From dbbc9dfe2068c3683c0519f1c0870b481caf2ce2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marcos=20C=C3=A1ceres?= Date: Fri, 18 Sep 2020 21:21:47 +1000 Subject: [PATCH 01/22] Add canShare() method --- index.html | 75 ++++++++++++++++++++++++++++++++++++++++++------------ 1 file changed, 59 insertions(+), 16 deletions(-) diff --git a/index.html b/index.html index bfa443f..bd656f8 100644 --- a/index.html +++ b/index.html @@ -103,6 +103,7 @@ 

           partial interface Navigator {
+            boolean canShare(optional ShareData data = {});
             [SecureContext] Promise<undefined> share(optional ShareData data = {});
           };
@@ -136,6 +137,23 @@

+
+

+ canShare() method +

+

+ When the {{Navigator/canShare()}} method is called with argument + |data:ShareData|, run the following steps: +

+
    +
  1. Let |base| be [=this=]'s [=relevant settings object=]'s + [=environment settings object/API base URL=]. +
    2. +
  2. Return the result of [=validate share data=] with |data| and + |base|. +
    3. +
+

share() method @@ -161,29 +179,21 @@

  • If {{[[sharePromise]]}} is not `null`, return a promise rejected with {{InvalidStateError}}.
    • -
  • If none of |data|'s members {{ShareData/title}}, - {{ShareData/text}}, or {{ShareData/url}} or {{ShareData/file}} are - present, return a promise rejected with a {{TypeError}}. +
  • , return a promise rejected with a {{TypeError}}.
    • -
  • If |data|'s {{ShareData/files}} member is present: -
      -
    1. If |data|'s {{ShareData/files}} member is empty, or if the - implementation does not support file sharing, return a - promise rejected with a {{TypeError}}, and abort these - steps. -
      2. -
    +
  • Let |base:URL| be the [=this=] value's relevant settings + object's [=environment settings object/api base URL=]. +
    • +
  • If running the steps to [=validate share data=] with |data| and + |base| return false, then return a promise rejected with a + {{TypeError}}.
  • If |data|'s {{ShareData/url}} member is present:
      -
    1. Let |base:URL| be the [=this=] value's relevant settings - object's [=environment settings object/api base URL=]. -
    2. Let |url:URL| be the result of running the URL parser on |data|'s {{ShareData/url}} with |base|.
      3. -
    3. If |url| is failure, return a promise rejected with - {{TypeError}}. +
    4. Assert: |url| is {{URL}}.
    5. If |url|'s [=URL/scheme=] is not "http" or "https", return a promise rejected with {{TypeError}}. @@ -269,6 +279,39 @@

      or bypassing the UI if there is only a single share target.

    • +
    +

    + Validate share data +

    +

    + To validate share data with |data:ShareData| and + |base:URL|, run the following steps: +

    +
      +
    1. If none of |data|'s members {{ShareData/title}}, + {{ShareData/text}}, or {{ShareData/url}} or {{ShareData/files}} are + present, return false. +
      2. +
    2. If |data|'s {{ShareData/files}} member is present: +
        +
      1. If |data|'s {{ShareData/files}} member is empty, or if the + implementation does not support file sharing, return false. +
        2. +
      +
      3. +
    3. If |data|'s url member is present: +
        +
      1. Let |url:URL| be the result of running the [=URL parser]= + on |data|'s url, with |base|, and no encoding override. +
        2. +
      2. If |url| is failure, return false. +
        3. +
      +
      4. +
    4. Return true. +
      5. +
    +

    From a3a43191aac350964005cf29ac9314acb448b4e4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marcos=20C=C3=A1ceres?= Date: Mon, 21 Sep 2020 17:59:40 +1000 Subject: [PATCH 02/22] add SecureContext and allowed to use check --- index.html | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/index.html b/index.html index bd656f8..f8981da 100644 --- a/index.html +++ b/index.html @@ -103,7 +103,7 @@ 

               partial interface Navigator {
-            boolean canShare(optional ShareData data = {});
+            [SecureContext] boolean canShare(optional ShareData data = {});
             [SecureContext] Promise<undefined> share(optional ShareData data = {});
           };
    @@ -146,6 +146,10 @@

    |data:ShareData|, run the following steps:

      +
    1. If the current settings object's responsible document is not + allowed to use the "[=web-share-feature|web-share=]" + permission, return false. +
    2. Let |base| be [=this=]'s [=relevant settings object=]'s [=environment settings object/API base URL=].
      3. @@ -179,8 +183,6 @@

    3. If {{[[sharePromise]]}} is not `null`, return a promise rejected with {{InvalidStateError}}.
      4. -
    4. , return a promise rejected with a {{TypeError}}. -
    5. Let |base:URL| be the [=this=] value's relevant settings object's [=environment settings object/api base URL=].
      6. From 99cccb77ae17abd10d4ea4a887632f30f3056e77 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marcos=20C=C3=A1ceres?= Date: Mon, 21 Sep 2020 19:34:18 +1000 Subject: [PATCH 03/22] Add http+https checks to validation --- index.html | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/index.html b/index.html index f8981da..68a76d3 100644 --- a/index.html +++ b/index.html @@ -197,9 +197,6 @@

    6. Assert: |url| is {{URL}}.
      7. -
    7. If |url|'s [=URL/scheme=] is not "http" or "https", return - a promise rejected with {{TypeError}}. -
    8. Set |data| to a copy of |data|, with its {{ShareData/url}} member set to the result of running the URL serializer on |url|. @@ -308,6 +305,9 @@

    9. If |url| is failure, return false.
      10. +
    10. If |url|'s [=URL/scheme=] is not "http" or "https", return + return false. +

  • Return true. @@ -553,8 +553,7 @@

    when information should be confidential, so forwarding any content presents a risk. In particular, the {{ShareData/title}} might be used by an attacker to trick a user into misinterpreting the nature - of the content. - From c60193bc082624e9dad64aef013d5a5ccee7e61b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marcos=20C=C3=A1ceres?= Date: Wed, 23 Sep 2020 16:07:59 +1000 Subject: [PATCH 04/22] Handle empty files sequence --- index.html | 27 ++++++++++++++++++++++----- 1 file changed, 22 insertions(+), 5 deletions(-) diff --git a/index.html b/index.html index 68a76d3..e46008e 100644 --- a/index.html +++ b/index.html @@ -47,7 +47,7 @@ }; - +

    This specification defines an API for sharing text, links and other @@ -291,10 +291,23 @@

    {{ShareData/text}}, or {{ShareData/url}} or {{ShareData/files}} are present, return false.

    • +
  • Let |titleTextOrUrl:boolean| be true if any of + {{ShareData/title}}, or {{ShareData/text}}, or {{ShareData/url}} is + present. +
  • If |data|'s {{ShareData/files}} member is present:
      -
    1. If |data|'s {{ShareData/files}} member is empty, or if the - implementation does not support file sharing, return false. +
    2. If |titleTextOrUrl| is false, and if |data|'s + {{ShareData/files}} member is empty, or return false. +

      + This causes a `{ files: [] }` dictionary to be treated as + an empty dictionary. However, passing a dictionary like + `{text: "text" files: []}` is fine, as `files` is just + ignored. +

      +
      3. +
    3. If the implementation does not support file sharing, return + false.
    • @@ -504,8 +517,12 @@

    native applications.
  • Due to the capabilities of the API surface, {{Navigator/share()}} - is available only in secure contexts (such as `https://` - schemes). + and {{Navigator/canShare()}} methods are restricted to [=secure + contexts=] (such as `https://` schemes). +
    • +
  • Third-party contexts require that they be [=allowed to use=] the + {{Navigator/share()}} and {{Navigator/canShare()}} methods via one of + the mechanisms described in [[[permissions-policy]]].
  • Use of {{Navigator/share()}} from a private browsing mode From a1a8a8bb2a5738753d038b8700efae5b4cabb877 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marcos=20C=C3=A1ceres?= Date: Wed, 23 Sep 2020 17:58:40 +1000 Subject: [PATCH 05/22] Update index.html Co-authored-by: Kagami Sascha Rosylight --- index.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.html b/index.html index e46008e..8fc3425 100644 --- a/index.html +++ b/index.html @@ -319,7 +319,7 @@

  • If |url| is failure, return false.
  • If |url|'s [=URL/scheme=] is not "http" or "https", return - return false. + false.

    • From a42f0b7107fd867fbfaa401b81792a026e8aa5d9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marcos=20C=C3=A1ceres?= Date: Wed, 23 Sep 2020 20:00:34 +1000 Subject: [PATCH 06/22] Add "validate share data" algorithm --- index.html | 32 +++++--------------------------- 1 file changed, 5 insertions(+), 27 deletions(-) diff --git a/index.html b/index.html index 50a1ce2..6af0b41 100644 --- a/index.html +++ b/index.html @@ -103,7 +103,6 @@ 

               partial interface Navigator {
-            [SecureContext] boolean canShare(optional ShareData data = {});
             [SecureContext] Promise<undefined> share(optional ShareData data = {});
           };
    @@ -137,27 +136,6 @@

    -
    -

    - canShare() method -

    -

    - When the {{Navigator/canShare()}} method is called with argument - |data:ShareData|, run the following steps: -

    -
      -
    1. If the current settings object's responsible document is not - allowed to use the "[=web-share-feature|web-share=]" - permission, return false. -
      2. -
    2. Let |base| be [=this=]'s [=relevant settings object=]'s - [=environment settings object/API base URL=]. -
      3. -
    3. Return the result of [=validate share data=] with |data| and - |base|. -
      4. -
    -

    share() method @@ -316,7 +294,7 @@

  • If |data|'s url member is present:
      -
    1. Let |url:URL| be the result of running the [=URL parser]= +
    2. Let |url:URL| be the result of running the [=URL parser=] on |data|'s url, with |base|, and no encoding override.
    3. If |url| is failure, return false. @@ -520,12 +498,12 @@

      native applications.

    4. Due to the capabilities of the API surface, {{Navigator/share()}} - and {{Navigator/canShare()}} methods are restricted to [=secure - contexts=] (such as `https://` schemes). + method is restricted to [=secure contexts=] (such as `https://` + schemes).
    5. Third-party contexts require that they be [=allowed to use=] the - {{Navigator/share()}} and {{Navigator/canShare()}} methods via one of - the mechanisms described in [[[permissions-policy]]]. + {{Navigator/share()}} method is one of the mechanisms described in + [[[permissions-policy]]].
    6. Use of {{Navigator/share()}} from a private browsing mode From 84e8c3a6af2b7b4b1fb2fec68c069d509e2c1941 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marcos=20C=C3=A1ceres?= Date: Mon, 28 Sep 2020 12:31:35 +1000 Subject: [PATCH 07/22] fixup --- index.html | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/index.html b/index.html index 6af0b41..909494f 100644 --- a/index.html +++ b/index.html @@ -147,7 +147,7 @@

      1. If the current settings object's responsible document is not allowed to use the "[=web-share-feature|web-share=]" - permission, return [=a promise rejected with=] with a + permission, return [=a promise rejected with=] a {{"NotAllowedError"}} {{DOMException}}.
      2. If {{[[sharePromise]]}} is not `null`, return a promise @@ -161,14 +161,14 @@

      3. [=Consume user activation=] of |window|.
        4. -
      4. If {{[[sharePromise]]}} is not `null`, return a promise - rejected with {{InvalidStateError}}. +
      5. If {{[[sharePromise]]}} is not `null`, return [=a promise + rejected with=] {{InvalidStateError}}.
      6. Let |base:URL| be the [=this=] value's relevant settings object's [=environment settings object/api base URL=].
      7. If running the steps to [=validate share data=] with |data| and - |base| return false, then return a promise rejected with a + |base| return false, then return [=a promise rejected with=] a {{TypeError}}.
      8. If |data|'s {{ShareData/url}} member is present: @@ -185,7 +185,7 @@

    7. If a file type is being blocked due to security considerations, - return a promise rejected with with a {{"NotAllowedError"}} + return [=a promise rejected with=] with a {{"NotAllowedError"}} {{DOMException}}.
    8. Set {{[[sharePromise]]}} to be a new promise. From bd53f07d2cded99e77120ccf22cae6c781d43d57 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marcos=20C=C3=A1ceres?= Date: Mon, 28 Sep 2020 12:33:23 +1000 Subject: [PATCH 08/22] Simplify call to validate share data --- index.html | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/index.html b/index.html index 909494f..1982fe8 100644 --- a/index.html +++ b/index.html @@ -167,9 +167,8 @@

    9. Let |base:URL| be the [=this=] value's relevant settings object's [=environment settings object/api base URL=].
      10. -
    10. If running the steps to [=validate share data=] with |data| and - |base| return false, then return [=a promise rejected with=] a - {{TypeError}}. +
    11. If [=validate share data=] with |data| and |base| returns + false, then return [=a promise rejected with=] a {{TypeError}}.
    12. If |data|'s {{ShareData/url}} member is present:
        From e683d5605de727dd53a8c1d6b9a086f651dfec60 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marcos=20C=C3=A1ceres?= Date: Wed, 14 Oct 2020 16:51:54 +1100 Subject: [PATCH 09/22] Apply suggestions from code review Co-authored-by: Martin Thomson --- index.html | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/index.html b/index.html index 1982fe8..25ddfe6 100644 --- a/index.html +++ b/index.html @@ -277,12 +277,12 @@

      1. If |data|'s {{ShareData/files}} member is present:
          -
        1. If |titleTextOrUrl| is false, and if |data|'s - {{ShareData/files}} member is empty, or return false. +
        2. If |titleTextOrUrl| is false and |data|'s + {{ShareData/files}} member is empty, return false.

          This causes a `{ files: [] }` dictionary to be treated as an empty dictionary. However, passing a dictionary like - `{text: "text" files: []}` is fine, as `files` is just + `{text: "text", files: []}` is fine, as `files` is just ignored.

          3. From 6c0a9f5a90a4a35375f3211c385be380c73b5a62 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marcos=20C=C3=A1ceres?= Date: Wed, 28 Oct 2020 11:51:29 +1100 Subject: [PATCH 10/22] Add AU-specific type check, plus reject --- index.html | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/index.html b/index.html index f1d5b15..321aa35 100644 --- a/index.html +++ b/index.html @@ -289,6 +289,11 @@

        3. If the implementation does not support file sharing, return false.
          4. +
        4. If the user agent believes sharing any of the files in + `files` would result in a potentially hostile share, return + false. +
          +

      2. If |data|'s url member is present: From b4949465ef773f47a4813cd89bf44c526137260c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marcos=20C=C3=A1ceres?= Date: Mon, 9 Aug 2021 09:48:37 +1000 Subject: [PATCH 11/22] Fixup internal slot --- index.html | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/index.html b/index.html index 209e850..2cae1a8 100644 --- a/index.html +++ b/index.html @@ -161,8 +161,9 @@

      3. [=Consume user activation=] of |window|.
        4. -
      4. If {{[[sharePromise]]}} is not `null`, return [=a promise - rejected with=] {{InvalidStateError}}. +
      5. If {{Navigator/[[sharePromise]]}} is not `null`, return [=a + promise rejected with=] {{InvalidStateError}}. +
      6. If none of |data|'s members {{ShareData/title}}, {{ShareData/text}}, or {{ShareData/url}} or {{ShareData/files}} are present, return a promise rejected with a {{TypeError}}. From 95d9909d6441f4e078acfdaa4ce71f51cba8afc9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marcos=20C=C3=A1ceres?= Date: Mon, 16 Aug 2021 11:41:21 +1000 Subject: [PATCH 12/22] Update index.html Co-authored-by: Kagami Sascha Rosylight --- index.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.html b/index.html index 2cae1a8..d0cb7e7 100644 --- a/index.html +++ b/index.html @@ -188,7 +188,7 @@

    13. If a file type is being blocked due to security considerations, - return [=a promise rejected with=] with a {{"NotAllowedError"}} + return [=a promise rejected with=] a {{"NotAllowedError"}} {{DOMException}}.
    14. Set {{Navigator/[[sharePromise]]}} to be a new promise. From 40618ca2e2182afae0321d802c813d161bfec998 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marcos=20C=C3=A1ceres?= Date: Mon, 16 Aug 2021 13:51:22 +1000 Subject: [PATCH 13/22] Remove note about allowed to use in priv sec section --- index.html | 4 ---- 1 file changed, 4 deletions(-) diff --git a/index.html b/index.html index d0cb7e7..c5112a1 100644 --- a/index.html +++ b/index.html @@ -510,10 +510,6 @@

      is only [=exposed=] in [=secure contexts=] (such as `https://` schemes).

      15. -
    15. Third-party contexts require that they be [=allowed to use=] the - {{Navigator/share()}} method is one of the mechanisms described in - [[[permissions-policy]]]. -
    16. Use of {{Navigator/share()}} from a private browsing mode might leak private data to a third-party application that does not From abd6bcdd2775655a19f932e3c6cde5aad9f9e21d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marcos=20C=C3=A1ceres?= Date: Mon, 16 Aug 2021 14:04:23 +1000 Subject: [PATCH 14/22] Fixup + remove link to issue 127 --- index.html | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/index.html b/index.html index 4838886..f0bfd38 100644 --- a/index.html +++ b/index.html @@ -167,8 +167,8 @@

      {{ShareData/text}}, or {{ShareData/url}} or {{ShareData/files}} are present, return a promise rejected with a {{TypeError}}.

      17. -
    17. Let |base:URL| be the [=this=] value's relevant settings - object's [=environment settings object/api base URL=]. +
    18. Let |base:URL| be [=this=]'s relevant settings object's + [=environment settings object/api base URL=].
    19. If [=validate share data=] with |data| and |base| returns false, then return [=a promise rejected with=] a {{TypeError}}. @@ -297,7 +297,6 @@

    20. If the user agent believes sharing any of the files in `files` would result in a potentially hostile share, return false. -

    • From 28e5ad56774a16727fcb327046e3ddd7034d9d1e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marcos=20C=C3=A1ceres?= Date: Mon, 16 Aug 2021 14:14:58 +1000 Subject: [PATCH 15/22] fixup typo --- index.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.html b/index.html index f0bfd38..c3c0e24 100644 --- a/index.html +++ b/index.html @@ -168,7 +168,7 @@

    present, return a promise rejected with a {{TypeError}}.
  • Let |base:URL| be [=this=]'s relevant settings object's - [=environment settings object/api base URL=]. + [=environment settings object/API base URL=].
  • If [=validate share data=] with |data| and |base| returns false, then return [=a promise rejected with=] a {{TypeError}}. From d86d782b1be751d9fb30f64d7c38c8009a7468a6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marcos=20C=C3=A1ceres?= Date: Mon, 16 Aug 2021 14:16:40 +1000 Subject: [PATCH 16/22] another typo --- index.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.html b/index.html index c3c0e24..4289c90 100644 --- a/index.html +++ b/index.html @@ -161,7 +161,7 @@

  • [=Consume user activation=] of |window|.
  • If {{Navigator/[[sharePromise]]}} is not `null`, return [=a - promise rejected with=] {{InvalidStateError}}. + promise rejected with=] an {{InvalidStateError}}.
  • If none of |data|'s members {{ShareData/title}}, {{ShareData/text}}, or {{ShareData/url}} or {{ShareData/files}} are From e72fe8894694eba7774e75f43b9775b2bea3adee Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marcos=20C=C3=A1ceres?= Date: Mon, 16 Aug 2021 14:30:16 +1000 Subject: [PATCH 17/22] Add missing {{DOMException}} in places --- index.html | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/index.html b/index.html index 4289c90..d7e9638 100644 --- a/index.html +++ b/index.html @@ -151,7 +151,7 @@

    {{"NotAllowedError"}} {{DOMException}}.

  • If {{Navigator/[[sharePromise]]}} is not `null`, return a - promise rejected with {{InvalidStateError}}. + promise rejected with {{"InvalidStateError"}} {{DOMException}}.
  • Let |window| be [=relevant global object=] of [=this=].
    • @@ -161,7 +161,8 @@

  • [=Consume user activation=] of |window|.
  • If {{Navigator/[[sharePromise]]}} is not `null`, return [=a - promise rejected with=] an {{InvalidStateError}}. + promise rejected with=] an {{"InvalidStateError"}} + {{DOMException}}.
  • If none of |data|'s members {{ShareData/title}}, {{ShareData/text}}, or {{ShareData/url}} or {{ShareData/files}} are From 5b7071e20d3795c3a315ba2cdd1e6c929c44665c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marcos=20C=C3=A1ceres?= Date: Mon, 16 Aug 2021 18:01:02 +1000 Subject: [PATCH 18/22] Remove null check, done elsewhere --- index.html | 4 ---- 1 file changed, 4 deletions(-) diff --git a/index.html b/index.html index d7e9638..2f504ff 100644 --- a/index.html +++ b/index.html @@ -160,10 +160,6 @@

  • [=Consume user activation=] of |window|.
    • -
  • If {{Navigator/[[sharePromise]]}} is not `null`, return [=a - promise rejected with=] an {{"InvalidStateError"}} - {{DOMException}}. -
  • If none of |data|'s members {{ShareData/title}}, {{ShareData/text}}, or {{ShareData/url}} or {{ShareData/files}} are present, return a promise rejected with a {{TypeError}}. From c8c25254cb8a30759272cd6c67f83ca588ffafc2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marcos=20C=C3=A1ceres?= Date: Mon, 16 Aug 2021 18:04:20 +1000 Subject: [PATCH 19/22] Remove ref to secure-context --- index.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.html b/index.html index 515a8eb..0399e5d 100644 --- a/index.html +++ b/index.html @@ -47,7 +47,7 @@ }; - +

    This specification defines an API for sharing text, links and other From b5635200cbe08e8989c910f4b2e5928f31364c80 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marcos=20C=C3=A1ceres?= Date: Mon, 16 Aug 2021 18:40:41 +1000 Subject: [PATCH 20/22] Further fixup --- index.html | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/index.html b/index.html index 0399e5d..f030647 100644 --- a/index.html +++ b/index.html @@ -161,10 +161,6 @@

  • [=Consume user activation=] of |window|.
    • -
  • If none of |data|'s members {{ShareData/title}}, - {{ShareData/text}}, or {{ShareData/url}} or {{ShareData/files}} are - present, return a promise rejected with a {{TypeError}}. -
  • Let |base:URL| be [=this=]'s relevant settings object's [=environment settings object/API base URL=].
    • @@ -298,15 +294,16 @@

    • -
  • If |data|'s url member is present: +
  • If |data|'s {{ShareData/url}} member is present:
    1. Let |url:URL| be the result of running the [=URL parser=] - on |data|'s url, with |base|, and no encoding override. + on |data|'s {{ShareData/url}} member, with |base|, and no + encoding override.
    2. If |url| is failure, return false.
      3. -
    3. If |url|'s [=URL/scheme=] is not "http" or "https", return - false. +
    4. If |url|'s [=URL/scheme=] is not "http" or "https", or is a + URL the user agent deems potentially hostile, return false.
    • From 9d2f37b36b8b0ae7d63cf36c56ca566c40d5eac8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marcos=20C=C3=A1ceres?= Date: Tue, 17 Aug 2021 12:03:42 +1000 Subject: [PATCH 21/22] Let UA decide what's a hostile URL --- index.html | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/index.html b/index.html index 334013a..6362001 100644 --- a/index.html +++ b/index.html @@ -302,8 +302,9 @@

  • If |url| is failure, return false.
    • -
  • If |url|'s [=URL/scheme=] is not "http" or "https", or is a - URL the user agent deems potentially hostile, return false. +
  • If |url| is a URL the user agent deems potentially hostile + (e.g., "file://" or other schemes that are not "http" or + "https"), return false.
    • From 892497fea81f5415373350ba380f81d680c40033 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marcos=20C=C3=A1ceres?= Date: Tue, 17 Aug 2021 15:51:12 +1000 Subject: [PATCH 22/22] Include issue 178 --- index.html | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/index.html b/index.html index e9c78e0..822ded0 100644 --- a/index.html +++ b/index.html @@ -302,9 +302,13 @@

  • If |url| is failure, return false.
    • -
  • If |url| is a URL the user agent deems potentially hostile - (e.g., "file://" or other schemes that are not "http" or - "https"), return false. +
  • +

    + If |url| is a URL the user agent deems potentially hostile + (e.g., "file:") or wouldn't make sense to outside the scope + of the document (e.g., "blob:"), return false. +

    +