Merge Anne's change: Oct 11, 2012, User/password are always safe as they require a preflight request for
author Jungkee Song <jungkee.song@samsung.com>
Mon, 19 Nov 2012 11:53:13 +0900
changeset 86 e9af69ec538e
parent 85 cff809cbf044
child 87 6635621fc9d9
Merge Anne's change: Oct 11, 2012, User/password are always safe as they require a preflight request for
Overview.html
Overview.src.html
--- a/Overview.html	Mon Nov 12 18:46:01 2012 +0900
+++ b/Overview.html	Mon Nov 19 11:53:13 2012 +0900
@@ -48,7 +48,7 @@
 
    <h1 class="head" id="xmlhttprequest-ls">XMLHttpRequest</h1>
 
-   <h2 class="no-num no-toc" id="w3c-doctype">Editor's Draft 12 November 2012</h2>
+   <h2 class="no-num no-toc" id="w3c-doctype">Editor's Draft 19 November 2012</h2>
 
    <dl>
     <dt>This Version:</dt>
@@ -118,7 +118,7 @@
   found in the <a href="http://www.w3.org/TR/">W3C technical reports index</a>
   at http://www.w3.org/TR/.</em></p>
 
-  <p>This is the 12 November 2012 W3C Editor's Draft of XMLHttpRequest.
+  <p>This is the 19 November 2012 W3C Editor's Draft of XMLHttpRequest.
   Please send comments to
   <a href="mailto:[email protected]?subject=[XHR]%20">[email protected]</a>
   (<a href="http://lists.w3.org/Archives/Public/public-webapps/">archived</a>)
@@ -454,7 +454,7 @@
   readonly attribute unsigned short <a href="#dom-xmlhttprequest-readystate" title="dom-XMLHttpRequest-readyState">readyState</a>;
 
   // <a href="#request">request</a>
-  void <a href="#dom-xmlhttprequest-open" title="dom-XMLHttpRequest-open">open</a>(ByteString <var>method</var>, DOMString <var title="">url</var>, optional boolean <var>async</var> = true, optional DOMString? <var>user</var>, optional DOMString? <var>password</var>);
+  void <a href="#dom-xmlhttprequest-open" title="dom-XMLHttpRequest-open">open</a>(ByteString <var>method</var>, DOMString <var title="">url</var>, optional boolean <var>async</var> = true, optional DOMString? <var>user</var> = null, optional DOMString? <var>password</var> = null);
   void <a href="#dom-xmlhttprequest-setrequestheader" title="dom-XMLHttpRequest-setRequestHeader">setRequestHeader</a>(ByteString <var>header</var>, ByteString <var>value</var>);
            attribute unsigned long <a href="#dom-xmlhttprequest-timeout" title="dom-XMLHttpRequest-timeout">timeout</a>;
            attribute boolean <a href="#dom-xmlhttprequest-withcredentials" title="dom-XMLHttpRequest-withCredentials">withCredentials</a>;
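Review bot: The added `= null` defaults on `user` and `password` in the IDL make an omitted argument indistinguishable from an explicit `null`; the rewritten open() steps later in this patch depend on that when they test "is not null" instead of "was not omitted", so the IDL and algorithm changes must land together. The changeset description is truncated and does not mention that the open() signature changed; a sentence noting the new defaults would help readers of the history.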
@@ -780,23 +780,14 @@
     <code>CONNECT</code>, <code>TRACE</code> or <code>TRACK</code>.</p>
 
     <p>Throws an "<code class="external"><a href="http://dev.w3.org/2006/webapi/DOM4Core/#invalidaccesserror">InvalidAccessError</a></code>"
-    exception if one of the following is true:</p>
-
-    <ul>
-     <li>Either <var title="">user</var> or <var title="">password</var> is passed
-     as argument and the <a class="external" href="http://www.whatwg.org/specs/web-apps/current-work/multipage/origin-0.html#origin">origin</a> of
-     <var title="">url</var> does not match the
-     <a href="#xmlhttprequest-origin"><code>XMLHttpRequest</code> origin</a>.
-     <li>There is an associated
-     <a href="#xmlhttprequest-document"><code>XMLHttpRequest</code> document</a> and either the
-     <code title="dom-XMLHttpRequest-timeout"><a href="#dom-xmlhttprequest-timeout">timeout</a></code> attribute is not
-     zero, the
-     <code title="dom-XMLHttpRequest-withCredentials"><a href="#dom-xmlhttprequest-withcredentials">withCredentials</a></code>
-     attribute is true, or the
-     <code title="dom-XMLHttpRequest-responseType"><a href="#dom-xmlhttprequest-responsetype">responseType</a></code>
-     attribute is not the empty string.
-    </ul>
-   </dd>
+    exception if there is an associated
+    <a href="#xmlhttprequest-document"><code>XMLHttpRequest</code> document</a> and either the
+    <code title="dom-XMLHttpRequest-timeout"><a href="#dom-xmlhttprequest-timeout">timeout</a></code> attribute is not
+    zero, the
+    <code title="dom-XMLHttpRequest-withCredentials"><a href="#dom-xmlhttprequest-withcredentials">withCredentials</a></code>
+    attribute is true, or the
+    <code title="dom-XMLHttpRequest-responseType"><a href="#dom-xmlhttprequest-responsetype">responseType</a></code>
+    attribute is not the empty string.
   </dl>
 
   <p>The
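Review bot: The replacement text drops the explicit `</dd>` that the removed lines had (old line `   </dd>`) while keeping the following `</dl>`; `</dd>` is optional in HTML, but the removed text closed the item explicitly, so keep `</dd>` before `</dl>` for consistency. Also, the removed first bullet was the only place the open() description stated an origin condition for `user`/`password`; if the intent is that cross-origin credentials are now permitted because they require a preflight request, as the changeset description says, the description paragraph should state that rather than having the condition silently disappear.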
@@ -910,46 +901,12 @@
    "<code class="external"><a href="http://dev.w3.org/2006/webapi/DOM4Core/#invalidaccesserror">InvalidAccessError</a></code>" exception and
    terminate these steps.
 
-   <li>
-    <p>If the <var title="">user</var> argument was not omitted follow these
-    substeps:</p>
-
-    <ol>
-     <li><p>If <var title="">user</var> is not null and the
-     <a class="external" href="http://www.whatwg.org/specs/web-apps/current-work/multipage/origin-0.html#origin">origin</a> of <var title="">url</var> is not
-     <a class="external" href="http://www.whatwg.org/specs/web-apps/current-work/multipage/origin-0.html#same-origin">same origin</a> with the
-     <a href="#xmlhttprequest-origin"><code>XMLHttpRequest</code> origin</a>,
-     <a class="external" href="http://dev.w3.org/2006/webapi/DOM4Core/#concept-throw" title="concept-throw">throw</a> an
-     "<code class="external"><a href="http://dev.w3.org/2006/webapi/DOM4Core/#invalidaccesserror">InvalidAccessError</a></code>" exception and
-     terminate the overall set of steps.
-
-     <li><p>Let <var>temp user</var> be <var>user</var>.</li>
-    </ol>
-
-    <p class="note">These steps override anything that may have been set by
-    the <var title="">url</var> argument.</p>
-   </li>
-
-   <li>
-    <p>If the <var title="">password</var> argument was not omitted follow
-    these substeps:</p>
-
-    <ol>
-     <li><p>If <var title="">password</var> is not null and the
-     <a class="external" href="http://www.whatwg.org/specs/web-apps/current-work/multipage/origin-0.html#origin">origin</a> of <var title="">url</var> is not
-     <a class="external" href="http://www.whatwg.org/specs/web-apps/current-work/multipage/origin-0.html#same-origin">same origin</a> with the
-     <a href="#xmlhttprequest-origin"><code>XMLHttpRequest</code> origin</a>,
-     <a class="external" href="http://dev.w3.org/2006/webapi/DOM4Core/#concept-throw" title="concept-throw">throw</a> an
-     "<code class="external"><a href="http://dev.w3.org/2006/webapi/DOM4Core/#invalidaccesserror">InvalidAccessError</a></code>" exception and
-     terminate the overall set of steps.</li>
-
-     <li><p>Let <var>temp password</var> be <var>password</var>.</li>
-    </ol>
-
-    <p class="note">These steps override anything that may have been set by
-    the <var title="">url</var> argument.</p>
-   </li>
-
+   <li><p>If the <var title="">user</var> argument is not null, set
+   <var>temp user</var> to <var>user</var>.
+
+   <li><p>If the <var title="">password</var> argument is not null, set
+   <var>temp password</var> to <var>password</var>.
+   
    <li><p><a href="#terminate-abort()" title="terminate abort()">Terminate the <code>abort()</code> algorithm</a>.</li>
 
    <li><p><a href="#terminate-send()" title="terminate send()">Terminate the <code>send()</code> algorithm</a>.</li>
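Review bot: The two new `<li><p>` steps are left unclosed while the neighbouring steps (`Terminate the abort() algorithm`, `Terminate the send() algorithm`) close with `</li>`; close them the same way, and strip the trailing whitespace from the blank `+` line after the password step. The dropped note "These steps override anything that may have been set by the url argument" still applies to the new steps and was the only statement of precedence between credentials embedded in `url` and the arguments; keep it as a single note after the password step, e.g. `<p class="note">These steps override anything that may have been set by the <var title="">url</var> argument.</p>`.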
@@ -1555,15 +1512,6 @@
        <dd>Set if the <a href="#upload-events-flag">upload events flag</a> is set.
       </dl>
 
-      <p class="note"><a href="#request-username">Request username</a> and
-      <a href="#request-password">request password</a> are always ignored as part of a
-      <a class="external" href="http://fetch.spec.whatwg.org/#cross-origin-request">cross-origin request</a>; including
-      them would allow a site to perform a distributed password search.
-      However, user agents will include <a href="#user-credentials">user credentials</a> in the
-      request (if the user has any and if
-      <code title="dom-XMLHttpRequest-withCredentials"><a href="#dom-xmlhttprequest-withcredentials">withCredentials</a></code>
-      is true).</p>
-
       <dl class="switch">
        <dt>If the <a href="#synchronous-flag">synchronous flag</a> is set</dt>
        <dd>
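Review bot: Removing this note together with the same-origin check in open() leaves the document with no statement of how request username and request password are handled on a cross-origin request, and deletes the only recorded rationale (the distributed password search concern) for the restriction that existed. The changeset description says they are safe because they require a preflight request; that reasoning belongs in the spec text, so replace the note instead of deleting it, e.g. `<p class="note">Request username and request password are safe to include in a cross-origin request, as they require a preflight request.</p>`, keeping the existing link to the cross-origin request definition.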
--- a/Overview.src.html	Mon Nov 12 18:46:01 2012 +0900
+++ b/Overview.src.html	Mon Nov 19 11:53:13 2012 +0900
@@ -418,7 +418,7 @@
   readonly attribute unsigned short <span title="dom-XMLHttpRequest-readyState">readyState</span>;
 
   // <a href="#request">request</a>
-  void <span title="dom-XMLHttpRequest-open">open</span>(ByteString <var>method</var>, DOMString <var title>url</var>, optional boolean <var>async</var> = true, optional DOMString? <var>user</var>, optional DOMString? <var>password</var>);
+  void <span title="dom-XMLHttpRequest-open">open</span>(ByteString <var>method</var>, DOMString <var title>url</var>, optional boolean <var>async</var> = true, optional DOMString? <var>user</var> = null, optional DOMString? <var>password</var> = null);
   void <span title="dom-XMLHttpRequest-setRequestHeader">setRequestHeader</span>(ByteString <var>header</var>, ByteString <var>value</var>);
            attribute unsigned long <span title="dom-XMLHttpRequest-timeout">timeout</span>;
            attribute boolean <span title="dom-XMLHttpRequest-withCredentials">withCredentials</span>;
@@ -744,23 +744,14 @@
     <code>CONNECT</code>, <code>TRACE</code> or <code>TRACK</code>.</p>
 
     <p>Throws an "<code data-anolis-spec=dom>InvalidAccessError</code>"
-    exception if one of the following is true:</p>
-
-    <ul>
-     <li>Either <var title>user</var> or <var title>password</var> is passed
-     as argument and the <span data-anolis-spec=html>origin</span> of
-     <var title>url</var> does not match the
-     <span><code>XMLHttpRequest</code> origin</span>.
-     <li>There is an associated
-     <span><code>XMLHttpRequest</code> document</span> and either the
-     <code title=dom-XMLHttpRequest-timeout>timeout</code> attribute is not
-     zero, the
-     <code title=dom-XMLHttpRequest-withCredentials>withCredentials</code>
-     attribute is true, or the
-     <code title=dom-XMLHttpRequest-responseType>responseType</code>
-     attribute is not the empty string.
-    </ul>
-   </dd>
+    exception if there is an associated
+    <span><code>XMLHttpRequest</code> document</span> and either the
+    <code title=dom-XMLHttpRequest-timeout>timeout</code> attribute is not
+    zero, the
+    <code title=dom-XMLHttpRequest-withCredentials>withCredentials</code>
+    attribute is true, or the
+    <code title=dom-XMLHttpRequest-responseType>responseType</code>
+    attribute is not the empty string.
   </dl>
 
   <p>The
@@ -874,46 +865,12 @@
    "<code data-anolis-spec=dom>InvalidAccessError</code>" exception and
    terminate these steps.
 
-   <li>
-    <p>If the <var title>user</var> argument was not omitted follow these
-    substeps:</p>
-
-    <ol>
-     <li><p>If <var title>user</var> is not null and the
-     <span data-anolis-spec=html>origin</span> of <var title>url</var> is not
-     <span data-anolis-spec=html>same origin</span> with the
-     <span><code>XMLHttpRequest</code> origin</span>,
-     <span data-anolis-spec=dom title=concept-throw>throw</span> an
-     "<code data-anolis-spec=dom>InvalidAccessError</code>" exception and
-     terminate the overall set of steps.
-
-     <li><p>Let <var>temp user</var> be <var>user</var>.</p></li>
-    </ol>
-
-    <p class=note>These steps override anything that may have been set by
-    the <var title>url</var> argument.</p>
-   </li>
-
-   <li>
-    <p>If the <var title>password</var> argument was not omitted follow
-    these substeps:</p>
-
-    <ol>
-     <li><p>If <var title>password</var> is not null and the
-     <span data-anolis-spec=html>origin</span> of <var title>url</var> is not
-     <span data-anolis-spec=html>same origin</span> with the
-     <span><code>XMLHttpRequest</code> origin</span>,
-     <span data-anolis-spec=dom title=concept-throw>throw</span> an
-     "<code data-anolis-spec=dom>InvalidAccessError</code>" exception and
-     terminate the overall set of steps.</p></li>
-
-     <li><p>Let <var>temp password</var> be <var>password</var>.</p></li>
-    </ol>
-
-    <p class=note>These steps override anything that may have been set by
-    the <var title>url</var> argument.</p>
-   </li>
-
+   <li><p>If the <var title>user</var> argument is not null, set
+   <var>temp user</var> to <var>user</var>.
+
+   <li><p>If the <var title>password</var> argument is not null, set
+   <var>temp password</var> to <var>password</var>.
+   
    <li><p><span title="terminate abort()">Terminate the <code>abort()</code> algorithm</span>.</p></li>
 
    <li><p><span title="terminate send()">Terminate the <code>send()</code> algorithm</span>.</p></li>
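Review bot: Same closing-tag problem as in Overview.html, and more visible here: the removed steps ended with `</p></li>` (e.g. `<li><p>Let <var>temp user</var> be <var>user</var>.</p></li>`) and the kept neighbours do too, but the two new `<li><p>` steps close neither element, and the blank `+` line after the password step carries trailing whitespace. If Overview.html is generated from this source file, fix it here (close the elements, re-add the override note) so the regenerated copy picks it up rather than patching both by hand.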
@@ -1519,15 +1476,6 @@
        <dd>Set if the <span>upload events flag</span> is set.
       </dl>
 
-      <p class=note><span>Request username</span> and
-      <span>request password</span> are always ignored as part of a
-      <span data-anolis-spec=cors>cross-origin request</span>; including
-      them would allow a site to perform a distributed password search.
-      However, user agents will include <span>user credentials</span> in the
-      request (if the user has any and if
-      <code title="dom-XMLHttpRequest-withCredentials">withCredentials</code>
-      is true).</p>
-
       <dl class=switch>
        <dt>If the <span>synchronous flag</span> is set</dt>
        <dd>