2.4 URL
  2.4.1 Terminology
  2.4.2 Parsing URLs
  2.4.3 Dynamic changes to base URLs
2.5 Fetching resources
  2.5.1 Terminology
  2.5.2 Determining the type of a resource
  2.5.3 Extracting character encodings from meta elements
  2.5.4 CORS settings attributes
  2.5.5 Referrer policy attributes

2.4 URL

2.4.1 Terminology

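A string is a valid non-empty URL if it is a valid URL string but it is not the empty string.

A string is a valid URL potentially surrounded by spaces if, after stripping leading and trailing ASCII whitespace from it, it is a valid URL string.

A string is a valid non-empty URL potentially surrounded by spaces if, after stripping leading and trailing ASCII whitespace from it, it is a valid non-empty URL.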

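This specification defines the URL about:legacy-compat as a reserved, though unresolvable, about: URL, for use in DOCTYPEs in HTML documents when needed for compatibility with XML tools. [ABOUT]

This specification defines the URL about:html-kind as a reserved, though unresolvable, about: URL, that is used as an identifier for kinds of media tracks. [ABOUT]

This specification defines the URL about:srcdoc as a reserved, though unresolvable, about: URL, that is used as the URL of iframe srcdoc documents. [ABOUT]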

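The fallback base URL of a Document object document is the URL record obtained by running these steps:

  1. If document is an iframe srcdoc document, then return the document base URL of the node document of the browsing context container of document's browsing context.

  2. If document's URL is about:blank, and document's browsing context has a creator browsing context, then return the creator base URL.

  3. Return document's URL.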

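The document base URL of a Document object is the absolute URL obtained by running these steps:

  1. If there is no base element that has an href attribute in the Document, then the document base URL is the Document's fallback base URL; abort these steps.

  2. Otherwise, the document base URL is the frozen base URL of the first base element in the Document that has an href attribute, in tree order.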

2.4.2 Parsing URLs

Parsing a URL is the process of taking a string and obtaining the URL record that it represents. While this process is defined in the WHATWG URL standard, the HTML standard defines a wrapper for convenience. [URL]

This wrapper is only useful when the character encoding for the URL parser has to match that of the document or environment settings object for legacy reasons. When that is not the case the URL parser can be used directly.

To parse a URL url, relative to either a document or environment settings object, the user agent must use the following steps. Parsing a URL either results in failure or a resulting URL string and resulting URL record.

  1. Let encoding be document's character encoding, if document was given, and environment settings object's API URL character encoding otherwise.

  2. Let baseURL be document's base URL, if document was given, and environment settings object's API base URL otherwise.

  3. Let urlRecord be the result of applying the URL parser to url, with baseURL and encoding.

  4. If urlRecord is failure, then abort these steps with an error.

  5. Let urlString be the result of applying the URL serializer to urlRecord.

  6. Return urlString as the resulting URL string and urlRecord as the resulting URL record.
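The fallback base URL, document base URL and parse steps above, chained together in an added example (not code from the specification). The plain-object document model, the function names and the sample URLs are constructed here; the frozen base URL is computed by parsing href against the fallback base URL with any policy check omitted, and the encoding step is not modelled because the `URL` API always uses UTF-8.

```javascript
// Constructed model (assumption): a document is a plain object
//   { url, isSrcdoc, container, creatorBaseURL, baseHrefs }
// baseHrefs lists the href of every base element in tree order
// (null stands for a base element without an href attribute).

function fallbackBaseURL(doc) {
  // Step 1: an iframe srcdoc document inherits from its container's document.
  if (doc.isSrcdoc) return documentBaseURL(doc.container);
  // Step 2: about:blank with a creator inherits the creator base URL.
  if (doc.url === "about:blank" && doc.creatorBaseURL) return doc.creatorBaseURL;
  // Step 3: otherwise the document's own URL.
  return doc.url;
}

function documentBaseURL(doc) {
  const fallback = fallbackBaseURL(doc);
  // Only the first base element that has an href counts; later ones are ignored.
  const href = (doc.baseHrefs || []).find((h) => h !== null);
  if (href === undefined) return fallback;
  // Frozen base URL (assumption, see lead-in): href parsed against the
  // fallback base URL, or the fallback itself when parsing fails.
  try { return new URL(href, fallback).href; } catch { return fallback; }
}

function parseURL(url, doc) {
  try {
    const urlRecord = new URL(url, documentBaseURL(doc)); // step 3
    return { urlString: urlRecord.href, urlRecord };      // steps 5 and 6
  } catch {
    return null;                                          // step 4: failure
  }
}

// Constructed sample documents.
const page = { url: "https://example.com/app/index.html",
               baseHrefs: [null, "/static/", "https://cdn.example/"] };
const framed = { url: "about:srcdoc", isSrcdoc: true, container: page, baseHrefs: [] };
const popup = { url: "about:blank", creatorBaseURL: "https://example.com/app/", baseHrefs: [] };

for (const [name, doc] of Object.entries({ page, framed, popup })) {
  const result = parseURL("img/logo.png", doc);
  console.log(name, documentBaseURL(doc), "->", result && result.urlString);
}
```

Because only the first base element with an href is used, a base element placed earlier in the tree than the intended one changes how every relative URL in the document and in its srcdoc frames resolves.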

2.4.3 Dynamic changes to base URLs

When a document's document base URL changes, all elements in that document are affected by a base URL change.

The following are base URL change steps, which run when an element is affected by a base URL change (as defined by the DOM specification):

If the element creates a hyperlink

If the URL identified by the hyperlink is being shown to the user, or if any data derived from that URL is affecting the display, then the href attribute should be reparsed relative to the element's node document and the UI updated appropriately.

For example, the CSS :link/:visited pseudo-classes might have been affected.

If the hyperlink has a ping attribute and its URL(s) are being shown to the user, then the ping attribute's tokens should be reparsed relative to the element's node document and the UI updated appropriately.

If the element is a q, blockquote, ins, or del element with a cite attribute

If the URL identified by the cite attribute is being shown to the user, or if any data derived from that URL is affecting the display, then the URL should be reparsed relative to the element's node document and the UI updated appropriately.

Otherwise

The element is not directly affected.

For instance, changing the base URL doesn't affect the image displayed by img elements, although subsequent accesses of the src IDL attribute from script will return a new absolute URL that might no longer correspond to the image being shown.

2.5 Fetching resources


2.5.1 Terminology

A response whose type is "basic", "cors", or "default" is CORS-same-origin. [FETCH]

A response whose type is "opaque" or "opaqueredirect" is CORS-cross-origin.

A response's unsafe response is its internal response if it has one, and the response itself otherwise.

To create a potential-CORS request, given a url, destination, corsAttributeState, and an optional same-origin fallback flag, run these steps:

  1. Let mode be "no-cors" if corsAttributeState is No CORS, and "cors" otherwise.

  2. If same-origin fallback flag is set and mode is "no-cors", set mode to "same-origin".

  3. Let credentialsMode be "include".

  4. If corsAttributeState is Anonymous, set credentialsMode to "same-origin".

  5. Let request be a new request whose url is url, destination is destination, mode is mode, credentials mode is credentialsMode, and whose use-URL-credentials flag is set.

2.5.2 Determining the type of a resource

The Content-Type metadata of a resource must be obtained and interpreted in a manner consistent with the requirements of the WHATWG MIME Sniffing standard. [MIMESNIFF]

The computed MIME type of a resource must be found in a manner consistent with the requirements given in the WHATWG MIME Sniffing standard. [MIMESNIFF]

The rules for sniffing images specifically, the rules for distinguishing if a resource is text or binary, and the rules for sniffing audio and video specifically are also defined in the WHATWG MIME Sniffing standard. These rules return a MIME type as their result. [MIMESNIFF]

It is imperative that the rules in the WHATWG MIME Sniffing standard be followed exactly. When a user agent uses different heuristics for content type detection than the server expects, security problems can occur. For more details, see the WHATWG MIME Sniffing standard. [MIMESNIFF]

2.5.3 Extracting character encodings from meta elements

The algorithm for extracting a character encoding from a meta element, given a string s, is as follows. It either returns a character encoding or nothing.

  1. Let position be a pointer into s, initially pointing at the start of the string.

  2. Loop: Find the first seven characters in s after position that are an ASCII case-insensitive match for the word "charset". If no such match is found, return nothing and abort these steps.

  3. Skip any ASCII whitespace that immediately follows the word "charset" (there might not be any).

  4. If the next character is not a U+003D EQUALS SIGN (=), then move position to point just before that next character, and jump back to the step labeled loop.

  5. Skip any ASCII whitespace that immediately follows the equals sign (there might not be any).

  6. Process the next character as follows:

    If it is a U+0022 QUOTATION MARK character (") and there is a later U+0022 QUOTATION MARK character (") in s
    If it is a U+0027 APOSTROPHE character (') and there is a later U+0027 APOSTROPHE character (') in s
        Return the result of getting an encoding from the substring that is between this character and the next earliest occurrence of this character.
    If it is an unmatched U+0022 QUOTATION MARK character (")
    If it is an unmatched U+0027 APOSTROPHE character (')
    If there is no next character
        Return nothing.
    Otherwise
        Return the result of getting an encoding from the substring that consists of this character up to but not including the first ASCII whitespace or U+003B SEMICOLON character (;), or the end of s, whichever comes first.

This algorithm is distinct from those in the HTTP specification (for example, HTTP doesn't allow the use of single quotes and requires supporting a backslash-escape mechanism that is not supported by this algorithm). While the algorithm is used in contexts that, historically, were related to HTTP, the syntax as supported by implementations diverged some time ago. [HTTP]
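The extraction steps above as a runnable function (an added example, not code from the specification). It returns the raw label substring and leaves out the "getting an encoding" lookup; `extractCharsetLabel` and the sample strings are constructed here.

```javascript
// ASCII whitespace: TAB, LF, FF, CR, SPACE.
const isAsciiWhitespace = (ch) => ch !== undefined && "\t\n\f\r ".includes(ch);

function extractCharsetLabel(s) {
  // ASCII-only lowercasing keeps indices aligned with s (length-preserving).
  const lower = s.replace(/[A-Z]/g, (c) => c.toLowerCase());
  let position = 0;                                   // step 1
  for (;;) {
    const found = lower.indexOf("charset", position); // step 2
    if (found === -1) return null;
    let i = found + "charset".length;
    while (isAsciiWhitespace(s[i])) i++;              // step 3
    if (s[i] !== "=") { position = i; continue; }     // step 4: back to loop
    i++;
    while (isAsciiWhitespace(s[i])) i++;              // step 5
    const ch = s[i];                                  // step 6
    if (ch === undefined) return null;                // no next character
    if (ch === '"' || ch === "'") {
      const close = s.indexOf(ch, i + 1);
      // Unmatched quote: nothing. Backslash is NOT an escape here.
      return close === -1 ? null : s.slice(i + 1, close);
    }
    let end = i;
    while (end < s.length && !isAsciiWhitespace(s[end]) && s[end] !== ";") end++;
    return s.slice(i, end);
  }
}

// Constructed inputs covering each branch of step 6 and the loop in step 4.
const samples = [
  "text/html; charset=utf-8",
  "text/html; CHARSET = 'Shift_JIS' ; x=1",  // single quotes are accepted
  'text/html; charset="utf-8',               // unmatched quote
  "charset charset=koi8-r;q=1",              // first "charset" has no "="
  'charset="a\\"b"',                         // backslash does not escape
  "text/html",
];

function runSamples() {
  return samples.map((s) => [s, extractCharsetLabel(s)]);
}

for (const [input, label] of runSamples()) console.log(JSON.stringify(input), "->", label);
```

A component that parses the same string with HTTP quoting rules can arrive at a different label for the single-quote and backslash inputs, so validation and decoding should share one parser.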

2.5.4 CORS settings attributes

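A CORS settings attribute is an enumerated attribute. The following table lists the keywords and states for the attribute. The keywords in the first column map to the states in the cell in the second column on the same row as the keyword.

Keyword | State | Brief description
anonymous | Anonymous | Requests for the element will have their mode set to "cors" and their credentials mode set to "same-origin".
use-credentials | Use Credentials | Requests for the element will have their mode set to "cors" and their credentials mode set to "include".

The empty string is also a valid keyword, and maps to the Anonymous state. The attribute's invalid value default is the Anonymous state. For the purposes of reflection, the canonical case for the Anonymous state is the anonymous keyword. The missing value default, used when the attribute is omitted, is the No CORS state.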
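The keyword-to-state mapping above and the potential-CORS request steps from 2.5.1, combined in an added example (not code from the specification). The function names, the `null`-for-omitted convention, the plain request object and the sample URL are constructed here; keywords are matched ASCII case-insensitively, as for any enumerated attribute.

```javascript
// ASCII-only lowercasing, so non-ASCII look-alikes never match a keyword.
const asciiLower = (s) => s.replace(/[A-Z]/g, (c) => c.toLowerCase());

// value === null models an omitted attribute (missing value default).
function corsAttributeState(value) {
  if (value === null) return "No CORS";
  if (asciiLower(value) === "use-credentials") return "Use Credentials";
  // "anonymous", the empty string and every invalid value end up here.
  return "Anonymous";
}

function createPotentialCorsRequest(url, destination, state, sameOriginFallback = false) {
  let mode = state === "No CORS" ? "no-cors" : "cors";                // step 1
  if (sameOriginFallback && mode === "no-cors") mode = "same-origin"; // step 2
  let credentialsMode = "include";                                    // step 3
  if (state === "Anonymous") credentialsMode = "same-origin";         // step 4
  // Step 5: the request, modelled as a plain object.
  return { url, destination, mode, credentialsMode, useURLCredentials: true };
}

// Constructed attribute values as they might appear in markup.
function summarize(values, url = "https://cdn.example/lib.js") {
  return values.map((value) => {
    const state = corsAttributeState(value);
    const { mode, credentialsMode } = createPotentialCorsRequest(url, "script", state);
    return { attribute: value, state, mode, credentialsMode };
  });
}

console.table(summarize([null, "", "anonymous", "USE-CREDENTIALS", "use-credential"]));
```

The last row is the case to check during review: a misspelled keyword is not ignored, it selects the Anonymous state, so the request is made in "cors" mode with credentials limited to same-origin, whereas omitting the attribute gives "no-cors" with "include".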

2.5.5 Referrer policy attributes

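A referrer policy attribute is an enumerated attribute. Each referrer policy, including the empty string, is a keyword for this attribute, mapping to a state of the same name.

The attribute's invalid value default and missing value default are both the empty string state.

The impact of these states on the processing model of various fetches is defined in more detail throughout this specification, in the WHATWG Fetch standard, and in Referrer Policy. [FETCH] [REFERRERPOLICY]

Several signals can contribute to which processing model is used for a given fetch; a referrer policy attribute is only one of them. In general, the order in which these signals are processed is:

  1. First, the presence of a noreferrer link type;

  2. Then, the value of a referrer policy attribute;

  3. Then, the presence of any meta element with name set to referrer;

  4. Finally, the `Referrer-Policy` HTTP header.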