原文链接:https://www.w3.org/TR/2011/WD-html5-20110525/origin-0.html
这里只是做下记录:
5.3 Origin — HTML5
This is a work in progress! For the latest updates from the HTML WG, possibly including important bug fixes, please look at the editor's draft instead. There may also be a more up-to-date Working Draft with changes based on resolution of Last Call issues.
HTML5
5.3 Origin
The origin of a resource and the effective script origin of a resource are both either opaque identifiers or tuples consisting of a scheme component, a host component, a port component, and optionally extra data.
The extra data could include the certificate of the site when using encrypted connections, to ensure that if the site's secure certificate changes, the origin is considered to change as well.
These characteristics are defined as follows:
- For URLs
-
The origin and effective script origin of the URL is whatever is returned by the following algorithm:
-
Let url be the URL for which the origin is being determined.
-
Parse url.
-
If url identifies a resource that is its own trust domain (e.g. it identifies an e-mail on an IMAP server or a post on an NNTP server) then return a globally unique identifier specific to the resource identified by url, so that if this algorithm is invoked again for URLs that identify the same resource, the same identifier will be returned.
-
If url does not use a server-based naming authority, or if parsing url failed, or if url is not an absolute URL, then return a new globally unique identifier.
-
Let scheme be the <scheme> component of url, converted to ASCII lowercase.
-
If the UA doesn't support the protocol given by scheme, then return a new globally unique identifier.
-
If scheme is "
file
", then the user agent may return a UA-specific value. -
Let host be the <host> component of url.
-
Apply the IDNA ToASCII algorithm to host, with both the AllowUnassigned and UseSTD3ASCIIRules flags set. Let host be the result of the ToASCII algorithm.
If ToASCII fails to convert one of the components of the string, e.g. because it is too long or because it contains invalid characters, then return a new globally unique identifier. [RFC3490]
-
Let host be the result of converting host to ASCII lowercase.
-
If there is no <port> component, then let port be the default port for the protocol given by scheme. Otherwise, let port be the <port> component of url.
-
Return the tuple (scheme, host, port).
In addition, if the URL is in fact associated with a
Document
object that was created by parsing the resource obtained from fetching URL, and this was done over a secure connection, then the server's secure certificate may be added to the origin as additional data. -
- For scripts
-
The origin and effective script origin of a script are determined from another resource, called the owner:
- If a script is in a
script
element - The owner is the
Document
to which thescript
element belongs. - If a script is in an event handler content attribute
- The owner is the
Document
to which the attribute node belongs. - If a script is a function or other code reference created by another script
- The owner is the script that created it.
- If a script is a
javascript:
URL that was returned as the location of an HTTP redirect (or equivalent in other protocols) - The owner is the URL that redirected to the
javascript:
URL. - If a script is a
javascript:
URL in an attribute - The owner is the
Document
of the element on which the attribute is found. - If a script is a
javascript:
URL in a style sheet - The owner is the URL of the style sheet.
- If a script is a
javascript:
URL to which a browsing context is being navigated, the URL having been provided by the user (e.g. by using a bookmarklet) - The owner is the
Document
of the browsing context's active document. - If a script is a
javascript:
URL to which a browsing context is being navigated, the URL having been declared in markup - The owner is the
Document
of the element (e.g. ana
orarea
element) that declared the URL. - If a script is a
javascript:
URL to which a browsing context is being navigated, the URL having been provided by script - The owner is the script that provided the URL.
The origin of the script is then equal to the origin of the owner, and the effective script origin of the script is equal to the effective script origin of the owner.
- If a script is in a
- For
Document
objects and images - If a
Document
is in a browsing context whose sandboxed origin browsing context flag was set when theDocument
was created - If a
Document
was generated from a resource labeled astext/html-sandboxed
- The origin is a globally unique identifier assigned when the
Document
is created. - If a
Document
or image was generated from ajavascript:
URL - The origin is equal to the origin of the script of that
javascript:
URL. - If a
Document
or image was served over the network and has an address that uses a URL scheme with a server-based naming authority - The origin is the origin of the address of the
Document
or the URL of the image, as appropriate. - If a
Document
or image was generated from adata:
URL that was returned as the location of an HTTP redirect (or equivalent in other protocols) - The origin is the origin of the URL that redirected to the
data:
URL. - If a
Document
or image was generated from adata:
URL found in anotherDocument
or in a script - The origin is the origin of the
Document
or script that initiated the navigation to that URL. - If a
Document
has the address "about:blank
" - The origin of the
Document
is the origin it was assigned when its browsing context was created. - If a
Document
is aniframe
srcdoc
document - The origin of the
Document
is the origin of theDocument
's browsing context's browsing context container'sDocument
. - If a
Document
or image was obtained in some other manner (e.g. adata:
URL typed in by the user, aDocument
created using thecreateDocument()
API, etc) - The origin is a globally unique identifier assigned when the
Document
or image is created.
When a
Document
is created, its effective script origin is initialized to the origin of theDocument
. However, thedocument.domain
attribute can be used to change it.- If a
- For
audio
andvideo
elements -
If value of the media element's
currentSrc
attribute is the empty string, the origin is the same as the origin of the element'sDocument
's origin.Otherwise, the origin is equal to the origin of the absolute URL given by the media element's
currentSrc
attribute. - For fonts
-
The origin of a downloadable Web font is equal to the origin of the absolute URL used to obtain the font (after any redirects). [CSSFONTS]
The origin of a locally installed system font is equal to the origin of the
Document
in which that font is being used.
Other specifications can override the above definitions by themselves specifying the origin of a particular URL, script, Document
, or image.
The Unicode serialization of an origin is the string obtained by applying the following algorithm to the given origin:
-
If the origin in question is not a scheme/host/port tuple, then return the literal string "
null
" and abort these steps. -
Otherwise, let result be the scheme part of the origin tuple.
-
Append the string "
://
" to result. -
Apply the IDNA ToUnicode algorithm to each component of the host part of the origin tuple, and append the results — each component, in the same order, separated by U+002E FULL STOP characters (.) — to result. [RFC3490]
-
If the port part of the origin tuple gives a port that is different from the default port for the protocol given by the scheme part of the origin tuple, then append a U+003A COLON character (:) and the given port, in base ten, to result.
-
Return result.
The ASCII serialization of an origin is the string obtained by applying the following algorithm to the given origin:
-
If the origin in question is not a scheme/host/port tuple, then return the literal string "
null
" and abort these steps. -
Otherwise, let result be the scheme part of the origin tuple.
-
Append the string "
://
" to result. -
Apply the IDNA ToASCII algorithm the host part of the origin tuple, with both the AllowUnassigned and UseSTD3ASCIIRules flags set, and append the results result.
If ToASCII fails to convert one of the components of the string, e.g. because it is too long or because it contains invalid characters, then return the empty string and abort these steps. [RFC3490]
-
If the port part of the origin tuple gives a port that is different from the default port for the protocol given by the scheme part of the origin tuple, then append a U+003A COLON character (:) and the given port, in base ten, to result.
-
Return result.
Two origins are said to be the same origin if the following algorithm returns true:
-
Let A be the first origin being compared, and B be the second origin being compared.
-
If A and B are both opaque identifiers, and their value is equal, then return true.
-
Otherwise, if either A or B or both are opaque identifiers, return false.
-
If A and B have scheme components that are not identical, return false.
-
If A and B have host components that are not identical, return false.
-
If A and B have port components that are not identical, return false.
-
If either A or B have additional data, but that data is not identical for both, return false.
-
Return true.
5.3.1 Relaxing the same-origin restriction
- document .
domain
[ = domain ] -
Returns the current domain used for security checks.
Can be set to a value that removes subdomains, to change the effective script origin to allow pages on other subdomains of the same domain (if they do the same thing) to access each other.
The domain
attribute on Document
objects must be initialized to the document's domain, if it has one, and the empty string otherwise. If the value is an IPv6 address, then the square brackets from the host portion of the <host> component must be omitted from the attribute's value.
On getting, the attribute must return its current value, unless the Document
has no browsing context, in which case it must return the empty string.
On setting, the user agent must run the following algorithm:
-
If the
Document
has no browsing context, throw aSECURITY_ERR
exception and abort these steps. -
If the new value is an IP address, let new value be the new value. Otherwise, apply the IDNA ToASCII algorithm to the new value, with both the AllowUnassigned and UseSTD3ASCIIRules flags set, and let new value be the result of the ToASCII algorithm.
If ToASCII fails to convert one of the components of the string, e.g. because it is too long or because it contains invalid characters, then throw a
SECURITY_ERR
exception and abort these steps. [RFC3490] -
If new value is not exactly equal to the current value of the
document.domain
attribute, then run these substeps:-
If the current value is an IP address, throw a
SECURITY_ERR
exception and abort these steps. -
If new value, prefixed by a U+002E FULL STOP (.), does not exactly match the end of the current value, throw a
SECURITY_ERR
exception and abort these steps. -
If new value matches a suffix in the Public Suffix List, or, if new value, prefixed by a U+002E FULL STOP (.), matches the end of a suffix in the Public Suffix List, then throw a
SECURITY_ERR
exception and abort these steps. [PSL]Suffixes must be compared after applying the IDNA ToASCII algorithm to them, with both the AllowUnassigned and UseSTD3ASCIIRules flags set, in an ASCII case-insensitive manner. [RFC3490]
-
-
Release the storage mutex.
-
Set the attribute's value to new value.
-
Set the host part of the effective script origin tuple of the
Document
to new value. -
Set the port part of the effective script origin tuple of the
Document
to "manual override" (a value that, for the purposes of comparing origins, is identical to "manual override" but not identical to any other value).
The domain of a Document
is the host part of the document's origin, if that is a scheme/host/port tuple. If it isn't, then the document does not have a domain.
The domain
attribute is used to enable pages on different hosts of a domain to access each others' DOMs.
Do not use the document.domain
attribute when using shared hosting. If an untrusted third party is able to host an HTTP server at the same IP address but on a different port, then the same-origin protection that normally protects two different sites on the same host will fail, as the ports are ignored when comparing origins after the document.domain
attribute has been used.