From 8f44aea4836236380ac2d4207415a119f98850f0 Mon Sep 17 00:00:00 2001 From: Domenic Denicola Date: Wed, 5 May 2021 19:19:17 -0400 Subject: [PATCH 1/3] Remove image/media origins and check origin-cleanness directly That is, check the type of response directly, instead of synthesizing an opaque origin for opaque responses and then comparing that to the entry settings object's origin. This helps with #1431 by removing various uses of the entry concept, and closes #2761 by removing the origin concept for image and media elements entirely, since it is now unused. --- source | 71 +++++++++------------------------------------------------- 1 file changed, 11 insertions(+), 60 deletions(-) diff --git a/source b/source index 82d29604dcc..db463b7bddd 100644 --- a/source +++ b/source @@ -28376,7 +28376,7 @@ was an English <a href="/wiki/Music_hall">music hall</a> singer, ...The resource obtained in this fashion, if any, is image request's image data. It can be either CORS-same-origin or - CORS-cross-origin; this affects the origin of the image itself (e.g. + CORS-cross-origin; this affects the image's interaction with other APIs (e.g. when used on a canvas).
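Review bot: the replacement line in this first hunk, "this affects the image's interaction with other APIs", is vaguer than the sentence it replaces and leaves the canvas example as the only hint of what is affected. Consider naming the consequence directly, for instance that the CORS state decides whether the image is origin-clean when used on a canvas, so the sentence stays useful now that the image no longer has an origin of its own.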

@@ -29123,8 +29123,8 @@ was an English <a href="/wiki/Music_hall">music hall</a> singer, ...

Otherwise, response's unsafe response is image request's image data. It can be either - CORS-same-origin or CORS-cross-origin; this affects the - origin of the image itself (e.g., when used on a canvas).

+ CORS-same-origin or CORS-cross-origin; this affects the image's + interaction with other APIs (e.g. when used on a canvas).
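Review bot: the added lines here read "(e.g. when used on a canvas)" where the removed line had "(e.g., when used on a canvas)", so the comma after "e.g." is lost in the rewrap. Keep "e.g.," so the sentence retains its earlier punctuation and a later fixup is not needed.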

@@ -63118,16 +63118,18 @@ try { object's bitmap image data must be used as the source image.

An object image is not - origin-clean if, switching on image:

+ origin-clean if, switching on image's type:

HTMLOrSVGImageElement +

image's current request's image + data is CORS-cross-origin.

+
HTMLVideoElement -

image's origin is not same origin with entry - settings object's origin.

+

image's media data is CORS-cross-origin.

HTMLCanvasElement -
ImageBitMap +
ImageBitmap

image's bitmap's origin-clean flag is false.
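Review bot: the new HTMLOrSVGImageElement and HTMLVideoElement cases make origin-cleanness a property of the response alone, whereas the removed condition ("image's origin is not same origin with entry settings object's origin") was relative to the caller. Under the old text a CORS-same-origin image whose node document has a different origin from the entry settings object was not origin-clean; under the new text it is. Please state in the commit message or a note whether that change is intended and matches implementations, and add a test for an image element taken from a document of another origin. The "ImageBitMap" to "ImageBitmap" fix in the same hunk looks right.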

@@ -81138,53 +81140,6 @@ interface BarProp {
-

Various specification objects are defined to have an origin. These origins are determined as follows:

- -
-
For images of img elements
- -
-
- -
If the image data is CORS-cross-origin
- -

A unique opaque origin assigned when the - image is created.

- - -
If the image data is CORS-same-origin
- -

The img element's node document's origin.

-
-
- - -
For audio and video elements
- -
-
- -
If the media data is CORS-cross-origin
- -

A unique opaque origin assigned when the - media data is fetched.

- - -
If the media data is CORS-same-origin
- -

The media element's node document's origin.

-
-
-
- -

Other specifications can override the above definitions by themselves specifying the origin of - a particular image or media element.

- -
-

The serialization of an origin is the string obtained by applying the following algorithm to the given origin origin:
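Review bot: the last removed paragraph, "Other specifications can override the above definitions by themselves specifying the origin of a particular image or media element", was an extension hook, and deleting it along with the img, audio and video entries leaves any specification that used it without a definition to override. The commit message says the concept "is now unused", but that is only shown for this file; please confirm no other specification references the origin of an image or media element, or link the issues filed against those that do.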

@@ -96022,9 +95977,7 @@ dictionary ImageBitmapOptions { is not supported or is disabled), or, if there is no such image, the first frame of the animation.

-
  • If the origin of image's image is not same origin - with entry settings object's origin, then set the

    If image is not origin-clean, then set the origin-clean flag of imageBitmap's bitmap to false.

  • @@ -96053,9 +96006,7 @@ dictionary ImageBitmapOptions { after any aspect-ratio correction has been applied), cropped to the source rectangle with formatting.

    -
  • If the origin of image's video is not same origin - with entry settings object's origin, then set the

    If image is not origin-clean, then set the origin-clean flag of imageBitmap's bitmap to false.
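Review bot: the replacement step "If image is not origin-clean" in this hunk and the previous one now depends entirely on the definition amended in the hunk at 63118, which switches on image's type and is written for canvas source images. Make sure the term is cross-referenced to that definition from these createImageBitmap steps. Since the img and video branches now carry an identical sentence, it could also be stated once rather than per branch.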

  • From 87fb63f282a7a8fd36a94198fe49c5eb7ccf3c9d Mon Sep 17 00:00:00 2001 From: Domenic Denicola Date: Wed, 5 May 2021 19:25:59 -0400 Subject: [PATCH 2/3] Tweak dev edition a bit --- source | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/source b/source index db463b7bddd..6cbc4a04464 100644 --- a/source +++ b/source @@ -81125,6 +81125,8 @@ interface BarProp { data-x="concept-origin-tuple">tuple origin can be changed, and only through the document.domain API.

    +
    +

    The effective domain of an origin origin is computed as follows:

    @@ -81138,8 +81140,6 @@ interface BarProp {
  • Return origin's host.

  • -
    -

    The serialization of an origin is the string obtained by applying the following algorithm to the given origin origin:

    @@ -81164,10 +81164,14 @@ interface BarProp {
  • Return result.

  • +
    +

    The serialization of ("https", "xn--maraa-rta.example", null, null) is "https://xn--maraa-rta.example".

    +
    +

    There used to also be a Unicode serialization of an origin. However, it was never widely adopted.

    @@ -81212,6 +81216,8 @@ interface BarProp {
  • Return false.

  • +
    +
    @@ -81261,6 +81267,8 @@ interface BarProp {

    A site is an opaque origin or a scheme-and-host.

    +
    +

    To obtain a site, given an origin origin, run these steps:

      @@ -81316,6 +81324,8 @@ interface BarProp { scheme

      +
    +

    Unlike the same origin and same origin-domain concepts, for schemelessly same site and same site, the port and domain @@ -81383,8 +81393,6 @@ interface BarProp { data-x="concept-origin-domain">domain components since they are not considered.)

    - -

    Relaxing the same-origin restriction

    From 3a061d29b139a5ac22c8b16d701b1ed835bdd40a Mon Sep 17 00:00:00 2001 From: Domenic Denicola Date: Thu, 6 May 2021 11:55:13 -0400 Subject: [PATCH 3/3] Commas after e.g. --- source | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/source b/source index 6cbc4a04464..064ece0a338 100644 --- a/source +++ b/source @@ -28376,7 +28376,7 @@ was an English <a href="/wiki/Music_hall">music hall</a> singer, ...The resource obtained in this fashion, if any, is image request's image data. It can be either CORS-same-origin or - CORS-cross-origin; this affects the image's interaction with other APIs (e.g. + CORS-cross-origin; this affects the image's interaction with other APIs (e.g., when used on a canvas).

    @@ -29124,7 +29124,7 @@ was an English <a href="/wiki/Music_hall">music hall</a> singer, ...

    Otherwise, response's unsafe response is image request's image data. It can be either CORS-same-origin or CORS-cross-origin; this affects the image's - interaction with other APIs (e.g. when used on a canvas).

    + interaction with other APIs (e.g., when used on a canvas).
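Review bot: both hunks of this third patch only touch lines that patch 1/3 introduced, replacing "(e.g." with "(e.g.," in the two "interaction with other APIs" sentences. Squash this into patch 1/3 before landing so the history does not carry a punctuation-only fixup of text added in the same series.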