discovery-api/Overview.html
changeset 480 f3ea6558ffe1
parent 453 07345c55f11f
child 483 140b6c8d4c18
--- a/discovery-api/Overview.html	Sat Sep 28 11:13:44 2013 -0400
+++ b/discovery-api/Overview.html	Mon Oct 07 14:07:57 2013 +1100
@@ -205,6 +205,7 @@
           href="https://www.w3.org/StyleSheets/TR/W3C-ED">
   </head>
   <body class="h-entry"
+        style=""
         role="document"
         id="respecDocument">
     <div class="head"
@@ -223,10 +224,10 @@
       </h1>
       <h2 property="dcterms:issued"
           datatype="xsd:dateTime"
-          content="2013-09-05T11:58:47.000Z"
-          id="w3c-editor-s-draft-05-september-2013">
+          content="2013-10-06T16:06:07.000Z"
+          id="w3c-editor-s-draft-07-october-2013">
         <abbr title="World Wide Web Consortium">W3C</abbr> Editor's Draft <time class="dt-published"
-            datetime="2013-09-05">05 September 2013</time>
+            datetime="2013-10-07">07 October 2013</time>
       </h2>
       <dl>
         <dt>
@@ -294,6 +295,55 @@
         within the current network.
       </p>
     </section>
+    <section id="sotd"
+             class="introductory"
+             typeof="bibo:Chapter"
+             resource="#sotd"
+             rel="bibo:chapter">
+      <h2 aria-level="1"
+          role="heading"
+          id="h2_sotd">
+        Status of This Document
+      </h2>
+      <p>
+        <em>This section describes the status of this document at the time of its publication. Other documents may
+        supersede this document. A list of current <abbr title="World Wide Web Consortium">W3C</abbr> publications and
+        the latest revision of this technical report can be found in the <a href="http://www.w3.org/TR/"><abbr title=
+        "World Wide Web Consortium">W3C</abbr> technical reports index</a> at http://www.w3.org/TR/.</em>
+      </p>
+      <p>
+        This document represents the early consensus of the group on the scope and features of the proposed
+        <abbr title="Application Programming Interface">API</abbr>.
+      </p>
+      <p>
+        This document was published by the <a href="http://www.w3.org/2009/dap/">Device APIs Working Group</a> as an
+        Editor's Draft. If you wish to make comments regarding this document, please send them to <a href=
+        "mailto:public-device-apis@w3.org">public-device-apis@w3.org</a> (<a href=
+        "mailto:public-device-apis-request@w3.org?subject=subscribe">subscribe</a>, <a href=
+        "http://lists.w3.org/Archives/Public/public-device-apis/">archives</a>). All comments are welcome.
+      </p>
+      <p>
+        Publication as an Editor's Draft does not imply endorsement by the <abbr title=
+        "World Wide Web Consortium">W3C</abbr> Membership. This is a draft document and may be updated, replaced or
+        obsoleted by other documents at any time. It is inappropriate to cite this document as other than work in
+        progress.
+      </p>
+      <p>
+        This document was produced by a group operating under the <a id="sotd_patent"
+           about=""
+           rel="w3p:patentRules"
+           href="http://www.w3.org/Consortium/Patent-Policy-20040205/">5 February 2004 <abbr title=
+           "World Wide Web Consortium">W3C</abbr> Patent Policy</a>. <abbr title="World Wide Web Consortium">W3C</abbr>
+           maintains a <a href="http://www.w3.org/2004/01/pp-impl/43696/status"
+           rel="disclosure">public list of any patent disclosures</a> made in connection with the deliverables of the
+           group; that page also includes instructions for disclosing a patent. An individual who has actual knowledge
+           of a patent which the individual believes contains <a href=
+           "http://www.w3.org/Consortium/Patent-Policy-20040205/#def-essential">Essential Claim(s)</a> must disclose
+           the information in accordance with <a href=
+           "http://www.w3.org/Consortium/Patent-Policy-20040205/#sec-Disclosure">section 6 of the <abbr title=
+           "World Wide Web Consortium">W3C</abbr> Patent Policy</a>.
+      </p>
+    </section>
     <section id="toc">
       <h2 class="introductory"
           aria-level="1"
@@ -327,13 +377,18 @@
               class="tocxref"><span class="secno">4.</span> Security and privacy considerations</a>
           <ul class="toc">
             <li class="tocline">
+              <a href="#security-considerations-for-api-implementations"
+                  class="tocxref"><span class="secno">4.1</span> Security considerations for <abbr title=
+                  "Application Programming Interface">API</abbr> implementations</a>
+            </li>
+            <li class="tocline">
               <a href="#privacy-considerations-for-api-implementations"
-                  class="tocxref"><span class="secno">4.1</span> Privacy considerations for <abbr title=
+                  class="tocxref"><span class="secno">4.2</span> Privacy considerations for <abbr title=
                   "Application Programming Interface">API</abbr> implementations</a>
             </li>
             <li class="tocline">
               <a href="#additional-api-implementation-considerations"
-                  class="tocxref"><span class="secno">4.2</span> Additional <abbr title=
+                  class="tocxref"><span class="secno">4.3</span> Additional <abbr title=
                   "Application Programming Interface">API</abbr> implementation considerations</a>
             </li>
           </ul>
@@ -484,7 +539,11 @@
         The user agent, having captured all advertised services on the network from the <a href=
         "#dfn-service-discovery-mechanisms"
            class="internalDFN">service discovery mechanisms</a> included in this recommendation, attempts to match the
-           requested service type to a discovered service according to the processing described herein.
+           requested service type to a discovered service according to the processing described herein. Only
+           Local-networked Services that pass a <a href="#dfn-cors-preflight-check"
+           class="internalDFN">CORS preflight check</a> should be made available to web pages by a user agent. A user
+           agent may provide a way for users to white-list non-CORS enabled Local-networked Services but implementation
+           of such a feature is left to the discretion of the implementer.
       </p>
       <p>
         If a service connectivity request is successful then the Web page is provided with a promise-based success
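Review bot: The sentence added to this paragraph states the CORS gate with lowercase "should" and "may", while the new section 4.1 in the same changeset states it with RFC 2119 `MUST` and `MAY` markup, so a reader cannot tell which strength applies. It also says users white-list "Local-networked Services", whereas the new definition whitelists service type tokens, and it spells the term "white-list" where the definition uses "whitelist". I would keep this paragraph descriptive and defer to the normative text, e.g. `Only services admitted under the rules in <a href="#security-considerations-for-api-implementations">section 4.1</a> are made available to web pages.` The paragraph begins before the hunk.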
@@ -728,7 +787,7 @@
       </p>
       <p>
         A <dfn id="dfn-user-agent-generated-callback-url">user-agent generated callback url</dfn> is a Local-network
-        accessible <abbr title="Uniform Resource Locator">URL</abbr> endpoint that a <a href="#dfn-user-agent"
+        accessible URL endpoint that a <a href="#dfn-user-agent"
            class="internalDFN">user agent</a> generates and maintains for receiving <abbr title=
            "Hypertext Transfer Protocol">HTTP</abbr> NOTIFY requests from UPnP Event sources. It is only required when
            the user agent implements UPnP Service Discovery as defined in this specification.
@@ -753,6 +812,19 @@
               class="internalDFN">list of active service managers</a>.
         </li>
       </ul>
+      <p>
+        A <dfn id="dfn-network-services-whitelist">network services whitelist</dfn> is a list of zero or more <a href=
+        "#dfn-valid-service-type"
+           class="internalDFN">valid service type</a> tokens that, when matched to a service type discovered in the
+           local network, enables that service to be shared with a web page even if that Local-networked Service does
+           not itself allow Cross-Origin Resource Sharing [<cite><a class="bibref"
+           href="#bib-CORS">CORS</a></cite>]. A <a href="#dfn-user-agent"
+           class="internalDFN">user agent</a> <em class="rfc2119"
+           title="MUST">MUST</em> simulate CORS support for all service interaction in this case. Implementation of
+           this feature is at implementer's discretion. When a <a href="#dfn-user-agent"
+           class="internalDFN">user agent</a> does not implement a <a href="#dfn-network-services-whitelist"
+           class="internalDFN">network services whitelist</a> then it is to treat this as always being an empty list.
+      </p>
     </section>
     <section id="security-and-privacy-considerations">
       <h2 aria-level="1"
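Review bot: The new network services whitelist definition is keyed on service type tokens, so one entry admits every device on the local network that advertises that type, including devices the user has never reviewed and that have not opted in to cross-origin access. The `MUST` "simulate CORS support for all service interaction" also leaves open which page origins, methods, headers and credentials the simulated policy covers. I would scope the simulation explicitly, for example `The user agent MUST simulate CORS support only for requests from the origin for which the user authorized that service.`, and consider keying entries on a discovered service rather than a type. "it is to treat this as always being an empty list" would read better as `it MUST treat the list as empty`.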
@@ -772,11 +844,49 @@
            title="MUST">MUST</em> ensure that no networked service information is retrievable without the user's
            express permission.
       </p>
+      <section id="security-considerations-for-api-implementations">
+        <h3 aria-level="2"
+            role="heading"
+            id="h3_security-considerations-for-api-implementations">
+          <span class="secno">4.1</span> Security considerations for <abbr title=
+          "Application Programming Interface">API</abbr> implementations
+        </h3>
+        <p>
+          A <a href="#dfn-user-agent"
+             class="internalDFN">user agent</a> <em class="rfc2119"
+             title="MUST">MUST</em> allow web pages to connect only with Local-networked Services that have passed a
+             <a href="#dfn-cors-preflight-check"
+             class="internalDFN">CORS preflight check</a> indicating they support Cross-Origin Resource Sharing
+             [<cite><a class="bibref"
+             href="#bib-CORS">CORS</a></cite>] during the <a href="#dfn-service-discovery-mechanisms"
+             class="internalDFN">service discovery mechanisms</a> provided in this specification. In this way, a
+             <a href="#dfn-user-agent"
+             class="internalDFN">user agent</a> <em class="rfc2119"
+             title="MUST NOT">MUST NOT</em> allow web pages to access other arbitrary networked services on the current
+             local network.
+        </p>
+        <p>
+          A <a href="#dfn-user-agent"
+             class="internalDFN">user agent</a> <em class="rfc2119"
+             title="MAY">MAY</em> provide a way for users to enable access to non-CORS enabled Local-networked Services
+             from web pages (i.e. operate a <a href="#dfn-network-services-whitelist"
+             class="internalDFN">network services whitelist</a>). Implementation of such a <a href=
+             "#dfn-network-services-whitelist"
+             class="internalDFN">network services whitelist</a>, if any, is left to an implementer's discretion. Such a
+             whitelist may be configurable by each user at runtime or may be managed by the implementation itself on
+             behalf of its users. In the case that a <a href="#dfn-user-agent"
+             class="internalDFN">user agent</a> provides a <a href="#dfn-network-services-whitelist"
+             class="internalDFN">network services whitelist</a>, it <em class="rfc2119"
+             title="MUST">MUST</em> act as if all URLs for the Local-networked Service corresponding to any previously
+             whitelisted service type had Cross-Origin Resource Sharing [<cite><a class="bibref"
+             href="#bib-CORS">CORS</a></cite>] enabled indefinitely.
+        </p>
+      </section>
       <section id="privacy-considerations-for-api-implementations">
         <h3 aria-level="2"
             role="heading"
             id="h3_privacy-considerations-for-api-implementations">
-          <span class="secno">4.1</span> Privacy considerations for <abbr title=
+          <span class="secno">4.2</span> Privacy considerations for <abbr title=
           "Application Programming Interface">API</abbr> implementations
         </h3>
         <p>
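Review bot: The last sentence of the second paragraph of the new section 4.1 requires whitelisted service types to be treated as CORS-enabled "indefinitely", which sits badly with the section 4.2 requirement that persisted permissions `MUST` be revocable and with the "no implied persistence" paragraph kept elsewhere in this file. This changeset also deletes the steps that removed URLs from the entry script origin's URL whitelist on navigation or revocation, and nothing visible replaces them for the whitelisted case. I would change the ending to something like `enabled for as long as the service type remains in the whitelist and the user's authorization has not been revoked`. In the first paragraph, "In this way, a user agent MUST NOT ..." reads as a consequence rather than a requirement; drop either "In this way" or the RFC 2119 markup. Section 4.2 continues past the end of the hunk.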
@@ -786,10 +896,9 @@
              permission of the user. A user agent <em class="rfc2119"
              title="MUST">MUST</em> acquire permission through a user interface, unless they have prearranged trust
              relationships with users, as described below. The user interface <em class="rfc2119"
-             title="MUST">MUST</em> include the document base <abbr title="Uniform Resource Locator">URL</abbr>. Those
-             permissions that are acquired through the user interface and that are preserved beyond the current
-             browsing session (i.e. beyond the time when the browsing context is navigated to another <abbr title=
-             "Uniform Resource Locator">URL</abbr>) <em class="rfc2119"
+             title="MUST">MUST</em> include the document base URL. Those permissions that are acquired through the user
+             interface and that are preserved beyond the current browsing session (i.e. beyond the time when the
+             browsing context is navigated to another URL) <em class="rfc2119"
              title="MUST">MUST</em> be revocable and a user agent <em class="rfc2119"
              title="MUST">MUST</em> respect revoked permissions.
         </p>
@@ -817,20 +926,19 @@
         <h3 aria-level="2"
             role="heading"
             id="h3_additional-api-implementation-considerations">
-          <span class="secno">4.2</span> Additional <abbr title="Application Programming Interface">API</abbr>
+          <span class="secno">4.3</span> Additional <abbr title="Application Programming Interface">API</abbr>
           implementation considerations
         </h3>
         <p>
           <em>This section is non-normative.</em>
         </p>
         <p>
-          Further to the requirements listed in the previous section, implementors of the Network Service Discovery
+          Further to the requirements listed in the previous section, implementers of the Network Service Discovery
           <abbr title="Application Programming Interface">API</abbr> are also advised to consider the following aspects
           that can negatively affect the privacy of their users: in certain cases, users can inadvertently grant
           permission to the user agent to disclose networked services to Web sites. In other cases, the content hosted
-          at a certain <abbr title="Uniform Resource Locator">URL</abbr> changes in such a way that previously granted
-          networked service permissions no longer apply as far as the user is concerned. Or the users might simply
-          change their minds.
+          at a certain URL changes in such a way that previously granted networked service permissions no longer apply
+          as far as the user is concerned. Or the users might simply change their minds.
         </p>
         <p>
           Predicting or preventing these situations is inherently difficult. Mitigation and in-depth defensive measures
@@ -1035,21 +1143,8 @@
             permission above - known as the current objects <dfn id="dfn-user-authorized">user-authorized</dfn>
             services.
             </li>
-            <li>Remove all previously whitelisted urls from the <a href="#dfn-entry-script-origin-s-url-whitelist"
-                  class="internalDFN">entry script origin's <abbr title="Uniform Resource Locator">URL</abbr>
-                  whitelist</a> granted in the current <a href=
-                  "http://www.whatwg.org/specs/web-apps/current-work/complete/browsers.html#entry-script"
-                  class="externalDFN">entry script</a>'s <a href=
-                  "http://www.whatwg.org/specs/web-apps/current-work/complete/origin-0.html#origin"
-                  class="externalDFN">origin</a>.
-            </li>
             <li>For each Object <var>service</var> in <var>services</var>, if any, run the following sub-steps:
               <ol class="rule">
-                <li>Add the <var>service</var>'s <code>url</code> parameter to the <a href=
-                "#dfn-entry-script-origin-s-url-whitelist"
-                      class="internalDFN">entry script origin's <abbr title="Uniform Resource Locator">URL</abbr>
-                      whitelist</a>.
-                </li>
                 <li>If <var>service</var>'s <code>type</code> parameter begins with the DOMString "<code>upnp:</code>"
                 and the <var>service</var>'s <code>eventsUrl</code> parameter is not empty then <a href=
                 "#dfn-setup-a-upnp-events-subscription"
@@ -1096,34 +1191,6 @@
                class="externalDFN">user interaction task source</a>.
           </p>
           <p>
-            When a <a href="#networkservice"><code>NetworkService</code></a> object is provided to a Web page, the
-            <a href="#dfn-user-agent"
-               class="internalDFN">user agent</a> <em class="rfc2119"
-               title="MUST">MUST</em> add its <a href="#dom-networkservice-url"><code>url</code></a> to the <dfn id=
-               "dfn-entry-script-origin-s-url-whitelist">entry script origin's <abbr title=
-               "Uniform Resource Locator">URL</abbr> whitelist</dfn>. This list enables the Web page to override and
-               initiate cross-site resource requests towards these URLs, and any sub-resources of these URLs, within
-               the current <a href=
-               "http://www.whatwg.org/specs/web-apps/current-work/complete/browsers.html#entry-script"
-               class="externalDFN">entry script</a>'s <a href=
-               "http://www.whatwg.org/specs/web-apps/current-work/complete/origin-0.html#origin"
-               class="externalDFN">origin</a> via various existing mechanisms (e.g. Web Sockets, Server-Sent Events,
-               Web Messaging, XMLHttpRequest).
-          </p>
-          <p>
-            If the user navigates away from the <a href=
-            "http://www.whatwg.org/specs/web-apps/current-work/complete/browsers.html#entry-script"
-               class="externalDFN">entry script</a>'s <a href=
-               "http://www.whatwg.org/specs/web-apps/current-work/complete/origin-0.html#origin"
-               class="externalDFN">origin</a> or permission to access a given networked service is revoked at any time
-               by the platform or user then the <a href="#dfn-user-agent"
-               class="internalDFN">user agent</a> <em class="ct"><em class="rfc2119"
-                title="MUST">MUST</em></em> remove its previously whitelisted urls from the <a href=
-                "#dfn-entry-script-origin-s-url-whitelist"
-               class="internalDFN">entry script origin's <abbr title="Uniform Resource Locator">URL</abbr>
-               whitelist</a>.
-          </p>
-          <p>
             There is no implied persistence to networked service sharing provided to a web page. It <em class="rfc2119"
                title="MUST NOT">MUST NOT</em> be possible to access a previously white-listed networked service without
                user authorization in all of the following cases:
@@ -1479,11 +1546,7 @@
           </dt>
           <dd>
             <p>
-              The control <abbr title="Uniform Resource Locator">URL</abbr> endpoint (including any required port
-              information) of the user-selected control service that has been added to the <a href=
-              "#dfn-entry-script-origin-s-url-whitelist"
-                 class="internalDFN">entry script origin's <abbr title="Uniform Resource Locator">URL</abbr>
-                 whitelist</a>.
+              The control URL endpoint (including any required port information) of the user-selected control service.
             </p>
           </dd>
           <dt>
@@ -1513,12 +1576,10 @@
         <p>
           The <dfn id="dom-networkservice-url"><code>url</code></dfn> attribute is an <a href=
           "http://url.spec.whatwg.org/#concept-absolute-url"
-             class="externalDFN">absolute <abbr title="Uniform Resource Locator">URL</abbr></a> pointing to the root
-             <abbr title="Hypertext Transfer Protocol">HTTP</abbr> endpoint for the service that has been added to the
-             <a href="#dfn-entry-script-origin-s-url-whitelist"
-             class="internalDFN">entry script origin's <abbr title="Uniform Resource Locator">URL</abbr> whitelist</a>.
-             Web pages can subsequently use this value for implicit cross-document messaging via various existing
-             mechanisms (e.g. Web Sockets, Server-Sent Events, Web Messaging, XMLHttpRequest).
+             class="externalDFN">absolute URL</a> pointing to the root <abbr title=
+             "Hypertext Transfer Protocol">HTTP</abbr> endpoint for the service. Web pages can subsequently use this
+             value for implicit cross-document messaging via various existing mechanisms (e.g. Web Sockets, Server-Sent
+             Events, Web Messaging, XMLHttpRequest).
         </p>
         <p>
           The <dfn id="dom-networkservice-config"><code>config</code></dfn> attribute provides the raw configuration
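Review bot: The rewritten `url` paragraph still lists Web Sockets and Web Messaging among the mechanisms a page can use, but the access control this changeset introduces is a CORS preflight check, and CORS does not govern the WebSocket handshake. With the entry script origin's URL whitelist removed, the text no longer says what limits a page's WebSocket connections to the service URL, or how the whitelist's "simulated" CORS applies to them. I would either restrict the example list to CORS-governed mechanisms (`e.g. XMLHttpRequest, Server-Sent Events`) or add a sentence stating the rule for the others. "implicit cross-document messaging" is also misleading for requests to a network service; `cross-origin requests` would be accurate.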
@@ -1836,6 +1897,49 @@
            class="internalDFN">removing an available service</a>, passing in the expired service record's
            <code>id</code> attribute as the only argument.
       </p>
+      <p>
+        The <dfn id="dfn-cors-preflight-check">CORS preflight check</dfn> algorithm determines whether a
+        Local-networked Service supports Cross-Origin Resource Sharing [<cite><a class="bibref"
+           href="#bib-CORS">CORS</a></cite>] prior to that service being proposed for sharing to users and prior to
+           active sharing with web pages. This algorithm takes one argument, <var>control endpoint URL</var>, and
+           consists of running the following steps:
+      </p>
+      <ol class="rule">
+        <li>Let <var>cross-origin request status</var> be set to the resulting value of <a href=
+        "http://www.w3.org/TR/cors/#cross-origin-request-status"
+              class="externalDFN">cross-origin request status</a> [<cite><a class="bibref"
+             href="#bib-CORS">CORS</a></cite>] after performing a <a href=
+             "http://www.w3.org/TR/cors/#cross-origin-request-with-preflight"
+              class="externalDFN">cross-origin request with preflight</a> [<cite><a class="bibref"
+             href="#bib-CORS">CORS</a></cite>] towards the <var>control endpoint URL</var> with the <a href=
+             "http://www.w3.org/TR/cors/#source-origin"
+              class="externalDFN">source origin</a> [<cite><a class="bibref"
+             href="#bib-CORS">CORS</a></cite>] set to the public IP address of the current machine, terminating this
+             algorithm at Step 2 (when <a href="http://www.w3.org/TR/cors/#cross-origin-request-status"
+              class="externalDFN">cross-origin request status</a> has been set to <var>preflight complete</var> or a
+              prior error has occurred in the algorithm).
+        </li>
+        <li>If <var>cross-origin request status</var> is set to <var>preflight complete</var> then return
+        <code>pass</code>. Otherwise, return <code>fail</code>.
+        </li>
+      </ol>
+      <p>
+        User agents <em class="rfc2119"
+           title="SHOULD">SHOULD</em> re-run the <a href="#dfn-cors-preflight-check"
+           class="internalDFN">CORS preflight check</a> algorithm against service endpoint URLs when their <a href=
+           "http://www.w3.org/TR/cors/#cache-max-age"
+           class="externalDFN">max-age</a> [<cite><a class="bibref"
+           href="#bib-CORS">CORS</a></cite>] entry in the <a href="http://www.w3.org/TR/cors/#preflight-result-cache"
+           class="externalDFN">preflight result cache</a> [<cite><a class="bibref"
+           href="#bib-CORS">CORS</a></cite>] exceeds the current time. If this subsequent execution of the <a href=
+           "#dfn-cors-preflight-check"
+           class="internalDFN">CORS preflight check</a> algorithm returns <code>fail</code> then the <a href=
+           "#dfn-user-agent"
+           class="internalDFN">user agent</a> <em class="rfc2119"
+           title="MUST">MUST</em> run the general rule for <a href="#dfn-removing-an-available-service"
+           class="internalDFN">removing an available service</a> passing in the associated <var>network service
+           record</var>'s <code>id</code> attribute as the only argument.
+      </p>
       <section id="zeroconf-mdns-dns-sd">
         <h3 aria-level="2"
             role="heading"
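Review bot: Step 1 of the CORS preflight check sets the source origin to "the public IP address of the current machine", which is not an origin (scheme, host and port) and has no relation to the web page that will later talk to the service. A `pass` therefore shows only that the service answered a preflight for that value: a service that allows one specific origin would fail, and a service that passes is then offered to any page the user authorizes. The step also does not name the request method or headers used for the preflight, so two user agents could reach different results for the same service. In the re-run paragraph, "max-age ... entry ... exceeds the current time" compares a duration with a timestamp; `when their entry in the preflight result cache has expired` is probably what is meant, and given that a later `fail` triggers a `MUST`, the re-run itself may deserve more than `SHOULD`.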
@@ -1879,9 +1983,9 @@
               Instance Name's <var>Service</var> component [<cite><a class="bibref"
                    href="#bib-MDNS">MDNS</a></cite>].
               </li>
-              <li>Set <var>network service record</var>'s <code>url</code> property to the resolvable Service
-              <abbr title="Uniform Resource Locator">URL</abbr> obtained from performing an <abbr title=
-              "Domain Name System">DNS</abbr>-<abbr title="Service Discovery">SD</abbr> Lookup [<cite><a class="bibref"
+              <li>Set <var>network service record</var>'s <code>url</code> property to the resolvable Service URL
+              obtained from performing an <abbr title="Domain Name System">DNS</abbr>-<abbr title=
+              "Service Discovery">SD</abbr> Lookup [<cite><a class="bibref"
                    href="#bib-DNS-SD">DNS-SD</a></cite>] of the current service from the <abbr title=
                    "DNS Pointer Record">PTR</abbr> record provided [<cite><a class="bibref"
                    href="#bib-MDNS">MDNS</a></cite>].
@@ -1895,9 +1999,16 @@
               <li>Set <var>network service record</var>'s <code>expiryTimestamp</code> property to the value of the
               current date, in UTC timestamp format, plus a value of <code>120</code> seconds.
               </li>
-              <li>Run the general rule for <a href="#dfn-adding-an-available-service"
+              <li>If the result of running the <a href="#dfn-cors-preflight-check"
+                    class="internalDFN">CORS preflight check</a> algorithm is <code>pass</code>, passing in the current
+                    <var>network service record</var>'s <code>url</code> property as the only argument, or the current
+                    <var>network service record</var>'s <code>type</code> property is present in the <a href=
+                    "#dfn-network-services-whitelist"
+                    class="internalDFN">network services whitelist</a> then run the general rule for <a href=
+                    "#dfn-adding-an-available-service"
                     class="internalDFN">adding an available service</a>, passing in the current <var>network service
-                    record</var> as the only argument.
+                    record</var> as the only argument. Otherwise, discard the current <var>network service
+                    record</var>.
               </li>
             </ol>
           </li>
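Review bot: The rewritten final sub-step packs the preflight call, its argument and the whitelist test into one sentence, so it is unclear whether "passing in ... as the only argument" belongs to the preflight check and whether a whitelisted type still triggers a preflight request. Stating the whitelist test first would make the order explicit, e.g. `If the record's type is present in the network services whitelist, or the CORS preflight check run with the record's url returns pass, then run ... Otherwise, discard the record.` The `url` passed in comes from the DNS-SD lookup earlier in this list, and nothing visible in the hunk requires it to resolve to a local-network address before the user agent sends a request to it; that constraint is worth stating if it is intended. The same wording is added to the UPnP sub-step in the hunk at `@@ -2142,9 +2248,16 @@`.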
@@ -1997,11 +2108,10 @@
           <li>The user agent <em class="rfc2119"
                 title="MUST">MUST</em> run the rule for <a href="#dfn-obtaining-a-upnp-device-description-file"
                 class="internalDFN">obtaining a UPnP Device Description File</a> passing in the first occurrence of
-                <var>LOCATION</var> from <var>ssdp device</var> as the <var>device descriptor <abbr title=
-                "Uniform Resource Locator">URL</abbr></var> argument and the first occurrence of <var>USN</var> from
-                <var>ssdp device</var> as the <var>device identifier</var> argument and the first occurrence of
-                <var>CACHE-CONTROL</var> from <var>ssdp device</var> (minus the leading string of
-                <code>max-age=</code>) as the <var>device expiry</var> argument.
+                <var>LOCATION</var> from <var>ssdp device</var> as the <var>device descriptor URL</var> argument and
+                the first occurrence of <var>USN</var> from <var>ssdp device</var> as the <var>device identifier</var>
+                argument and the first occurrence of <var>CACHE-CONTROL</var> from <var>ssdp device</var> (minus the
+                leading string of <code>max-age=</code>) as the <var>device expiry</var> argument.
           </li>
         </ol>
         <p>
@@ -2042,11 +2152,10 @@
           <em class="rfc2119"
                 title="MUST">MUST</em> run the rule for <a href="#dfn-obtaining-a-upnp-device-description-file"
                 class="internalDFN">obtaining a UPnP Device Description File</a> passing in the first occurrence of
-                <var>LOCATION</var> from <var>ssdp device</var> as the <var>device descriptor <abbr title=
-                "Uniform Resource Locator">URL</abbr></var> argument and the first occurrence of <var>USN</var> from
-                <var>ssdp device</var> as the <var>device identifier</var> argument and the first occurrence of
-                <var>CACHE-CONTROL</var> from <var>ssdp device</var> (minus the leading string of
-                <code>max-age=</code>) as the <var>device expiry</var>.<br>
+                <var>LOCATION</var> from <var>ssdp device</var> as the <var>device descriptor URL</var> argument and
+                the first occurrence of <var>USN</var> from <var>ssdp device</var> as the <var>device identifier</var>
+                argument and the first occurrence of <var>CACHE-CONTROL</var> from <var>ssdp device</var> (minus the
+                leading string of <code>max-age=</code>) as the <var>device expiry</var>.<br>
             <br>
             Otherwise, if <var>ssdp device</var>'s <var>NTS</var> entry is equal to <code>ssdp:byebye</code> then the
             user agent <em class="rfc2119"
@@ -2060,23 +2169,20 @@
           The rule for <dfn id="dfn-obtaining-a-upnp-device-description-file">obtaining a UPnP Device Description
           File</dfn> is the process of obtaining the contents of a standard UPnP Device Description [<cite><a class=
           "bibref"
-             href="#bib-UPNP-DEVICEARCH11">UPNP-DEVICEARCH11</a></cite>] from a <abbr title=
-             "Uniform Resource Locator">URL</abbr>-based resource. This rule takes three arguments - <var>device
-             descriptor <abbr title="Uniform Resource Locator">URL</abbr></var>, <var>device identifier</var> and
-             <var>device expiry</var> - and when called the user agent <em class="rfc2119"
+             href="#bib-UPNP-DEVICEARCH11">UPNP-DEVICEARCH11</a></cite>] from a URL-based resource. This rule takes
+             three arguments - <var>device descriptor URL</var>, <var>device identifier</var> and <var>device
+             expiry</var> - and when called the user agent <em class="rfc2119"
              title="MUST">MUST</em> run the following steps:
         </p>
         <ol class="rule">
-          <li>Let <var>device descriptor file</var> contain the contents of the file located at the <abbr title=
-          "Uniform Resource Locator">URL</abbr> provided in <var>device descriptor <abbr title=
-          "Uniform Resource Locator">URL</abbr></var> obtained according to the rules defined in 'Section 2.11:
-          Retrieving a description using <abbr title="Hypertext Transfer Protocol">HTTP</abbr>' in [<cite><a class=
-          "bibref"
+          <li>Let <var>device descriptor file</var> contain the contents of the file located at the URL provided in
+          <var>device descriptor URL</var> obtained according to the rules defined in 'Section 2.11: Retrieving a
+          description using <abbr title="Hypertext Transfer Protocol">HTTP</abbr>' in [<cite><a class="bibref"
                href="#bib-UPNP-DEVICEARCH11">UPNP-DEVICEARCH11</a></cite>].
           </li>
-          <li>If the value provided in <var>device descriptor <abbr title="Uniform Resource Locator">URL</abbr></var>
-          cannot be resolved as a reachable <abbr title="Uniform Resource Locator">URL</abbr> on the current network or
-          the <var>device descriptor file</var> remains empty then it is invalid and the <a href="#dfn-user-agent"
+          <li>If the value provided in <var>device descriptor URL</var> cannot be resolved as a reachable URL on the
+          current network or the <var>device descriptor file</var> remains empty then it is invalid and the <a href=
+          "#dfn-user-agent"
                 class="internalDFN">user agent</a> <em class="rfc2119"
                 title="MUST">MUST</em> abort any remaining steps and return.
           </li>
@@ -2142,9 +2248,16 @@
               <li>Set <var>network service record</var>'s <code>expiryTimestamp</code> property to the value of the
               current date, in UTC timestamp format, plus the value of <var>device expiry</var>.
               </li>
-              <li>Run the general rule for <a href="#dfn-adding-an-available-service"
+              <li>If the result of running the <a href="#dfn-cors-preflight-check"
+                    class="internalDFN">CORS preflight check</a> algorithm is <code>pass</code>, passing in the current
+                    <var>network service record</var>'s <code>url</code> property as the only argument, or the current
+                    <var>network service record</var>'s <code>type</code> property is present in the <a href=
+                    "#dfn-network-services-whitelist"
+                    class="internalDFN">network services whitelist</a> then run the general rule for <a href=
+                    "#dfn-adding-an-available-service"
                     class="internalDFN">adding an available service</a>, passing in the current <var>network service
-                    record</var> as the only argument.
+                    record</var> as the only argument. Otherwise, discard the current <var>network service
+                    record</var>.
               </li>
             </ol>
           </li>
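Review bot: The `or` branch of the added step admits a record on its `type` alone, so a service whose `type` is in the network services whitelist is exposed to the page even when the CORS preflight check did not pass. That `type` value is presumably taken from what the device itself advertises (the step that sets it is outside this hunk). If so, any device on the local network that announces a whitelisted type skips the opt-in check, and the step should state that the whitelist is controlled by the user agent and what a whitelisted type is trusted to mean. The sentence is also hard to parse because the argument clause trails the result; consider `If the current network service record's type property is present in the network services whitelist, or running the CORS preflight check algorithm with the record's url property as the only argument returns pass, then run …`, which also lets the user agent skip the preflight request for whitelisted types. The identical step is added in the DIAL hunk at -2447/+2552, and the enclosing list starts outside both hunks.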
@@ -2195,16 +2308,15 @@
                 class="internalDFN">user agent</a> <em class="rfc2119"
                 title="MUST">MUST</em> abort these steps.
           </li>
-          <li>Let <var>callback <abbr title="Uniform Resource Locator">URL</abbr></var> be the value of creating a new
-          <a href="#dfn-user-agent-generated-callback-url"
+          <li>Let <var>callback URL</var> be the value of creating a new <a href=
+          "#dfn-user-agent-generated-callback-url"
                 class="internalDFN">user-agent generated callback url</a>.
           </li>
           <li>Send a <abbr title="Hypertext Transfer Protocol">HTTP</abbr> SUBSCRIBE request with a <em>NT</em> header
           with a string value of <code>upnp:event</code>, a <em>TIMEOUT</em> header with a user-agent defined timeout
           value (in the form <code>Second-XX</code> where <code>XX</code> is the user-agent defined timeout value in
-          seconds) and a <em>CALLBACK</em> header with a string value of <var>callback <abbr title=
-          "Uniform Resource Locator">URL</abbr></var> towards the <var>network service record</var>'s
-          <code>eventsUrl</code> property.
+          seconds) and a <em>CALLBACK</em> header with a string value of <var>callback URL</var> towards the
+          <var>network service record</var>'s <code>eventsUrl</code> property.
           </li>
           <li>If a non-200 OK response is received from the <abbr title="Hypertext Transfer Protocol">HTTP</abbr>
           SUBSCRIBE request then the <a href="#dfn-user-agent"
@@ -2252,8 +2364,7 @@
               </li>
               <li>
                 <em>Listen</em>: For each <abbr title="Hypertext Transfer Protocol">HTTP</abbr> NOTIFY request received
-                at the <var>callback <abbr title="Uniform Resource Locator">URL</abbr></var> the <a href=
-                "#dfn-user-agent"
+                at the <var>callback URL</var> the <a href="#dfn-user-agent"
                     class="internalDFN">user agent</a> is to run the following steps:
                 <ol class="rule">
                   <li>Let <var>content clone</var> be the result of obtaining the message body of the <abbr title=
@@ -2384,41 +2495,35 @@
           <li>The user agent <em class="rfc2119"
                 title="MUST">MUST</em> run the rule for <a href="#dfn-obtaining-a-upnp-device-description-file"
                 class="internalDFN">obtaining a UPnP Device Description File</a> passing in the first occurrence of
-                <var>LOCATION</var> from <var>dial device</var> as the <var>device descriptor <abbr title=
-                "Uniform Resource Locator">URL</abbr></var> argument and the first occurrence of <var>USN</var> from
-                <var>dial device</var> as the <var>device identifier</var> argument and the first occurrence of
-                <var>CACHE-CONTROL</var> from <var>dial device</var> (minus the leading string of
-                <code>max-age=</code>) as the <var>device expiry</var> argument.
+                <var>LOCATION</var> from <var>dial device</var> as the <var>device descriptor URL</var> argument and
+                the first occurrence of <var>USN</var> from <var>dial device</var> as the <var>device identifier</var>
+                argument and the first occurrence of <var>CACHE-CONTROL</var> from <var>dial device</var> (minus the
+                leading string of <code>max-age=</code>) as the <var>device expiry</var> argument.
           </li>
         </ol>
         <p>
           The rule for <dfn id="dfn-obtaining-a-dial-device-description-file">obtaining a <abbr title=
           "Discovery and Launch Protocol">DIAL</abbr> Device Description File</dfn> is the process of obtaining the
           contents of a standard UPnP Device Description [<cite><a class="bibref"
-             href="#bib-UPNP-DEVICEARCH11">UPNP-DEVICEARCH11</a></cite>] from a <abbr title=
-             "Uniform Resource Locator">URL</abbr>-based resource. This rule takes three arguments - <var>device
-             descriptor <abbr title="Uniform Resource Locator">URL</abbr></var>, <var>device identifier</var> and
-             <var>device expiry</var> - and when called the user agent <em class="rfc2119"
+             href="#bib-UPNP-DEVICEARCH11">UPNP-DEVICEARCH11</a></cite>] from a URL-based resource. This rule takes
+             three arguments - <var>device descriptor URL</var>, <var>device identifier</var> and <var>device
+             expiry</var> - and when called the user agent <em class="rfc2119"
              title="MUST">MUST</em> run the following steps:
         </p>
         <ol class="rule">
-          <li>Let <var>device descriptor file</var> contain the contents of the file located at the <abbr title=
-          "Uniform Resource Locator">URL</abbr> provided in <var>device descriptor <abbr title=
-          "Uniform Resource Locator">URL</abbr></var> obtained according to the rules defined in 'Section 2.11:
-          Retrieving a description using <abbr title="Hypertext Transfer Protocol">HTTP</abbr>' in [<cite><a class=
-          "bibref"
+          <li>Let <var>device descriptor file</var> contain the contents of the file located at the URL provided in
+          <var>device descriptor URL</var> obtained according to the rules defined in 'Section 2.11: Retrieving a
+          description using <abbr title="Hypertext Transfer Protocol">HTTP</abbr>' in [<cite><a class="bibref"
                href="#bib-UPNP-DEVICEARCH11">UPNP-DEVICEARCH11</a></cite>].
           </li>
-          <li>Let <var>application url</var> be the value of the first occurrence of the
-            <code>Application-<abbr title="Uniform Resource Locator">URL</abbr></code> response header field obtained
-            according to the rules defined in 'Section 5.4: Device Description Response' in [<a href=
-            "https://sites.google.com/a/dial-multiscreen.org/dial/dial-protocol-specification"><abbr title=
-            "Discovery and Launch Protocol">DIAL</abbr></a>]
+          <li>Let <var>application url</var> be the value of the first occurrence of the <code>Application-URL</code>
+          response header field obtained according to the rules defined in 'Section 5.4: Device Description Response'
+          in [<a href="https://sites.google.com/a/dial-multiscreen.org/dial/dial-protocol-specification"><abbr title=
+          "Discovery and Launch Protocol">DIAL</abbr></a>]
           </li>
-          <li>If the value provided in <var>device descriptor <abbr title="Uniform Resource Locator">URL</abbr></var>
-          cannot be resolved as a reachable <abbr title="Uniform Resource Locator">URL</abbr> on the current network or
-          the <var>device descriptor file</var> remains empty or <var>application url</var> is undefined then it is
-          invalid and the <a href="#dfn-user-agent"
+          <li>If the value provided in <var>device descriptor URL</var> cannot be resolved as a reachable URL on the
+          current network or the <var>device descriptor file</var> remains empty or <var>application url</var> is
+          undefined then it is invalid and the <a href="#dfn-user-agent"
                 class="internalDFN">user agent</a> <em class="rfc2119"
                 title="MUST">MUST</em> abort any remaining steps and return.
           </li>
@@ -2447,9 +2552,16 @@
               <li>Set <var>network service record</var>'s <code>expiryTimestamp</code> property to the value of the
               current date, in UTC timestamp format, plus the value of <var>device expiry</var>.
               </li>
-              <li>Run the general rule for <a href="#dfn-adding-an-available-service"
+              <li>If the result of running the <a href="#dfn-cors-preflight-check"
+                    class="internalDFN">CORS preflight check</a> algorithm is <code>pass</code>, passing in the current
+                    <var>network service record</var>'s <code>url</code> property as the only argument, or the current
+                    <var>network service record</var>'s <code>type</code> property is present in the <a href=
+                    "#dfn-network-services-whitelist"
+                    class="internalDFN">network services whitelist</a> then run the general rule for <a href=
+                    "#dfn-adding-an-available-service"
                     class="internalDFN">adding an available service</a>, passing in the current <var>network service
-                    record</var> as the only argument.
+                    record</var> as the only argument. Otherwise, discard the current <var>network service
+                    record</var>.
               </li>
             </ol>
           </li>
@@ -2621,10 +2733,7 @@
            class="externalDFN"><code>Document</code></a> object goes away), the <a href="#dfn-user-agent"
            class="internalDFN">user agent</a> <em class="rfc2119"
            title="MUST">MUST</em> remove this object from the <a href="#dfn-list-of-active-service-managers"
-           class="internalDFN">list of active service managers</a> and remove the <a href=
-           "#dom-networkservice-url"><code>url</code></a> of each of its <a href="#dfn-indexed-properties-1"
-           class="internalDFN">indexed properties</a> from the <a href="#dfn-entry-script-origin-s-url-whitelist"
-           class="internalDFN">entry script origin's <abbr title="Uniform Resource Locator">URL</abbr> whitelist</a>.
+           class="internalDFN">list of active service managers</a>.
       </p>
     </section>
     <section id="use-cases-and-requirements">
@@ -2801,11 +2910,9 @@
 "str">"POST"</span><span class="pun">,</span><span class="pln"> services</span><span class="pun">[</span><span class=
 "lit">0</span><span class="pun">].</span><span class="pln">url </span><span class="pun">+</span><span class=
 "pln"> </span><span class="str">"/getAlbums"</span><span class="pun">);</span><span class="pln"> </span><span class=
-"com">// services[0].url and its sub-resources have been</span><span class="pln">
+"com">// services[0].url and its sub-resources are</span><span class="pln">
                                                         </span><span class=
-"com">// whitelisted for cross-site XHR use in this</span><span class="pln">
-                                                        </span><span class=
-"com">// current browsing context.</span><span class="pln">
+"com">// available for cross-site XHR use.</span><span class="pln">
 
    svcXhr</span><span class="pun">.</span><span class="pln">setRequestHeader</span><span class=
 "pun">(</span><span class="str">'Content-Type'</span><span class="pun">,</span><span class="pln"> </span><span class=
@@ -3067,12 +3174,9 @@
     svcXhr</span><span class="pun">.</span><span class="pln">open</span><span class="pun">(</span><span class=
 "str">"POST"</span><span class="pun">,</span><span class="pln"> services</span><span class="pun">[</span><span class=
 "lit">0</span><span class="pun">].</span><span class="pln">url</span><span class="pun">);</span><span class=
-"pln"> </span><span class="com">// services[0].url and its</span><span class="pln">
+"pln"> </span><span class="com">// services[0].url and its sub-resources are</span><span class="pln">
                                           </span><span class=
-"com">// sub-resources have been whitelisted for</span><span class="pln">
-                                          </span><span class=
-"com">// cross-site XHR use in this current</span><span class="pln">
-                                          </span><span class="com">// browsing context.</span><span class="pln">
+"com">// available for cross-site XHR use.</span><span class="pln">
 
     svcXhr</span><span class="pun">.</span><span class="pln">setRequestHeader</span><span class=
 "pun">(</span><span class="str">'SOAPAction'</span><span class="pun">,</span><span class="pln"> </span><span class=
@@ -3197,6 +3301,14 @@
         </h3>
         <dl class="bibliography"
             about="">
+          <dt id="bib-CORS">
+            [CORS]
+          </dt>
+          <dd rel="dcterms:requires">
+            Anne van Kesteren. <a href="http://www.w3.org/TR/cors/"><cite>Cross-Origin Resource Sharing</cite></a>. 29
+            January 2013. W3C Candidate Recommendation. URL: <a href=
+            "http://www.w3.org/TR/cors/">http://www.w3.org/TR/cors/</a>
+          </dd>
           <dt id="bib-DNS-SD">
             [DNS-SD]
           </dt>