A string is a valid non-empty URL if it is a valid URL string but it is not the empty string.
A string is a valid URL potentially surrounded by spaces if, after stripping leading and trailing ASCII whitespace from it, it is a valid URL string.
A string is a valid non-empty URL potentially surrounded by spaces if, after stripping leading and trailing ASCII whitespace from it, it is a valid non-empty URL.
This specification defines the URL about:legacy-compat as a reserved,
though unresolvable, about: URL, for use in DOCTYPEs in HTML documents when needed for
compatibility with XML tools. [ABOUT]
This specification defines the URL about:html-kind as a reserved,
though unresolvable, about: URL, that is used as an
identifier for kinds of media tracks. [ABOUT]
This specification defines the URL about:srcdoc as a reserved, though
unresolvable, about: URL, that is used as the URL of iframe srcdoc documents.
[ABOUT]
The fallback base URL of a Document object document is the
URL record obtained by running these steps:
If document is an iframe srcdoc document, then return the document base
URL of document's browsing context's
browsing context container's node document.
If document's URL is
about:blank, and document's browsing
context's creator base URL is non-null, then return that creator base
URL.
Return document's URL.
The document base URL of a Document object is the
absolute URL obtained by running these steps:
If there is no base element that has an href attribute in the Document, then return the
Document's fallback base URL.
Otherwise, return the frozen base URL of the first base element
in the Document that has an href attribute, in
tree order.
A CORS settings attribute is an enumerated attribute. The following table lists the keywords and states for the attribute — the keywords in the left column map to the states in the cell in the second column on the same row as the keyword.
| Keyword | State | Brief description |
|---|---|---|
anonymous
| Anonymous | Requests for the element will have their mode set to "cors" and their credentials mode set to "same-origin".
|
use-credentials
| Use Credentials | Requests for the element will have their mode set to "cors" and their credentials mode set to "include".
|
The empty string is also a valid keyword, and maps to the Anonymous state. The attribute's invalid value default is the Anonymous state. For the
purposes of reflection, the canonical case for the Anonymous state is the anonymous keyword. The missing value default, used when the attribute is omitted, is the No
CORS state.
The majority of fetches governed by CORS settings attributes will be done via the create a potential-CORS request algorithm.
For module scripts, certain CORS settings attributes have been repurposed to have a slightly different
meaning, wherein they only impact the request's credentials mode (since the mode is always "cors"). To perform
this translation, we define the module script credentials mode for a given CORS
settings attribute to be determined by switching on the attribute's state:
same-origin"include"A referrer policy attribute is an enumerated attribute. Each referrer policy, including the empty string, is a keyword for this attribute, mapping to a state of the same name.
The attribute's invalid value default and missing value default are both the empty string state.
The impact of these states on the processing model of various fetches is defined in more detail throughout this specification, in the WHATWG Fetch standard, and in Referrer Policy. [FETCH] [REFERRERPOLICY]
Several signals can contribute to which processing model is used for a given fetch; a referrer policy attribute is only one of them. In general, the order in which these signals are processed are:
First, the presence of a noreferrer link
type;
Then, the value of a referrer policy attribute;
Then, the presence of any meta element with name attribute set to referrer.
Finally, the `Referrer-Policy` HTTP
header.
A nonce content attribute represents a cryptographic nonce ("number used once") which can be used by Content Security Policy to determine whether or not a given fetch will be allowed to proceed. The value is text. [CSP]
Elements that have a nonce content attribute ensure that the
crytographic nonce is only exposed to script (and not to side-channels like CSS attribute
selectors) by extracting the value from the content attribute, moving it into an internal slot
named [[CryptographicNonce]], and exposing it to script via the
HTMLOrSVGElement interface mixin. Unless otherwise specified, the slot's value
is the empty string.
nonceReturns the value of the element's [[CryptographicNonce]] internal slot.
Can be set, to update that slot's value.
The nonce IDL
attribute must, on getting, return the value of this element's
[[CryptographicNonce]]; and on setting, set this element's
[[CryptographicNonce]] to the given value.
Note how the setter for the nonce IDL attribute does not update the corresponding
content attribute. This, as well as the below setting of the nonce content attribute to the empty string when an element
becomes browsing-context connected, is meant to prevent exfiltration of the nonce
value through mechanisms that can easily read content attributes, such as selectors. Learn more in
issue #2369, where this behavior was
introduced.
Whenever an element including HTMLOrSVGElement has its nonce attribute is set or changed, set this element's
[[CryptographicNonce]] to the given value.
Whenever an element including HTMLOrSVGElement becomes browsing-context
connected, the user agent must execute the following steps on the element:
Let CSP list be element's shadow-including root's CSP list.
If CSP list contains a header-delivered Content Security Policy, and
element has a nonce content attribute
attr whose value is not the empty string, then:
Set an attribute value for
element using "nonce" and the empty
string.
As each Document's CSP
list is append-only, user agents can optimize away the contains a header-delivered
Content Security Policy check by, for example, holding a flag on the Document,
set during Document
initialization.
The cloning steps for elements that include
HTMLOrSVGElement must set the [[CryptographicNonce]] slot on the copy
to the value of the slot on the element being cloned.