1. 2.5 URLs
      1. 2.5.1 Terminology
      2. 2.5.2 CORS settings attributes
      3. 2.5.3 Referrer policy attributes
      4. 2.5.4 Nonce attributes
      5. 2.5.5 Lazy loading attributes

2.5 URLs

2.5.1 Terminology

A string is a valid non-empty URL if it is a valid URL string but it is not the empty string.

A string is a valid URL potentially surrounded by spaces if, after stripping leading and trailing ASCII whitespace from it, it is a valid URL string.

A string is a valid non-empty URL potentially surrounded by spaces if, after stripping leading and trailing ASCII whitespace from it, it is a valid non-empty URL.

This specification defines the URL about:legacy-compat as a reserved, though unresolvable, about: URL, for use in DOCTYPEs in HTML documents when needed for compatibility with XML tools. [ABOUT]

This specification defines the URL about:html-kind as a reserved, though unresolvable, about: URL, that is used as an identifier for kinds of media tracks. [ABOUT]

This specification defines the URL about:srcdoc as a reserved, though unresolvable, about: URL, that is used as the URL of iframe srcdoc documents. [ABOUT]

The fallback base URL of a Document object document is the URL record obtained by running these steps:

  1. If document is an iframe srcdoc document, then return the document base URL of document's browsing context's container document.

  2. If document's URL is about:blank, and document's browsing context's creator base URL is non-null, then return that creator base URL.

  3. Return document's URL.

The document base URL of a Document object is the absolute URL obtained by running these steps:

  1. If there is no base element that has an href attribute in the Document, then return the Document's fallback base URL.

  2. Otherwise, return the frozen base URL of the first base element in the Document that has an href attribute, in tree order.

2.5.2 CORS settings attributes

A CORS settings attribute is an enumerated attribute. The following table lists the keywords and states for the attribute — the states given in the first cell of the rows with keywords give the states to which those keywords map.

State Keywords Brief description
Anonymous anonymous Requests for the element will have their mode set to "cors" and their credentials mode set to "same-origin".
(the empty string)
Use Credentials use-credentials Requests for the element will have their mode set to "cors" and their credentials mode set to "include".

The attribute's invalid value default is the Anonymous state, and its missing value default is the No CORS state. For the purposes of reflection, the canonical keyword for the Anonymous state is the anonymous keyword.

The majority of fetches governed by CORS settings attributes will be done via the create a potential-CORS request algorithm.

For module scripts, certain CORS settings attributes have been repurposed to have a slightly different meaning, wherein they only impact the request's credentials mode (since the mode is always "cors"). To perform this translation, we define the module script credentials mode for a given CORS settings attribute to be determined by switching on the attribute's state:

No CORS
Anonymous
"same-origin"
Use Credentials
"include"

2.5.3 Referrer policy attributes

A referrer policy attribute is an enumerated attribute. Each referrer policy, including the empty string, is a keyword for this attribute, mapping to a state of the same name.

The attribute's invalid value default and missing value default are both the empty string state.

The impact of these states on the processing model of various fetches is defined in more detail throughout this specification, in Fetch, and in Referrer Policy. [FETCH] [REFERRERPOLICY]

Several signals can contribute to which processing model is used for a given fetch; a referrer policy attribute is only one of them. In general, the order in which these signals are processed are:

  1. First, the presence of a noreferrer link type;

  2. Then, the value of a referrer policy attribute;

  3. Then, the presence of any meta element with name attribute set to referrer.

  4. Finally, the `Referrer-Policy` HTTP header.

2.5.4 Nonce attributes

A nonce content attribute represents a cryptographic nonce ("number used once") which can be used by Content Security Policy to determine whether or not a given fetch will be allowed to proceed. The value is text. [CSP]

Elements that have a nonce content attribute ensure that the crytographic nonce is only exposed to script (and not to side-channels like CSS attribute selectors) by taking the value from the content attribute, moving it into an internal slot named [[CryptographicNonce]], exposing it to script via the HTMLOrSVGElement interface mixin, and setting the content attribute to the empty string. Unless otherwise specified, the slot's value is the empty string.

element . nonce

Returns the value of the element's [[CryptographicNonce]] internal slot.

Can be set, to update that slot's value.

The nonce IDL attribute must, on getting, return the value of this element's [[CryptographicNonce]]; and on setting, set this element's [[CryptographicNonce]] to the given value.

Note how the setter for the nonce IDL attribute does not update the corresponding content attribute. This, as well as the below setting of the nonce content attribute to the empty string when an element becomes browsing-context connected, is meant to prevent exfiltration of the nonce value through mechanisms that can easily read content attributes, such as selectors. Learn more in issue #2369, where this behavior was introduced.

The following attribute change steps are used for the nonce content attribute:

  1. If element does not include HTMLOrSVGElement, then return.

  2. If localName is not nonce or namespace is not null, then return.

  3. If value is null, then set element's [[CryptographicNonce]] to the empty string.

  4. Otherwise, set element's [[CryptographicNonce]] to value.

Whenever an element including HTMLOrSVGElement becomes browsing-context connected, the user agent must execute the following steps on the element:

  1. Let CSP list be element's shadow-including root's CSP list.

  2. If CSP list contains a header-delivered Content Security Policy, and element has a nonce content attribute attr whose value is not the empty string, then:

    1. Let nonce be element's [[CryptographicNonce]].

    2. Set an attribute value for element using "nonce" and the empty string.

    3. Set element's [[CryptographicNonce]] to nonce.

    If element's [[CryptographicNonce]] were not restored it would be the empty string at this point.

As each Document's CSP list is append-only, user agents can optimize away the contains a header-delivered Content Security Policy check by, for example, holding a flag on the Document, set during Document creation and initialization.

The cloning steps for elements that include HTMLOrSVGElement must set the [[CryptographicNonce]] slot on the copy to the value of the slot on the element being cloned.

2.5.5 Lazy loading attributes

Support: loading-lazy-attrChrome for Android 81+Chrome 76+iOS Safari NoneSafari NoneFirefox 75+Samsung Internet NoneEdge 79+UC Browser for Android NoneIE NoneOpera 64+Opera Mini NoneFirefox for Android None

Source: caniuse.com

A lazy loading attribute is an enumerated attribute. The following table lists the keywords and states for the attribute — the keywords in the left column map to the states in the cell in the second column on the same row as the keyword.

The attribute directs the user agent to fetch a resource immediately or to defer fetching until some conditions associated with the element are met, according to the attribute's current state.

Keyword State Description
lazy Lazy Used to defer fetching a resource until some conditions are met.
eager Eager Used to fetch a resource immediately; the default state.

The attribute's missing value default and invalid value default are both the Eager state.


The will lazy load element steps, given an element element, are as follows:

  1. If scripting is disabled for element, then return false.

    This is an anti-tracking measure, because if a user agent supported lazy loading when scripting is disabled, it would still be possible for a site to track a user's approximate scroll position throughout a session, by strategically placing images in a page's markup such that a server can track how many images are requested and when.

  2. If element's lazy loading attribute is in the Lazy state, then return true.

  3. Return false.

Each img element has associated lazy load resumption steps, initially null.

For img elements that will lazy load, this can be set to true in the lazy load intersection observer's callback, which causes the image to load by continuing the update the image data steps.

Each Document has a lazy load intersection observer, initially set to null but can be set to an IntersectionObserver instance.

To start intersection-observing a lazy loading element element, run these steps:

  1. Let doc be element's node document.

  2. If doc's lazy load intersection observer is null, set it to a new IntersectionObserver instance, initialized as follows:

    The intention is to use the original value of the IntersectionObserver constructor. However, we're forced to use the JavaScript-exposed constructor in this specification, until Intersection Observer exposes low-level hooks for use in specifications. See bug w3c/IntersectionObserver#427 which tracks this. [INTERSECTIONOBSERVER]

  3. Call doc's lazy load intersection observer's observe method with element as the argument.

    The intention is to use the original value of the observe method. See w3c/IntersectionObserver#427. [INTERSECTIONOBSERVER]

To stop intersection-observing a lazy loading element element, run these steps:

  1. Let doc be element's node document.

  2. Assert: doc's lazy load intersection observer is not null.

  3. Call doc's lazy load intersection observer unobserve method with element as the argument.

    The intention is to use the original value of the unobserve method. See w3c/IntersectionObserver#427. [INTERSECTIONOBSERVER]