HTML: The Living Standard
Edition for Web Developers — Last Updated 27 January 2023
Edition for Web Developers — Last Updated 27 January 2023
A string is a valid non-empty URL if it is a valid URL string but it is not the empty string.
A string is a valid URL potentially surrounded by spaces if, after stripping leading and trailing ASCII whitespace from it, it is a valid URL string.
A string is a valid non-empty URL potentially surrounded by spaces if, after stripping leading and trailing ASCII whitespace from it, it is a valid non-empty URL.
This specification defines the URL about:legacy-compat as a reserved,
though unresolvable, about: URL, for use in DOCTYPEs in HTML documents when needed for
compatibility with XML tools. [ABOUT]
This specification defines the URL about:html-kind as a reserved,
though unresolvable, about: URL, that is used as an
identifier for kinds of media tracks. [ABOUT]
This specification defines the URL about:srcdoc as a reserved, though
unresolvable, about: URL, that is used as the URL of iframe srcdoc documents.
[ABOUT]
The fallback base URL of a Document object document is the
URL record obtained by running these steps:
If document is an iframe srcdoc document, then return document's
container document's document base
URL.
If document's URL is
about:blank, and document's browsing
context's creator base URL is non-null, then return that creator base
URL.
Return document's URL.
The document base URL of a Document object is the
URL record obtained by running these steps:
If there is no base element that has an href attribute in the Document, then return the
Document's fallback base URL.
Otherwise, return the frozen base URL of the first base element
in the Document that has an href attribute, in
tree order.
A URL matches about:blank if its scheme is "about", its path contains a single string "blank", its
username and password are the empty string, and its host is null.
Such a URL's query and fragment can be non-null. For example, the URL
record created by parsing "about:blank?foo#bar" matches about:blank.
Support in all current engines.
A CORS settings attribute is an enumerated attribute. The following table lists the keywords and states for the attribute — the states given in the first cell of the rows with keywords give the states to which those keywords map.
| State | Keywords | Brief description |
|---|---|---|
| Anonymous | anonymous
| Requests for the element will have their
mode set to "cors" and their
credentials mode set to "same-origin".
|
| (the empty string) | ||
| Use Credentials | use-credentials
| Requests for the element will have their mode set to "cors" and their credentials mode set to "include".
|
The attribute's invalid value default is the Anonymous state, and its missing value default is the No CORS state.
For the purposes of reflection, the canonical keyword
for the Anonymous state is the anonymous keyword.
The majority of fetches governed by CORS settings attributes will be done via the create a potential-CORS request algorithm.
For more modern features, where the request's mode is always "cors", certain CORS settings attributes have been repurposed to have a
slightly different meaning, wherein they only impact the request's credentials mode. To perform this translation, we
define the CORS settings attribute credentials mode for a given CORS settings
attribute to be determined by switching on the attribute's state:
same-origin"include"A referrer policy attribute is an enumerated attribute. Each referrer policy, including the empty string, is a keyword for this attribute, mapping to a state of the same name.
The attribute's invalid value default and missing value default are both the empty string state.
The impact of these states on the processing model of various fetches is defined in more detail throughout this specification, in Fetch, and in Referrer Policy. [FETCH] [REFERRERPOLICY]
Several signals can contribute to which processing model is used for a given fetch; a referrer policy attribute is only one of them. In general, the order in which these signals are processed are:
First, the presence of a noreferrer link
type;
Then, the value of a referrer policy attribute;
Then, the presence of any meta element with name attribute set to referrer.
Finally, the `Referrer-Policy` HTTP
header.
Support in all current engines.
A nonce content
attribute represents a cryptographic nonce ("number used once") which can be used by Content
Security Policy to determine whether or not a given fetch will be allowed to proceed. The
value is text. [CSP]
Elements that have a nonce content attribute ensure that the
cryptographic nonce is only exposed to script (and not to side-channels like CSS attribute
selectors) by taking the value from the content attribute, moving it into an internal slot
named [[CryptographicNonce]], exposing it to script
via the HTMLOrSVGElement interface mixin, and setting the content attribute to the
empty string. Unless otherwise specified, the slot's value is the empty string.
element.nonceReturns the value set for element's cryptographic nonce. If the setter was not
used, this will be the value originally found in the nonce
content attribute.
element.nonce = valueUpdates element's cryptographic nonce value.
The nonce IDL attribute must, on getting, return the
value of this element's [[CryptographicNonce]]; and on setting, set this element's
[[CryptographicNonce]] to the given value.
Note how the setter for the nonce IDL attribute does not update the corresponding
content attribute. This, as well as the below setting of the nonce content attribute to the empty string when an element
becomes browsing-context connected, is meant to prevent exfiltration of the nonce
value through mechanisms that can easily read content attributes, such as selectors. Learn more in
issue #2369, where this behavior was
introduced.
The following attribute change
steps are used for the nonce content attribute:
If element does not include HTMLOrSVGElement, then
return.
If localName is not nonce or
namespace is not null, then return.
If value is null, then set element's [[CryptographicNonce]] to the empty string.
Otherwise, set element's [[CryptographicNonce]] to value.
Whenever an element including HTMLOrSVGElement
becomes browsing-context connected, the user agent must execute the following steps
on the element:
Let CSP list be element's shadow-including root's policy container's CSP list.
If CSP list contains a header-delivered Content Security Policy, and
element has a nonce content attribute
attr whose value is not the empty string, then:
Let nonce be element's [[CryptographicNonce]].
Set an attribute value for
element using "nonce" and the empty
string.
Set element's [[CryptographicNonce]] to nonce.
If element's [[CryptographicNonce]] were not restored it would be the empty string at this point.
The cloning steps for elements that
include HTMLOrSVGElement must set the
[[CryptographicNonce]] slot on the copy to the value of the slot on the element being
cloned.
Support in all current engines.
A lazy loading attribute is an enumerated attribute. The following table lists the keywords and states for the attribute — the keywords in the left column map to the states in the cell in the second column on the same row as the keyword.
The attribute directs the user agent to fetch a resource immediately or to defer fetching until some conditions associated with the element are met, according to the attribute's current state.
| Keyword | State | Description |
|---|---|---|
lazy
| Lazy | Used to defer fetching a resource until some conditions are met. |
eager
| Eager | Used to fetch a resource immediately; the default state. |
The attribute's missing value default and invalid value default are both the Eager state.
The will lazy load element steps, given an element element, are as follows:
If scripting is disabled for element, then return false.
This is an anti-tracking measure, because if a user agent supported lazy loading when scripting is disabled, it would still be possible for a site to track a user's approximate scroll position throughout a session, by strategically placing images in a page's markup such that a server can track how many images are requested and when.
If element's lazy loading attribute is in the Lazy state, then return true.
Return false.
Each img and iframe element has associated lazy load resumption
steps, initially null.
For img and iframe elements that will lazy load, these steps are run from the lazy load
intersection observer's callback or when their lazy loading attribute is set
to the Eager state. This causes the element to
continue loading.
Each Document has a lazy load intersection observer, initially set to
null but can be set to an IntersectionObserver instance.
To start intersection-observing a lazy loading element element, run these steps:
Let doc be element's node document.
If doc's lazy load intersection observer is null, set it to a new
IntersectionObserver instance, initialized as follows:
The intention is to use the original value of the
IntersectionObserver constructor. However, we're forced to use the
JavaScript-exposed constructor in this specification, until Intersection Observer
exposes low-level hooks for use in specifications. See bug w3c/IntersectionObserver#464
which tracks this. [INTERSECTIONOBSERVER]
The callback is these steps, with arguments entries and observer:
For each entry in entries using a method of iteration which does not trigger developer-modifiable array accessors or iteration hooks:
Let resumptionSteps be null.
If entry.isIntersecting is true, then
set resumptionSteps to entry.target's
lazy load resumption steps.
If resumptionSteps is null, then return.
Stop intersection-observing a lazy loading element for
entry.target.
Set entry.target's lazy load resumption
steps to null.
Invoke resumptionSteps.
The intention is to use the original value of the
isIntersecting and
target getters. See w3c/IntersectionObserver#464.
[INTERSECTIONOBSERVER]
The options is an IntersectionObserverInit dictionary with the
following dictionary members: «[ "rootMargin" → lazy load root
margin ]»
This allows for fetching the image during scrolling, when it does not yet — but is about to — intersect the viewport.
The lazy load root margin suggestions imply dynamic changes to the
value, but the IntersectionObserver API does not support changing the root
margin. See issue w3c/IntersectionObserver#428.
Call doc's lazy load intersection observer's observe method with element as the
argument.
The intention is to use the original value of the observe method. See w3c/IntersectionObserver#464.
[INTERSECTIONOBSERVER]
To stop intersection-observing a lazy loading element element, run these steps:
Let doc be element's node document.
Assert: doc's lazy load intersection observer is not null.
Call doc's lazy load intersection observer unobserve method with element as
the argument.
The intention is to use the original value of the unobserve method. See w3c/IntersectionObserver#464.
[INTERSECTIONOBSERVER]
The lazy load root margin is an implementation-defined value, but with the following suggestions to consider:
Set a minimum value that most often results in the resources being loaded before they intersect the viewport under normal usage patterns for the given device.
The typical scrolling speed: increase the value for devices with faster typical scrolling speeds.
The current scrolling speed or momentum: the UA can attempt to predict where the scrolling will likely stop, and adjust the value accordingly.
The network quality: increase the value for slow or high-latency connections.
User preferences can influence the value.
It is important for privacy that the lazy load root margin not leak additional information. For example, the typical scrolling speed on the current device could be imprecise so as to not introduce a new fingerprinting vector.
A blocking attribute explicitly indicates that certain operations should be blocked on the fetching of an external resource. The operations that can be blocked are represented by possible blocking tokens, which are strings listed by the following table:
| Possible blocking token | Description |
|---|---|
"render"
| The element is potentially render-blocking. |
In the future, there might be more possible blocking tokens.
A blocking attribute must have a value that is an unordered set of unique space-separated tokens, each of which are possible blocking tokens. The supported tokens of a blocking attribute are the possible blocking tokens. Any element can have at most one blocking attribute.
The blocking tokens set for an element el are the result of the following steps:
Let value be the value of el's blocking attribute, or the empty string if no such attribute exists.
Set value to value, converted to ASCII lowercase.
Let rawTokens be the result of splitting value on ASCII whitespace.
Return a set containing the elements of rawTokens that are possible blocking tokens.
An element is potentially render-blocking if its blocking tokens set
contains "render", or if it is
implicitly potentially render-blocking, which will be defined at the individual
elements. By default, an element is not implicitly potentially render-blocking.