Remove the section on document.domain

We'd still like to get rid of document.domain, but rather than conflating that and secure contexts, that work has been split out into: whatwg/html#829 See also the discussion at: w3c#10
jwatt · Mar 10, 2016 · 40985fc · 40985fc
1 parent f7deb01
commit 40985fc
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 24 deletions.
diff --git a/index.html b/index.html
@@ -1363,7 +1363,7 @@
   <div class="head">
    <p data-fill-with="logo"><a class="logo" href="http://www.w3.org/"> <img alt="W3C" height="48" src="https://www.w3.org/Icons/w3c_home" width="72"> </a> </p>
    <h1 class="p-name no-ref" id="title">Secure Contexts</h1>
-   <h2 class="no-num no-toc no-ref heading settled" id="subtitle"><span class="content">Editor’s Draft, <time class="dt-updated" datetime="2016-03-03">3 March 2016</time></span></h2>
+   <h2 class="no-num no-toc no-ref heading settled" id="subtitle"><span class="content">Editor’s Draft, <time class="dt-updated" datetime="2016-03-10">10 March 2016</time></span></h2>
    <div data-fill-with="spec-metadata">
     <dl>
      <dt>This version:
@@ -1945,12 +1945,6 @@ <h3 class="heading settled" data-level="3.1" id="settings-object"><span class="s
   status, a popups' status depend on how it is opened, as discussed
   in <a href="#examples-top-level">§1.1 Top-level Documents</a>.</p>
       </ol>
-     <li data-md="">
-      <p>The user agent MAY return "<code>Not Secure</code>" if <var>settings object</var>’s <a data-link-type="dfn" href="http://www.w3.org/TR/html5/browsers.html#effective-script-origin">effective script origin</a> is <em>not</em> an <a data-link-type="dfn" href="http://www.w3.org/TR/html5/browsers.html#concept-origin-alias">alias</a> to its <a data-link-type="dfn" href="http://www.w3.org/TR/html5/browsers.html#origin">origin</a>.</p>
-      <p class="note" role="note">Note: This allows user agents the option of treating documents as
-  non-secure contexts if they relax same-origin restrictions via <code>{{document.domain}}</code>. This feature’s usage is widespread enough to
-  make it difficult for this behavior to be a requirement, but user
-  agents are encouraged to migrate to this behavior over time.</p>
      <li data-md="">
       <p>If <var>settings object</var>’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#https-state">HTTPS state</a> is "<code>modern</code>", return
   "<code>Secure</code>".</p>
@@ -2312,12 +2306,10 @@ <h3 class="no-num no-ref heading settled" id="index-defined-elsewhere"><span cla
    <li>
     <a data-link-type="biblio" href="#biblio-html5">[html5]</a> defines the following terms:
     <ul>
-     <li><a href="http://www.w3.org/TR/html5/browsers.html#concept-origin-alias">alias</a>
      <li><a href="http://www.w3.org/TR/html5/browsers.html#ancestor-browsing-context">ancestor browsing context</a>
      <li><a href="http://www.w3.org/TR/html5/browsers.html#auxiliary-browsing-context">auxiliary browsing context</a>
      <li><a href="http://www.w3.org/TR/html5/browsers.html#browsing-context">browsing context</a>
      <li><a href="http://www.w3.org/TR/html5/browsers.html#creator-document">creator document</a>
-     <li><a href="http://www.w3.org/TR/html5/browsers.html#effective-script-origin">effective script origin</a>
      <li><a href="http://www.w3.org/TR/html5/webappapis.html#global-object">global object</a>
      <li><a href="http://www.w3.org/TR/html5/webappapis.html#incumbent-settings-object">incumbent settings object</a>
      <li><a href="http://www.w3.org/TR/html5/browsers.html#origin">opaque identifier</a>

diff --git a/index.src.html b/index.src.html
@@ -697,17 +697,7 @@ <h3 id="settings-object">
           status, a popups' status depend on how it is opened, as discussed
           in [[#examples-top-level]].
 
-  3.  The user agent MAY return "`Not Secure`" if |settings object|'s
-      <a>effective script origin</a> is <em>not</em> an <a>alias</a> to its
-      <a>origin</a>.
-
-      Note: This allows user agents the option of treating documents as
-      non-secure contexts if they relax same-origin restrictions via
-      `{{document.domain}}`. This feature's usage is widespread enough to
-      make it difficult for this behavior to be a requirement, but user
-      agents are encouraged to migrate to this behavior over time.
-
-  4.  If |settings object|'s <a>HTTPS state</a> is "`modern`", return
+  3.  If |settings object|'s <a>HTTPS state</a> is "`modern`", return
       "`Secure`".
 
       <div class="note">
@@ -723,9 +713,9 @@ <h3 id="settings-object">
         `http://127.0.0.1/`.
       </div>
 
-  5.  Let |origin| be |settings object|'s <a>origin</a>.
+  4.  Let |origin| be |settings object|'s <a>origin</a>.
 
-  6.  If |origin| is an <a>opaque identifier</a>, set |origin| to the
+  5.  If |origin| is an <a>opaque identifier</a>, set |origin| to the
       <a lt="origin of a url">origin</a> of |settings object|'s <a>creation
       URL</a>.
 
@@ -734,11 +724,11 @@ <h3 id="settings-object">
       context's capabilities, and therefore to the risk it poses). This
       covers scenarios such as `<iframe sandbox src="http://localhost/">`.
 
-  7.  If the result of executing the [[#is-origin-trustworthy]] algorithm
+  6.  If the result of executing the [[#is-origin-trustworthy]] algorithm
       on |origin| is <strong>not</strong> `Potentially
       Trustworthy`, then return "`Not Secure`".
 
-  8.  Return "`Secure`".
+  7.  Return "`Secure`".
 
   <h3 id="is-origin-trustworthy">
     Is <var>origin</var> potentially trustworthy?