Merge Anne's change: Oct 11, 2012, User/password are always safe as they require a preflight request for
--- a/Overview.html Mon Nov 12 18:46:01 2012 +0900
+++ b/Overview.html Mon Nov 19 11:53:13 2012 +0900
@@ -48,7 +48,7 @@
<h1 class="head" id="xmlhttprequest-ls">XMLHttpRequest</h1>
- <h2 class="no-num no-toc" id="w3c-doctype">Editor's Draft 12 November 2012</h2>
+ <h2 class="no-num no-toc" id="w3c-doctype">Editor's Draft 19 November 2012</h2>
<dl>
<dt>This Version:</dt>
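Review bot: Overview.html looks like the generated counterpart of Overview.src.html (every hunk below is mirrored there with the anchors expanded), so confirm this file was regenerated from the source rather than edited by hand, otherwise the two copies drift on the next build. The date bump itself is fine.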
@@ -118,7 +118,7 @@
found in the <a href="http://www.w3.org/TR/">W3C technical reports index</a>
at http://www.w3.org/TR/.</em></p>
- <p>This is the 12 November 2012 W3C Editor's Draft of XMLHttpRequest.
+ <p>This is the 19 November 2012 W3C Editor's Draft of XMLHttpRequest.
Please send comments to
<a href="mailto:public-webapps@w3.org?subject=[XHR]%20">public-webapps@w3.org</a>
(<a href="http://lists.w3.org/Archives/Public/public-webapps/">archived</a>)
@@ -454,7 +454,7 @@
readonly attribute unsigned short <a href="#dom-xmlhttprequest-readystate" title="dom-XMLHttpRequest-readyState">readyState</a>;
// <a href="#request">request</a>
- void <a href="#dom-xmlhttprequest-open" title="dom-XMLHttpRequest-open">open</a>(ByteString <var>method</var>, DOMString <var title="">url</var>, optional boolean <var>async</var> = true, optional DOMString? <var>user</var>, optional DOMString? <var>password</var>);
+ void <a href="#dom-xmlhttprequest-open" title="dom-XMLHttpRequest-open">open</a>(ByteString <var>method</var>, DOMString <var title="">url</var>, optional boolean <var>async</var> = true, optional DOMString? <var>user</var> = null, optional DOMString? <var>password</var> = null);
void <a href="#dom-xmlhttprequest-setrequestheader" title="dom-XMLHttpRequest-setRequestHeader">setRequestHeader</a>(ByteString <var>header</var>, ByteString <var>value</var>);
attribute unsigned long <a href="#dom-xmlhttprequest-timeout" title="dom-XMLHttpRequest-timeout">timeout</a>;
attribute boolean <a href="#dom-xmlhttprequest-withcredentials" title="dom-XMLHttpRequest-withCredentials">withCredentials</a>;
@@ -780,23 +780,14 @@
<code>CONNECT</code>, <code>TRACE</code> or <code>TRACK</code>.</p>
<p>Throws an "<code class="external"><a href="http://dev.w3.org/2006/webapi/DOM4Core/#invalidaccesserror">InvalidAccessError</a></code>"
- exception if one of the following is true:</p>
-
- <ul>
- <li>Either <var title="">user</var> or <var title="">password</var> is passed
- as argument and the <a class="external" href="http://www.whatwg.org/specs/web-apps/current-work/multipage/origin-0.html#origin">origin</a> of
- <var title="">url</var> does not match the
- <a href="#xmlhttprequest-origin"><code>XMLHttpRequest</code> origin</a>.
- <li>There is an associated
- <a href="#xmlhttprequest-document"><code>XMLHttpRequest</code> document</a> and either the
- <code title="dom-XMLHttpRequest-timeout"><a href="#dom-xmlhttprequest-timeout">timeout</a></code> attribute is not
- zero, the
- <code title="dom-XMLHttpRequest-withCredentials"><a href="#dom-xmlhttprequest-withcredentials">withCredentials</a></code>
- attribute is true, or the
- <code title="dom-XMLHttpRequest-responseType"><a href="#dom-xmlhttprequest-responsetype">responseType</a></code>
- attribute is not the empty string.
- </ul>
- </dd>
+ exception if there is an associated
+ <a href="#xmlhttprequest-document"><code>XMLHttpRequest</code> document</a> and either the
+ <code title="dom-XMLHttpRequest-timeout"><a href="#dom-xmlhttprequest-timeout">timeout</a></code> attribute is not
+ zero, the
+ <code title="dom-XMLHttpRequest-withCredentials"><a href="#dom-xmlhttprequest-withcredentials">withCredentials</a></code>
+ attribute is true, or the
+ <code title="dom-XMLHttpRequest-responseType"><a href="#dom-xmlhttprequest-responsetype">responseType</a></code>
+ attribute is not the empty string.
</dl>
<p>The
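Review bot: the same-origin check on user/password is removed here without any replacement text saying why it is no longer needed; the only justification is the commit title ("always safe as they require a preflight request"). Suggest adding a short sentence beside the remaining InvalidAccessError condition stating that a cross-origin request carrying author-supplied credentials is preflighted, so the target server must opt in before they are sent. Also, the deleted `- </dd>` line means the `<dd>` is now closed implicitly by `</dl>`; HTML permits that, but check it matches how the other `<dd>` elements in this definition list are closed.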
@@ -910,46 +901,12 @@
"<code class="external"><a href="http://dev.w3.org/2006/webapi/DOM4Core/#invalidaccesserror">InvalidAccessError</a></code>" exception and
terminate these steps.
- <li>
- <p>If the <var title="">user</var> argument was not omitted follow these
- substeps:</p>
-
- <ol>
- <li><p>If <var title="">user</var> is not null and the
- <a class="external" href="http://www.whatwg.org/specs/web-apps/current-work/multipage/origin-0.html#origin">origin</a> of <var title="">url</var> is not
- <a class="external" href="http://www.whatwg.org/specs/web-apps/current-work/multipage/origin-0.html#same-origin">same origin</a> with the
- <a href="#xmlhttprequest-origin"><code>XMLHttpRequest</code> origin</a>,
- <a class="external" href="http://dev.w3.org/2006/webapi/DOM4Core/#concept-throw" title="concept-throw">throw</a> an
- "<code class="external"><a href="http://dev.w3.org/2006/webapi/DOM4Core/#invalidaccesserror">InvalidAccessError</a></code>" exception and
- terminate the overall set of steps.
-
- <li><p>Let <var>temp user</var> be <var>user</var>.</li>
- </ol>
-
- <p class="note">These steps override anything that may have been set by
- the <var title="">url</var> argument.</p>
- </li>
-
- <li>
- <p>If the <var title="">password</var> argument was not omitted follow
- these substeps:</p>
-
- <ol>
- <li><p>If <var title="">password</var> is not null and the
- <a class="external" href="http://www.whatwg.org/specs/web-apps/current-work/multipage/origin-0.html#origin">origin</a> of <var title="">url</var> is not
- <a class="external" href="http://www.whatwg.org/specs/web-apps/current-work/multipage/origin-0.html#same-origin">same origin</a> with the
- <a href="#xmlhttprequest-origin"><code>XMLHttpRequest</code> origin</a>,
- <a class="external" href="http://dev.w3.org/2006/webapi/DOM4Core/#concept-throw" title="concept-throw">throw</a> an
- "<code class="external"><a href="http://dev.w3.org/2006/webapi/DOM4Core/#invalidaccesserror">InvalidAccessError</a></code>" exception and
- terminate the overall set of steps.</li>
-
- <li><p>Let <var>temp password</var> be <var>password</var>.</li>
- </ol>
-
- <p class="note">These steps override anything that may have been set by
- the <var title="">url</var> argument.</p>
- </li>
-
+ <li><p>If the <var title="">user</var> argument is not null, set
+ <var>temp user</var> to <var>user</var>.
+
+ <li><p>If the <var title="">password</var> argument is not null, set
+ <var>temp password</var> to <var>password</var>.
+
<li><p><a href="#terminate-abort()" title="terminate abort()">Terminate the <code>abort()</code> algorithm</a>.</li>
<li><p><a href="#terminate-send()" title="terminate send()">Terminate the <code>send()</code> algorithm</a>.</li>
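Review bot: there is a behaviour change hidden in the simplification. Under the old substeps an explicitly passed null reached `Let temp user be user` (the null check guarded only the origin test), so `open(method, url, true, null)` cleared whatever username the url carried; under the new `If the user argument is not null, set temp user to user` an explicit null is ignored and the URL's credentials survive. Same for password. If that is intended, say so in the changeset; if not, keep a step that assigns null when the argument was passed.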
@@ -1555,15 +1512,6 @@
<dd>Set if the <a href="#upload-events-flag">upload events flag</a> is set.
</dl>
- <p class="note"><a href="#request-username">Request username</a> and
- <a href="#request-password">request password</a> are always ignored as part of a
- <a class="external" href="http://fetch.spec.whatwg.org/#cross-origin-request">cross-origin request</a>; including
- them would allow a site to perform a distributed password search.
- However, user agents will include <a href="#user-credentials">user credentials</a> in the
- request (if the user has any and if
- <code title="dom-XMLHttpRequest-withCredentials"><a href="#dom-xmlhttprequest-withcredentials">withCredentials</a></code>
- is true).</p>
-
<dl class="switch">
<dt>If the <a href="#synchronous-flag">synchronous flag</a> is set</dt>
<dd>
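Review bot: deleting this paragraph removes the spec's only statement of the risk (a site performing a distributed password search) and of the observable behaviour (request username/password ignored cross-origin; user credentials sent only when withCredentials is true). If request username and password are now sent cross-origin because the preflight gates them, that is a normative change to the send() algorithm and should be stated there, not just implied by removing a note; at minimum replace the note with one explaining that the preflight is what makes sending them acceptable, so readers are not left with no rationale at all.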
--- a/Overview.src.html Mon Nov 12 18:46:01 2012 +0900
+++ b/Overview.src.html Mon Nov 19 11:53:13 2012 +0900
@@ -418,7 +418,7 @@
readonly attribute unsigned short <span title="dom-XMLHttpRequest-readyState">readyState</span>;
// <a href="#request">request</a>
- void <span title="dom-XMLHttpRequest-open">open</span>(ByteString <var>method</var>, DOMString <var title>url</var>, optional boolean <var>async</var> = true, optional DOMString? <var>user</var>, optional DOMString? <var>password</var>);
+ void <span title="dom-XMLHttpRequest-open">open</span>(ByteString <var>method</var>, DOMString <var title>url</var>, optional boolean <var>async</var> = true, optional DOMString? <var>user</var> = null, optional DOMString? <var>password</var> = null);
void <span title="dom-XMLHttpRequest-setRequestHeader">setRequestHeader</span>(ByteString <var>header</var>, ByteString <var>value</var>);
attribute unsigned long <span title="dom-XMLHttpRequest-timeout">timeout</span>;
attribute boolean <span title="dom-XMLHttpRequest-withCredentials">withCredentials</span>;
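Review bot: the `= null` defaults on user and password are what let the open() algorithm swap "was not omitted" for "is not null", but they also make an omitted argument and an explicit null indistinguishable at the IDL level. That is consistent with the new algorithm text, so no change requested here; just make sure the algorithm hunk below documents that an explicit null no longer has any effect.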
@@ -744,23 +744,14 @@
<code>CONNECT</code>, <code>TRACE</code> or <code>TRACK</code>.</p>
<p>Throws an "<code data-anolis-spec=dom>InvalidAccessError</code>"
- exception if one of the following is true:</p>
-
- <ul>
- <li>Either <var title>user</var> or <var title>password</var> is passed
- as argument and the <span data-anolis-spec=html>origin</span> of
- <var title>url</var> does not match the
- <span><code>XMLHttpRequest</code> origin</span>.
- <li>There is an associated
- <span><code>XMLHttpRequest</code> document</span> and either the
- <code title=dom-XMLHttpRequest-timeout>timeout</code> attribute is not
- zero, the
- <code title=dom-XMLHttpRequest-withCredentials>withCredentials</code>
- attribute is true, or the
- <code title=dom-XMLHttpRequest-responseType>responseType</code>
- attribute is not the empty string.
- </ul>
- </dd>
+ exception if there is an associated
+ <span><code>XMLHttpRequest</code> document</span> and either the
+ <code title=dom-XMLHttpRequest-timeout>timeout</code> attribute is not
+ zero, the
+ <code title=dom-XMLHttpRequest-withCredentials>withCredentials</code>
+ attribute is true, or the
+ <code title=dom-XMLHttpRequest-responseType>responseType</code>
+ attribute is not the empty string.
</dl>
<p>The
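Review bot: with the bulleted list gone, the `<dd>` opened for this definition is no longer closed by the `- </dd>` line that was removed and now relies on the following `</dl>` to end it; fine for HTML parsing, but since this is the Anolis source it is worth keeping the explicit `</dd>` so the generated Overview.html stays well-formed in the same way as its neighbours. The remaining condition text ("either the timeout attribute is not zero, the withCredentials attribute is true, or the responseType attribute is not the empty string") reads correctly as a single sentence.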
@@ -874,46 +865,12 @@
"<code data-anolis-spec=dom>InvalidAccessError</code>" exception and
terminate these steps.
- <li>
- <p>If the <var title>user</var> argument was not omitted follow these
- substeps:</p>
-
- <ol>
- <li><p>If <var title>user</var> is not null and the
- <span data-anolis-spec=html>origin</span> of <var title>url</var> is not
- <span data-anolis-spec=html>same origin</span> with the
- <span><code>XMLHttpRequest</code> origin</span>,
- <span data-anolis-spec=dom title=concept-throw>throw</span> an
- "<code data-anolis-spec=dom>InvalidAccessError</code>" exception and
- terminate the overall set of steps.
-
- <li><p>Let <var>temp user</var> be <var>user</var>.</p></li>
- </ol>
-
- <p class=note>These steps override anything that may have been set by
- the <var title>url</var> argument.</p>
- </li>
-
- <li>
- <p>If the <var title>password</var> argument was not omitted follow
- these substeps:</p>
-
- <ol>
- <li><p>If <var title>password</var> is not null and the
- <span data-anolis-spec=html>origin</span> of <var title>url</var> is not
- <span data-anolis-spec=html>same origin</span> with the
- <span><code>XMLHttpRequest</code> origin</span>,
- <span data-anolis-spec=dom title=concept-throw>throw</span> an
- "<code data-anolis-spec=dom>InvalidAccessError</code>" exception and
- terminate the overall set of steps.</p></li>
-
- <li><p>Let <var>temp password</var> be <var>password</var>.</p></li>
- </ol>
-
- <p class=note>These steps override anything that may have been set by
- the <var title>url</var> argument.</p>
- </li>
-
+ <li><p>If the <var title>user</var> argument is not null, set
+ <var>temp user</var> to <var>user</var>.
+
+ <li><p>If the <var title>password</var> argument is not null, set
+ <var>temp password</var> to <var>password</var>.
+
<li><p><span title="terminate abort()">Terminate the <code>abort()</code> algorithm</span>.</p></li>
<li><p><span title="terminate send()">Terminate the <code>send()</code> algorithm</span>.</p></li>
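Review bot: the removed `<p class=note>These steps override anything that may have been set by the url argument.</p>` was the only place the spec stated that the user/password arguments take precedence over credentials embedded in url; with the two new one-line steps that precedence is only implied by step order. Suggest keeping one such note after the second step. Style point: the new `<li><p>` items are not closed with `</p></li>` while the adjacent `Terminate the abort() algorithm` and `Terminate the send() algorithm` items are; keep the source consistent.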
@@ -1519,15 +1476,6 @@
<dd>Set if the <span>upload events flag</span> is set.
</dl>
- <p class=note><span>Request username</span> and
- <span>request password</span> are always ignored as part of a
- <span data-anolis-spec=cors>cross-origin request</span>; including
- them would allow a site to perform a distributed password search.
- However, user agents will include <span>user credentials</span> in the
- request (if the user has any and if
- <code title="dom-XMLHttpRequest-withCredentials">withCredentials</code>
- is true).</p>
-
<dl class=switch>
<dt>If the <span>synchronous flag</span> is set</dt>
<dd>
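Review bot: removing `<span data-anolis-spec=cors>cross-origin request</span>` may leave the CORS entry in the references section without any remaining cross-reference; check whether another `data-anolis-spec=cors` anchor still exists, otherwise the bibliography entry becomes dangling (or Anolis drops it silently). As with the generated file, the security rationale for ignoring request username/password cross-origin disappears entirely here; a one-sentence replacement note tying the new behaviour to the preflight would keep the reasoning in the document.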