From cb3316db45e369ba31d97c5ee2dcd9c353a3cb5d Mon Sep 17 00:00:00 2001
From: Anjana <anjanav@coli.uni-saarland.de>
Date: Thu, 22 Oct 2015 15:26:39 -0400
Subject: [PATCH] Fixes #265: Change whitelist/blacklist to safelist/blocklist

Closes #281.
---
 source | 121 +++++++++++++++++++++++++++++----------------------------
 1 file changed, 61 insertions(+), 60 deletions(-)

diff --git a/source b/source
index 65073c047ce..ac801ffa740 100644
--- a/source
+++ b/source
@@ -1213,7 +1213,7 @@ a.setAttribute('href', 'http://example.com/'); // change the content attribute d
     attack in the process, to the catastrophic, such as deleting all data in the server.</p>
 
     <p>When writing filters to validate user input, it is imperative that filters always be
-    whitelist-based, allowing known-safe constructs and disallowing all other input. Blacklist-based
+    safelist-based, allowing known-safe constructs and disallowing all other input. Blocklist-based
     filters that disallow known-bad inputs and allow everything else are not secure, as not
     everything that is bad is yet known (for example, because it might be invented in the
     future).</p>
@@ -1244,17 +1244,17 @@ a.setAttribute('href', 'http://example.com/'); // change the content attribute d
     </div>
 
     <p>There are many constructs that can be used to try to trick a site into executing code. Here
-    are some that authors are encouraged to consider when writing whitelist filters:</p>
+    are some that authors are encouraged to consider when writing safelist filters:</p>
 
     <ul>
 
-     <li>When allowing harmless-seeming elements like <code>img</code>, it is important to whitelist
+     <li>When allowing harmless-seeming elements like <code>img</code>, it is important to safelist
      any provided attributes as well. If one allowed all attributes then an attacker could, for
      instance, use the <code data-x="handler-onload">onload</code> attribute to run arbitrary
      script.</li>
 
      <li>When allowing URLs to be provided (e.g. for links), the scheme of each URL also needs to be
-     explicitly whitelisted, as there are many schemes that can be abused. The most prominent
+     explicitly safelisted, as there are many schemes that can be abused. The most prominent
      example is "<code data-x="javascript protocol">javascript:</code>", but user agents can
      implement (and indeed, have historically implemented) others.</li> <!-- IE had vbscript:,
      Netscape had livescript:, etc. -->
@@ -75047,7 +75047,7 @@ interface <dfn>ElementContentEditable</dfn> {
 
        Ack: Ben Laurie (@g)
 
-     * Interop with native apps. In particular, we probably want to whitelist the list of types that
+     * Interop with native apps. In particular, we probably want to safelist the list of types that
        a Web page can see, since otherwise we'll end up exposing things like the username (if a user
        drags a file from their desktop, the path is exposed on some OSes).
 
@@ -77575,7 +77575,7 @@ dictionary <dfn>DragEventInit</dfn> : <span>MouseEventInit</span> {
   hostile documents without the user's consent.</p>
 
   <p>User agents should filter potentially active (scripted) content (e.g. HTML) when it is dragged
-  and when it is dropped, using a whitelist of known-safe features. Similarly, <span data-x="relative
+  and when it is dropped, using a safelist of known-safe features. Similarly, <span data-x="relative
   URL">relative URLs</span> should be turned into absolute URLs to avoid references changing in
   unexpected ways. This specification does not specify how this is performed.</p>
 
@@ -81933,8 +81933,8 @@ State: &lt;OUTPUT NAME=I>1&lt;/OUTPUT> &lt;INPUT VALUE="Increment" TYPE=BUTTON O
     its URL <span data-x="concept-appcache-matches-fallback">matches the fallback namespace</span>
     of one or more <span data-x="relevant application cache">relevant application caches</span>, and
     the <span data-x="concept-appcache-selection">most appropriate application cache</span> of those
-    that match does not have an entry in its <span data-x="concept-appcache-onlinewhitelist">online
-    whitelist</span> that has the <span>same origin</span> as the resource's URL and that is a
+    that match does not have an entry in its <span data-x="concept-appcache-onlinesafelist">online
+    safelist</span> that has the <span>same origin</span> as the resource's URL and that is a
     <span>prefix match</span> for the resource's URL, and the user didn't cancel the navigation
     attempt during the earlier step, and the navigation attempt failed (e.g. the server returned a
     4xx or 5xx status, or there was a DNS error), then:</p> <!-- note that a redirect can never
@@ -83664,8 +83664,8 @@ NETWORK:
 
    <li>
 
-    <p>Zero or more URLs that form the <dfn data-x="concept-appcache-onlinewhitelist">online
-    whitelist namespaces</dfn>.</p>
+    <p>Zero or more URLs that form the <dfn data-x="concept-appcache-onlinesafelist">online
+    safelist namespaces</dfn>.</p>
 
     <p class="note">These are used as prefix match patterns, and declare URLs for which the user
     agent will ignore the application cache, instead fetching them normally (i.e. from the network
@@ -83675,12 +83675,12 @@ NETWORK:
 
    <li>
 
-    <p>An <dfn data-x="concept-appcache-onlinewhitelist-wildcard">online whitelist wildcard
+    <p>An <dfn data-x="concept-appcache-onlinesafelist-wildcard">online safelist wildcard
     flag</dfn>, which is either <i>open</i> or <i>blocking</i>.</p>
 
     <p class="note">The <i>open</i> state indicates that any URL not listed as cached is to
-    be implicitly treated as being in the <span data-x="concept-appcache-onlinewhitelist">online
-    whitelist namespaces</span>; the <i>blocking</i> state indicates that URLs not listed
+    be implicitly treated as being in the <span data-x="concept-appcache-onlinesafelist">online
+    safelist namespaces</span>; the <i>blocking</i> state indicates that URLs not listed
     explicitly in the manifest are to be treated as unavailable.</p>
 
    </li>
@@ -83807,7 +83807,7 @@ NETWORK:
 
   <div class="example">
 
-   <p>This example manifest requires two images and a style sheet to be cached and whitelists a CGI
+   <p>This example manifest requires two images and a style sheet to be cached and safelists a CGI
    script.</p>
 
    <pre>CACHE MANIFEST
@@ -83828,7 +83828,7 @@ images/sound-icon.png
 images/background.png
 # note that each file has to be put on its own line
 
-# here is a file for the online whitelist -- it isn't cached, and
+# here is a file for the online safelist -- it isn't cached, and
 # references to this file will bypass the cache, always hitting the
 # network (or trying to, if the user is offline).
 NETWORK:
@@ -83870,7 +83870,7 @@ http://img.example.com/cross.png</pre>
 
    <p>The following manifest defines a catch-all error page that is displayed for any page on the
    site while the user is offline. It also specifies that the <span
-   data-x="concept-appcache-onlinewhitelist-wildcard">online whitelist wildcard flag</span> is <i>open</i>, meaning that accesses to resources on other sites will not be blocked.
+   data-x="concept-appcache-onlinesafelist-wildcard">online safelist wildcard flag</span> is <i>open</i>, meaning that accesses to resources on other sites will not be blocked.
    (Resources on the same site are already not blocked because of the catch-all fallback
    namespace.)</p>
 
@@ -83945,7 +83945,7 @@ NETWORK:
      <dd>Switches to the <dfn data-x="concept-appcache-manifest-fallback">fallback section</dfn>.
 
      <dt><code data-x="">NETWORK:</code>
-     <dd>Switches to the <dfn data-x="concept-appcache-manifest-network">online whitelist section</dfn>.
+     <dd>Switches to the <dfn data-x="concept-appcache-manifest-network">online safelist section</dfn>.
 
      <dt><code data-x="">SETTINGS:</code>
      <dd>Switches to the <dfn data-x="concept-appcache-manifest-settings">settings section</dfn>.
@@ -83979,9 +83979,9 @@ NETWORK:
     zero or more U+0020 SPACE and U+0009 CHARACTER TABULATION (tab) characters.</p>
 
     <p>When the current section is the <span data-x="concept-appcache-manifest-network">online
-    whitelist section</span>, data lines must consist of zero or more U+0020 SPACE and U+0009
+    safelist section</span>, data lines must consist of zero or more U+0020 SPACE and U+0009
     CHARACTER TABULATION (tab) characters, either a single U+002A ASTERISK character (*) <!--
-    concept-appcache-onlinewhitelist-wildcard --> or a <span>valid URL</span> identifying a resource
+    concept-appcache-onlinesafelist-wildcard --> or a <span>valid URL</span> identifying a resource
     other than the manifest itself, and then zero or more U+0020 SPACE and U+0009 CHARACTER
     TABULATION (tab) characters.</p>
 
@@ -84034,15 +84034,15 @@ NETWORK:
   than once.</p>
 
   <p>Namespaces that the user agent is to put into the <span
-  data-x="concept-appcache-onlinewhitelist">online whitelist</span> must all be specified in <span
-  data-x="concept-appcache-manifest-network">online whitelist sections</span>. (This is needed for
+  data-x="concept-appcache-onlinesafelist">online safelist</span> must all be specified in <span
+  data-x="concept-appcache-manifest-network">online safelist sections</span>. (This is needed for
   any URL that the page is intending to use to communicate back to the server.) To specify that all
-  URLs are automatically whitelisted in this way, a U+002A ASTERISK character (*) may be specified
-  as one of the URLs. <!-- concept-appcache-onlinewhitelist-wildcard --></p>
+  URLs are automatically safelisted in this way, a U+002A ASTERISK character (*) may be specified
+  as one of the URLs. <!-- concept-appcache-onlinesafelist-wildcard --></p>
 
   <p>Authors should not include namespaces in the <span
-  data-x="concept-appcache-onlinewhitelist">online whitelist</span> for which another namespace in
-  the <span data-x="concept-appcache-onlinewhitelist">online whitelist</span> is a <span>prefix
+  data-x="concept-appcache-onlinesafelist">online safelist</span> for which another namespace in
+  the <span data-x="concept-appcache-onlinesafelist">online safelist</span> is a <span>prefix
   match</span>.</p>
 
   <p><span data-x="relative URL">Relative URLs</span> must be given relative to the manifest's own
@@ -84054,7 +84054,7 @@ NETWORK:
   isn't allowed in URLs in manifests).</p>
 
   <p><span data-x="concept-appcache-fallback-ns">Fallback namespaces</span> and namespaces in the
-  <span data-x="concept-appcache-onlinewhitelist">online whitelist</span> are matched by <span>prefix
+  <span data-x="concept-appcache-onlinesafelist">online safelist</span> are matched by <span>prefix
   match</span>.</p>
 
 
@@ -84102,12 +84102,12 @@ NETWORK:
    URL">absolute URLs</span> for <span data-x="concept-appcache-fallback">fallback
    entries</span>.</p></li>
 
-   <li><p>Let <var>online whitelist namespaces</var> be an initially empty list of <span
+   <li><p>Let <var>online safelist namespaces</var> be an initially empty list of <span
    data-x="absolute URL">absolute URLs</span> for an <span
-   data-x="concept-appcache-onlinewhitelist">online whitelist</span>.</p></li>
+   data-x="concept-appcache-onlinesafelist">online safelist</span>.</p></li>
 
-   <li><p>Let <var>online whitelist wildcard flag</var> be <i>blocking</i>. <!--
-   concept-appcache-onlinewhitelist-wildcard --></p></li>
+   <li><p>Let <var>online safelist wildcard flag</var> be <i>blocking</i>. <!--
+   concept-appcache-onlinesafelist-wildcard --></p></li>
 
    <li><p>Let <var>cache mode flag</var> be <i>fast</i>. <!--
    concept-appcache-mode-fast --></p></li>
@@ -84162,7 +84162,7 @@ NETWORK:
    labeled <i>start of line</i>.</p></li>
 
    <li><p>If <var>line</var> equals "NETWORK:" (the word "NETWORK" followed by a U+003A
-   COLON character (:)), then set <var>mode</var> to "online whitelist" and jump back to
+   COLON character (:)), then set <var>mode</var> to "online safelist" and jump back to
    the step labeled <i>start of line</i>.</p></li>
 
    <li><p>If <var>line</var> equals "SETTINGS:" (the word "SETTINGS" followed by a U+003A
@@ -84271,12 +84271,12 @@ NETWORK:
 
      </dd>
 
-     <dt>If <var>mode</var> is "online whitelist"</dt>
+     <dt>If <var>mode</var> is "online safelist"</dt>
 
      <dd>
 
       <p>If the first item in <var>tokens</var> is a U+002A ASTERISK character (*), then
-      set <var>online whitelist wildcard flag</var> to <i>open</i> and jump back
+      set <var>online safelist wildcard flag</var> to <i>open</i> and jump back
       to the step labeled <i>start of line</i>.</p>
 
       <p>Otherwise, <span data-x="resolve a url">resolve</span> the first item in <var>tokens</var>, relative to <var>base URL</var>, with the URL character
@@ -84292,7 +84292,7 @@ NETWORK:
       data-x="concept-url-serialiser">URL serialiser</span> algorithm to the resulting <span>parsed
       URL</span>, with the <i>exclude fragment flag</i> set.</p>
 
-      <p>Add <var>new URL</var> to the <var>online whitelist namespaces</var>.</p>
+      <p>Add <var>new URL</var> to the <var>online safelist namespaces</var>.</p>
 
      </dd>
 
@@ -84325,7 +84325,7 @@ NETWORK:
    step when the end of the file is reached.)</p></li>
 
    <li><p>Return the <var>explicit URLs</var> list, the <var>fallback URLs</var>
-   mapping, the <var>online whitelist namespaces</var>, the <var>online whitelist
+   mapping, the <var>online safelist namespaces</var>, the <var>online safelist
    wildcard flag</var>, and the <var>cache mode flag</var>.</p></li>
 
   </ol>
@@ -84335,22 +84335,22 @@ NETWORK:
    <p>The resource that declares the manifest (with the <code
    data-x="attr-html-manifest">manifest</code> attribute) will always get taken from the cache,
    whether it is listed in the cache or not, even if it is listed in an <span
-   data-x="concept-appcache-onlinewhitelist">online whitelist namespace</span>.</p>
+   data-x="concept-appcache-onlinesafelist">online safelist namespace</span>.</p>
 
    <p>If a resource is listed in the <span data-x="concept-appcache-manifest-explicit">explicit
    section</span> or as a <span data-x="concept-appcache-fallback">fallback entry</span> in the <span
    data-x="concept-appcache-manifest-fallback">fallback section</span>, the resource will always be
    taken from the cache, regardless of any other matching entries in the <span
    data-x="concept-appcache-fallback-ns">fallback namespaces</span> or <span
-   data-x="concept-appcache-onlinewhitelist">online whitelist namespaces</span>.</p>
+   data-x="concept-appcache-onlinesafelist">online safelist namespaces</span>.</p>
 
    <p>When a <span data-x="concept-appcache-fallback-ns">fallback namespace</span> and an <span
-   data-x="concept-appcache-onlinewhitelist">online whitelist namespace</span> overlap, the <span
-   data-x="concept-appcache-onlinewhitelist">online whitelist namespace</span> has priority.</p>
+   data-x="concept-appcache-onlinesafelist">online safelist namespace</span> overlap, the <span
+   data-x="concept-appcache-onlinesafelist">online safelist namespace</span> has priority.</p>
 
-   <p>The <span data-x="concept-appcache-onlinewhitelist-wildcard">online whitelist wildcard
+   <p>The <span data-x="concept-appcache-onlinesafelist-wildcard">online safelist wildcard
    flag</span> is applied last, only for URLs that match neither the <span
-   data-x="concept-appcache-onlinewhitelist">online whitelist namespace</span> nor the <span
+   data-x="concept-appcache-onlinesafelist">online safelist namespace</span> nor the <span
    data-x="concept-appcache-fallback-ns">fallback namespace</span> and that are not listed in the
    <span data-x="concept-appcache-manifest-explicit">explicit section</span>.</p>
 
@@ -84515,8 +84515,8 @@ NETWORK:
     <span data-x="concept-appcache-explicit">explicit entries</span>, <span
     data-x="concept-appcache-fallback">fallback entries</span> and the <span
     data-x="concept-appcache-fallback-ns">fallback namespaces</span> that map to them, entries for
-    the <span data-x="concept-appcache-onlinewhitelist">online whitelist</span>, and values for the
-    <span data-x="concept-appcache-onlinewhitelist-wildcard">online whitelist wildcard flag</span>
+    the <span data-x="concept-appcache-onlinesafelist">online safelist</span>, and values for the
+    <span data-x="concept-appcache-onlinesafelist-wildcard">online safelist wildcard flag</span>
     and the <span data-x="concept-appcache-mode">cache mode flag</span>.</p>
 
     <p class="note">The <span>MIME type</span> of the resource is ignored &mdash; it is assumed to
@@ -84864,11 +84864,11 @@ NETWORK:
    and the URLs of the <span data-x="concept-appcache-fallback">fallback entries</span> that they map
    to, in <var>new cache</var>.</p></li>
 
-   <li><p>Store the URLs that form the new <span data-x="concept-appcache-onlinewhitelist">online
-   whitelist</span> in <var>new cache</var>.</p></li>
+   <li><p>Store the URLs that form the new <span data-x="concept-appcache-onlinesafelist">online
+   safelist</span> in <var>new cache</var>.</p></li>
 
-   <li><p>Store the value of the new <span data-x="concept-appcache-onlinewhitelist-wildcard">online
-   whitelist wildcard flag</span> in <var>new cache</var>.</p></li>
+   <li><p>Store the value of the new <span data-x="concept-appcache-onlinesafelist-wildcard">online
+   safelist wildcard flag</span> in <var>new cache</var>.</p></li>
 
    <li><p>Store the value of the new <span data-x="concept-appcache-mode">cache mode flag</span> in
    <var>new cache</var>.</p></li>
@@ -85238,7 +85238,7 @@ NETWORK:
    then get the resource from the cache (instead of fetching it), and abort these steps.</p></li>
 
    <li><p>If there is an entry in the <span>application cache</span>'s <span
-   data-x="concept-appcache-onlinewhitelist">online whitelist</span> that has the <span>same
+   data-x="concept-appcache-onlinesafelist">online safelist</span> that has the <span>same
    origin</span> as the resource's URL and that is a <span>prefix match</span> for the resource's
    URL, then fetch the resource normally and abort these steps.</p></li>
 
@@ -85259,7 +85259,7 @@ NETWORK:
    </li>
 
    <li><p>If the <span>application cache</span>'s <span
-   data-x="concept-appcache-onlinewhitelist-wildcard">online whitelist wildcard flag</span> is
+   data-x="concept-appcache-onlinesafelist-wildcard">online safelist wildcard flag</span> is
    <i>open</i>, then fetch the resource normally and abort these steps.</p></li>
 
    <li><p>Fail the resource load as if there had been a generic network error.</p></li>
@@ -85267,7 +85267,7 @@ NETWORK:
   </ol>
 
   <p class="note">The above algorithm ensures that so long as the <span
-  data-x="concept-appcache-onlinewhitelist-wildcard">online whitelist wildcard flag</span> is
+  data-x="concept-appcache-onlinesafelist-wildcard">online safelist wildcard flag</span> is
   <i>blocking</i>, resources that are not present in the <span
   data-x="concept-appcache-manifest">manifest</span> will always fail to load (at least, after the
   <span>application cache</span> has been primed the first time), making the testing of offline
@@ -85313,7 +85313,7 @@ NETWORK:
   <p class="note">How quotas are presented to the user is not defined by this specification. User
   agents are encouraged to provide features such as allowing a user to indicate that certain sites
   are trusted to use more than the default quota, e.g. by presenting a non-modal user interface
-  while a cache is being updated, or by having an explicit whitelist in the user agent's
+  while a cache is being updated, or by having an explicit safelist in the user agent's
   configuration interface.</p>
 
   </div>
@@ -89091,7 +89091,7 @@ scheduleWork(); // queues a task to do lots of work</pre>
 
     <p class="note">User agents are expected to disable this method in certain cases to avoid user
     annoyance (e.g. as part of their popup blocker feature). For instance, a user agent could
-    require that a site be white-listed before enabling this method, or the user agent could be
+    require that a site be safelisted before enabling this method, or the user agent could be
     configured to only allow one modal dialog at a time.</p>
 
    </li>
@@ -89723,13 +89723,13 @@ interface <dfn>NavigatorContentUtils</dfn> {
     will never match anything, since schemes don't contain colons.</p>
 
     <p>If the <code data-x="dom-navigator-registerProtocolHandler">registerProtocolHandler()</code>
-    method is invoked with a scheme that is neither a <span>whitelisted scheme</span> nor a scheme
+    method is invoked with a scheme that is neither a <span>safelisted scheme</span> nor a scheme
     whose value starts with the substring "<code data-x="">web+</code>" and otherwise contains only
     <span>lowercase ASCII letters</span>, and whose length is at least five characters (including
     the "<code data-x="">web+</code>" prefix), the user agent must throw a <code>SecurityError</code>
     exception.</p>
 
-    <p>The following schemes are the <dfn data-x="whitelisted scheme">whitelisted schemes</dfn>:</p>
+    <p>The following schemes are the <dfn data-x="safelisted scheme">safelisted schemes</dfn>:</p>
 
     <ul class="brief">
      <li><code data-x="">bitcoin</code></li> <!-- https://en.bitcoin.it/wiki/BIP_0021 -->
@@ -89785,12 +89785,12 @@ interface <dfn>NavigatorContentUtils</dfn> {
     <em>after</em> the sniffing algorithms have been applied.</p>
 
     <p>If the <code data-x="dom-navigator-registerContentHandler">registerContentHandler()</code>
-    method is invoked with a <span>MIME type</span> that is in the <span>type blacklist</span> or
+    method is invoked with a <span>MIME type</span> that is in the <span>type blocklist</span> or
     that the user agent has deemed a privileged type, the user agent must throw a
     <code>SecurityError</code> exception.</p>
 
     <p>The following <span data-x="MIME type">MIME types</span> are in the <dfn>type
-    blacklist</dfn>:</p>
+    blocklist</dfn>:</p>
 
     <ul class="brief">
 
@@ -96734,7 +96734,7 @@ dictionary <dfn>StorageEventInit</dfn> : <span>EventInit</span> {
 
    </dd>
 
-   <dt>Site-specific white-listing of access to local storage areas</dt> <dd>
+   <dt>Site-specific safelisting of access to local storage areas</dt> <dd>
 
     <p>User agents may allow sites to access session storage areas in
     an unrestricted manner, but require the user to authorise access
@@ -96750,15 +96750,15 @@ dictionary <dfn>StorageEventInit</dfn> : <span>EventInit</span> {
 
     <p>If this information is then used to present the view of data currently in persistent storage,
     it would allow the user to make informed decisions about which parts of the persistent storage
-    to prune. Combined with a blacklist ("delete this data and prevent this domain from ever storing
+    to prune. Combined with a blocklist ("delete this data and prevent this domain from ever storing
     data again"), the user can restrict the use of persistent storage to sites that he trusts.</p>
 
    </dd>
 
-   <dt>Shared blacklists</dt>
+   <dt>Shared blocklists</dt>
    <dd>
 
-    <p>User agents may allow users to share their persistent storage domain blacklists.</p>
+    <p>User agents may allow users to share their persistent storage domain blocklists.</p>
 
     <p>This would allow communities to act together to protect their privacy.</p>
 
@@ -118000,6 +118000,7 @@ INSERT INTERFACES HERE
   Andy Earnshaw,
   Andy Heydon,
   Andy Palay,
+  Anjana Vakil,
   Anthony Boyd,
   Anthony Bryan,
   Anthony Hickson,