Merge remote-tracking branch 'upstream/master' into sri-fail-on-no-cors

Author: joelweinberger

specs/clear-site-data/index.html

@@ -71,7 +71,7 @@
    <h1 class="p-name no-ref" id="title">Clear Site Data</h1>
 
    <h2 class="no-num no-toc no-ref heading settled" id="subtitle"><span class="content">Editor’s Draft,
-    <time class="dt-updated" datetime="2015-07-20">20 July 2015</time></span></h2>
+    <time class="dt-updated" datetime="2015-07-27">27 July 2015</time></span></h2>
 
    <div data-fill-with="spec-metadata">
     <dl>
@@ -326,7 +326,7 @@ <h4 class="heading settled" data-level="1.1.1" id="example-signout"><span class=
     <h4 class="heading settled" data-level="1.1.2" id="example-targeted"><span class="secno">1.1.2. </span><span class="content">Targeted Clearing</span><a class="self-link" href="#example-targeted"></a></h4>
 
 
-    <p>A user signs out of Megacorp Inc.'s site via a CSRD-protected POST to
+    <p>A user signs out of Megacorp Inc.'s site via a CSRF-protected POST to
   <code>https://megacorp.example.com/logout</code>. Megacorp has a large number
   of services available as subdomains, so many that it’s not entirely clear
   which of them would be safe to clear as a response to a logout action. One
@@ -1593,33 +1593,33 @@ <h3 class="no-ref no-num heading settled" id="conformance-classes"><span class="
   <h2 class="no-num heading settled" id="index"><span class="content">Index</span><a class="self-link" href="#index"></a></h2>
   <h3 class="no-num heading settled" id="index-defined-here"><span class="content">Terms defined by this specification</span><a class="self-link" href="#index-defined-here"></a></h3>
   <ul class="indexlist">
-   <li>cache, <a href="#cache">2.1</a>
-   <li>clear(options), <a href="#dom-storagemanager-clear">2.2</a>
-   <li>Clear-Site-Data, <a href="#clear_site_data">2.1</a>
-   <li>conformant server, <a href="#conformant-server">Unnumbered section</a>
-   <li>conformant user agent, <a href="#conformant-user-agent">Unnumbered section</a>
-   <li>cookies, <a href="#cookies">2.1</a>
-   <li>data-type-list, <a href="#data_type_list">2.1</a>
-   <li>Does Not
-  Match, <a href="#does-not-match">3.1.3</a>
-   <li>domStorage, <a href="#domstorage">2.1</a>
-   <li>Exclude Subdomains, <a href="#exclude-subdomains">3.1.2</a>
-   <li>executionContexts, <a href="#executioncontexts">2.1</a>
-   <li>extension, <a href="#extension">2.1</a>
-   <li>Include Subdomains, <a href="#include-subdomains">3.1.2</a>
+   <li><a href="#cache">cache</a><span>, in §2.1</span>
+   <li><a href="#dom-storagemanager-clear">clear(options)</a><span>, in §2.2</span>
+   <li><a href="#clear_site_data">Clear-Site-Data</a><span>, in §2.1</span>
+   <li><a href="#conformant-server">conformant server</a><span>, in §Unnumbered section</span>
+   <li><a href="#conformant-user-agent">conformant user agent</a><span>, in §Unnumbered section</span>
+   <li><a href="#cookies">cookies</a><span>, in §2.1</span>
+   <li><a href="#data_type_list">data-type-list</a><span>, in §2.1</span>
+   <li><a href="#does-not-match">Does Not
+  Match</a><span>, in §3.1.3</span>
+   <li><a href="#domstorage">domStorage</a><span>, in §2.1</span>
+   <li><a href="#exclude-subdomains">Exclude Subdomains</a><span>, in §3.1.2</span>
+   <li><a href="#executioncontexts">executionContexts</a><span>, in §2.1</span>
+   <li><a href="#extension">extension</a><span>, in §2.1</span>
+   <li><a href="#include-subdomains">Include Subdomains</a><span>, in §3.1.2</span>
    <li>includeSubdomains
     <ul>
-     <li>definition of, <a href="#includesubdomains">2.1</a>
-     <li>dict-member for StorageClearOptions, <a href="#dom-storageclearoptions-includesubdomains">2.2</a>
+     <li><a href="#includesubdomains">definition of</a><span>, in §2.1</span>
+     <li><a href="#dom-storageclearoptions-includesubdomains">dict-member for StorageClearOptions</a><span>, in §2.2</span>
     </ul>
-   <li>Matches, <a href="#matches">3.1.3</a>
-   <li>options, <a href="#dom-storagemanager-clear-options-options">2.2</a>
-   <li>StorageClearOptions, <a href="#dictdef-storageclearoptions">2.2</a>
-   <li>StorageClearType, <a href="#enumdef-storagecleartype">2.2</a>
-   <li>subdomain-extension, <a href="#subdomain_extension">2.1</a>
-   <li>type, <a href="#type">2.1</a>
-   <li>types, <a href="#dom-storageclearoptions-types">2.2</a>
-   <li>unknown-extension, <a href="#unknown_extension">2.1</a></ul>
+   <li><a href="#matches">Matches</a><span>, in §3.1.3</span>
+   <li><a href="#dom-storagemanager-clear-options-options">options</a><span>, in §2.2</span>
+   <li><a href="#dictdef-storageclearoptions">StorageClearOptions</a><span>, in §2.2</span>
+   <li><a href="#enumdef-storagecleartype">StorageClearType</a><span>, in §2.2</span>
+   <li><a href="#subdomain_extension">subdomain-extension</a><span>, in §2.1</span>
+   <li><a href="#type">type</a><span>, in §2.1</span>
+   <li><a href="#dom-storageclearoptions-types">types</a><span>, in §2.2</span>
+   <li><a href="#unknown_extension">unknown-extension</a><span>, in §2.1</span></ul>
   <h3 class="no-num heading settled" id="index-defined-elsewhere"><span class="content">Terms defined by reference</span><a class="self-link" href="#index-defined-elsewhere"></a></h3>
   <ul class="indexlist">
    <li><a data-link-type="biblio" href="#biblio-fetch">[FETCH]</a> defines the following terms:

specs/clear-site-data/index.src.html

@@ -198,7 +198,7 @@ <h4 id="example-signout">Signing Out</h4>
 
   <h4 id="example-targeted">Targeted Clearing</h4>
 
-  A user signs out of Megacorp Inc.'s site via a CSRD-protected POST to
+  A user signs out of Megacorp Inc.'s site via a CSRF-protected POST to
   <code>https://megacorp.example.com/logout</code>. Megacorp has a large number
   of services available as subdomains, so many that it's not entirely clear
   which of them would be safe to clear as a response to a logout action. One

specs/content-security-policy/index.src.html

@@ -3568,7 +3568,7 @@ <h3 id="example-policies">Sample Policy Definitions</h3>
     <h3 id="example-violation-report">Sample Violation Report</h3>
 
     This section contains an example violation report the user agent
-    might sent to a server when the protected resource violations a sample
+    might send to a server when the protected resource violates a sample
     policy.
 
     In the following example, the user agent rendered a representation

specs/subresourceintegrity/index.html

@@ -380,7 +380,7 @@ <h4 id="agility">Agility</h4>
 
       <p>In this case, the user agent will choose the strongest hash function in the
 list, and use that metadata to validate the response (as described below in
-the “<a href="#parse-metadata.x">parse metadata</a>” and “<a href="#get-the-strongest-metadata-from-set.x">get the strongest metadata from
+the “<a href="#parse-metadata">parse metadata</a>” and “<a href="#get-the-strongest-metadata-from-set">get the strongest metadata from
 set</a>” algorithms).</p>
 
       <p>When a hash function is determined to be insecure, user agents SHOULD deprecate
@@ -424,7 +424,7 @@ <h4 id="priority">Priority</h4>
     <h3 id="response-verification-algorithms">Response verification algorithms</h3>
 
     <section>
-      <h4 id="apply-varalgorithmvar-to-varresponsevar">Apply <var>algorithm</var> to <var>response</var></h4>
+      <h4 id="apply-algorithm-to-response">Apply <var>algorithm</var> to <var>response</var></h4>
 
       <ol>
         <li>Let <var>result</var> be the result of <a href="#apply-algorithm-to-response">applying <var>algorithm</var></a>
@@ -436,11 +436,10 @@ <h4 id="apply-varalgorithmvar-to-varresponsevar">Apply <var>algorithm</var> to <
 <var>result</var>.</li>
         <li>Return <var>encodedResult</var>.</li>
       </ol>
-
     </section>
     <!-- Algorithms::apply -->
     <section>
-      <h4 id="is-varresponsevar-eligible-for-integrity-validation">Is <var>response</var> eligible for integrity validation</h4>
+      <h4 id="is-response-eligible-for-integrity-validation">Is <var>response</var> eligible for integrity validation</h4>
 
       <p>In order to mitigate an attacker’s ability to read data cross-origin by
 brute-forcing values via integrity checks, responses are only eligible for such
@@ -481,7 +480,7 @@ <h4 id="is-varresponsevar-eligible-for-integrity-validation">Is <var>response</v
     </section>
     <!-- Algorithms::eligible -->
     <section>
-      <h4 id="parse-varmetadatavar">Parse <var>metadata</var>.</h4>
+      <h4 id="parse-metadata">Parse <var>metadata</var>.</h4>
 
       <p>This algorithm accepts a string, and returns either <code>no metadata</code>, or a set of
 valid hash expressions whose hash functions are understood by
@@ -508,7 +507,7 @@ <h4 id="parse-varmetadatavar">Parse <var>metadata</var>.</h4>
     </section>
     <!-- Algorithms::parse -->
     <section>
-      <h4 id="get-the-strongest-metadata-from-varsetvar">Get the strongest metadata from <var>set</var>.</h4>
+      <h4 id="get-the-strongest-metadata-from-set">Get the strongest metadata from <var>set</var>.</h4>
 
       <ol>
         <li>Let <var>result</var> be the empty set and <var>strongest</var> be the empty
@@ -535,15 +534,15 @@ <h4 id="get-the-strongest-metadata-from-varsetvar">Get the strongest metadata fr
     </section>
     <!-- /Algorithms::get the strongest metadata -->
     <section>
-      <h4 id="does-varresponsevar-match-varmetadatalistvar">Does <var>response</var> match <var>metadataList</var>?</h4>
+      <h4 id="does-response-match-metadatalist">Does <var>response</var> match <var>metadataList</var>?</h4>
 
       <ol>
         <li>Let <var>parsedMetadata</var> be the result of
-<a href="#parse-metadata.x">parsing <var>metadataList</var></a>.</li>
+<a href="#parse-metadata">parsing <var>metadataList</var></a>.</li>
         <li>If <var>parsedMetadata</var> is <code>no metadata</code>, return <code>true</code>.</li>
         <li>If <a href="#is-response-eligible-for-integrity-validation"><var>response</var> is not eligible for integrity
 validation</a>, return <code>false</code>.</li>
-        <li>Let <var>metadata</var> be the result of <a href="#get-the-strongest-metadata-from-set.x">getting the strongest
+        <li>Let <var>metadata</var> be the result of <a href="#get-the-strongest-metadata-from-set">getting the strongest
 metadata from <var>parsedMetadata</var></a>.</li>
         <li>For each <var>item</var> in <var>metadata</var>:
           <ol>
@@ -584,7 +583,6 @@ <h4 id="does-varresponsevar-match-varmetadatalistvar">Does <var>response</var> m
 validation since Subresource Integrity requires CORS, and it is a logical error
 to attempt to use it without CORS. Additionally, user agents SHOULD report a
 warning message to the developer console to explain this failure.</p>
-
     </section>
     <!-- Algorithms::Match -->
   </section>

specs/subresourceintegrity/spec.markdown

@@ -301,6 +301,8 @@ only to simplify the algorithm description.
 
 <section>
 #### Apply <var>algorithm</var> to <var>response</var>
+{: #apply-algorithm-to-response}
+[apply-algorithm]: #apply-algorithm-to-response
 
 1.  Let <var>result</var> be the result of [applying <var>algorithm</var>][apply-algorithm]
     to the [representation data][representationdata] without any content-codings
@@ -310,11 +312,10 @@ only to simplify the algorithm description.
 2.  Let <var>encodedResult</var> be result of base64-encoding
     <var>result</var>.
 3.  Return <var>encodedResult</var>.
-
-[apply-algorithm]: #apply-algorithm-to-response
 </section><!-- Algorithms::apply -->
 <section>
 #### Is <var>response</var> eligible for integrity validation
+{: #is-response-eligible-for-integrity-validation}
 [eligible]: #is-response-eligible-for-integrity-validation
 
 In order to mitigate an attacker's ability to read data cross-origin by
@@ -363,6 +364,8 @@ checking because it won't have loaded successfully.
 </section><!-- Algorithms::eligible -->
 <section>
 #### Parse <var>metadata</var>.
+{: #parse-metadata}
+[parse]: #parse-metadata
 
 This algorithm accepts a string, and returns either `no metadata`, or a set of
 valid hash expressions whose hash functions are understood by
@@ -385,6 +388,8 @@ the user agent.
 </section><!-- Algorithms::parse -->
 <section>
 #### Get the strongest metadata from <var>set</var>.
+{: #get-the-strongest-metadata-from-set}
+[get-the-strongest]: #get-the-strongest-metadata-from-set
 
 1.  Let <var>result</var> be the empty set and <var>strongest</var> be the empty
     string.
@@ -407,6 +412,8 @@ the user agent.
 </section><!-- /Algorithms::get the strongest metadata -->
 <section>
 #### Does <var>response</var> match <var>metadataList</var>?
+{: #does-response-match-metadatalist}
+[match]: #does-response-match-metadatalist
 
 1.  Let <var>parsedMetadata</var> be the result of
     [parsing <var>metadataList</var>][parse].
@@ -453,10 +460,6 @@ validation since Subresource Integrity requires CORS, and it is a logical error
 to attempt to use it without CORS. Additionally, user agents SHOULD report a
 warning message to the developer console to explain this failure.
 {:.note}
-
-[parse]: #parse-metadata.x
-[get-the-strongest]: #get-the-strongest-metadata-from-set.x
-[match]: #does-response-match-metadatalist
 </section><!-- Algorithms::Match -->
 </section><!-- Algorithms -->
 
@@ -539,6 +542,7 @@ for all possible subresources, i.e., `a`, `audio`, `embed`, `iframe`, `img`,
 
 <section>
 #### The `integrity` attribute
+{: #the-integrity-attribute}
 
 The `integrity` attribute represents [integrity metadata][] for an element.
 The value of the attribute MUST be either the empty string, or at least one
@@ -610,6 +614,7 @@ failed resource with a different one.
 
 <section>
 ###### The `link` element for stylesheets
+{: #the-link-element-for-stylesheets}
 
 Whenever a user agent attempts to [obtain a resource][] pointed to by a
 `link` element that has a `rel` attribute with the keyword of `stylesheet`,
@@ -628,6 +633,7 @@ value of the element's `integrity` attribute.
 
 <section>
 ###### The `script` element
+{: #the-script-element}
 
 Replace step 14.1 of HTML5's ["prepare a script" algorithm][prepare] with: