# HG changeset patch # User Simon Pieters # Date 1370609027 -7200 # Node ID b3a214e224d71d31336a69d36e71c03bb7d2cd70 # Parent ca20cc4147448a0970482c2391bd9cf5a162d28a [cssom] Disallow reading and modifying of cross-origin sheets. Integrate with URL and Fetch specs for xml-stylesheet and Link:. Only expose pre-redirect URL of a sheet. diff -r ca20cc414744 -r b3a214e224d7 cssom/Overview.html --- a/cssom/Overview.html Fri Jun 07 10:32:38 2013 +0200 +++ b/cssom/Overview.html Fri Jun 07 14:43:47 2013 +0200 @@ -265,14 +265,14 @@ DOM, HTML, URL, - +Fetch, Associating Style Sheets with XML documents and XML. [DOM] [HTML] [URL] - +[FETCH] [XMLSS] [XML] @@ -864,7 +864,7 @@

The literal string "text/css".

location
-

The URL of the +

The absolute URL of the first request of the CSS style sheet or null if the CSS style sheet was embedded.

@@ -939,6 +939,9 @@
CSS rules

The CSS rules associated with the CSS style sheet.

+ +
origin-clean flag +

Either set or clear. If it is set, the API allows reading and modifying of the CSS rules.

When you are to create a CSS style sheet the above properties, @@ -1020,19 +1023,35 @@

The ownerRule attribute must return the owner CSS rule or null if none. If a value other than null is ever returned, than that same value must always be returned on each get access.

-

The cssRules attribute must return a read-only, live CSSRuleList object representing -the CSS rules. The same object must be returned on each get access.

-

Even though the returned CSSRuleList object is read-only (from the perspective of -client-authored script), it can nevertheless change over time due to its liveness status. For example, invoking -the insertRule() or deleteRule() methods can result in mutations -reflected in the returned object.

- -

The insertRule(rule, index) method must insert a CSS -rule rule in the CSS rule list returned by cssRules at index, and return -index. - -

The deleteRule(index) method must remove a CSS rule in the CSS rule -list returned by cssRules at index. +

The cssRules attribute must follow these steps: + +

    +
  1. If the origin-clean flag is clear, + throw a SecurityError exception. +

  2. Return a read-only, live CSSRuleList object representing + the CSS rules. The same object must be returned on each get access.

    +

    Even though the returned CSSRuleList object is read-only (from the perspective of + client-authored script), it can nevertheless change over time due to its liveness status. For example, invoking + the insertRule() or deleteRule() methods can result in + mutations reflected in the returned object.

    +
+ +

The insertRule(rule, index) method must run the following steps: + +

    +
  1. If the origin-clean flag is clear, + throw a SecurityError exception. +

  2. Return the result of invoking insert a CSS rule rule in the CSS rules + at index. +

+ +

The deleteRule(index) method must run the following steps: + +

    +
  1. If the origin-clean flag is clear, + throw a SecurityError exception. +

  2. Remove a CSS rule in the CSS rules at index. +

6.2 CSS Style Sheet Collections
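Review bot: Step 1 of the new cssRules, insertRule() and deleteRule() algorithms tests the origin-clean flag, but the flag has no stated initial value, and this patch only assigns it in the xml-stylesheet and HTTP Link creation steps ("Set if response is CORS-same-origin, or clear otherwise"). An embedded sheet, whose location is null, has no response to test, so the check is undefined for it. Suggest giving the flag a default in its definition, or setting it in every place a CSS style sheet is created.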

@@ -1543,22 +1562,38 @@ value is not a supported styling language the user agent may terminate these steps. -
  • Resolve - the URL specified by the - href pseudo-attribute and then - fetch it.

  • - -
  • -

    When the resource is available, the document is in - quirks mode - and the - Content-Type metadata of - the resource is not a supported styling language change the - Content-Type metadata of the resource - to text/css.

    -
  • - -
  • If the resource is not in a +

  • Let input URL be the value specified by the + href pseudo-attribute. + +

  • Let base URL be the processing instruction's node document's + document base URL. + +

  • Let origin be the processing instruction's node document's + origin. + +

  • Let parsed URL be the return value of invoking the URL parser with the + string input URL and the base URL base URL. + +

  • If parsed URL is failure, terminate these steps. + +

  • Let request be a new request, with the + url parsed URL, + origin origin and + referrer base URL. + +

  • Let response be the result of fetching request.

  • + +
  • Wait until response is available. + +

  • If response is a network error, terminate these steps. + +

  • If the processing instruction's node document is + in quirks mode, response is + CORS-same-origin and the Content-Type metadata of response is not a + supported styling language change the Content-Type metadata of response to + text/css. + +

  • If response is not in a supported styling language terminate these steps.
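Review bot: The "Let request be a new request" step gives the request only a url, origin and referrer, yet the quirks-mode step below it and the origin-clean flag both depend on whether response is CORS-same-origin. Say explicitly how the request is made for a cross-origin href (with or without CORS), so that the outcome is determined by the algorithm rather than left to the reader. The quirks-mode step would also be easier to read with its three conditions set out as a list, or at least with a comma before "change".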

  • @@ -1566,29 +1601,31 @@
    location
    -

    The absolute URL of the - resource.

    +

    The result of invoking the URL serializer with parsed URL.

    parent
    -

    null

    +

    null.

    owner node
    -

    The node.

    +

    The processing instruction.

    owner CSS rule
    -

    null

    +

    null.

    media

    The value of the media pseudo-attribute if any, or the empty string otherwise.

    title
    -

    title

    +

    title.

    alternate flag

    Set if the alternate pseudo-attribute value is a case-sensitive match for "yes", or clear otherwise. + +

    origin-clean flag +

    Set if response is CORS-same-origin, or clear otherwise.

  • @@ -1619,18 +1656,36 @@ "alternate" and title is the empty string terminate these steps. -
  • Resolve - the specified URL and - fetch it.

  • - -
  • When the resource is available, the document is in - quirks mode - and the Content-Type metadata of - the resource is not a supported styling language change the - Content-Type metadata of the resource - to text/css.

  • - -
  • If the resource is not in a +

  • Let input URL be the value specified. Be more specific + +

  • Let base URL be the document's document base URL. Is there a document at this + point? + +

  • Let origin be the document's origin. + +

  • Let parsed URL be the return value of invoking the URL parser with the + string input URL and the base URL base URL. + +

  • If parsed URL is failure, terminate these steps. + +

  • Let request be a new request, with the + url parsed URL, + origin origin and + referrer base URL. + +

  • Let response be the result of fetching request.

  • + +
  • Wait until response is available. + +

  • If response is a network error, terminate these steps. + +

  • If the processing instruction's node document is + in quirks mode, response is + CORS-same-origin and the Content-Type metadata of response is not a + supported styling language change the Content-Type metadata of response to + text/css. + +

  • If response is not in a supported styling language terminate these steps.
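Review bot: The quirks-mode step in this HTTP Link header algorithm refers to "the processing instruction's node document", which looks copied from the xml-stylesheet steps; the earlier steps here use "the document's document base URL" and "the document's origin". Suggest "If the document is in quirks mode, ..." so that the CORS-same-origin guard on the Content-Type override is attached to something that exists in this algorithm.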

  • @@ -1638,30 +1693,32 @@
    location
    -

    The absolute URL of the - resource.

    +

    The result of invoking the URL serializer with parsed URL.

    owner node
    -

    null

    +

    null.

    parent
    -

    null

    +

    null.

    owner CSS rule
    -

    null

    +

    null.

    media

    The value of the first media parameter.

    title
    -

    title

    +

    title.

    alternate flag

    Set if one of the specified link relation type for this HTTP Link header is an ASCII case-insensitive match for "alternate", or false otherwise. + +

    origin-clean flag +

    Set if response is CORS-same-origin, or clear otherwise.

  • @@ -1693,6 +1750,9 @@

    An optional reference to an associated CSS style sheet. This item is initialized to reference an associated style sheet when the rule is created. Subsequent to initialization, this item is reset to null if the rule becomes disassociated from its initial style sheet. Once reset to null, it must never change.

    + +
    child CSS rules +

    A list of child CSS rules.

    In addition to the above state, each CSS rule may be associated @@ -1786,6 +1846,7 @@ @charset at-rules, @import at-rules, and @namespace at-rules, throw an InvalidStateError exception.

  • Insert new rule into list at the zero-indexed position index.

  • +
  • Return index.

    DOM-2 CSS specifies that a NO_MODIFICATION_ALLOWED_ERR exception is thrown if the style sheet is read-only. Are there any read-only style sheets?

    @@ -1964,7 +2025,7 @@ attribute of the associated CSS style sheet.

    The styleSheet attribute must return the associated CSS style sheet.

    -

    If loading of the style sheet fails its cssRules +

    If loading of the style sheet fails its CSS rules list is simply empty, i.e., an @import at-rule always has an associated CSS style sheet.
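Review bot: This paragraph covers a failed load of the imported sheet, but nothing here says how that sheet's origin-clean flag is set. The styleSheet attribute returns the associated CSS style sheet, and its cssRules getter now throws when the flag is clear, so a cross-origin @import needs a defined value. Suggest adding a sentence here, or a creation algorithm for @import that sets the flag from the response in the same way as the xml-stylesheet and Link: cases.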

    @@ -1982,15 +2043,15 @@

    The media attribute must return a MediaList object for the list of media queries specified with the @media at-rule.

    -

    The cssRules attribute must return a CSSRuleList object for the list of CSS rules -specified with the @media at-rule.

    - -

    The insertRule(rule, index) method must insert a CSS -rule rule into the CSS rule list returned by cssRules at index, and -return index.

    - -

    The deleteRule(index) method must remove a CSS rule from the CSS rule -list returned by cssRules at index.

    +

    The cssRules attribute must return a CSSRuleList object for the +child CSS rules specified with the @media at-rule.

    + +

    The insertRule(rule, index) method must return the result of +invoking insert a CSS rule rule into the child CSS rules at +index.

    + +

    The deleteRule(index) method must remove a CSS rule from the +child CSS rules at index.

    6.4.7 The CSSFontFaceRule Interface
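Review bot: The rewritten CSSMediaRule cssRules, insertRule() and deleteRule() definitions operate on the child CSS rules with no origin-clean check, unlike the CSSStyleSheet members changed in this patch. That is safe only while a rule object can be reached solely through a sheet's cssRules getter. Suggest either stating that assumption in a note or checking the origin-clean flag of the rule's parent CSS style sheet here as well.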

    @@ -2045,9 +2106,9 @@

    On setting, the namespaceURI attribute must run the following steps:

      -
    1. Let CSS style sheet be the value returned by parentStyleSheet. -

    2. Let list be the value returned by cssRules of CSS style sheet, or - null if CSS style sheet is null. +

    3. Let parent be the parent CSS style sheet. +

    4. Let list be the CSS rules of parent, or + null if parent is null.

    5. If list is not null and contains anything other than @charset at-rules, @import at-rules, and @namespace at-rules, throw an InvalidStateError exception. @@ -2060,9 +2121,9 @@

      On setting, the prefix attribute must run the following steps:

        -
      1. Let CSS style sheet be the value returned by parentStyleSheet. -

      2. Let list be the value returned by cssRules of CSS style sheet, or - null if CSS style sheet is null. +

      3. Let parent be the parent CSS style sheet. +

      4. Let list be the CSS rules of parent, or + null if parent is null.

      5. If list is not null and contains anything other than @charset at-rules, @import at-rules, and @namespace at-rules, throw an InvalidStateError exception. @@ -2920,6 +2981,9 @@

        [DOM2STYLE]
        (Non-normative) Document Object Model (DOM) Level 2 Style Specification, Chris Wilson, Philippe Le Hégaret and Vidur Apparao. W3C. +
        [FETCH] +
        Fetch, Anne van Kesteren. WHATWG. +
        [HTML]
        HTML, Ian Hickson. WHATWG. diff -r ca20cc414744 -r b3a214e224d7 cssom/Overview.src.html --- a/cssom/Overview.src.html Fri Jun 07 10:32:38 2013 +0200 +++ b/cssom/Overview.src.html Fri Jun 07 14:43:47 2013 +0200 @@ -196,14 +196,14 @@ DOM, HTML, URL, - +Fetch, Associating Style Sheets with XML documents and XML. DOM HTML URL - +FETCH XMLSS XML @@ -795,7 +795,7 @@

        The literal string "text/css".

        location
        -

        The URL of the +

        The absolute URL of the first request of the CSS style sheet or null if the CSS style sheet was embedded.

        @@ -870,6 +870,9 @@
        CSS rules

        The CSS rules associated with the CSS style sheet.

        + +
        origin-clean flag +

        Either set or clear. If it is set, the API allows reading and modifying of the CSS rules.

        When you are to create a CSS style sheet the above properties, @@ -951,19 +954,35 @@

        The ownerRule attribute must return the owner CSS rule or null if none. If a value other than null is ever returned, than that same value must always be returned on each get access.

        -

        The cssRules attribute must return a read-only, live CSSRuleList object representing -the CSS rules. The same object must be returned on each get access.

        -

        Even though the returned CSSRuleList object is read-only (from the perspective of -client-authored script), it can nevertheless change over time due to its liveness status. For example, invoking -the insertRule() or deleteRule() methods can result in mutations -reflected in the returned object.

        - -

        The insertRule(rule, index) method must insert a CSS -rule rule in the CSS rule list returned by cssRules at index, and return -index. - -

        The deleteRule(index) method must remove a CSS rule in the CSS rule -list returned by cssRules at index. +

        The cssRules attribute must follow these steps: + +

          +
        1. If the origin-clean flag is clear, + throw a SecurityError exception. +

        2. Return a read-only, live CSSRuleList object representing + the CSS rules. The same object must be returned on each get access.

          +

          Even though the returned CSSRuleList object is read-only (from the perspective of + client-authored script), it can nevertheless change over time due to its liveness status. For example, invoking + the insertRule() or deleteRule() methods can result in + mutations reflected in the returned object.

          +
        + +

        The insertRule(rule, index) method must run the following steps: + +

          +
        1. If the origin-clean flag is clear, + throw a SecurityError exception. +

        2. Return the result of invoking insert a CSS rule rule in the CSS rules + at index. +

        + +

        The deleteRule(index) method must run the following steps: + +

          +
        1. If the origin-clean flag is clear, + throw a SecurityError exception. +

        2. Remove a CSS rule in the CSS rules at index. +

        CSS Style Sheet Collections

        @@ -1474,22 +1493,38 @@ value is not a supported styling language the user agent may terminate these steps.

      6. -
      7. Resolve - the URL specified by the - href pseudo-attribute and then - fetch it.

      8. - -
      9. -

        When the resource is available, the document is in - quirks mode - and the - Content-Type metadata of - the resource is not a supported styling language change the - Content-Type metadata of the resource - to text/css.

        -
      10. - -
      11. If the resource is not in a +

      12. Let input URL be the value specified by the + href pseudo-attribute. + +

      13. Let base URL be the processing instruction's node document's + document base URL. + +

      14. Let origin be the processing instruction's node document's + origin. + +

      15. Let parsed URL be the return value of invoking the URL parser with the + string input URL and the base URL base URL. + +

      16. If parsed URL is failure, terminate these steps. + +

      17. Let request be a new request, with the + url parsed URL, + origin origin and + referrer base URL. + +

      18. Let response be the result of fetching request.

      19. + +
      20. Wait until response is available. + +

      21. If response is a network error, terminate these steps. + +

      22. If the processing instruction's node document is + in quirks mode, response is + CORS-same-origin and the Content-Type metadata of response is not a + supported styling language change the Content-Type metadata of response to + text/css. + +

      23. If response is not in a supported styling language terminate these steps.

      24. @@ -1497,29 +1532,31 @@
        location
        -

        The absolute URL of the - resource.

        +

        The result of invoking the URL serializer with parsed URL.

        parent
        -

        null

        +

        null.

        owner node
        -

        The node.

        +

        The processing instruction.

        owner CSS rule
        -

        null

        +

        null.

        media

        The value of the media pseudo-attribute if any, or the empty string otherwise.

        title
        -

        title

        +

        title.

        alternate flag

        Set if the alternate pseudo-attribute value is a case-sensitive match for "yes", or clear otherwise. + +

        origin-clean flag +

        Set if response is CORS-same-origin, or clear otherwise.
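Review bot: location is now serialized from parsed URL, the pre-redirect URL, while the origin-clean flag is derived from response, so the two can disagree when the request is redirected. A sheet can then report a same-origin location and still throw SecurityError from cssRules. That matches the commit message, but a non-normative note next to the origin-clean flag entry would keep implementers and authors from reading it as a bug.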

      @@ -1550,18 +1587,36 @@ "alternate" and title is the empty string terminate these steps.

    6. -
    7. Resolve - the specified URL and - fetch it.

    8. - -
    9. When the resource is available, the document is in - quirks mode - and the Content-Type metadata of - the resource is not a supported styling language change the - Content-Type metadata of the resource - to text/css.

    10. - -
    11. If the resource is not in a +

    12. Let input URL be the value specified. Be more specific + +

    13. Let base URL be the document's document base URL. Is there a document at this + point? + +

    14. Let origin be the document's origin. + +

    15. Let parsed URL be the return value of invoking the URL parser with the + string input URL and the base URL base URL. + +

    16. If parsed URL is failure, terminate these steps. + +

    17. Let request be a new request, with the + url parsed URL, + origin origin and + referrer base URL. + +

    18. Let response be the result of fetching request.

    19. + +
    20. Wait until response is available. + +

    21. If response is a network error, terminate these steps. + +

    22. If the processing instruction's node document is + in quirks mode, response is + CORS-same-origin and the Content-Type metadata of response is not a + supported styling language change the Content-Type metadata of response to + text/css. + +

    23. If response is not in a supported styling language terminate these steps.
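Review bot: Two open questions are left inside the step text of this HTTP Link header algorithm: "Be more specific" after "Let input URL be the value specified", and "Is there a document at this point?" after the base URL step. The second matters for the security check, because origin is taken from that document and goes into the request whose response decides the origin-clean flag. Suggest marking both as issues outside the normative steps and settling which document supplies the origin before this lands.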

    24. @@ -1569,30 +1624,32 @@
      location
      -

      The absolute URL of the - resource.

      +

      The result of invoking the URL serializer with parsed URL.

      owner node
      -

      null

      +

      null.

      parent
      -

      null

      +

      null.

      owner CSS rule
      -

      null

      +

      null.

      media

      The value of the first media parameter.

      title
      -

      title

      +

      title.

      alternate flag

      Set if one of the specified link relation type for this HTTP Link header is an ASCII case-insensitive match for "alternate", or false otherwise. + +

      origin-clean flag +

      Set if response is CORS-same-origin, or clear otherwise.

    @@ -1624,6 +1681,9 @@

    An optional reference to an associated CSS style sheet. This item is initialized to reference an associated style sheet when the rule is created. Subsequent to initialization, this item is reset to null if the rule becomes disassociated from its initial style sheet. Once reset to null, it must never change.

    + +
    child CSS rules +

    A list of child CSS rules.

    In addition to the above state, each CSS rule may be associated @@ -1717,6 +1777,7 @@ @charset at-rules, @import at-rules, and @namespace at-rules, throw an InvalidStateError exception.

  • Insert new rule into list at the zero-indexed position index.

  • +
  • Return index.

    DOM-2 CSS specifies that a NO_MODIFICATION_ALLOWED_ERR exception is thrown if the style sheet is read-only. Are there any read-only style sheets?

    @@ -1895,7 +1956,7 @@ attribute of the associated CSS style sheet.

    The styleSheet attribute must return the associated CSS style sheet.

    -

    If loading of the style sheet fails its cssRules +

    If loading of the style sheet fails its CSS rules list is simply empty, i.e., an @import at-rule always has an associated CSS style sheet.

    @@ -1913,15 +1974,15 @@

    The media attribute must return a MediaList object for the list of media queries specified with the @media at-rule.

    -

    The cssRules attribute must return a CSSRuleList object for the list of CSS rules -specified with the @media at-rule.

    - -

    The insertRule(rule, index) method must insert a CSS -rule rule into the CSS rule list returned by cssRules at index, and -return index.

    - -

    The deleteRule(index) method must remove a CSS rule from the CSS rule -list returned by cssRules at index.

    +

    The cssRules attribute must return a CSSRuleList object for the +child CSS rules specified with the @media at-rule.

    + +

    The insertRule(rule, index) method must return the result of +invoking insert a CSS rule rule into the child CSS rules at +index.

    + +

    The deleteRule(index) method must remove a CSS rule from the +child CSS rules at index.

    The CSSFontFaceRule Interface

    @@ -1976,9 +2037,9 @@

    On setting, the namespaceURI attribute must run the following steps:

      -
    1. Let CSS style sheet be the value returned by parentStyleSheet. -

    2. Let list be the value returned by cssRules of CSS style sheet, or - null if CSS style sheet is null. +

    3. Let parent be the parent CSS style sheet. +

    4. Let list be the CSS rules of parent, or + null if parent is null.

    5. If list is not null and contains anything other than @charset at-rules, @import at-rules, and @namespace at-rules, throw an InvalidStateError exception. @@ -1991,9 +2052,9 @@

      On setting, the prefix attribute must run the following steps:

        -
      1. Let CSS style sheet be the value returned by parentStyleSheet. -

      2. Let list be the value returned by cssRules of CSS style sheet, or - null if CSS style sheet is null. +

      3. Let parent be the parent CSS style sheet. +

      4. Let list be the CSS rules of parent, or + null if parent is null.

      5. If list is not null and contains anything other than @charset at-rules, @import at-rules, and @namespace at-rules, throw an InvalidStateError exception.