Move same-origin-as-document check to steps for obtaining.

Now the steps for processing a manifest do not take a document URL. This
is necessary as manifests are often processed independent of a document,
and the interpretation of a manifest should not depend upon the document
it was included from.

Normative change: If the start_url is not same-origin as the document
URL, the entire manifest is rejected (as part of obtaining a manifest
from a document, rather than processing a manifest), rather than getting
a default start_url.

Closes w3c#668

index.html

@@ -1297,9 +1297,14 @@ <h3>
             "!FETCH#concept-request-body">body</a>.
           </li>
           <li>Let <var>manifest</var> be the result of running <a>processing a
-          manifest</a> given <var>text</var>, <var>manifest URL</var>, and the
-          URL that represents the address of the <a>top-level browsing
-          context</a>.
+          manifest</a> given <var>text</var>, <var>manifest URL</var>.
+          </li>
+          <li data-link-for="WebAppManifest">If
+          <var>manifest</var>["<a>start_url</a>"] is not <a>same origin</a> as
+          the URL that represents the address of the <a>top-level browsing
+          context</a>, issue a developer warning that the <a>start_url</a>
+          needs to be <a>same-origin</a> as <code>Document</code> of the
+          <a>top-level browsing context</a>, then abort these steps.
           </li>
           <li>Return <var>manifest</var> and <var>manifest URL</var>.
           </li>
@@ -1392,9 +1397,8 @@ <h3>
           following algorithm. The algorithm takes a <a>string</a>
           <var>text</var> as an argument, which represents a <a>manifest</a>,
           and a <a>URL</a> <var>manifest URL</var>, which represents the
-          location of the manifest, and a <a>URL</a> <var>document URL</var>.
-          The output from inputting an JSON document into this algorithm is a
-          <dfn>processed manifest</dfn>.
+          location of the manifest. The output from inputting an JSON document
+          into this algorithm is a <dfn>processed manifest</dfn>.
         </p>
         <p class="issue">
           We need to catch throws associated with enumerations in IDL
@@ -1436,8 +1440,7 @@ <h3>
           </li>
           <li>Set <var>manifest</var>["<a>start_url</a>"] to the result of
           running <a>processing the <code>start_url</code> member</a> given
-          <var>manifest</var>["<a>start_url</a>"], <var>manifest URL</var>, and
-          <var>document URL</var>.
+          <var>manifest</var>["<a>start_url</a>"], and <var>manifest URL</var>.
           </li>
           <li>Set <var>manifest</var>["<a>lang</a>"] to the result of running
           <a>processing the <code>lang</code> member</a> given
@@ -1941,9 +1944,8 @@ <h3>
         <p>
           The steps for <dfn>processing the <code>start_url</code> member</dfn>
           are given by the following algorithm. The algorithm takes a
-          <a>USVString</a> <var>value</var>, a <a>URL</a> <var>manifest
-          URL</var>, and a <a>URL</a> <var>document URL</var>. This algorithm
-          returns a <a>URL</a>.
+          <a>USVString</a> <var>value</var>, and a <a>URL</a> <var>manifest
+          URL</var>. This algorithm returns a <a>URL</a>.
         </p>
         <ol>
           <li>Let <var>default</var> be the result of <a>parsing</a> ".", using
@@ -1965,18 +1967,6 @@ <h3>
               </li>
             </ul>
           </li>
-          <li>If <var>start URL</var> is not <a>same origin</a> as
-          <var>document URL</var>:
-            <ol>
-              <li>
-                <a>Issue a developer warning</a> that the <a>start_url</a>
-                needs to be <a>same-origin</a> as <code>Document</code> of the
-                <a>top-level browsing context</a>.
-              </li>
-              <li>Return <var>default</var>.
-              </li>
-            </ol>
-          </li>
           <li>Otherwise, return <var>start URL</var>.
           </li>
         </ol>