code
- data-x="attr-img-src">src</code> attribute of an <code>img</code> element would be evaluated in
- the context of an empty object as soon as the attribute is set; it would then be sniffed to
- determine the image type and decoded as an image.</p>
-
- <p>A <code data-x="">javascript:</code> URL in an <code data-x="attr-hyperlink-href">href</code>
- attribute of an <code>a</code> element would only be evaluated when the link was <span
- data-x="following hyperlinks">followed</span>.</p>
-
- <p>The <code data-x="attr-iframe-src">src</code> attribute of an <code>iframe</code> element would
- be evaluated in the context of the <code>iframe</code>'s own <span>browsing context</span>; once
- evaluated, its return value (if it was not void) would replace that <span>browsing
- context</span>'s document, thus changing the variables visible in that <span>browsing
- context</span>.</p>
-
- </div>
-
- </div>
-
-
-
<h4>Events</h4>
<h5 id="event-handler-attributes">Event handlers</h5>
@@ -87647,8 +87658,7 @@
<p>HTTP 200 OK responses that have a <span>Content-Type</span> specifying an unsupported type, or
that have no <span>Content-Type</span> at all, must cause the user agent to <span>fail the
- connection</span>.</p> <!-- about:blank is defined as having no MIME type; javascript: as having
- the type text/html -->
+ connection</span>.</p> <!-- about:blank is defined as having no MIME type -->
<p>HTTP 305 Use Proxy, 401 Unauthorized, and 407 Proxy Authentication Required should be treated
transparently as for any other subresource.</p>
@@ -91761,10 +91771,10 @@
<span>origin</span> specified by the <span>incumbent settings object</span>, then throw a <code>SecurityError</code> exception and
abort these steps.</p>
+<!--CLEANUP-->
<p class="note">Thus, scripts must either be external files with the same scheme, host, and port
as the original page, or <span data-x="data protocol"><code data-x="">data:</code> URLs</span>.
- For example, you can't load a script from a <span data-x="javascript protocol"><code
- data-x="">javascript:</code> URL</span>, and an <code>https:</code> page couldn't start workers
+ For example, an <code>https:</code> page couldn't start workers
using scripts with <code>http:</code> URLs.</p>
</li>
@@ -91885,10 +91895,10 @@
the <span>incumbent settings object</span>, then throw a <code>SecurityError</code> exception and abort these
steps.</p>
+<!--CLEANUP-->
<p class="note">Thus, scripts must either be external files with the same scheme, host, and port
as the original page, or <span data-x="data protocol"><code data-x="">data:</code> URLs</span>.
- For example, you can't load a script from a <span data-x="javascript protocol"><code
- data-x="">javascript:</code> URL</span>, and an <code>https:</code> page couldn't start workers
+ For example, and an <code>https:</code> page couldn't start workers
using scripts with <code>http:</code> URLs.</p>
</li>
@@ -112915,11 +112925,6 @@
<dt id="refsJSON">[JSON]</dt>
<dd><cite><a href="http://tools.ietf.org/html/rfc4627">The application/json Media Type for JavaScript Object Notation (JSON)</a></cite>, D. Crockford. IETF.</dd>
- <dt id="refsJSURL">[JSURL]</dt>
- <dd><cite><a href="http://tools.ietf.org/html/draft-hoehrmann-javascript-scheme">The 'javascript' resource identifier scheme</a></cite>, B. Höhrmann. IETF.
- <!-- Sadly this reference has been dead for a while. Unfortunately it's the closest thing we current have to a spec. -->
- </dd>
-
<dt id="refsMAILTO">[MAILTO]</dt>
<dd>(Non-normative) <cite><a href="http://tools.ietf.org/html/rfc6068">The 'mailto' URI scheme</a></cite>, M. Duerst, L. Masinter, J. Zawinski. IETF.</dd>
More information about the Commit-Watchers
mailing list