From 58cc7b6d0a3c34bc0568a78ed5a4b35d046f074a Mon Sep 17 00:00:00 2001 From: Matt Giuca Date: Tue, 22 May 2018 17:29:43 +1000 Subject: [PATCH] Move same-origin-as-document check to steps for obtaining. Now the steps for processing a manifest do not take a document URL. This is necessary as manifests are often processed independent of a document, and the interpretation of a manifest should not depend upon the document it was included from. Normative change: If the start_url is not same-origin as the document URL, the entire manifest is rejected (as part of obtaining a manifest from a document, rather than processing a manifest), rather than getting a default start_url. Closes #668 --- index.html | 36 +++++++++++++----------------------- 1 file changed, 13 insertions(+), 23 deletions(-) diff --git a/index.html b/index.html index 45b5fb53d..0c506b454 100644 --- a/index.html +++ b/index.html @@ -1297,9 +1297,14 @@

"!FETCH#concept-request-body">body.
  • Let manifest be the result of running processing a - manifest given text, manifest URL, and the - URL that represents the address of the top-level browsing - context. + manifest given text, manifest URL. +
    • +
  • If + manifest["start_url"] is not same origin as + the URL that represents the address of the top-level browsing + context, issue a developer warning that the start_url + needs to be same-origin as Document of the + top-level browsing context, then abort these steps.
  • Return manifest and manifest URL.
    • @@ -1392,9 +1397,8 @@

    following algorithm. The algorithm takes a string text as an argument, which represents a manifest, and a URL manifest URL, which represents the - location of the manifest, and a URL document URL. - The output from inputting an JSON document into this algorithm is a - processed manifest. + location of the manifest. The output from inputting an JSON document + into this algorithm is a processed manifest.

    We need to catch throws associated with enumerations in IDL @@ -1436,8 +1440,7 @@

  • Set manifest["start_url"] to the result of running processing the start_url member given - manifest["start_url"], manifest URL, and - document URL. + manifest["start_url"], and manifest URL.
  • Set manifest["lang"] to the result of running processing the lang member given @@ -1941,9 +1944,8 @@

    The steps for processing the start_url member are given by the following algorithm. The algorithm takes a - USVString value, a URL manifest - URL, and a URL document URL. This algorithm - returns a URL. + USVString value, and a URL manifest + URL. This algorithm returns a URL.

    1. Let default be the result of parsing ".", using @@ -1965,18 +1967,6 @@

      2. -
    2. If start URL is not same origin as - document URL: -
        -
      1. - Issue a developer warning that the start_url - needs to be same-origin as Document of the - top-level browsing context. -
        2. -
      2. Return default. -
        3. -
      -
    3. Otherwise, return start URL.