discovery-api/Overview.html
changeset 480 f3ea6558ffe1
parent 453 07345c55f11f
child 483 140b6c8d4c18
     1.1 --- a/discovery-api/Overview.html	Sat Sep 28 11:13:44 2013 -0400
     1.2 +++ b/discovery-api/Overview.html	Mon Oct 07 14:07:57 2013 +1100
     1.3 @@ -205,6 +205,7 @@
     1.4            href="https://www.w3.org/StyleSheets/TR/W3C-ED">
     1.5    </head>
     1.6    <body class="h-entry"
     1.7 +        style=""
     1.8          role="document"
     1.9          id="respecDocument">
    1.10      <div class="head"
    1.11 @@ -223,10 +224,10 @@
    1.12        </h1>
    1.13        <h2 property="dcterms:issued"
    1.14            datatype="xsd:dateTime"
    1.15 -          content="2013-09-05T11:58:47.000Z"
    1.16 -          id="w3c-editor-s-draft-05-september-2013">
    1.17 +          content="2013-10-06T16:06:07.000Z"
    1.18 +          id="w3c-editor-s-draft-07-october-2013">
    1.19          <abbr title="World Wide Web Consortium">W3C</abbr> Editor's Draft <time class="dt-published"
    1.20 -            datetime="2013-09-05">05 September 2013</time>
    1.21 +            datetime="2013-10-07">07 October 2013</time>
    1.22        </h2>
    1.23        <dl>
    1.24          <dt>
    1.25 @@ -294,6 +295,55 @@
    1.26          within the current network.
    1.27        </p>
    1.28      </section>
    1.29 +    <section id="sotd"
    1.30 +             class="introductory"
    1.31 +             typeof="bibo:Chapter"
    1.32 +             resource="#sotd"
    1.33 +             rel="bibo:chapter">
    1.34 +      <h2 aria-level="1"
    1.35 +          role="heading"
    1.36 +          id="h2_sotd">
    1.37 +        Status of This Document
    1.38 +      </h2>
    1.39 +      <p>
    1.40 +        <em>This section describes the status of this document at the time of its publication. Other documents may
    1.41 +        supersede this document. A list of current <abbr title="World Wide Web Consortium">W3C</abbr> publications and
    1.42 +        the latest revision of this technical report can be found in the <a href="http://www.w3.org/TR/"><abbr title=
    1.43 +        "World Wide Web Consortium">W3C</abbr> technical reports index</a> at http://www.w3.org/TR/.</em>
    1.44 +      </p>
    1.45 +      <p>
    1.46 +        This document represents the early consensus of the group on the scope and features of the proposed
    1.47 +        <abbr title="Application Programming Interface">API</abbr>.
    1.48 +      </p>
    1.49 +      <p>
    1.50 +        This document was published by the <a href="http://www.w3.org/2009/dap/">Device APIs Working Group</a> as an
    1.51 +        Editor's Draft. If you wish to make comments regarding this document, please send them to <a href=
    1.52 +        "mailto:public-device-apis@w3.org">public-device-apis@w3.org</a> (<a href=
    1.53 +        "mailto:public-device-apis-request@w3.org?subject=subscribe">subscribe</a>, <a href=
    1.54 +        "http://lists.w3.org/Archives/Public/public-device-apis/">archives</a>). All comments are welcome.
    1.55 +      </p>
    1.56 +      <p>
    1.57 +        Publication as an Editor's Draft does not imply endorsement by the <abbr title=
    1.58 +        "World Wide Web Consortium">W3C</abbr> Membership. This is a draft document and may be updated, replaced or
    1.59 +        obsoleted by other documents at any time. It is inappropriate to cite this document as other than work in
    1.60 +        progress.
    1.61 +      </p>
    1.62 +      <p>
    1.63 +        This document was produced by a group operating under the <a id="sotd_patent"
    1.64 +           about=""
    1.65 +           rel="w3p:patentRules"
    1.66 +           href="http://www.w3.org/Consortium/Patent-Policy-20040205/">5 February 2004 <abbr title=
    1.67 +           "World Wide Web Consortium">W3C</abbr> Patent Policy</a>. <abbr title="World Wide Web Consortium">W3C</abbr>
    1.68 +           maintains a <a href="http://www.w3.org/2004/01/pp-impl/43696/status"
    1.69 +           rel="disclosure">public list of any patent disclosures</a> made in connection with the deliverables of the
    1.70 +           group; that page also includes instructions for disclosing a patent. An individual who has actual knowledge
    1.71 +           of a patent which the individual believes contains <a href=
    1.72 +           "http://www.w3.org/Consortium/Patent-Policy-20040205/#def-essential">Essential Claim(s)</a> must disclose
    1.73 +           the information in accordance with <a href=
    1.74 +           "http://www.w3.org/Consortium/Patent-Policy-20040205/#sec-Disclosure">section 6 of the <abbr title=
    1.75 +           "World Wide Web Consortium">W3C</abbr> Patent Policy</a>.
    1.76 +      </p>
    1.77 +    </section>
    1.78      <section id="toc">
    1.79        <h2 class="introductory"
    1.80            aria-level="1"
    1.81 @@ -327,13 +377,18 @@
    1.82                class="tocxref"><span class="secno">4.</span> Security and privacy considerations</a>
    1.83            <ul class="toc">
    1.84              <li class="tocline">
    1.85 +              <a href="#security-considerations-for-api-implementations"
    1.86 +                  class="tocxref"><span class="secno">4.1</span> Security considerations for <abbr title=
    1.87 +                  "Application Programming Interface">API</abbr> implementations</a>
    1.88 +            </li>
    1.89 +            <li class="tocline">
    1.90                <a href="#privacy-considerations-for-api-implementations"
    1.91 -                  class="tocxref"><span class="secno">4.1</span> Privacy considerations for <abbr title=
    1.92 +                  class="tocxref"><span class="secno">4.2</span> Privacy considerations for <abbr title=
    1.93                    "Application Programming Interface">API</abbr> implementations</a>
    1.94              </li>
    1.95              <li class="tocline">
    1.96                <a href="#additional-api-implementation-considerations"
    1.97 -                  class="tocxref"><span class="secno">4.2</span> Additional <abbr title=
    1.98 +                  class="tocxref"><span class="secno">4.3</span> Additional <abbr title=
    1.99                    "Application Programming Interface">API</abbr> implementation considerations</a>
   1.100              </li>
   1.101            </ul>
   1.102 @@ -484,7 +539,11 @@
   1.103          The user agent, having captured all advertised services on the network from the <a href=
   1.104          "#dfn-service-discovery-mechanisms"
   1.105             class="internalDFN">service discovery mechanisms</a> included in this recommendation, attempts to match the
   1.106 -           requested service type to a discovered service according to the processing described herein.
   1.107 +           requested service type to a discovered service according to the processing described herein. Only
   1.108 +           Local-networked Services that pass a <a href="#dfn-cors-preflight-check"
   1.109 +           class="internalDFN">CORS preflight check</a> should be made available to web pages by a user agent. A user
   1.110 +           agent may provide a way for users to white-list non-CORS enabled Local-networked Services but implementation
   1.111 +           of such a feature is left to the discretion of the implementer.
   1.112        </p>
   1.113        <p>
   1.114          If a service connectivity request is successful then the Web page is provided with a promise-based success
   1.115 @@ -728,7 +787,7 @@
   1.116        </p>
   1.117        <p>
   1.118          A <dfn id="dfn-user-agent-generated-callback-url">user-agent generated callback url</dfn> is a Local-network
   1.119 -        accessible <abbr title="Uniform Resource Locator">URL</abbr> endpoint that a <a href="#dfn-user-agent"
   1.120 +        accessible URL endpoint that a <a href="#dfn-user-agent"
   1.121             class="internalDFN">user agent</a> generates and maintains for receiving <abbr title=
   1.122             "Hypertext Transfer Protocol">HTTP</abbr> NOTIFY requests from UPnP Event sources. It is only required when
   1.123             the user agent implements UPnP Service Discovery as defined in this specification.
   1.124 @@ -753,6 +812,19 @@
   1.125                class="internalDFN">list of active service managers</a>.
   1.126          </li>
   1.127        </ul>
   1.128 +      <p>
   1.129 +        A <dfn id="dfn-network-services-whitelist">network services whitelist</dfn> is a list of zero or more <a href=
   1.130 +        "#dfn-valid-service-type"
   1.131 +           class="internalDFN">valid service type</a> tokens that, when matched to a service type discovered in the
   1.132 +           local network, enables that service to be shared with a web page even if that Local-networked Service does
   1.133 +           not itself allow Cross-Origin Resource Sharing [<cite><a class="bibref"
   1.134 +           href="#bib-CORS">CORS</a></cite>]. A <a href="#dfn-user-agent"
   1.135 +           class="internalDFN">user agent</a> <em class="rfc2119"
   1.136 +           title="MUST">MUST</em> simulate CORS support for all service interaction in this case. Implementation of
   1.137 +           this feature is at implementer's discretion. When a <a href="#dfn-user-agent"
   1.138 +           class="internalDFN">user agent</a> does not implement a <a href="#dfn-network-services-whitelist"
   1.139 +           class="internalDFN">network services whitelist</a> then it is to treat this as always being an empty list.
   1.140 +      </p>
   1.141      </section>
   1.142      <section id="security-and-privacy-considerations">
   1.143        <h2 aria-level="1"
   1.144 @@ -772,11 +844,49 @@
   1.145             title="MUST">MUST</em> ensure that no networked service information is retrievable without the user's
   1.146             express permission.
   1.147        </p>
   1.148 +      <section id="security-considerations-for-api-implementations">
   1.149 +        <h3 aria-level="2"
   1.150 +            role="heading"
   1.151 +            id="h3_security-considerations-for-api-implementations">
   1.152 +          <span class="secno">4.1</span> Security considerations for <abbr title=
   1.153 +          "Application Programming Interface">API</abbr> implementations
   1.154 +        </h3>
   1.155 +        <p>
   1.156 +          A <a href="#dfn-user-agent"
   1.157 +             class="internalDFN">user agent</a> <em class="rfc2119"
   1.158 +             title="MUST">MUST</em> allow web pages to connect only with Local-networked Services that have passed a
   1.159 +             <a href="#dfn-cors-preflight-check"
   1.160 +             class="internalDFN">CORS preflight check</a> indicating they support Cross-Origin Resource Sharing
   1.161 +             [<cite><a class="bibref"
   1.162 +             href="#bib-CORS">CORS</a></cite>] during the <a href="#dfn-service-discovery-mechanisms"
   1.163 +             class="internalDFN">service discovery mechanisms</a> provided in this specification. In this way, a
   1.164 +             <a href="#dfn-user-agent"
   1.165 +             class="internalDFN">user agent</a> <em class="rfc2119"
   1.166 +             title="MUST NOT">MUST NOT</em> allow web pages to access other arbitrary networked services on the current
   1.167 +             local network.
   1.168 +        </p>
   1.169 +        <p>
   1.170 +          A <a href="#dfn-user-agent"
   1.171 +             class="internalDFN">user agent</a> <em class="rfc2119"
   1.172 +             title="MAY">MAY</em> provide a way for users to enable access to non-CORS enabled Local-networked Services
   1.173 +             from web pages (i.e. operate a <a href="#dfn-network-services-whitelist"
   1.174 +             class="internalDFN">network services whitelist</a>). Implementation of such a <a href=
   1.175 +             "#dfn-network-services-whitelist"
   1.176 +             class="internalDFN">network services whitelist</a>, if any, is left to an implementer's discretion. Such a
   1.177 +             whitelist may be configurable by each user at runtime or may be managed by the implementation itself on
   1.178 +             behalf of its users. In the case that a <a href="#dfn-user-agent"
   1.179 +             class="internalDFN">user agent</a> provides a <a href="#dfn-network-services-whitelist"
   1.180 +             class="internalDFN">network services whitelist</a>, it <em class="rfc2119"
   1.181 +             title="MUST">MUST</em> act as if all URLs for the Local-networked Service corresponding to any previously
   1.182 +             whitelisted service type had Cross-Origin Resource Sharing [<cite><a class="bibref"
   1.183 +             href="#bib-CORS">CORS</a></cite>] enabled indefinitely.
   1.184 +        </p>
   1.185 +      </section>
   1.186        <section id="privacy-considerations-for-api-implementations">
   1.187          <h3 aria-level="2"
   1.188              role="heading"
   1.189              id="h3_privacy-considerations-for-api-implementations">
   1.190 -          <span class="secno">4.1</span> Privacy considerations for <abbr title=
   1.191 +          <span class="secno">4.2</span> Privacy considerations for <abbr title=
   1.192            "Application Programming Interface">API</abbr> implementations
   1.193          </h3>
   1.194          <p>
   1.195 @@ -786,10 +896,9 @@
   1.196               permission of the user. A user agent <em class="rfc2119"
   1.197               title="MUST">MUST</em> acquire permission through a user interface, unless they have prearranged trust
   1.198               relationships with users, as described below. The user interface <em class="rfc2119"
   1.199 -             title="MUST">MUST</em> include the document base <abbr title="Uniform Resource Locator">URL</abbr>. Those
   1.200 -             permissions that are acquired through the user interface and that are preserved beyond the current
   1.201 -             browsing session (i.e. beyond the time when the browsing context is navigated to another <abbr title=
   1.202 -             "Uniform Resource Locator">URL</abbr>) <em class="rfc2119"
   1.203 +             title="MUST">MUST</em> include the document base URL. Those permissions that are acquired through the user
   1.204 +             interface and that are preserved beyond the current browsing session (i.e. beyond the time when the
   1.205 +             browsing context is navigated to another URL) <em class="rfc2119"
   1.206               title="MUST">MUST</em> be revocable and a user agent <em class="rfc2119"
   1.207               title="MUST">MUST</em> respect revoked permissions.
   1.208          </p>
   1.209 @@ -817,20 +926,19 @@
   1.210          <h3 aria-level="2"
   1.211              role="heading"
   1.212              id="h3_additional-api-implementation-considerations">
   1.213 -          <span class="secno">4.2</span> Additional <abbr title="Application Programming Interface">API</abbr>
   1.214 +          <span class="secno">4.3</span> Additional <abbr title="Application Programming Interface">API</abbr>
   1.215            implementation considerations
   1.216          </h3>
   1.217          <p>
   1.218            <em>This section is non-normative.</em>
   1.219          </p>
   1.220          <p>
   1.221 -          Further to the requirements listed in the previous section, implementors of the Network Service Discovery
   1.222 +          Further to the requirements listed in the previous section, implementers of the Network Service Discovery
   1.223            <abbr title="Application Programming Interface">API</abbr> are also advised to consider the following aspects
   1.224            that can negatively affect the privacy of their users: in certain cases, users can inadvertently grant
   1.225            permission to the user agent to disclose networked services to Web sites. In other cases, the content hosted
   1.226 -          at a certain <abbr title="Uniform Resource Locator">URL</abbr> changes in such a way that previously granted
   1.227 -          networked service permissions no longer apply as far as the user is concerned. Or the users might simply
   1.228 -          change their minds.
   1.229 +          at a certain URL changes in such a way that previously granted networked service permissions no longer apply
   1.230 +          as far as the user is concerned. Or the users might simply change their minds.
   1.231          </p>
   1.232          <p>
   1.233            Predicting or preventing these situations is inherently difficult. Mitigation and in-depth defensive measures
   1.234 @@ -1035,21 +1143,8 @@
   1.235              permission above - known as the current objects <dfn id="dfn-user-authorized">user-authorized</dfn>
   1.236              services.
   1.237              </li>
   1.238 -            <li>Remove all previously whitelisted urls from the <a href="#dfn-entry-script-origin-s-url-whitelist"
   1.239 -                  class="internalDFN">entry script origin's <abbr title="Uniform Resource Locator">URL</abbr>
   1.240 -                  whitelist</a> granted in the current <a href=
   1.241 -                  "http://www.whatwg.org/specs/web-apps/current-work/complete/browsers.html#entry-script"
   1.242 -                  class="externalDFN">entry script</a>'s <a href=
   1.243 -                  "http://www.whatwg.org/specs/web-apps/current-work/complete/origin-0.html#origin"
   1.244 -                  class="externalDFN">origin</a>.
   1.245 -            </li>
   1.246              <li>For each Object <var>service</var> in <var>services</var>, if any, run the following sub-steps:
   1.247                <ol class="rule">
   1.248 -                <li>Add the <var>service</var>'s <code>url</code> parameter to the <a href=
   1.249 -                "#dfn-entry-script-origin-s-url-whitelist"
   1.250 -                      class="internalDFN">entry script origin's <abbr title="Uniform Resource Locator">URL</abbr>
   1.251 -                      whitelist</a>.
   1.252 -                </li>
   1.253                  <li>If <var>service</var>'s <code>type</code> parameter begins with the DOMString "<code>upnp:</code>"
   1.254                  and the <var>service</var>'s <code>eventsUrl</code> parameter is not empty then <a href=
   1.255                  "#dfn-setup-a-upnp-events-subscription"
   1.256 @@ -1096,34 +1191,6 @@
   1.257                 class="externalDFN">user interaction task source</a>.
   1.258            </p>
   1.259            <p>
   1.260 -            When a <a href="#networkservice"><code>NetworkService</code></a> object is provided to a Web page, the
   1.261 -            <a href="#dfn-user-agent"
   1.262 -               class="internalDFN">user agent</a> <em class="rfc2119"
   1.263 -               title="MUST">MUST</em> add its <a href="#dom-networkservice-url"><code>url</code></a> to the <dfn id=
   1.264 -               "dfn-entry-script-origin-s-url-whitelist">entry script origin's <abbr title=
   1.265 -               "Uniform Resource Locator">URL</abbr> whitelist</dfn>. This list enables the Web page to override and
   1.266 -               initiate cross-site resource requests towards these URLs, and any sub-resources of these URLs, within
   1.267 -               the current <a href=
   1.268 -               "http://www.whatwg.org/specs/web-apps/current-work/complete/browsers.html#entry-script"
   1.269 -               class="externalDFN">entry script</a>'s <a href=
   1.270 -               "http://www.whatwg.org/specs/web-apps/current-work/complete/origin-0.html#origin"
   1.271 -               class="externalDFN">origin</a> via various existing mechanisms (e.g. Web Sockets, Server-Sent Events,
   1.272 -               Web Messaging, XMLHttpRequest).
   1.273 -          </p>
   1.274 -          <p>
   1.275 -            If the user navigates away from the <a href=
   1.276 -            "http://www.whatwg.org/specs/web-apps/current-work/complete/browsers.html#entry-script"
   1.277 -               class="externalDFN">entry script</a>'s <a href=
   1.278 -               "http://www.whatwg.org/specs/web-apps/current-work/complete/origin-0.html#origin"
   1.279 -               class="externalDFN">origin</a> or permission to access a given networked service is revoked at any time
   1.280 -               by the platform or user then the <a href="#dfn-user-agent"
   1.281 -               class="internalDFN">user agent</a> <em class="ct"><em class="rfc2119"
   1.282 -                title="MUST">MUST</em></em> remove its previously whitelisted urls from the <a href=
   1.283 -                "#dfn-entry-script-origin-s-url-whitelist"
   1.284 -               class="internalDFN">entry script origin's <abbr title="Uniform Resource Locator">URL</abbr>
   1.285 -               whitelist</a>.
   1.286 -          </p>
   1.287 -          <p>
   1.288              There is no implied persistence to networked service sharing provided to a web page. It <em class="rfc2119"
   1.289                 title="MUST NOT">MUST NOT</em> be possible to access a previously white-listed networked service without
   1.290                 user authorization in all of the following cases:
   1.291 @@ -1479,11 +1546,7 @@
   1.292            </dt>
   1.293            <dd>
   1.294              <p>
   1.295 -              The control <abbr title="Uniform Resource Locator">URL</abbr> endpoint (including any required port
   1.296 -              information) of the user-selected control service that has been added to the <a href=
   1.297 -              "#dfn-entry-script-origin-s-url-whitelist"
   1.298 -                 class="internalDFN">entry script origin's <abbr title="Uniform Resource Locator">URL</abbr>
   1.299 -                 whitelist</a>.
   1.300 +              The control URL endpoint (including any required port information) of the user-selected control service.
   1.301              </p>
   1.302            </dd>
   1.303            <dt>
   1.304 @@ -1513,12 +1576,10 @@
   1.305          <p>
   1.306            The <dfn id="dom-networkservice-url"><code>url</code></dfn> attribute is an <a href=
   1.307            "http://url.spec.whatwg.org/#concept-absolute-url"
   1.308 -             class="externalDFN">absolute <abbr title="Uniform Resource Locator">URL</abbr></a> pointing to the root
   1.309 -             <abbr title="Hypertext Transfer Protocol">HTTP</abbr> endpoint for the service that has been added to the
   1.310 -             <a href="#dfn-entry-script-origin-s-url-whitelist"
   1.311 -             class="internalDFN">entry script origin's <abbr title="Uniform Resource Locator">URL</abbr> whitelist</a>.
   1.312 -             Web pages can subsequently use this value for implicit cross-document messaging via various existing
   1.313 -             mechanisms (e.g. Web Sockets, Server-Sent Events, Web Messaging, XMLHttpRequest).
   1.314 +             class="externalDFN">absolute URL</a> pointing to the root <abbr title=
   1.315 +             "Hypertext Transfer Protocol">HTTP</abbr> endpoint for the service. Web pages can subsequently use this
   1.316 +             value for implicit cross-document messaging via various existing mechanisms (e.g. Web Sockets, Server-Sent
   1.317 +             Events, Web Messaging, XMLHttpRequest).
   1.318          </p>
   1.319          <p>
   1.320            The <dfn id="dom-networkservice-config"><code>config</code></dfn> attribute provides the raw configuration
   1.321 @@ -1836,6 +1897,49 @@
   1.322             class="internalDFN">removing an available service</a>, passing in the expired service record's
   1.323             <code>id</code> attribute as the only argument.
   1.324        </p>
   1.325 +      <p>
   1.326 +        The <dfn id="dfn-cors-preflight-check">CORS preflight check</dfn> algorithm determines whether a
   1.327 +        Local-networked Service supports Cross-Origin Resource Sharing [<cite><a class="bibref"
   1.328 +           href="#bib-CORS">CORS</a></cite>] prior to that service being proposed for sharing to users and prior to
   1.329 +           active sharing with web pages. This algorithm takes one argument, <var>control endpoint URL</var>, and
   1.330 +           consists of running the following steps:
   1.331 +      </p>
   1.332 +      <ol class="rule">
   1.333 +        <li>Let <var>cross-origin request status</var> be set to the resulting value of <a href=
   1.334 +        "http://www.w3.org/TR/cors/#cross-origin-request-status"
   1.335 +              class="externalDFN">cross-origin request status</a> [<cite><a class="bibref"
   1.336 +             href="#bib-CORS">CORS</a></cite>] after performing a <a href=
   1.337 +             "http://www.w3.org/TR/cors/#cross-origin-request-with-preflight"
   1.338 +              class="externalDFN">cross-origin request with preflight</a> [<cite><a class="bibref"
   1.339 +             href="#bib-CORS">CORS</a></cite>] towards the <var>control endpoint URL</var> with the <a href=
   1.340 +             "http://www.w3.org/TR/cors/#source-origin"
   1.341 +              class="externalDFN">source origin</a> [<cite><a class="bibref"
   1.342 +             href="#bib-CORS">CORS</a></cite>] set to the public IP address of the current machine, terminating this
   1.343 +             algorithm at Step 2 (when <a href="http://www.w3.org/TR/cors/#cross-origin-request-status"
   1.344 +              class="externalDFN">cross-origin request status</a> has been set to <var>preflight complete</var> or a
   1.345 +              prior error has occurred in the algorithm).
   1.346 +        </li>
   1.347 +        <li>If <var>cross-origin request status</var> is set to <var>preflight complete</var> then return
   1.348 +        <code>pass</code>. Otherwise, return <code>fail</code>.
   1.349 +        </li>
   1.350 +      </ol>
   1.351 +      <p>
   1.352 +        User agents <em class="rfc2119"
   1.353 +           title="SHOULD">SHOULD</em> re-run the <a href="#dfn-cors-preflight-check"
   1.354 +           class="internalDFN">CORS preflight check</a> algorithm against service endpoint URLs when their <a href=
   1.355 +           "http://www.w3.org/TR/cors/#cache-max-age"
   1.356 +           class="externalDFN">max-age</a> [<cite><a class="bibref"
   1.357 +           href="#bib-CORS">CORS</a></cite>] entry in the <a href="http://www.w3.org/TR/cors/#preflight-result-cache"
   1.358 +           class="externalDFN">preflight result cache</a> [<cite><a class="bibref"
   1.359 +           href="#bib-CORS">CORS</a></cite>] exceeds the current time. If this subsequent execution of the <a href=
   1.360 +           "#dfn-cors-preflight-check"
   1.361 +           class="internalDFN">CORS preflight check</a> algorithm returns <code>fail</code> then the <a href=
   1.362 +           "#dfn-user-agent"
   1.363 +           class="internalDFN">user agent</a> <em class="rfc2119"
   1.364 +           title="MUST">MUST</em> run the general rule for <a href="#dfn-removing-an-available-service"
   1.365 +           class="internalDFN">removing an available service</a> passing in the associated <var>network service
   1.366 +           record</var>'s <code>id</code> attribute as the only argument.
   1.367 +      </p>
   1.368        <section id="zeroconf-mdns-dns-sd">
   1.369          <h3 aria-level="2"
   1.370              role="heading"
   1.371 @@ -1879,9 +1983,9 @@
   1.372                Instance Name's <var>Service</var> component [<cite><a class="bibref"
   1.373                     href="#bib-MDNS">MDNS</a></cite>].
   1.374                </li>
   1.375 -              <li>Set <var>network service record</var>'s <code>url</code> property to the resolvable Service
   1.376 -              <abbr title="Uniform Resource Locator">URL</abbr> obtained from performing an <abbr title=
   1.377 -              "Domain Name System">DNS</abbr>-<abbr title="Service Discovery">SD</abbr> Lookup [<cite><a class="bibref"
   1.378 +              <li>Set <var>network service record</var>'s <code>url</code> property to the resolvable Service URL
   1.379 +              obtained from performing an <abbr title="Domain Name System">DNS</abbr>-<abbr title=
   1.380 +              "Service Discovery">SD</abbr> Lookup [<cite><a class="bibref"
   1.381                     href="#bib-DNS-SD">DNS-SD</a></cite>] of the current service from the <abbr title=
   1.382                     "DNS Pointer Record">PTR</abbr> record provided [<cite><a class="bibref"
   1.383                     href="#bib-MDNS">MDNS</a></cite>].
   1.384 @@ -1895,9 +1999,16 @@
   1.385                <li>Set <var>network service record</var>'s <code>expiryTimestamp</code> property to the value of the
   1.386                current date, in UTC timestamp format, plus a value of <code>120</code> seconds.
   1.387                </li>
   1.388 -              <li>Run the general rule for <a href="#dfn-adding-an-available-service"
   1.389 +              <li>If the result of running the <a href="#dfn-cors-preflight-check"
   1.390 +                    class="internalDFN">CORS preflight check</a> algorithm is <code>pass</code>, passing in the current
   1.391 +                    <var>network service record</var>'s <code>url</code> property as the only argument, or the current
   1.392 +                    <var>network service record</var>'s <code>type</code> property is present in the <a href=
   1.393 +                    "#dfn-network-services-whitelist"
   1.394 +                    class="internalDFN">network services whitelist</a> then run the general rule for <a href=
   1.395 +                    "#dfn-adding-an-available-service"
   1.396                      class="internalDFN">adding an available service</a>, passing in the current <var>network service
   1.397 -                    record</var> as the only argument.
   1.398 +                    record</var> as the only argument. Otherwise, discard the current <var>network service
   1.399 +                    record</var>.
   1.400                </li>
   1.401              </ol>
   1.402            </li>
   1.403 @@ -1997,11 +2108,10 @@
   1.404            <li>The user agent <em class="rfc2119"
   1.405                  title="MUST">MUST</em> run the rule for <a href="#dfn-obtaining-a-upnp-device-description-file"
   1.406                  class="internalDFN">obtaining a UPnP Device Description File</a> passing in the first occurrence of
   1.407 -                <var>LOCATION</var> from <var>ssdp device</var> as the <var>device descriptor <abbr title=
   1.408 -                "Uniform Resource Locator">URL</abbr></var> argument and the first occurrence of <var>USN</var> from
   1.409 -                <var>ssdp device</var> as the <var>device identifier</var> argument and the first occurrence of
   1.410 -                <var>CACHE-CONTROL</var> from <var>ssdp device</var> (minus the leading string of
   1.411 -                <code>max-age=</code>) as the <var>device expiry</var> argument.
   1.412 +                <var>LOCATION</var> from <var>ssdp device</var> as the <var>device descriptor URL</var> argument and
   1.413 +                the first occurrence of <var>USN</var> from <var>ssdp device</var> as the <var>device identifier</var>
   1.414 +                argument and the first occurrence of <var>CACHE-CONTROL</var> from <var>ssdp device</var> (minus the
   1.415 +                leading string of <code>max-age=</code>) as the <var>device expiry</var> argument.
   1.416            </li>
   1.417          </ol>
   1.418          <p>
   1.419 @@ -2042,11 +2152,10 @@
   1.420            <em class="rfc2119"
   1.421                  title="MUST">MUST</em> run the rule for <a href="#dfn-obtaining-a-upnp-device-description-file"
   1.422                  class="internalDFN">obtaining a UPnP Device Description File</a> passing in the first occurrence of
   1.423 -                <var>LOCATION</var> from <var>ssdp device</var> as the <var>device descriptor <abbr title=
   1.424 -                "Uniform Resource Locator">URL</abbr></var> argument and the first occurrence of <var>USN</var> from
   1.425 -                <var>ssdp device</var> as the <var>device identifier</var> argument and the first occurrence of
   1.426 -                <var>CACHE-CONTROL</var> from <var>ssdp device</var> (minus the leading string of
   1.427 -                <code>max-age=</code>) as the <var>device expiry</var>.<br>
   1.428 +                <var>LOCATION</var> from <var>ssdp device</var> as the <var>device descriptor URL</var> argument and
   1.429 +                the first occurrence of <var>USN</var> from <var>ssdp device</var> as the <var>device identifier</var>
   1.430 +                argument and the first occurrence of <var>CACHE-CONTROL</var> from <var>ssdp device</var> (minus the
   1.431 +                leading string of <code>max-age=</code>) as the <var>device expiry</var>.<br>
   1.432              <br>
   1.433              Otherwise, if <var>ssdp device</var>'s <var>NTS</var> entry is equal to <code>ssdp:byebye</code> then the
   1.434              user agent <em class="rfc2119"
   1.435 @@ -2060,23 +2169,20 @@
   1.436            The rule for <dfn id="dfn-obtaining-a-upnp-device-description-file">obtaining a UPnP Device Description
   1.437            File</dfn> is the process of obtaining the contents of a standard UPnP Device Description [<cite><a class=
   1.438            "bibref"
   1.439 -             href="#bib-UPNP-DEVICEARCH11">UPNP-DEVICEARCH11</a></cite>] from a <abbr title=
   1.440 -             "Uniform Resource Locator">URL</abbr>-based resource. This rule takes three arguments - <var>device
   1.441 -             descriptor <abbr title="Uniform Resource Locator">URL</abbr></var>, <var>device identifier</var> and
   1.442 -             <var>device expiry</var> - and when called the user agent <em class="rfc2119"
   1.443 +             href="#bib-UPNP-DEVICEARCH11">UPNP-DEVICEARCH11</a></cite>] from a URL-based resource. This rule takes
   1.444 +             three arguments - <var>device descriptor URL</var>, <var>device identifier</var> and <var>device
   1.445 +             expiry</var> - and when called the user agent <em class="rfc2119"
   1.446               title="MUST">MUST</em> run the following steps:
   1.447          </p>
   1.448          <ol class="rule">
   1.449 -          <li>Let <var>device descriptor file</var> contain the contents of the file located at the <abbr title=
   1.450 -          "Uniform Resource Locator">URL</abbr> provided in <var>device descriptor <abbr title=
   1.451 -          "Uniform Resource Locator">URL</abbr></var> obtained according to the rules defined in 'Section 2.11:
   1.452 -          Retrieving a description using <abbr title="Hypertext Transfer Protocol">HTTP</abbr>' in [<cite><a class=
   1.453 -          "bibref"
   1.454 +          <li>Let <var>device descriptor file</var> contain the contents of the file located at the URL provided in
   1.455 +          <var>device descriptor URL</var> obtained according to the rules defined in 'Section 2.11: Retrieving a
   1.456 +          description using <abbr title="Hypertext Transfer Protocol">HTTP</abbr>' in [<cite><a class="bibref"
   1.457                 href="#bib-UPNP-DEVICEARCH11">UPNP-DEVICEARCH11</a></cite>].
   1.458            </li>
   1.459 -          <li>If the value provided in <var>device descriptor <abbr title="Uniform Resource Locator">URL</abbr></var>
   1.460 -          cannot be resolved as a reachable <abbr title="Uniform Resource Locator">URL</abbr> on the current network or
   1.461 -          the <var>device descriptor file</var> remains empty then it is invalid and the <a href="#dfn-user-agent"
   1.462 +          <li>If the value provided in <var>device descriptor URL</var> cannot be resolved as a reachable URL on the
   1.463 +          current network or the <var>device descriptor file</var> remains empty then it is invalid and the <a href=
   1.464 +          "#dfn-user-agent"
   1.465                  class="internalDFN">user agent</a> <em class="rfc2119"
   1.466                  title="MUST">MUST</em> abort any remaining steps and return.
   1.467            </li>
   1.468 @@ -2142,9 +2248,16 @@
   1.469                <li>Set <var>network service record</var>'s <code>expiryTimestamp</code> property to the value of the
   1.470                current date, in UTC timestamp format, plus the value of <var>device expiry</var>.
   1.471                </li>
   1.472 -              <li>Run the general rule for <a href="#dfn-adding-an-available-service"
   1.473 +              <li>If the result of running the <a href="#dfn-cors-preflight-check"
   1.474 +                    class="internalDFN">CORS preflight check</a> algorithm is <code>pass</code>, passing in the current
   1.475 +                    <var>network service record</var>'s <code>url</code> property as the only argument, or the current
   1.476 +                    <var>network service record</var>'s <code>type</code> property is present in the <a href=
   1.477 +                    "#dfn-network-services-whitelist"
   1.478 +                    class="internalDFN">network services whitelist</a> then run the general rule for <a href=
   1.479 +                    "#dfn-adding-an-available-service"
   1.480                      class="internalDFN">adding an available service</a>, passing in the current <var>network service
   1.481 -                    record</var> as the only argument.
   1.482 +                    record</var> as the only argument. Otherwise, discard the current <var>network service
   1.483 +                    record</var>.
   1.484                </li>
   1.485              </ol>
   1.486            </li>
   1.487 @@ -2195,16 +2308,15 @@
   1.488                  class="internalDFN">user agent</a> <em class="rfc2119"
   1.489                  title="MUST">MUST</em> abort these steps.
   1.490            </li>
   1.491 -          <li>Let <var>callback <abbr title="Uniform Resource Locator">URL</abbr></var> be the value of creating a new
   1.492 -          <a href="#dfn-user-agent-generated-callback-url"
   1.493 +          <li>Let <var>callback URL</var> be the value of creating a new <a href=
   1.494 +          "#dfn-user-agent-generated-callback-url"
   1.495                  class="internalDFN">user-agent generated callback url</a>.
   1.496            </li>
   1.497            <li>Send a <abbr title="Hypertext Transfer Protocol">HTTP</abbr> SUBSCRIBE request with a <em>NT</em> header
   1.498            with a string value of <code>upnp:event</code>, a <em>TIMEOUT</em> header with a user-agent defined timeout
   1.499            value (in the form <code>Second-XX</code> where <code>XX</code> is the user-agent defined timeout value in
   1.500 -          seconds) and a <em>CALLBACK</em> header with a string value of <var>callback <abbr title=
   1.501 -          "Uniform Resource Locator">URL</abbr></var> towards the <var>network service record</var>'s
   1.502 -          <code>eventsUrl</code> property.
   1.503 +          seconds) and a <em>CALLBACK</em> header with a string value of <var>callback URL</var> towards the
   1.504 +          <var>network service record</var>'s <code>eventsUrl</code> property.
   1.505            </li>
   1.506            <li>If a non-200 OK response is received from the <abbr title="Hypertext Transfer Protocol">HTTP</abbr>
   1.507            SUBSCRIBE request then the <a href="#dfn-user-agent"
   1.508 @@ -2252,8 +2364,7 @@
   1.509                </li>
   1.510                <li>
   1.511                  <em>Listen</em>: For each <abbr title="Hypertext Transfer Protocol">HTTP</abbr> NOTIFY request received
   1.512 -                at the <var>callback <abbr title="Uniform Resource Locator">URL</abbr></var> the <a href=
   1.513 -                "#dfn-user-agent"
   1.514 +                at the <var>callback URL</var> the <a href="#dfn-user-agent"
   1.515                      class="internalDFN">user agent</a> is to run the following steps:
   1.516                  <ol class="rule">
   1.517                    <li>Let <var>content clone</var> be the result of obtaining the message body of the <abbr title=
   1.518 @@ -2384,41 +2495,35 @@
   1.519            <li>The user agent <em class="rfc2119"
   1.520                  title="MUST">MUST</em> run the rule for <a href="#dfn-obtaining-a-upnp-device-description-file"
   1.521                  class="internalDFN">obtaining a UPnP Device Description File</a> passing in the first occurrence of
   1.522 -                <var>LOCATION</var> from <var>dial device</var> as the <var>device descriptor <abbr title=
   1.523 -                "Uniform Resource Locator">URL</abbr></var> argument and the first occurrence of <var>USN</var> from
   1.524 -                <var>dial device</var> as the <var>device identifier</var> argument and the first occurrence of
   1.525 -                <var>CACHE-CONTROL</var> from <var>dial device</var> (minus the leading string of
   1.526 -                <code>max-age=</code>) as the <var>device expiry</var> argument.
   1.527 +                <var>LOCATION</var> from <var>dial device</var> as the <var>device descriptor URL</var> argument and
   1.528 +                the first occurrence of <var>USN</var> from <var>dial device</var> as the <var>device identifier</var>
   1.529 +                argument and the first occurrence of <var>CACHE-CONTROL</var> from <var>dial device</var> (minus the
   1.530 +                leading string of <code>max-age=</code>) as the <var>device expiry</var> argument.
   1.531            </li>
   1.532          </ol>
   1.533          <p>
   1.534            The rule for <dfn id="dfn-obtaining-a-dial-device-description-file">obtaining a <abbr title=
   1.535            "Discovery and Launch Protocol">DIAL</abbr> Device Description File</dfn> is the process of obtaining the
   1.536            contents of a standard UPnP Device Description [<cite><a class="bibref"
   1.537 -             href="#bib-UPNP-DEVICEARCH11">UPNP-DEVICEARCH11</a></cite>] from a <abbr title=
   1.538 -             "Uniform Resource Locator">URL</abbr>-based resource. This rule takes three arguments - <var>device
   1.539 -             descriptor <abbr title="Uniform Resource Locator">URL</abbr></var>, <var>device identifier</var> and
   1.540 -             <var>device expiry</var> - and when called the user agent <em class="rfc2119"
   1.541 +             href="#bib-UPNP-DEVICEARCH11">UPNP-DEVICEARCH11</a></cite>] from a URL-based resource. This rule takes
   1.542 +             three arguments - <var>device descriptor URL</var>, <var>device identifier</var> and <var>device
   1.543 +             expiry</var> - and when called the user agent <em class="rfc2119"
   1.544               title="MUST">MUST</em> run the following steps:
   1.545          </p>
   1.546          <ol class="rule">
   1.547 -          <li>Let <var>device descriptor file</var> contain the contents of the file located at the <abbr title=
   1.548 -          "Uniform Resource Locator">URL</abbr> provided in <var>device descriptor <abbr title=
   1.549 -          "Uniform Resource Locator">URL</abbr></var> obtained according to the rules defined in 'Section 2.11:
   1.550 -          Retrieving a description using <abbr title="Hypertext Transfer Protocol">HTTP</abbr>' in [<cite><a class=
   1.551 -          "bibref"
   1.552 +          <li>Let <var>device descriptor file</var> contain the contents of the file located at the URL provided in
   1.553 +          <var>device descriptor URL</var> obtained according to the rules defined in 'Section 2.11: Retrieving a
   1.554 +          description using <abbr title="Hypertext Transfer Protocol">HTTP</abbr>' in [<cite><a class="bibref"
   1.555                 href="#bib-UPNP-DEVICEARCH11">UPNP-DEVICEARCH11</a></cite>].
   1.556            </li>
   1.557 -          <li>Let <var>application url</var> be the value of the first occurrence of the
   1.558 -            <code>Application-<abbr title="Uniform Resource Locator">URL</abbr></code> response header field obtained
   1.559 -            according to the rules defined in 'Section 5.4: Device Description Response' in [<a href=
   1.560 -            "https://sites.google.com/a/dial-multiscreen.org/dial/dial-protocol-specification"><abbr title=
   1.561 -            "Discovery and Launch Protocol">DIAL</abbr></a>]
   1.562 +          <li>Let <var>application url</var> be the value of the first occurrence of the <code>Application-URL</code>
   1.563 +          response header field obtained according to the rules defined in 'Section 5.4: Device Description Response'
   1.564 +          in [<a href="https://sites.google.com/a/dial-multiscreen.org/dial/dial-protocol-specification"><abbr title=
   1.565 +          "Discovery and Launch Protocol">DIAL</abbr></a>]
   1.566            </li>
   1.567 -          <li>If the value provided in <var>device descriptor <abbr title="Uniform Resource Locator">URL</abbr></var>
   1.568 -          cannot be resolved as a reachable <abbr title="Uniform Resource Locator">URL</abbr> on the current network or
   1.569 -          the <var>device descriptor file</var> remains empty or <var>application url</var> is undefined then it is
   1.570 -          invalid and the <a href="#dfn-user-agent"
   1.571 +          <li>If the value provided in <var>device descriptor URL</var> cannot be resolved as a reachable URL on the
   1.572 +          current network or the <var>device descriptor file</var> remains empty or <var>application url</var> is
   1.573 +          undefined then it is invalid and the <a href="#dfn-user-agent"
   1.574                  class="internalDFN">user agent</a> <em class="rfc2119"
   1.575                  title="MUST">MUST</em> abort any remaining steps and return.
   1.576            </li>
   1.577 @@ -2447,9 +2552,16 @@
   1.578                <li>Set <var>network service record</var>'s <code>expiryTimestamp</code> property to the value of the
   1.579                current date, in UTC timestamp format, plus the value of <var>device expiry</var>.
   1.580                </li>
   1.581 -              <li>Run the general rule for <a href="#dfn-adding-an-available-service"
   1.582 +              <li>If the result of running the <a href="#dfn-cors-preflight-check"
   1.583 +                    class="internalDFN">CORS preflight check</a> algorithm is <code>pass</code>, passing in the current
   1.584 +                    <var>network service record</var>'s <code>url</code> property as the only argument, or the current
   1.585 +                    <var>network service record</var>'s <code>type</code> property is present in the <a href=
   1.586 +                    "#dfn-network-services-whitelist"
   1.587 +                    class="internalDFN">network services whitelist</a> then run the general rule for <a href=
   1.588 +                    "#dfn-adding-an-available-service"
   1.589                      class="internalDFN">adding an available service</a>, passing in the current <var>network service
   1.590 -                    record</var> as the only argument.
   1.591 +                    record</var> as the only argument. Otherwise, discard the current <var>network service
   1.592 +                    record</var>.
   1.593                </li>
   1.594              </ol>
   1.595            </li>
   1.596 @@ -2621,10 +2733,7 @@
   1.597             class="externalDFN"><code>Document</code></a> object goes away), the <a href="#dfn-user-agent"
   1.598             class="internalDFN">user agent</a> <em class="rfc2119"
   1.599             title="MUST">MUST</em> remove this object from the <a href="#dfn-list-of-active-service-managers"
   1.600 -           class="internalDFN">list of active service managers</a> and remove the <a href=
   1.601 -           "#dom-networkservice-url"><code>url</code></a> of each of its <a href="#dfn-indexed-properties-1"
   1.602 -           class="internalDFN">indexed properties</a> from the <a href="#dfn-entry-script-origin-s-url-whitelist"
   1.603 -           class="internalDFN">entry script origin's <abbr title="Uniform Resource Locator">URL</abbr> whitelist</a>.
   1.604 +           class="internalDFN">list of active service managers</a>.
   1.605        </p>
   1.606      </section>
   1.607      <section id="use-cases-and-requirements">
   1.608 @@ -2801,11 +2910,9 @@
   1.609  "str">"POST"</span><span class="pun">,</span><span class="pln"> services</span><span class="pun">[</span><span class=
   1.610  "lit">0</span><span class="pun">].</span><span class="pln">url </span><span class="pun">+</span><span class=
   1.611  "pln"> </span><span class="str">"/getAlbums"</span><span class="pun">);</span><span class="pln"> </span><span class=
   1.612 -"com">// services[0].url and its sub-resources have been</span><span class="pln">
   1.613 +"com">// services[0].url and its sub-resources are</span><span class="pln">
   1.614                                                          </span><span class=
   1.615 -"com">// whitelisted for cross-site XHR use in this</span><span class="pln">
   1.616 -                                                        </span><span class=
   1.617 -"com">// current browsing context.</span><span class="pln">
   1.618 +"com">// available for cross-site XHR use.</span><span class="pln">
   1.619  
   1.620     svcXhr</span><span class="pun">.</span><span class="pln">setRequestHeader</span><span class=
   1.621  "pun">(</span><span class="str">'Content-Type'</span><span class="pun">,</span><span class="pln"> </span><span class=
   1.622 @@ -3067,12 +3174,9 @@
   1.623      svcXhr</span><span class="pun">.</span><span class="pln">open</span><span class="pun">(</span><span class=
   1.624  "str">"POST"</span><span class="pun">,</span><span class="pln"> services</span><span class="pun">[</span><span class=
   1.625  "lit">0</span><span class="pun">].</span><span class="pln">url</span><span class="pun">);</span><span class=
   1.626 -"pln"> </span><span class="com">// services[0].url and its</span><span class="pln">
   1.627 +"pln"> </span><span class="com">// services[0].url and its sub-resources are</span><span class="pln">
   1.628                                            </span><span class=
   1.629 -"com">// sub-resources have been whitelisted for</span><span class="pln">
   1.630 -                                          </span><span class=
   1.631 -"com">// cross-site XHR use in this current</span><span class="pln">
   1.632 -                                          </span><span class="com">// browsing context.</span><span class="pln">
   1.633 +"com">// available for cross-site XHR use.</span><span class="pln">
   1.634  
   1.635      svcXhr</span><span class="pun">.</span><span class="pln">setRequestHeader</span><span class=
   1.636  "pun">(</span><span class="str">'SOAPAction'</span><span class="pun">,</span><span class="pln"> </span><span class=
   1.637 @@ -3197,6 +3301,14 @@
   1.638          </h3>
   1.639          <dl class="bibliography"
   1.640              about="">
   1.641 +          <dt id="bib-CORS">
   1.642 +            [CORS]
   1.643 +          </dt>
   1.644 +          <dd rel="dcterms:requires">
   1.645 +            Anne van Kesteren. <a href="http://www.w3.org/TR/cors/"><cite>Cross-Origin Resource Sharing</cite></a>. 29
   1.646 +            January 2013. W3C Candidate Recommendation. URL: <a href=
   1.647 +            "http://www.w3.org/TR/cors/">http://www.w3.org/TR/cors/</a>
   1.648 +          </dd>
   1.649            <dt id="bib-DNS-SD">
   1.650              [DNS-SD]
   1.651            </dt>