CLEAR: Adding example markup.

mikewest · mikewest · commit de06e8d3464d · 2015-08-10T14:06:08.000+02:00
diff --git a/specs/clear-site-data/index.html b/specs/clear-site-data/index.html
@@ -330,39 +330,47 @@ <h3 class="heading settled" data-level="1.1" id="examples"><span class="secno">1
   
     <h4 class="heading settled" data-level="1.1.1" id="example-signout"><span class="secno">1.1.1. </span><span class="content">Signing Out</span><a class="self-link" href="#example-signout"></a></h4>
 
-
-    <p>A user signs out of Super Secret Social Network via a CSRF-protected POST to
-  <code>https://supersecretsocialnetwork.example.com/logout</code>, and the site
-  author wishes to ensure that locally stored data is removed as a result.</p>
+  
+    <div class="example" id="example-fe709765"><a class="self-link" href="#example-fe709765"></a>
+    A user signs out of Super Secret Social Network via a CSRF-protected POST to
+    <code>https://supersecretsocialnetwork.example.com/logout</code>, and the
+    site author wishes to ensure that locally stored data is removed as a
+    result.
 
 
-    <p>They can do so by sending the following HTTP header in the response:</p>
+     <p>They can do so by sending the following HTTP header in the response:</p>
+     
 
-  
-    <pre><a data-link-type="dfn" href="#clear_site_data">Clear-Site-Data</a>: *
+    
+     <pre><a data-link-type="dfn" href="#clear_site_data">Clear-Site-Data</a>: <a data-link-type="dfn" href="#">*</a>
 </pre>
+     
+  
+    </div>
 
   
     <h4 class="heading settled" data-level="1.1.2" id="example-targeted"><span class="secno">1.1.2. </span><span class="content">Targeted Clearing</span><a class="self-link" href="#example-targeted"></a></h4>
 
-
-    <p>A user signs out of Megacorp Inc.'s site via a CSRF-protected POST to
-  <code>https://megacorp.example.com/logout</code>. Megacorp has a large number
-  of services available as subdomains, so many that it’s not entirely clear
-  which of them would be safe to clear as a response to a logout action. One
-  option would be to simply clear everything, and deal with the fallout.
-  Megacorp’s CEO, however, once lost hours and hours of progress in "Irate
-  Ibexes" due to inadvertant site-data clearing, and so refuses to allow such
-  a sweeping impact to the site’s users.</p>
+  
+    <div class="example" id="example-0b8e3ea5"><a class="self-link" href="#example-0b8e3ea5"></a>
+    A user signs out of Megacorp Inc.'s site via a CSRF-protected POST to
+    <code>https://megacorp.example.com/logout</code>. Megacorp has a large
+    number of services available as subdomains, so many that it’s not entirely
+    clear which of them would be safe to clear as a response to a logout action.
+    One option would be to simply clear everything, and deal with the fallout.
+    Megacorp’s CEO, however, once lost hours and hours of progress in "Irate
+    Ibexes" due to inadvertant site-data clearing, and so refuses to allow such
+    a sweeping impact to the site’s users.
 
 
-    <p>The developers know, however, that the "Minus" application is certainly safe
-  to clear out. They can target this specific subdomain by including a request
-  to that subdomain as part of the logout landing page (ideally as a
-  CORS-enabled, CSRF-protected POST):</p>
+     <p>The developers know, however, that the "Minus" application is certainly safe
+    to clear out. They can target this specific subdomain by including a request
+    to that subdomain as part of the logout landing page (ideally as a
+    CORS-enabled, CSRF-protected POST):</p>
+     
 
-  
-    <pre>fetch("https://minus.megacorp.example.com/clear-site-data",
+    
+     <pre>fetch("https://minus.megacorp.example.com/clear-site-data",
       {
           method: "POST",
           mode: "cors",
@@ -371,56 +379,72 @@ <h4 class="heading settled" data-level="1.1.2" id="example-targeted"><span class
           })
       });
 </pre>
+     
 
 
-    <p>That endpoint would return proper CORS headers in response to that request’s
-  preflight, and would return the following header for the actual request:</p>
+     <p>That endpoint would return proper CORS headers in response to that request’s
+    preflight, and would return the following header for the actual request:</p>
+     
 
-  
-    <pre><a data-link-type="dfn" href="#clear_site_data">Clear-Site-Data</a>: *; <a data-link-type="dfn" href="#includesubdomains">includeSubdomains</a>
+    
+     <pre><a data-link-type="dfn" href="#clear_site_data">Clear-Site-Data</a>: <a data-link-type="dfn" href="#">*</a>; <a data-link-type="dfn" href="#includesubdomains">includeSubdomains</a>
 </pre>
+     
+  
+    </div>
 
   
     <h4 class="heading settled" data-level="1.1.3" id="example-keepcookies"><span class="secno">1.1.3. </span><span class="content">Keep Critical Cookies</span><a class="self-link" href="#example-keepcookies"></a></h4>
 
-
-    <p>A user opts-out of interest-based advertising via a CSRF-protected POST to
-  <code>https://ads-are-awesome.example.com/optout</code>. The site author
-  wishes to remove DOM-accessible data which might contain tracking information,
-  but needs to ensure that the opt-out cookie which the user has just received
-  isn’t wiped along with it.</p>
+  
+    <div class="example" id="example-94c4a845"><a class="self-link" href="#example-94c4a845"></a>
+    A user opts-out of interest-based advertising via a CSRF-protected POST to
+    <code>https://ads-are-awesome.example.com/optout</code>. The site author
+    wishes to remove DOM-accessible data which might contain tracking
+    information, but needs to ensure that the opt-out cookie which the user has
+    just received isn’t wiped along with it.
 
 
-    <p>They can do so by sending the following HTTP header in the response, which
-  includes all the types except for "<a data-link-type="dfn" href="#cookies">cookies</a>":</p>
+     <p>They can do so by sending the following HTTP header in the response, which
+    includes all the types except for "<a data-link-type="dfn" href="#cookies">cookies</a>":</p>
+     
 
-  
-    <pre><a data-link-type="dfn" href="#clear_site_data">Clear-Site-Data</a>: <a data-link-type="dfn" href="#domstorage">domStorage</a> <a data-link-type="dfn" href="#executioncontexts">executionContexts</a> <a data-link-type="dfn" href="#cache">cache</a>; <a data-link-type="dfn" href="#includesubdomains">includeSubdomains</a>
+    
+     <pre><a data-link-type="dfn" href="#clear_site_data">Clear-Site-Data</a>: <a data-link-type="dfn" href="#domstorage">domStorage</a>; <a data-link-type="dfn" href="#executioncontexts">executionContexts</a>; <a data-link-type="dfn" href="#cache">cache</a>; <a data-link-type="dfn" href="#includesubdomains">includeSubdomains</a>
 </pre>
+     
+  
+    </div>
 
   
     <h4 class="heading settled" data-level="1.1.4" id="example-killswitch"><span class="secno">1.1.4. </span><span class="content">Kill Switch</span><a class="self-link" href="#example-killswitch"></a></h4>
 
-
-    <p>Super Secret Social Network’s developers learn that the site was vulnerable
-  to cross-site scripting attacks which allowed malicious parties to inject
-  arbitrary code into its origin. They fixed the site, and added a strong
-  Content Security Policy <a data-link-type="biblio" href="#biblio-csp2">[CSP2]</a> to mitigate the risk going forward, but
-  they can’t be entirely sure that clients are really back to a trustworthy
-  state. Perhaps the attackers found a clever persistence mechanism?</p>
+  
+    <div class="example" id="example-346b1576"><a class="self-link" href="#example-346b1576"></a>
+    Super Secret Social Network’s developers learn that the site was vulnerable
+    to cross-site scripting attacks which allowed malicious parties to inject
+    arbitrary code into its origin. They fixed the site, and added a strong
+    Content Security Policy <a data-link-type="biblio" href="#biblio-csp2">[CSP2]</a> to mitigate the risk going forward, but
+    they can’t be entirely sure that clients are really back to a trustworthy
+    state. Perhaps the attackers found a clever persistence mechanism?
 
 
-    <p>They can reduce the risk of a persistent client-side XSS by sending the
-  following HTTP header in a response to wipe out local sources of data:</p>
+     <p>They can reduce the risk of a persistent client-side XSS by sending the
+    following HTTP header in a response to wipe out local sources of data:</p>
+     
 
-  
-    <pre><a data-link-type="dfn" href="#clear_site_data">Clear-Site-Data</a>: *; <a data-link-type="dfn" href="#includesubdomains">includeSubdomains</a>
+    
+     <pre><a data-link-type="dfn" href="#clear_site_data">Clear-Site-Data</a>: <a data-link-type="dfn" href="#">*</a>; <a data-link-type="dfn" href="#includesubdomains">includeSubdomains</a>
 </pre>
+     
 
 
-    <p class="note" role="note">Note: Installing a Service Worker guarantees that a request will go out to
-  a server every ~24 hours. That update ping would be a wonderful time to send
-  a header like this one in case of catastophe. <a data-link-type="biblio" href="#biblio-service-workers">[SERVICE-WORKERS]</a></p>
+     <p class="note" role="note">Note: Installing a Service Worker guarantees that a request will go out to
+    a server every ~24 hours. That update ping would be a wonderful time to send
+    a header like this one in case of catastophe. <a data-link-type="biblio" href="#biblio-service-workers">[SERVICE-WORKERS]</a></p>
+     
+  
+    </div>
 
   
     <h3 class="heading settled" data-level="1.2" id="goals"><span class="secno">1.2. </span><span class="content">Goals</span><a class="self-link" href="#goals"></a></h3>
@@ -681,7 +705,7 @@ <h4 class="heading settled" data-level="2.1.6" id="wildcard-parameter"><span cla
   storage type parameters. That is:</p>
 
   
-    <pre>Clear-Site-Data: *
+    <pre><a data-link-type="dfn" href="#clear_site_data">Clear-Site-Data</a>: <a data-link-type="dfn" href="#">*</a>
 </pre>
 
 
diff --git a/specs/clear-site-data/index.src.html b/specs/clear-site-data/index.src.html
@@ -192,84 +192,93 @@ <h3 id="examples">Examples</h3>
 
   <h4 id="example-signout">Signing Out</h4>
 
-  A user signs out of Super Secret Social Network via a CSRF-protected POST to
-  <code>https://supersecretsocialnetwork.example.com/logout</code>, and the site
-  author wishes to ensure that locally stored data is removed as a result.
+  <div class="example">
+    A user signs out of Super Secret Social Network via a CSRF-protected POST to
+    <code>https://supersecretsocialnetwork.example.com/logout</code>, and the
+    site author wishes to ensure that locally stored data is removed as a
+    result.
 
-  They can do so by sending the following HTTP header in the response:
+    They can do so by sending the following HTTP header in the response:
 
-  <pre>
-    <a>Clear-Site-Data</a>: *
-  </pre>
+    <pre>
+      <a>Clear-Site-Data</a>: <a>*</a>
+    </pre>
+  </div>
 
   <h4 id="example-targeted">Targeted Clearing</h4>
 
-  A user signs out of Megacorp Inc.'s site via a CSRF-protected POST to
-  <code>https://megacorp.example.com/logout</code>. Megacorp has a large number
-  of services available as subdomains, so many that it's not entirely clear
-  which of them would be safe to clear as a response to a logout action. One
-  option would be to simply clear everything, and deal with the fallout.
-  Megacorp's CEO, however, once lost hours and hours of progress in "Irate
-  Ibexes" due to inadvertent site-data clearing, and so refuses to allow such
-  a sweeping impact to the site's users.
-
-  The developers know, however, that the "Minus" application is certainly safe
-  to clear out. They can target this specific subdomain by including a request
-  to that subdomain as part of the logout landing page (ideally as a
-  CORS-enabled, CSRF-protected POST):
+  <div class="example">
+    A user signs out of Megacorp Inc.'s site via a CSRF-protected POST to
+    <code>https://megacorp.example.com/logout</code>. Megacorp has a large
+    number of services available as subdomains, so many that it's not entirely
+    clear which of them would be safe to clear as a response to a logout action.
+    One option would be to simply clear everything, and deal with the fallout.
+    Megacorp's CEO, however, once lost hours and hours of progress in "Irate
+    Ibexes" due to inadvertent site-data clearing, and so refuses to allow such
+    a sweeping impact to the site's users.
+
+    The developers know, however, that the "Minus" application is certainly safe
+    to clear out. They can target this specific subdomain by including a request
+    to that subdomain as part of the logout landing page (ideally as a
+    CORS-enabled, CSRF-protected POST):
 
-  <pre>
-    fetch("https://minus.megacorp.example.com/clear-site-data",
-          {
-              method: "POST",
-              mode: "cors",
-              headers: new Headers({
-                  "CSRF": "[<em>insert sekrit token here</em>]"
-              })
-          });
-  </pre>
+    <pre>
+      fetch("https://minus.megacorp.example.com/clear-site-data",
+            {
+                method: "POST",
+                mode: "cors",
+                headers: new Headers({
+                    "CSRF": "[<em>insert sekrit token here</em>]"
+                })
+            });
+    </pre>
 
-  That endpoint would return proper CORS headers in response to that request's
-  preflight, and would return the following header for the actual request:
+    That endpoint would return proper CORS headers in response to that request's
+    preflight, and would return the following header for the actual request:
 
-  <pre>
-    <a>Clear-Site-Data</a>: *; <a>includeSubdomains</a>
-  </pre>
+    <pre>
+      <a>Clear-Site-Data</a>: <a>*</a>; <a>includeSubdomains</a>
+    </pre>
+  </div>
 
   <h4 id="example-keepcookies">Keep Critical Cookies</h4>
 
-  A user opts-out of interest-based advertising via a CSRF-protected POST to
-  <code>https://ads-are-awesome.example.com/optout</code>. The site author
-  wishes to remove DOM-accessible data which might contain tracking information,
-  but needs to ensure that the opt-out cookie which the user has just received
-  isn't wiped along with it.
+  <div class="example">
+    A user opts-out of interest-based advertising via a CSRF-protected POST to
+    <code>https://ads-are-awesome.example.com/optout</code>. The site author
+    wishes to remove DOM-accessible data which might contain tracking
+    information, but needs to ensure that the opt-out cookie which the user has
+    just received isn't wiped along with it.
 
-  They can do so by sending the following HTTP header in the response, which
-  includes all the types except for "<a>cookies</a>":
+    They can do so by sending the following HTTP header in the response, which
+    includes all the types except for "<a>cookies</a>":
 
-  <pre>
-    <a>Clear-Site-Data</a>: <a>domStorage</a> <a>executionContexts</a> <a>cache</a>; <a>includeSubdomains</a>
-  </pre>
+    <pre>
+      <a>Clear-Site-Data</a>: <a>domStorage</a>; <a>executionContexts</a>; <a>cache</a>; <a>includeSubdomains</a>
+    </pre>
+  </div>
 
   <h4 id="example-killswitch">Kill Switch</h4>
 
-  Super Secret Social Network's developers learn that the site was vulnerable
-  to cross-site scripting attacks which allowed malicious parties to inject
-  arbitrary code into its origin. They fixed the site, and added a strong
-  Content Security Policy [[CSP2]] to mitigate the risk going forward, but
-  they can't be entirely sure that clients are really back to a trustworthy
-  state. Perhaps the attackers found a clever persistence mechanism?
+  <div class="example">
+    Super Secret Social Network's developers learn that the site was vulnerable
+    to cross-site scripting attacks which allowed malicious parties to inject
+    arbitrary code into its origin. They fixed the site, and added a strong
+    Content Security Policy [[CSP2]] to mitigate the risk going forward, but
+    they can't be entirely sure that clients are really back to a trustworthy
+    state. Perhaps the attackers found a clever persistence mechanism?
 
-  They can reduce the risk of a persistent client-side XSS by sending the
-  following HTTP header in a response to wipe out local sources of data:
+    They can reduce the risk of a persistent client-side XSS by sending the
+    following HTTP header in a response to wipe out local sources of data:
 
-  <pre>
-    <a>Clear-Site-Data</a>: *; <a>includeSubdomains</a>
-  </pre>
+    <pre>
+      <a>Clear-Site-Data</a>: <a>*</a>; <a>includeSubdomains</a>
+    </pre>
 
-  Note: Installing a Service Worker guarantees that a request will go out to
-  a server every ~24 hours. That update ping would be a wonderful time to send
-  a header like this one in case of catastrophe. [[SERVICE-WORKERS]]
+    Note: Installing a Service Worker guarantees that a request will go out to
+    a server every ~24 hours. That update ping would be a wonderful time to send
+    a header like this one in case of catastrophe. [[SERVICE-WORKERS]]
+  </div>
 
   <h3 id="goals">Goals</h3>
 
@@ -456,7 +465,7 @@ <h4 id="wildcard-parameter">
   storage type parameters. That is:
   
   <pre>
-    Clear-Site-Data: *
+    <a>Clear-Site-Data</a>: <a>*</a>
   </pre>
   
   has the same meaning as:
