HTML 5

Draft Recommendation — 7 July 2008

2. Common infrastructure

2.1 Conformance requirements

All diagrams, examples, and notes in this specification are non-normative, as are all sections explicitly marked non-normative. Everything else in this specification is normative.

The key words "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in the normative parts of this document are to be interpreted as described in RFC2119. For readability, these words do not appear in all uppercase letters in this specification. [RFC2119]

Requirements phrased in the imperative as part of algorithms (such as "strip any leading space characters" or "return false and abort these steps") are to be interpreted with the meaning of the key word ("must", "should", "may", etc) used in introducing the algorithm.

This specification describes the conformance criteria for user agents (relevant to implementors) and documents (relevant to authors and authoring tool implementors).

There is no implied relationship between document conformance requirements and implementation conformance requirements. User agents are not free to handle non-conformant documents as they please; the processing model described in this specification applies to implementations regardless of the conformity of the input documents.

User agents fall into several (overlapping) categories with different conformance requirements.

Web browsers and other interactive user agents

Web browsers that support XHTML must process elements and attributes from the HTML namespace found in XML documents as described in this specification, so that users can interact with them, unless the semantics of those elements have been overridden by other specifications.

A conforming XHTML processor would, upon finding an XHTML script element in an XML document, execute the script contained in that element. However, if the element is found within an XSLT transformation sheet (assuming the UA also supports XSLT), then the processor would instead treat the script element as an opaque element that forms part of the transform.

Web browsers that support HTML must process documents labeled as text/html as described in this specification, so that users can interact with them.

Non-interactive presentation user agents

User agents that process HTML and XHTML documents purely to render non-interactive versions of them must comply to the same conformance criteria as Web browsers, except that they are exempt from requirements regarding user interaction.

Typical examples of non-interactive presentation user agents are printers (static UAs) and overhead displays (dynamic UAs). It is expected that most static non-interactive presentation user agents will also opt to lack scripting support.

A non-interactive but dynamic presentation UA would still execute scripts, allowing forms to be dynamically submitted, and so forth. However, since the concept of "focus" is irrelevant when the user cannot interact with the document, the UA would not need to support any of the focus-related DOM APIs.

User agents with no scripting support

Implementations that do not support scripting (or which have their scripting features disabled entirely) are exempt from supporting the events and DOM interfaces mentioned in this specification. For the parts of this specification that are defined in terms of an events model or in terms of the DOM, such user agents must still act as if events and the DOM were supported.

Scripting can form an integral part of an application. Web browsers that do not support scripting, or that have scripting disabled, might be unable to fully convey the author's intent.

Conformance checkers

Conformance checkers must verify that a document conforms to the applicable conformance criteria described in this specification. Automated conformance checkers are exempt from detecting errors that require interpretation of the author's intent (for example, while a document is non-conforming if the content of a blockquote element is not a quote, conformance checkers running without the input of human judgement do not have to check that blockquote elements only contain quoted material).

Conformance checkers must check that the input document conforms when parsed without a browsing context (meaning that no scripts are run, and that the parser's scripting flag is disabled), and should also check that the input document conforms when parsed with a browsing context in which scripts execute, and that the scripts never cause non-conforming states to occur other than transiently during script execution itself. (This is only a "SHOULD" and not a "MUST" requirement because it has been proven to be impossible. [HALTINGPROBLEM])

The term "HTML5 validator" can be used to refer to a conformance checker that itself conforms to the applicable requirements of this specification.

XML DTDs cannot express all the conformance requirements of this specification. Therefore, a validating XML processor and a DTD cannot constitute a conformance checker. Also, since neither of the two authoring formats defined in this specification are applications of SGML, a validating SGML system cannot constitute a conformance checker either.

To put it another way, there are three types of conformance criteria:

  1. Criteria that can be expressed in a DTD.
  2. Criteria that cannot be expressed by a DTD, but can still be checked by a machine.
  3. Criteria that can only be checked by a human.

A conformance checker must check for the first two. A simple DTD-based validator only checks for the first class of errors and is therefore not a conforming conformance checker according to this specification.

Data mining tools

Applications and tools that process HTML and XHTML documents for reasons other than to either render the documents or check them for conformance should act in accordance to the semantics of the documents that they process.

A tool that generates document outlines but increases the nesting level for each paragraph and does not increase the nesting level for each section would not be conforming.

Authoring tools and markup generators

Authoring tools and markup generators must generate conforming documents. Conformance criteria that apply to authors also apply to authoring tools, where appropriate.

Authoring tools are exempt from the strict requirements of using elements only for their specified purpose, but only to the extent that authoring tools are not yet able to determine author intent.

For example, it is not conforming to use an address element for arbitrary contact information; that element can only be used for marking up contact information for the author of the document or section. However, since an authoring tool is likely unable to determine the difference, an authoring tool is exempt from that requirement.

In terms of conformance checking, an editor is therefore required to output documents that conform to the same extent that a conformance checker will verify.

When an authoring tool is used to edit a non-conforming document, it may preserve the conformance errors in sections of the document that were not edited during the editing session (i.e. an editing tool is allowed to round-trip erroneous content). However, an authoring tool must not claim that the output is conformant if errors have been so preserved.

Authoring tools are expected to come in two broad varieties: tools that work from structure or semantic data, and tools that work on a What-You-See-Is-What-You-Get media-specific editing basis (WYSIWYG).

The former is the preferred mechanism for tools that author HTML, since the structure in the source information can be used to make informed choices regarding which HTML elements and attributes are most appropriate.

However, WYSIWYG tools are legitimate. WYSIWYG tools should use elements they know are appropriate, and should not use elements that they do not know to be appropriate. This might in certain extreme cases mean limiting the use of flow elements to just a few elements, like div, b, i, and span and making liberal use of the style attribute.

All authoring tools, whether WYSIWYG or not, should make a best effort attempt at enabling users to create well-structured, semantically rich, media-independent content.

Some conformance requirements are phrased as requirements on elements, attributes, methods or objects. Such requirements fall into two categories: those describing content model restrictions, and those describing implementation behavior. The former category of requirements are requirements on documents and authoring tools. The second category are requirements on user agents.

Conformance requirements phrased as algorithms or specific steps may be implemented in any manner, so long as the end result is equivalent. (In particular, the algorithms defined in this specification are intended to be easy to follow, and not intended to be performant.)

User agents may impose implementation-specific limits on otherwise unconstrained inputs, e.g. to prevent denial of service attacks, to guard against running out of memory, or to work around platform-specific limitations.

For compatibility with existing content and prior specifications, this specification describes two authoring formats: one based on XML (referred to as XHTML5), and one using a custom format inspired by SGML (referred to as HTML5). Implementations may support only one of these two formats, although supporting both is encouraged.

XHTML documents (XML documents using elements from the HTML namespace) that use the new features described in this specification and that are served over the wire (e.g. by HTTP) must be sent using an XML MIME type such as application/xml or application/xhtml+xml and must not be served as text/html. [RFC3023]

Such XML documents may contain a DOCTYPE if desired, but this is not required to conform to this specification.

According to the XML specification, XML processors are not guaranteed to process the external DTD subset referenced in the DOCTYPE. This means, for example, that using entity references for characters in XHTML documents is unsafe (except for <, >, &, " and ').

HTML documents, if they are served over the wire (e.g. by HTTP) must be labeled with the text/html MIME type.

The language in this specification assumes that the user agent expands all entity references, and therefore does not include entity reference nodes in the DOM. If user agents do include entity reference nodes in the DOM, then user agents must handle them as if they were fully expanded when implementing this specification. For example, if a requirement talks about an element's child text nodes, then any text nodes that are children of an entity reference that is a child of that element would be used as well. Entity references to unknown entities must be treated as if they contained just an empty text node for the purposes of the algorithms defined in this specification.

2.1.1 Dependencies

This specification relies on several other underlying specifications.

XML

Implementations that support XHTML5 must support some version of XML, as well as its corresponding namespaces specification, because XHTML5 uses an XML serialization with namespaces. [XML] [XMLNAMES]

DOM

The Document Object Model (DOM) is a representation — a model — of a document and its content. The DOM is not just an API; the conformance criteria of HTML implementations are defined, in this specification, in terms of operations on the DOM. [DOM3CORE]

Implementations must support some version of DOM Core and DOM Events, because this specification is defined in terms of the DOM, and some of the features are defined as extensions to the DOM Core interfaces. [DOM3CORE] [DOM3EVENTS]

ECMAScript

Implementations that use ECMAScript to implement the APIs defined in this specification must implement them in a manner consistent with the ECMAScript Bindings defined in the Web IDL specification, as this specification uses that specification's terminology. [WebIDL]

Media Queries

Implementations must support some version of the Media Queries language. [MQ]

This specification does not require support of any particular network transport protocols, style sheet language, scripting language, or any of the DOM and WebAPI specifications beyond those described above. However, the language described by this specification is biased towards CSS as the styling language, ECMAScript as the scripting language, and HTTP as the network protocol, and several features assume that those languages and protocols are in use.

This specification might have certain additional requirements on character encodings, image formats, audio formats, and video formats in the respective sections.

2.1.2 Features defined in other specifications

this section will be removed at some point

Some elements are defined in terms of their DOM textContent attribute. This is an attribute defined on the Node interface in DOM3 Core. [DOM3CORE]

Should textContent be defined differently for dir="" and <bdo>? Should we come up with an alternative to textContent that handles those and other things, like alt=""?

The interface DOMTimeStamp is defined in DOM3 Core. [DOM3CORE]

The term activation behavior is used as defined in the DOM3 Events specification. [DOM3EVENTS] At the time of writing, DOM3 Events hadn't yet been updated to define that phrase.

The rules for handling alternative style sheets are defined in the CSS object model specification. [CSSOM]

See http://dev.w3.org/cvsweb/~checkout~/csswg/cssom/Overview.html?content-type=text/html;%20charset=utf-8

2.1.3 Common conformance requirements for APIs exposed to JavaScript

This section will eventually be removed in favour of WebIDL.

A lot of arrays/lists/collections in this spec assume zero-based indexes but use the term "indexth" liberally. We should define those to be zero-based and be clearer about this.

Unless otherwise specified, if a DOM attribute that is a floating point number type (float) is assigned an Infinity or Not-a-Number value, a NOT_SUPPORTED_ERR exception must be raised.

Unless otherwise specified, if a method with an argument that is a floating point number type (float) is passed an Infinity or Not-a-Number value, a NOT_SUPPORTED_ERR exception must be raised.

Unless otherwise specified, if a method is passed fewer arguments than is defined for that method in its IDL definition, a NOT_SUPPORTED_ERR exception must be raised.

Unless otherwise specified, if a method is passed more arguments than is defined for that method in its IDL definition, the excess arguments must be ignored.

2.2 Terminology

This specification refers to both HTML and XML attributes and DOM attributes, often in the same context. When it is not clear which is being referred to, they are referred to as content attributes for HTML and XML attributes, and DOM attributes for those from the DOM. Similarly, the term "properties" is used for both ECMAScript object properties and CSS properties. When these are ambiguous they are qualified as object properties and CSS properties respectively.

To ease migration from HTML to XHTML, UAs conforming to this specification will place elements in HTML in the http://www.w3.org/1999/xhtml namespace, at least for the purposes of the DOM and CSS. The term "elements in the HTML namespace", or "HTML elements" for short, when used in this specification, thus refers to both HTML and XHTML elements.

Unless otherwise stated, all elements defined or mentioned in this specification are in the http://www.w3.org/1999/xhtml namespace, and all attributes defined or mentioned in this specification have no namespace (they are in the per-element partition).

When an XML name, such as an attribute or element name, is referred to in the form prefix:localName, as in xml:id or svg:rect, it refers to a name with the local name localName and the namespace given by the prefix, as defined by the following table:

xml
http://www.w3.org/XML/1998/namespace
html
http://www.w3.org/1999/xhtml
svg
http://www.w3.org/2000/svg

Attribute names are said to be XML-compatible if they match the Name production defined in XML, they contain no U+003A COLON (:) characters, and they do not start with three characters "xml". [XML]

The term HTML documents is sometimes used in contrast with XML documents to specifically mean documents that were parsed using an HTML parser (as opposed to using an XML parser or created purely through the DOM).

Generally, when the specification states that a feature applies to HTML or XHTML, it also includes the other. When a feature specifically only applies to one of the two languages, it is called out by explicitly stating that it does not apply to the other format, as in "for HTML, ... (this does not apply to XHTML)".

This specification uses the term document to refer to any use of HTML, ranging from short static documents to long essays or reports with rich multimedia, as well as to fully-fledged interactive applications.

The term root element, when not explicitly qualified as referring to the document's root element, means the furthest ancestor element node of whatever node is being discussed, or the node itself if it has no ancestors. When the node is a part of the document, then that is indeed the document's root element; however, if the node is not currently part of the document tree, the root element will be an orphaned node.

An element is said to have been inserted into a document when its root element changes and is now the document's root element.

The term tree order means a pre-order, depth-first traversal of DOM nodes involved (through the parentNode/childNodes relationship).

When it is stated that some element or attribute is ignored, or treated as some other value, or handled as if it was something else, this refers only to the processing of the node after it is in the DOM. A user agent must not mutate the DOM in such situations.

For simplicity, terms such as shown, displayed, and visible might sometimes be used when referring to the way a document is rendered to the user. These terms are not meant to imply a visual medium; they must be considered to apply to other media in equivalent ways.

The construction "a Foo object", where Foo is actually an interface, is sometimes used instead of the more accurate "an object implementing the interface Foo".

A DOM attribute is said to be getting when its value is being retrieved (e.g. by author script), and is said to be setting when a new value is assigned to it.

If a DOM object is said to be live, then that means that any attributes returning that object must always return the same object (not a new object each time), and the attributes and methods on that object must operate on the actual underlying data, not a snapshot of the data.

The terms fire and dispatch are used interchangeably in the context of events, as in the DOM Events specifications. [DOM3EVENTS]

The term text node refers to any Text node, including CDATASection nodes; specifically, any Node with node type TEXT_NODE (3) or CDATA_SECTION_NODE (4). [DOM3CORE]

The term plugin is used to mean any content handler, typically a third-party content handler, for Web content types that are not supported by the user agent natively, or for content types that do not expose a DOM, that supports rendering the content as part of the user agent's interface.

One example of a plugin would be a PDF viewer that is instantiated in a browsing context when the user navigates to a PDF file. This would count as a plugin regardless of whether the party that implemented the PDF viewer component was the same as that which implemented the user agent itself. However, a PDF viewer application that launches separate from the user agent (as opposed to using the same interface) is not a plugin by this definition.

This specification does not define a mechanism for interacting with plugins, as it is expected to be user-agent- and platform-specific. Some UAs might opt to support a plugin mechanism such as the Netscape Plugin API; others might use remote content converters or have built-in support for certain types. [NPAPI]

Browsers should take extreme care when interacting with external content intended for plugins. When third-party software is run with the same privileges as the user agent itself, vulnerabilities in the third-party software become as dangerous as those in the user agent.

Some of the algorithms in this specification, for historical reasons, require the user agent to pause until some condition has been met. While a user agent is paused, it must ensure that no scripts execute (e.g. no event handlers, no timers, etc). User agents should remain responsive to user input while paused, however, albeit without letting the user interact with Web pages where that would involve invoking any script.

2.3 URLs

This specification defines the term URL, and defines various algorithms for dealing with URLs, because for historical reasons the rules defined by the URI and IRI specifications are not a complete description of what HTML user agents need to implement to be compatible with Web content.

2.3.1 Terminology

A URL is a string used to identify a resource. A URL is always associated with a Document, either explicitly when the URL is created or defined; or through a DOM node, in which case the associated Document is the node's Document; or through a script, in which case the associated Document is the script's script document context.

A URL is a valid URL if at least one of the following conditions holds:

The term "URL" in this specification is used in a manner distinct from the precise technical meaning it is given in RFC 3986. Readers familiar with that RFC will find it easier to read this specification if they pretend the term "URL" as used herein is really called something else altogether.

2.3.2 Parsing URLs

To parse a URL url into its component parts, the user agent must use the following steps:

  1. Strip leading and trailing space characters from url.

  2. Parse url in the manner defined by RFC 3986, with the following exceptions:

  3. If url doesn't match the <URI-reference> production, even after the above changes are made to the ABNF definitions, then parsing the URL fails with an error. [RFC3986]

    Otherwise, parsing url was successful; the components of the URL are substrings of url defined as follows:

    <scheme>

    The substring matched by the <scheme> production, if any.

    <host>

    The substring matched by the <host> production, if any.

    <port>

    The substring matched by the <port> production, if any.

    <hostport>

    If there is a <scheme> component and a <port> component and the port given by the <port> component is different than the default port defined for the protocol given by the <scheme> component, then <hostport> is the substring that starts with the substring matched by the <host> production and ends with the substring matched by the <port> production, and includes the colon in between the two. Otherwise, it is the same as the <host> component.

    <path>

    The substring matched by one of the following productions, if one of them was matched:

    • <path-abempty>
    • <path-absolute>
    • <path-noscheme>
    • <path-rootless>
    • <path-empty>
    <query>

    The substring matched by the <query> production, if any.

    <fragment>

    The substring matched by the <fragment> production, if any.

2.3.3 Resolving URLs

Relative URLs are resolved relative to a base URL. The base URL of a URL is the absolute URL obtained as follows:

If the URL to be resolved was passed to an API

The base URL is the document base URL of the script's script document context.

If the URL to be resolved is from the value of a content attribute

The base URL is the base URI of the element that the attribute is on, as defined by the XML Base specification, with the base URI of the document entity being defined as the document base URL of the Document that owns the element.

For the purposes of the XML Base specification, user agents must act as if all Document objects represented XML documents.

It is possible for xml:base attributes to be present even in HTML fragments, as such attributes can be added dynamically using script. (Such scripts would not be conforming, however, as xml:base attributes are not allowed in HTML documents.)

If the URL to be resolved was found in an offline application cache manifest

The base URL is the URL of the application cache manifest.

The document base URL of a Document is the absolute URL obtained by running these steps:

  1. If there is no base element that is both a child of the head element and has an href attribute, then the document base URL is the document's address.

  2. Otherwise, let url be the value of the href attribute of the first such element.

  3. Resolve the url URL, using the document's address as the base URL (thus, the base href attribute isn't affect by xml:base attributes).

  4. The document base URL is the result of the previous step if it was successful; otherwise it is the document's address.

To resolve a URL to an absolute URL the user agent must use the following steps. Resolving a URL can result in an error, in which case the URL is not resolvable.

  1. Let url be the URL being resolved.

  2. Let document be the Document associated with url.

  3. Let encoding be the character encoding of document.

  4. If encoding is UTF-16, then change it to UTF-8.

  5. Let base be the base URL for url. (This is an absolute URL.)

  6. Parse url into its component parts.

  7. If parsing url resulted in a <host> component, then replace the matching subtring of url with the string that results from expanding any sequences of percent-encoded octets in that component that are valid UTF-8 sequences into Unicode characters as defined by UTF-8.

    If any percent-encoded octets in that component are not valid UTF-8 sequences, then return an error and abort these steps.

    Apply the IDNA ToASCII algorithm to the matching substring, with both the AllowUnassigned and UseSTD3ASCIIRules flags set. Replace the matching substring with the result of the ToASCII algorithm.

    If ToASCII fails to convert one of the components of the string, e.g. because it is too long or because it contains invalid characters, then return an error and abort these steps. [RFC3490]

  8. If parsing url resulted in a <path> component, then replace the matching substring of url with the string that results from applying the following steps to each character other than U+0025 PERCENT SIGN (%) that doesn't match the original <path> production defined in RFC 3986:

    1. Encode the character into a sequence of octets as defined by UTF-8.
    2. Replace the character with the percent-encoded form of those octets. [RFC3986]

    For instance if url was "//example.com/a^b☺c%FFd%z/?e", then the <path> component's substring would be "/a^b☺c%FFd%z/" and the two characters that would have to be escaped would be "^" and "". The result after this step was applied would therefore be that url now had the value "//example.com/a%5Eb%E2%98%BAc%FFd%z/?e".

  9. If parsing url resulted in a <query> component, then replace the matching substring of url with the string that results from applying the following steps to each character other than U+0025 PERCENT SIGN (%) that doesn't match the original <query> production defined in RFC 3986:

    1. If the character in question cannot be expressed in the encoding encoding, then replace it with a single 0x3F octet (an ASCII question mark) and skip the remaining substeps for this character.
    2. Encode the character into a sequence of octets as defined by the encoding encoding.
    3. Replace the character with the percent-encoded form of those octets. [RFC3986]
  10. Apply the algorithm described in RFC 3986 section 5.2 Relative Resolution, using url as the potentially relative URI reference (R), and base as the base URI (Base). [RFC3986]

  11. Apply any relevant conformance criteria of RFC 3986 and RFC 3987, returning an error and aborting these steps if appropriate. [RFC3986] [RFC3987]

    For instance, if an absolute URI that would be returned by the above algorithm violates the restrictions specific to its scheme, e.g. a data: URI using the "//" server-based naming authority syntax, then user agents are to treat this as an error instead.

  12. Let result be the target URI (T) returned by the Relative Resolution algorithm.

  13. If result uses a scheme with a server-based naming authority, replace all U+005C REVERSE SOLIDUS (\) characters in result with U+002F SOLIDUS (/) characters.

  14. Return result.

A URL is an absolute URL if resolving it results in the same URL without an error.

2.3.4 Dynamic changes to base URLs

When an xml:base attribute changes, the attribute's element, and all descendant elements, are affected by a base URL change.

When a document's document base URL changes, all elements in that document are affected by a base URL change.

When an element is moved from one document to another, if the two documents have different base URLs, then that element and all its descendants are affected by a base URL change.

When an element is affected by a base URL change, it must act as described in the following list:

If the element is a hyperlink element

If the absolute URL identified by the hyperlink is being shown to the user, or if any data derived from that URL is affecting the display, then the href attribute should be reresolved and the UI updated appropriately.

For example, the CSS :link/:visited pseudo-classes might have been affected.

If the hyperlink has a ping attribute and its absolute URL(s) are being shown to the user, then the ping attribute's tokens should be reresolved and the UI updated appropriately.

If the element is a blockquote, q, ins, or del element with a cite attribute

If the absolute URL identified by the cite attribute is being shown to the user, or if any data derived from that URL is affecting the display, then the it should be reresolved and the UI updated appropriately.

Otherwise

The element is not directly affected.

Changing the base URL doesn't affect the image displayed by img elements, although subsequent accesses of the src DOM attribute from script will return a new absolute URL that might no longer correspond to the image being shown.

2.3.5 Interfaces for URL manipulation

An interface that has a complement of URL decomposition attributes will have seven attributes with the following definitions:

           attribute DOMString protocol;
           attribute DOMString host;
           attribute DOMString hostname;
           attribute DOMString port;
           attribute DOMString pathname;
           attribute DOMString search;
           attribute DOMString hash;

The attributes defined to be URL decomposition attributes must act as described for the attributes with the same corresponding names in this section.

In addition, an interface with a complement of URL decomposition attributes will define an input, which is a URL that the attributes act on, and a common setter action, which is a set of steps invoked when any of the attributes' setters are invoked.

The seven URL decomposition attributes have similar requirements.

On getting, if the input fulfills the condition given in the "getter condition" column corresponding to the attribute in the table below, the user agent must return the part of the input URL given in the "component" column, with any prefixes specified in the "prefix" column appropriately added to the start of the string and any suffixes specified in the "suffix" column appropriately added to the end of the string. Otherwise, the attribute must return the empty string.

On setting, the new value must first be mutated as described by the "setter preprocessor" column, then mutated by %-escaping any characters in the new value that are not valid in the relevant component as given by the "component" column. Then, if the resulting new value fulfills the condition given in the "setter condition" column, the user agent must make a new string output by replacing the component of the URL given by the "component" column in the input URL with the new value; otherwise, the user agent must let output be equal to the input. Finally, the user agent must invoke the common setter action with the value of output.

When replacing a component in the URL, if the component is part of an optional group in the URL syntax consisting of a character followed by the component, the component (including its prefix character) must be included even if the new value is the empty string.

The previous paragraph applies in particular to the ":" before a <port> component, the "?" before a <query> component, and the "#" before a <fragment> component.

For the purposes of the above definitions, URLs must be parsed using the URL parsing rules defined in this specification.

Attribute Component Getter Condition Prefix Suffix Setter Preprocessor Setter Condition
protocol <scheme> U+003A COLON (":") Remove all trailing U+003A COLON (":") characters The new value is not the empty string
host <hostport> input is hierarchical and uses a server-based naming authority
hostname <host> input is hierarchical and uses a server-based naming authority Remove all leading U+002F SOLIDUS ("/") characters
port <port> input is hierarchical, uses a server-based naming authority, and contained a <port> component (possibly an empty one) Remove any characters in the new value that are not in the range U+0030 DIGIT ZERO .. U+0039 DIGIT NINE. If the resulting string is empty, set it to a single U+0030 DIGIT ZERO character ('0').
pathname <path> input is hierarchical If it has no leading U+002F SOLIDUS ("/") character, prepend a U+002F SOLIDUS ("/") character to the new value
search <query> input is hierarchical, and contained a <query> component (possibly an empty one) U+003F QUESTION MARK ("?") Remove one leading U+003F QUESTION MARK ("?") character, if any
hash <fragment> input contained a <fragment> component (possibly an empty one) U+0023 NUMBER SIGN ("#") Remove one leading U+0023 NUMBER SIGN ("#") character, if any

The table below demonstrates how the getter condition for search results in different results depending on the exact original syntax of the URL:

Input URL search value Explanation
http://example.com/ empty string No <query> component in input URL.
http://example.com/? ? There is a <query> component, but it is empty. The question mark in the resulting value is the prefix.
http://example.com/?test ?test The <query> component has the value "test".
http://example.com/?test# ?test The (empty) <fragment> component is not part of the <query> component.

2.4 Common microsyntaxes

There are various places in HTML that accept particular data types, such as dates or numbers. This section describes what the conformance criteria for content in those formats is, and how to parse them.

Need to go through the whole spec and make sure all the attribute values are clearly defined either in terms of microsyntaxes or in terms of other specs, or as "Text" or some such.

2.4.1 Common parser idioms

The space characters, for the purposes of this specification, are U+0020 SPACE, U+0009 CHARACTER TABULATION (tab), U+000A LINE FEED (LF), U+000C FORM FEED (FF), and U+000D CARRIAGE RETURN (CR).

Some of the micro-parsers described below follow the pattern of having an input variable that holds the string being parsed, and having a position variable pointing at the next character to parse in input.

For parsers based on this pattern, a step that requires the user agent to collect a sequence of characters means that the following algorithm must be run, with characters being the set of characters that can be collected:

  1. Let input and position be the same variables as those of the same name in the algorithm that invoked these steps.

  2. Let result be the empty string.

  3. While position doesn't point past the end of input and the character at position is one of the characters, append that character to the end of result and advance position to the next character in input.

  4. Return result.

The step skip whitespace means that the user agent must collect a sequence of characters that are space characters. The step skip Zs characters means that the user agent must collect a sequence of characters that are in the Unicode character class Zs. In both cases, the collected characters are not used. [UNICODE]

2.4.2 Boolean attributes

A number of attributes in HTML5 are boolean attributes. The presence of a boolean attribute on an element represents the true value, and the absence of the attribute represents the false value.

If the attribute is present, its value must either be the empty string or a value that is a case-insensitive match for the attribute's canonical name, with no leading or trailing whitespace.

2.4.3 Numbers

2.4.3.1. Unsigned integers

A string is a valid non-negative integer if it consists of one of more characters in the range U+0030 DIGIT ZERO (0) to U+0039 DIGIT NINE (9).

The rules for parsing non-negative integers are as given in the following algorithm. When invoked, the steps must be followed in the order given, aborting at the first step that returns a value. This algorithm will either return zero, a positive integer, or an error. Leading spaces are ignored. Trailing spaces and indeed any trailing garbage characters are ignored.

  1. Let input be the string being parsed.

  2. Let position be a pointer into input, initially pointing at the start of the string.

  3. Let value have the value 0.

  4. Skip whitespace.

  5. If position is past the end of input, return an error.

  6. If the next character is not one of U+0030 DIGIT ZERO (0) .. U+0039 DIGIT NINE (9), then return an error.

  7. If the next character is one of U+0030 DIGIT ZERO (0) .. U+0039 DIGIT NINE (9):

    1. Multiply value by ten.
    2. Add the value of the current character (0..9) to value.
    3. Advance position to the next character.
    4. If position is not past the end of input, return to the top of step 7 in the overall algorithm (that's the step within which these substeps find themselves).
  8. Return value.

2.4.3.2. Signed integers

A string is a valid integer if it consists of one of more characters in the range U+0030 DIGIT ZERO (0) to U+0039 DIGIT NINE (9), optionally prefixed with a U+002D HYPHEN-MINUS ("-") character.

The rules for parsing integers are similar to the rules for non-negative integers, and are as given in the following algorithm. When invoked, the steps must be followed in the order given, aborting at the first step that returns a value. This algorithm will either return an integer or an error. Leading spaces are ignored. Trailing spaces and trailing garbage characters are ignored.

  1. Let input be the string being parsed.

  2. Let position be a pointer into input, initially pointing at the start of the string.

  3. Let value have the value 0.

  4. Let sign have the value "positive".

  5. Skip whitespace.

  6. If position is past the end of input, return an error.

  7. If the character indicated by position (the first character) is a U+002D HYPHEN-MINUS ("-") character:

    1. Let sign be "negative".
    2. Advance position to the next character.
    3. If position is past the end of input, return an error.
  8. If the next character is not one of U+0030 DIGIT ZERO (0) .. U+0039 DIGIT NINE (9), then return an error.

  9. If the next character is one of U+0030 DIGIT ZERO (0) .. U+0039 DIGIT NINE (9):

    1. Multiply value by ten.
    2. Add the value of the current character (0..9) to value.
    3. Advance position to the next character.
    4. If position is not past the end of input, return to the top of step 9 in the overall algorithm (that's the step within which these substeps find themselves).
  10. If sign is "positive", return value, otherwise return 0-value.

2.4.3.3. Real numbers

A string is a valid floating point number if it consists of one of more characters in the range U+0030 DIGIT ZERO (0) to U+0039 DIGIT NINE (9), optionally with a single U+002E FULL STOP (".") character somewhere (either before these numbers, in between two numbers, or after the numbers), all optionally prefixed with a U+002D HYPHEN-MINUS ("-") character.

The rules for parsing floating point number values are as given in the following algorithm. As with the previous algorithms, when this one is invoked, the steps must be followed in the order given, aborting at the first step that returns a value. This algorithm will either return a number or an error. Leading spaces are ignored. Trailing spaces and garbage characters are ignored.

  1. Let input be the string being parsed.

  2. Let position be a pointer into input, initially pointing at the start of the string.

  3. Let value have the value 0.

  4. Let sign have the value "positive".

  5. Skip whitespace.

  6. If position is past the end of input, return an error.

  7. If the character indicated by position (the first character) is a U+002D HYPHEN-MINUS ("-") character:

    1. Let sign be "negative".
    2. Advance position to the next character.
    3. If position is past the end of input, return an error.
  8. If the next character is not one of U+0030 DIGIT ZERO (0) .. U+0039 DIGIT NINE (9) or U+002E FULL STOP ("."), then return an error.

  9. If the next character is U+002E FULL STOP ("."), but either that is the last character or the character after that one is not one of U+0030 DIGIT ZERO (0) .. U+0039 DIGIT NINE (9), then return an error.

  10. If the next character is one of U+0030 DIGIT ZERO (0) .. U+0039 DIGIT NINE (9):

    1. Multiply value by ten.
    2. Add the value of the current character (0..9) to value.
    3. Advance position to the next character.
    4. If position is past the end of input, then if sign is "positive", return value, otherwise return 0-value.
    5. Otherwise return to the top of step 10 in the overall algorithm (that's the step within which these substeps find themselves).
  11. Otherwise, if the next character is not a U+002E FULL STOP ("."), then if sign is "positive", return value, otherwise return 0-value.

  12. The next character is a U+002E FULL STOP ("."). Advance position to the character after that.

  13. Let divisor be 1.

  14. If the next character is one of U+0030 DIGIT ZERO (0) .. U+0039 DIGIT NINE (9):

    1. Multiply divisor by ten.
    2. Add the value of the current character (0..9) divided by divisor, to value.
    3. Advance position to the next character.
    4. If position is past the end of input, then if sign is "positive", return value, otherwise return 0-value.
    5. Otherwise return to the top of step 14 in the overall algorithm (that's the step within which these substeps find themselves).
  15. Otherwise, if sign is "positive", return value, otherwise return 0-value.

2.4.3.4. Ratios

The algorithms described in this section are used by the progress and meter elements.

A valid denominator punctuation character is one of the characters from the table below. There is a value associated with each denominator punctuation character, as shown in the table below.

Denominator Punctuation Character Value
U+0025 PERCENT SIGN % 100
U+066A ARABIC PERCENT SIGN ٪ 100
U+FE6A SMALL PERCENT SIGN 100
U+FF05 FULLWIDTH PERCENT SIGN 100
U+2030 PER MILLE SIGN 1000
U+2031 PER TEN THOUSAND SIGN 10000

The steps for finding one or two numbers of a ratio in a string are as follows:

  1. If the string is empty, then return nothing and abort these steps.
  2. Find a number in the string according to the algorithm below, starting at the start of the string.
  3. If the sub-algorithm in step 2 returned nothing or returned an error condition, return nothing and abort these steps.
  4. Set number1 to the number returned by the sub-algorithm in step 2.
  5. Starting with the character immediately after the last one examined by the sub-algorithm in step 2, skip any characters in the string that are in the Unicode character class Zs (this might match zero characters). [UNICODE]
  6. If there are still further characters in the string, and the next character in the string is a valid denominator punctuation character, set denominator to that character.
  7. If the string contains any other characters in the range U+0030 DIGIT ZERO to U+0039 DIGIT NINE, but denominator was given a value in the step 6, return nothing and abort these steps.
  8. Otherwise, if denominator was given a value in step 6, return number1 and denominator and abort these steps.
  9. Find a number in the string again, starting immediately after the last character that was examined by the sub-algorithm in step 2.
  10. If the sub-algorithm in step 9 returned nothing or an error condition, return nothing and abort these steps.
  11. Set number2 to the number returned by the sub-algorithm in step 9.
  12. If there are still further characters in the string, and the next character in the string is a valid denominator punctuation character, return nothing and abort these steps.
  13. If the string contains any other characters in the range U+0030 DIGIT ZERO to U+0039 DIGIT NINE, return nothing and abort these steps.
  14. Otherwise, return number1 and number2.

The algorithm to find a number is as follows. It is given a string and a starting position, and returns either nothing, a number, or an error condition.

  1. Starting at the given starting position, ignore all characters in the given string until the first character that is either a U+002E FULL STOP or one of the ten characters in the range U+0030 DIGIT ZERO to U+0039 DIGIT NINE.
  2. If there are no such characters, return nothing and abort these steps.
  3. Starting with the character matched in step 1, collect all the consecutive characters that are either a U+002E FULL STOP or one of the ten characters in the range U+0030 DIGIT ZERO to U+0039 DIGIT NINE, and assign this string of one or more characters to string.
  4. If string contains more than one U+002E FULL STOP character then return an error condition and abort these steps.
  5. Parse string according to the rules for parsing floating point number values, to obtain number. This step cannot fail (string is guaranteed to be a valid floating point number).
  6. Return number.
2.4.3.5. Percentages and dimensions

valid positive non-zero integers rules for parsing dimension values (only used by height/width on img, embed, object — lengths in css pixels or percentages)

2.4.3.6. Lists of integers

A valid list of integers is a number of valid integers separated by U+002C COMMA characters, with no other characters (e.g. no space characters). In addition, there might be restrictions on the number of integers that can be given, or on the range of values allowed.

The rules for parsing a list of integers are as follows:

  1. Let input be the string being parsed.

  2. Let position be a pointer into input, initially pointing at the start of the string.

  3. Let numbers be an initially empty list of integers. This list will be the result of this algorithm.

  4. If there is a character in the string input at position position, and it is either a U+0020 SPACE, U+002C COMMA, or U+003B SEMICOLON character, then advance position to the next character in input, or to beyond the end of the string if there are no more characters.

  5. If position points to beyond the end of input, return numbers and abort.

  6. If the character in the string input at position position is a U+0020 SPACE, U+002C COMMA, or U+003B SEMICOLON character, then return to step 4.

  7. Let negated be false.

  8. Let value be 0.

  9. Let started be false. This variable is set to true when the parser sees a number or a "-" character.

  10. Let got number be false. This variable is set to true when the parser sees a number.

  11. Let finished be false. This variable is set to true to switch parser into a mode where it ignores characters until the next separator.

  12. Let bogus be false.

  13. Parser: If the character in the string input at position position is:

    A U+002D HYPHEN-MINUS character

    Follow these substeps:

    1. If got number is true, let finished be true.
    2. If finished is true, skip to the next step in the overall set of steps.
    3. If started is true, let negated be false.
    4. Otherwise, if started is false and if bogus is false, let negated be true.
    5. Let started be true.
    A character in the range U+0030 DIGIT ZERO .. U+0039 DIGIT NINE

    Follow these substeps:

    1. If finished is true, skip to the next step in the overall set of steps.
    2. Multiply value by ten.
    3. Add the value of the digit, interpreted in base ten, to value.
    4. Let started be true.
    5. Let got number be true.
    A U+0020 SPACE character
    A U+002C COMMA character
    A U+003B SEMICOLON character

    Follow these substeps:

    1. If got number is false, return the numbers list and abort. This happens if an entry in the list has no digits, as in "1,2,x,4".
    2. If negated is true, then negate value.
    3. Append value to the numbers list.
    4. Jump to step 4 in the overall set of steps.
    A U+002E FULL STOP character

    Follow these substeps:

    1. If got number is true, let finished be true.
    2. If finished is true, skip to the next step in the overall set of steps.
    3. Let negated be false.
    Any other character

    Follow these substeps:

    1. If finished is true, skip to the next step in the overall set of steps.
    2. Let negated be false.
    3. Let bogus be true.
    4. If started is true, then return the numbers list, and abort. (The value in value is not appended to the list first; it is dropped.)
  14. Advance position to the next character in input, or to beyond the end of the string if there are no more characters.

  15. If position points to a character (and not to beyond the end of input), jump to the big Parser step above.

  16. If negated is true, then negate value.

  17. If got number is true, then append value to the numbers list.

  18. Return the numbers list and abort.

2.4.4 Dates and times

In the algorithms below, the number of days in month month of year year is: 31 if month is 1, 3, 5, 7, 8, 10, or 12; 30 if month is 4, 6, 9, or 11; 29 if month is 2 and year is a number divisible by 400, or if year is a number divisible by 4 but not by 100; and 28 otherwise. This takes into account leap years in the Gregorian calendar. [GREGORIAN]

2.4.4.1. Specific moments in time

A string is a valid datetime if it has four digits (representing the year), a literal hyphen, two digits (representing the month), a literal hyphen, two digits (representing the day), optionally some spaces, either a literal T or a space, optionally some more spaces, two digits (for the hour), a colon, two digits (the minutes), optionally the seconds (which, if included, must consist of another colon, two digits (the integer part of the seconds), and optionally a decimal point followed by one or more digits (for the fractional part of the seconds)), optionally some spaces, and finally either a literal Z (indicating the time zone is UTC), or, a plus sign or a minus sign followed by two digits, a colon, and two digits (for the sign, the hours and minutes of the timezone offset respectively); with the month-day combination being a valid date in the given year according to the Gregorian calendar, the hour values (h) being in the range 0 ≤ h ≤ 23, the minute values (m) in the range 0 ≤ m ≤ 59, and the second value (s) being in the range 0 ≤ h < 60. [GREGORIAN]

The digits must be characters in the range U+0030 DIGIT ZERO (0) to U+0039 DIGIT NINE (9), the hyphens must be a U+002D HYPHEN-MINUS characters, the T must be a U+0054 LATIN CAPITAL LETTER T, the colons must be U+003A COLON characters, the decimal point must be a U+002E FULL STOP, the Z must be a U+005A LATIN CAPITAL LETTER Z, the plus sign must be a U+002B PLUS SIGN, and the minus U+002D (same as the hyphen).

The following are some examples of dates written as valid datetimes.

"0037-12-13 00:00 Z"
Midnight UTC on the birthday of Nero (the Roman Emperor).
"1979-10-14T12:00:00.001-04:00"
One millisecond after noon on October 14th 1979, in the time zone in use on the east coast of North America during daylight saving time.
"8592-01-01 T 02:09 +02:09"
Midnight UTC on the 1st of January, 8592. The time zone associated with that time is two hours and nine minutes ahead of UTC.

Several things are notable about these dates:

Conformance checkers can use the algorithm below to determine if a datetime is a valid datetime or not.

To parse a string as a datetime value, a user agent must apply the following algorithm to the string. This will either return a time in UTC, with associated timezone information for round tripping or display purposes, or nothing, indicating the value is not a valid datetime. If at any point the algorithm says that it "fails", this means that it returns nothing.

  1. Let input be the string being parsed.

  2. Let position be a pointer into input, initially pointing at the start of the string.

  3. Collect a sequence of characters in the range U+0030 DIGIT ZERO (0) to U+0039 DIGIT NINE (9). If the collected sequence is not exactly four characters long, then fail. Otherwise, interpret the resulting sequence as a base-ten integer. Let that number be the year.

  4. If position is beyond the end of input or if the character at position is not a U+002D HYPHEN-MINUS character, then fail. Otherwise, move position forwards one character.

  5. Collect a sequence of characters in the range U+0030 DIGIT ZERO (0) to U+0039 DIGIT NINE (9). If the collected sequence is not exactly two characters long, then fail. Otherwise, interpret the resulting sequence as a base-ten integer. Let that number be the month.

  6. If month is not a number in the range 1 ≤ month ≤ 12, then fail.
  7. Let maxday be the number of days in month month of year year.

  8. If position is beyond the end of input or if the character at position is not a U+002D HYPHEN-MINUS character, then fail. Otherwise, move position forwards one character.

  9. Collect a sequence of characters in the range U+0030 DIGIT ZERO (0) to U+0039 DIGIT NINE (9). If the collected sequence is not exactly two characters long, then fail. Otherwise, interpret the resulting sequence as a base-ten integer. Let that number be the day.

  10. If day is not a number in the range 1 ≤ month ≤ maxday, then fail.

  11. Collect a sequence of characters that are either U+0054 LATIN CAPITAL LETTER T characters or space characters. If the collected sequence is zero characters long, or if it contains more than one U+0054 LATIN CAPITAL LETTER T character, then fail.

  12. Collect a sequence of characters in the range U+0030 DIGIT ZERO (0) to U+0039 DIGIT NINE (9). If the collected sequence is not exactly two characters long, then fail. Otherwise, interpret the resulting sequence as a base-ten integer. Let that number be the hour.

  13. If hour is not a number in the range 0 ≤ hour ≤ 23, then fail.
  14. If position is beyond the end of input or if the character at position is not a U+003A COLON character, then fail. Otherwise, move position forwards one character.

  15. Collect a sequence of characters in the range U+0030 DIGIT ZERO (0) to U+0039 DIGIT NINE (9). If the collected sequence is not exactly two characters long, then fail. Otherwise, interpret the resulting sequence as a base-ten integer. Let that number be the minute.

  16. If minute is not a number in the range 0 ≤ minute ≤ 59, then fail.
  17. Let second be a string with the value "0".

  18. If position is beyond the end of input, then fail.

  19. If the character at position is a U+003A COLON, then:

    1. Advance position to the next character in input.

    2. If position is beyond the end of input, or at the last character in input, or if the next two characters in input starting at position are not two characters both in the range U+0030 DIGIT ZERO (0) to U+0039 DIGIT NINE (9), then fail.

    3. Collect a sequence of characters that are either characters in the range U+0030 DIGIT ZERO (0) to U+0039 DIGIT NINE (9) or U+002E FULL STOP characters. If the collected sequence has more than one U+002E FULL STOP characters, or if the last character in the sequence is a U+002E FULL STOP character, then fail. Otherwise, let the collected string be second instead of its previous value.

  20. Interpret second as a base-ten number (possibly with a fractional part). Let that number be second instead of the string version.

  21. If second is not a number in the range 0 ≤ hour < 60, then fail. (The values 60 and 61 are not allowed: leap seconds cannot be represented by datetime values.)
  22. If position is beyond the end of input, then fail.

  23. Skip whitespace.

  24. If the character at position is a U+005A LATIN CAPITAL LETTER Z, then:

    1. Let timezonehours be 0.

    2. Let timezoneminutes be 0.

    3. Advance position to the next character in input.

  25. Otherwise, if the character at position is either a U+002B PLUS SIGN ("+") or a U+002D HYPHEN-MINUS ("-"), then:

    1. If the character at position is a U+002B PLUS SIGN ("+"), let sign be "positive". Otherwise, it's a U+002D HYPHEN-MINUS ("-"); let sign be "negative".

    2. Advance position to the next character in input.

    3. Collect a sequence of characters in the range U+0030 DIGIT ZERO (0) to U+0039 DIGIT NINE (9). If the collected sequence is not exactly two characters long, then fail. Otherwise, interpret the resulting sequence as a base-ten integer. Let that number be the timezonehours.

    4. If timezonehours is not a number in the range 0 ≤ timezonehours ≤ 23, then fail.
    5. If sign is "negative", then negate timezonehours.
    6. If position is beyond the end of input or if the character at position is not a U+003A COLON character, then fail. Otherwise, move position forwards one character.

    7. Collect a sequence of characters in the range U+0030 DIGIT ZERO (0) to U+0039 DIGIT NINE (9). If the collected sequence is not exactly two characters long, then fail. Otherwise, interpret the resulting sequence as a base-ten integer. Let that number be the timezoneminutes.

    8. If timezoneminutes is not a number in the range 0 ≤ timezoneminutes ≤ 59, then fail.
    9. If sign is "negative", then negate timezoneminutes.
  26. If position is not beyond the end of input, then fail.

  27. Let time be the moment in time at year year, month month, day day, hours hour, minute minute, second second, subtracting timezonehours hours and timezoneminutes minutes. That moment in time is a moment in the UTC timezone.

  28. Let timezone be timezonehours hours and timezoneminutes minutes from UTC.

  29. Return time and timezone.

2.4.4.2. Vaguer moments in time

This section defines date or time strings. There are two kinds, date or time strings in content, and date or time strings in attributes. The only difference is in the handling of whitespace characters.

To parse a date or time string, user agents must use the following algorithm. A date or time string is a valid date or time string if the following algorithm, when run on the string, doesn't say the string is invalid.

The algorithm may return nothing (in which case the string will be invalid), or it may return a date, a time, a date and a time, or a date and a time and a timezone. Even if the algorithm returns one or more values, the string can still be invalid.

  1. Let input be the string being parsed.

  2. Let position be a pointer into input, initially pointing at the start of the string.

  3. Let results be the collection of results that are to be returned (one or more of a date, a time, and a timezone), initially empty. If the algorithm aborts at any point, then whatever is currently in results must be returned as the result of the algorithm.

  4. For the "in content" variant: skip Zs characters; for the "in attributes" variant: skip whitespace.

  5. Collect a sequence of characters in the range U+0030 DIGIT ZERO (0) to U+0039 DIGIT NINE (9). If the collected sequence is empty, then the string is invalid; abort these steps.

  6. Let the sequence of characters collected in the last step be s.

  7. If position is past the end of input, the string is invalid; abort these steps.

  8. If the character at position is not a U+003A COLON character, then:

    1. If the character at position is not a U+002D HYPHEN-MINUS ("-") character either, then the string is invalid, abort these steps.

    2. If the sequence s is not exactly four digits long, then the string is invalid. (This does not stop the algorithm, however.)

    3. Interpret the sequence of characters collected in step 5 as a base-ten integer, and let that number be year.

    4. Advance position past the U+002D HYPHEN-MINUS ("-") character.

    5. Collect a sequence of characters in the range U+0030 DIGIT ZERO (0) to U+0039 DIGIT NINE (9). If the collected sequence is empty, then the string is invalid; abort these steps.

    6. If the sequence collected in the last step is not exactly two digits long, then the string is invalid.

    7. Interpret the sequence of characters collected two steps ago as a base-ten integer, and let that number be month.

    8. If month is not a number in the range 1 ≤ month ≤ 12, then the string is invalid, abort these steps.
    9. Let maxday be the number of days in month month of year year.

    10. If position is past the end of input, or if the character at position is not a U+002D HYPHEN-MINUS ("-") character, then the string is invalid, abort these steps. Otherwise, advance position to the next character.

    11. Collect a sequence of characters in the range U+0030 DIGIT ZERO (0) to U+0039 DIGIT NINE (9). If the collected sequence is empty, then the string is invalid; abort these steps.

    12. If the sequence collected in the last step is not exactly two digits long, then the string is invalid.

    13. Interpret the sequence of characters collected two steps ago as a base-ten integer, and let that number be day.

    14. If day is not a number in the range 1 ≤ day ≤ maxday, then the string is invalid, abort these steps.

    15. Add the date represented by year, month, and day to the results.

    16. For the "in content" variant: skip Zs characters; for the "in attributes" variant: skip whitespace.

    17. If the character at position is a U+0054 LATIN CAPITAL LETTER T, then move position forwards one character.

    18. For the "in content" variant: skip Zs characters; for the "in attributes" variant: skip whitespace.

    19. Collect a sequence of characters in the range U+0030 DIGIT ZERO (0) to U+0039 DIGIT NINE (9). If the collected sequence is empty, then the string is invalid; abort these steps.

    20. Let s be the sequence of characters collected in the last step.

  9. If s is not exactly two digits long, then the string is invalid.

  10. Interpret the sequence of characters collected two steps ago as a base-ten integer, and let that number be hour.

  11. If hour is not a number in the range 0 ≤ hour ≤ 23, then the string is invalid, abort these steps.

  12. If position is past the end of input, or if the character at position is not a U+003A COLON character, then the string is invalid, abort these steps. Otherwise, advance position to the next character.

  13. Collect a sequence of characters in the range U+0030 DIGIT ZERO (0) to U+0039 DIGIT NINE (9). If the collected sequence is empty, then the string is invalid; abort these steps.

  14. If the sequence collected in the last step is not exactly two digits long, then the string is invalid.

  15. Interpret the sequence of characters collected two steps ago as a base-ten integer, and let that number be minute.

  16. If minute is not a number in the range 0 ≤ minute ≤ 59, then the string is invalid, abort these steps.

  17. Let second be 0. It might be changed to another value in the next step.

  18. If position is not past the end of input and the character at position is a U+003A COLON character, then:

    1. Collect a sequence of characters that are either characters in the range U+0030 DIGIT ZERO (0) to U+0039 DIGIT NINE (9) or are U+002E FULL STOP. If the collected sequence is empty, or contains more than one U+002E FULL STOP character, then the string is invalid; abort these steps.

    2. If the first character in the sequence collected in the last step is not in the range U+0030 DIGIT ZERO (0) to U+0039 DIGIT NINE (9), then the string is invalid.

    3. Interpret the sequence of characters collected two steps ago as a base-ten number (possibly with a fractional part), and let that number be second.

    4. If second is not a number in the range 0 ≤ minute < 60, then the string is invalid, abort these steps.

  19. Add the time represented by hour, minute, and second to the results.

  20. If results has both a date and a time, then:

    1. For the "in content" variant: skip Zs characters; for the "in attributes" variant: skip whitespace.

    2. If position is past the end of input, then skip to the next step in the overall set of steps.

    3. Otherwise, if the character at position is a U+005A LATIN CAPITAL LETTER Z, then:

      1. Add the timezone corresponding to UTC (zero offset) to the results.

      2. Advance position to the next character in input.

      3. Skip to the next step in the overall set of steps.

    4. Otherwise, if the character at position is either a U+002B PLUS SIGN ("+") or a U+002D HYPHEN-MINUS ("-"), then:

      1. If the character at position is a U+002B PLUS SIGN ("+"), let sign be "positive". Otherwise, it's a U+002D HYPHEN-MINUS ("-"); let sign be "negative".

      2. Advance position to the next character in input.

      3. Collect a sequence of characters in the range U+0030 DIGIT ZERO (0) to U+0039 DIGIT NINE (9). If the collected sequence is not exactly two characters long, then the string is invalid.

      4. Interpret the sequence collected in the last step as a base-ten number, and let that number be timezonehours.

      5. If timezonehours is not a number in the range 0 ≤ timezonehours ≤ 23, then the string is invalid; abort these steps.
      6. If sign is "negative", then negate timezonehours.
      7. If position is beyond the end of input or if the character at position is not a U+003A COLON character, then the string is invalid; abort these steps. Otherwise, move position forwards one character.

      8. Collect a sequence of characters in the range U+0030 DIGIT ZERO (0) to U+0039 DIGIT NINE (9). If the collected sequence is not exactly two characters long, then the string is invalid.

      9. Interpret the sequence collected in the last step as a base-ten number, and let that number be timezoneminutes.

      10. If timezoneminutes is not a number in the range 0 ≤ timezoneminutes ≤ 59, then the string is invalid; abort these steps.
      11. Add the timezone corresponding to an offset of timezonehours hours and timezoneminutes minutes to the results.

      12. Skip to the next step in the overall set of steps.

    5. Otherwise, the string is invalid; abort these steps.

  21. For the "in content" variant: skip Zs characters; for the "in attributes" variant: skip whitespace.

  22. If position is not past the end of input, then the string is invalid.

  23. Abort these steps (the string is parsed).

2.4.5 Time offsets

valid time offset, rules for parsing time offsets, time offset serialization rules; in the format "5d4h3m2s1ms" or "3m 9.2s" or "00:00:00.00" or similar.

2.4.6 Tokens

A set of space-separated tokens is a set of zero or more words separated by one or more space characters, where words consist of any string of one or more characters, none of which are space characters.

A string containing a set of space-separated tokens may have leading or trailing space characters.

An unordered set of unique space-separated tokens is a set of space-separated tokens where none of the words are duplicated.

An ordered set of unique space-separated tokens is a set of space-separated tokens where none of the words are duplicated but where the order of the tokens is meaningful.

Sets of space-separated tokens sometimes have a defined set of allowed values. When a set of allowed values is defined, the tokens must all be from that list of allowed values; other values are non-conforming. If no such set of allowed values is provided, then all values are conforming.

When a user agent has to split a string on spaces, it must use the following algorithm:

  1. Let input be the string being parsed.

  2. Let position be a pointer into input, initially pointing at the start of the string.

  3. Let tokens be a list of tokens, initially empty.

  4. Skip whitespace

  5. While position is not past the end of input:

    1. Collect a sequence of characters that are not space characters.

    2. Add the string collected in the previous step to tokens.

    3. Skip whitespace

  6. Return tokens.

When a user agent has to remove a token from a string, it must use the following algorithm:

  1. Let input be the string being modified.

  2. Let token be the token being removed. It will not contain any space characters.

  3. Let output be the output string, initially empty.

  4. Let position be a pointer into input, initially pointing at the start of the string.

  5. If position is beyond the end of input, set the string being modified to output, and abort these steps.

  6. If the character at position is a space character:

    1. Append the character at position to the end of output.

    2. Increment position so it points at the next character in input.

    3. Return to step 5 in the overall set of steps.

  7. Otherwise, the character at position is the first character of a token. Collect a sequence of characters that are not space characters, and let that be s.

  8. If s is exactly equal to token, then:

    1. Skip whitespace (in input).

    2. Remove any space characters currently at the end of output.

    3. If position is not past the end of input, and output is not the empty string, append a single U+0020 SPACE character at the end of output.

  9. Otherwise, append s to the end of output.

  10. Return to step 6 in the overall set of steps.

This causes any occurrences of the token to be removed from the string, and any spaces that were surrounding the token to be collapsed to a single space, except at the start and end of the string, where such spaces are removed.

2.4.7 Keywords and enumerated attributes

Some attributes are defined as taking one of a finite set of keywords. Such attributes are called enumerated attributes. The keywords are each defined to map to a particular state (several keywords might map to the same state, in which case some of the keywords are synonyms of each other; additionally, some of the keywords can be said to be non-conforming, and are only in the specification for historical reasons). In addition, two default states can be given. The first is the invalid value default, the second is the missing value default.

If an enumerated attribute is specified, the attribute's value must be one of the given keywords that are not said to be non-conforming, with no leading or trailing whitespace. The keyword may use any mix of uppercase and lowercase letters.

When the attribute is specified, if its value case-insensitively matches one of the given keywords then that keyword's state is the state that the attribute represents. If the attribute value matches none of the given keywords, but the attribute has an invalid value default, then the attribute represents that state. Otherwise, if the attribute value matches none of the keywords but there is a missing value default state defined, then that is the state represented by the attribute. Otherwise, there is no default, and invalid values must be ignored.

When the attribute is not specified, if there is a missing value default state defined, then that is the state represented by the (missing) attribute. Otherwise, the absence of the attribute means that there is no state represented.

The empty string can be one of the keywords in some cases. For example the contenteditable attribute has two states: true, matching the true keyword and the empty string, false, matching false and all other keywords (it's the invalid value default). It could further be thought of as having a third state inherit, which would be the default when the attribute is not specified at all (the missing value default), but for various reasons that isn't the way this specification actually defines it.

2.4.8 References

A valid hash-name reference to an element of type type is a string consisting of a U+0023 NUMBER SIGN (#) character followed by a string which exactly matches the value of the name attribute of an element in the document with type type.

The rules for parsing a hash-name reference to an element of type type are as follows:

  1. If the string being parsed does not contain a U+0023 NUMBER SIGN character, or if the first such character in the string is the last character in the string, then return null and abort these steps.

  2. Let s be the string from the character immediately after the first U+0023 NUMBER SIGN character in the string being parsed up to the end of that string.

  3. Return the first element of type type that has an id or name attribute whose value case-insensitively matches s.

2.5 Common DOM interfaces

2.5.1 Reflecting content attributes in DOM attributes

Some DOM attributes are defined to reflect a particular content attribute. This means that on getting, the DOM attribute returns the current value of the content attribute, and on setting, the DOM attribute changes the value of the content attribute to the given value.

If a reflecting DOM attribute is a DOMString attribute whose content attribute is defined to contain a URL, then on getting, the DOM attribute must resolve the value of the content attribute and return the resulting absolute URL if that was successful, or the empty string otherwise; and on setting, must set the content attribute to the specified literal value. If the content attribute is absent, the DOM attribute must return the default value, if the content attribute has one, or else the empty string.

If a reflecting DOM attribute is a DOMString attribute whose content attribute is defined to contain one or more URLs, then on getting, the DOM attribute must split the content attribute on spaces and return the concatenation of resolving each token URL to an absolute URL, with a single U+0020 SPACE character between each URL, ignoring any tokens that did not resolve successfully. If the content attribute is absent, the DOM attribute must return the default value, if the content attribute has one, or else the empty string. On setting, the DOM attribute must set the content attribute to the specified literal value.

If a reflecting DOM attribute is a DOMString whose content attribute is an enumerated attribute, and the DOM attribute is limited to only known values, then, on getting, the DOM attribute must return the conforming value associated with the state the attribute is in (in its canonical case), or the empty string if the attribute is in a state that has no associated keyword value; and on setting, if the new value case-insensitively matches one of the keywords given for that attribute, then the content attribute must be set to the conforming value associated with the state that the attribute would be in if set to the given new value, otherwise, if the new value is the empty string, then the content attribute must be removed, otherwise, the setter must raise a SYNTAX_ERR exception.

If a reflecting DOM attribute is a DOMString but doesn't fall into any of the above categories, then the getting and setting must be done in a transparent, case-preserving manner.

If a reflecting DOM attribute is a boolean attribute, then on getting the DOM attribute must return true if the attribute is set, and false if it is absent. On setting, the content attribute must be removed if the DOM attribute is set to false, and must be set to have the same value as its name if the DOM attribute is set to true. (This corresponds to the rules for boolean content attributes.)

If a reflecting DOM attribute is a signed integer type (long) then, on getting, the content attribute must be parsed according to the rules for parsing signed integers, and if that is successful, the resulting value must be returned. If, on the other hand, it fails, or if the attribute is absent, then the default value must be returned instead, or 0 if there is no default value. On setting, the given value must be converted to the shortest possible string representing the number as a valid integer in base ten and then that string must be used as the new content attribute value.

If a reflecting DOM attribute is an unsigned integer type (unsigned long) then, on getting, the content attribute must be parsed according to the rules for parsing unsigned integers, and if that is successful, the resulting value must be returned. If, on the other hand, it fails, or if the attribute is absent, the default value must be returned instead, or 0 if there is no default value. On setting, the given value must be converted to the shortest possible string representing the number as a valid non-negative integer in base ten and then that string must be used as the new content attribute value.

If a reflecting DOM attribute is an unsigned integer type (unsigned long) that is limited to only positive non-zero numbers, then the behavior is similar to the previous case, but zero is not allowed. On getting, the content attribute must first be parsed according to the rules for parsing unsigned integers, and if that is successful, the resulting value must be returned. If, on the other hand, it fails, or if the attribute is absent, the default value must be returned instead, or 1 if there is no default value. On setting, if the value is zero, the user agent must fire an INDEX_SIZE_ERR exception. Otherwise, the given value must be converted to the shortest possible string representing the number as a valid non-negative integer in base ten and then that string must be used as the new content attribute value.

If a reflecting DOM attribute is a floating point number type (float) and the content attribute is defined to contain a time offset, then, on getting, the content attribute must be parsed according to the rules for parsing time offsets, and if that is successful, the resulting value, in seconds, must be returned. If that fails, or if the attribute is absent, the default value must be returned, or the not-a-number value (NaN) if there is no default value. On setting, the given value, interpreted as a time offset in seconds, must be converted to a string using the time offset serialization rules, and that string must be used as the new content attribute value.

If a reflecting DOM attribute is a floating point number type (float) and it doesn't fall into one of the earlier categories, then, on getting, the content attribute must be parsed according to the rules for parsing floating point number values, and if that is successful, the resulting value must be returned. If, on the other hand, it fails, or if the attribute is absent, the default value must be returned instead, or 0.0 if there is no default value. On setting, the given value must be converted to the shortest possible string representing the number as a valid floating point number in base ten and then that string must be used as the new content attribute value.

If a reflecting DOM attribute is of the type DOMTokenList, then on getting it must return a DOMTokenList object whose underlying string is the element's corresponding content attribute. When the DOMTokenList object mutates its underlying string, the content attribute must itself be immediately mutated. When the attribute is absent, then the string represented by the DOMTokenList object is the empty string; when the object mutates this empty string, the user agent must first add the corresponding content attribute, and then mutate that attribute instead. DOMTokenList attributes are always read-only. The same DOMTokenList object must be returned every time for each attribute.

If a reflecting DOM attribute has the type HTMLElement, or an interface that descends from HTMLElement, then, on getting, it must run the following algorithm (stopping at the first point where a value is returned):

  1. If the corresponding content attribute is absent, then the DOM attribute must return null.
  2. Let candidate be the element that the document.getElementById() method would find if it was passed as its argument the current value of the corresponding content attribute.
  3. If candidate is null, or if it is not type-compatible with the DOM attribute, then the DOM attribute must return null.
  4. Otherwise, it must return candidate.

On setting, if the given element has an id attribute, then the content attribute must be set to the value of that id attribute. Otherwise, the DOM attribute must be set to the empty string.

2.5.2 Collections

The HTMLCollection, HTMLFormControlsCollection, and HTMLOptionsCollection interfaces represent various lists of DOM nodes. Collectively, objects implementing these interfaces are called collections.

When a collection is created, a filter and a root are associated with the collection.

For example, when the HTMLCollection object for the document.images attribute is created, it is associated with a filter that selects only img elements, and rooted at the root of the document.

The collection then represents a live view of the subtree rooted at the collection's root, containing only nodes that match the given filter. The view is linear. In the absence of specific requirements to the contrary, the nodes within the collection must be sorted in tree order.

The rows list is not in tree order.

An attribute that returns a collection must return the same object every time it is retrieved.

2.5.2.1. HTMLCollection

The HTMLCollection interface represents a generic collection of elements.

interface HTMLCollection {
  readonly attribute unsigned long length;
  [IndexGetter] Element item(in unsigned long index);
  [NameGetter] Element namedItem(in DOMString name);
};

The length attribute must return the number of nodes represented by the collection.

The item(index) method must return the indexth node in the collection. If there is no indexth node in the collection, then the method must return null.

The namedItem(key) method must return the first node in the collection that matches the following requirements:

If no such elements are found, then the method must return null.

2.5.2.2. HTMLFormControlsCollection

The HTMLFormControlsCollection interface represents a collection of form controls.

interface HTMLFormControlsCollection {
  readonly attribute unsigned long length;
  [IndexGetter] HTMLElement item(in unsigned long index);
  [NameGetter] Object namedItem(in DOMString name);
};

The length attribute must return the number of nodes represented by the collection.

The item(index) method must return the indexth node in the collection. If there is no indexth node in the collection, then the method must return null.

The namedItem(key) method must act according to the following algorithm:

  1. If, at the time the method is called, there is exactly one node in the collection that has either an id attribute or a name attribute equal to key, then return that node and stop the algorithm.
  2. Otherwise, if there are no nodes in the collection that have either an id attribute or a name attribute equal to key, then return null and stop the algorithm.
  3. Otherwise, create a NodeList object representing a live view of the HTMLFormControlsCollection object, further filtered so that the only nodes in the NodeList object are those that have either an id attribute or a name attribute equal to key. The nodes in the NodeList object must be sorted in tree order.
  4. Return that NodeList object.
2.5.2.3. HTMLOptionsCollection

The HTMLOptionsCollection interface represents a list of option elements.

interface HTMLOptionsCollection {
           attribute unsigned long length;
  [IndexGetter] HTMLOptionElement item(in unsigned long index);
  [NameGetter] Object namedItem(in DOMString name);
};

On getting, the length attribute must return the number of nodes represented by the collection.

On setting, the behavior depends on whether the new value is equal to, greater than, or less than the number of nodes represented by the collection at that time. If the number is the same, then setting the attribute must do nothing. If the new value is greater, then n new option elements with no attributes and no child nodes must be appended to the select element on which the HTMLOptionsCollection is rooted, where n is the difference between the two numbers (new value minus old value). If the new value is lower, then the last n nodes in the collection must be removed from their parent nodes, where n is the difference between the two numbers (old value minus new value).

Setting length never removes or adds any optgroup elements, and never adds new children to existing optgroup elements (though it can remove children from them).

The item(index) method must return the indexth node in the collection. If there is no indexth node in the collection, then the method must return null.

The namedItem(key) method must act according to the following algorithm:

  1. If, at the time the method is called, there is exactly one node in the collection that has either an id attribute or a name attribute equal to key, then return that node and stop the algorithm.
  2. Otherwise, if there are no nodes in the collection that have either an id attribute or a name attribute equal to key, then return null and stop the algorithm.
  3. Otherwise, create a NodeList object representing a live view of the HTMLOptionsCollection object, further filtered so that the only nodes in the NodeList object are those that have either an id attribute or a name attribute equal to key. The nodes in the NodeList object must be sorted in tree order.
  4. Return that NodeList object.

We may want to add add() and remove() methods here too because IE implements HTMLSelectElement and HTMLOptionsCollection on the same object, and so people use them almost interchangeably in the wild.

2.5.3 DOMTokenList

The DOMTokenList interface represents an interface to an underlying string that consists of an unordered set of unique space-separated tokens.

Which string underlies a particular DOMTokenList object is defined when the object is created. It might be a content attribute (e.g. the string that underlies the classList object is the class attribute), or it might be an anonymous string (e.g. when a DOMTokenList object is passed to an author-implemented callback in the datagrid APIs).

[Stringifies] interface DOMTokenList {
  readonly attribute unsigned long length;
  [IndexGetter] DOMString item(in unsigned long index);
  boolean has(in DOMString token);
  void add(in DOMString token);
  void remove(in DOMString token);
  boolean toggle(in DOMString token);
};

The length attribute must return the number of unique tokens that result from splitting the underlying string on spaces.

The item(index) method must split the underlying string on spaces, sort the resulting list of tokens by Unicode codepoint, remove exact duplicates, and then return the indexth item in this list. If index is equal to or greater than the number of tokens, then the method must return null.

The has(token) method must run the following algorithm:

  1. If the token argument contains any space characters, then raise an INVALID_CHARACTER_ERR exception and stop the algorithm.
  2. Otherwise, split the underlying string on spaces to get the list of tokens in the object's underlying string.
  3. If the token indicated by token is one of the tokens in the object's underlying string then return true and stop this algorithm.
  4. Otherwise, return false.

The add(token) method must run the following algorithm:

  1. If the token argument contains any space characters, then raise an INVALID_CHARACTER_ERR exception and stop the algorithm.
  2. Otherwise, split the underlying string on spaces to get the list of tokens in the object's underlying string.
  3. If the given token is already one of the tokens in the DOMTokenList object's underlying string then stop the algorithm.
  4. Otherwise, if the DOMTokenList object's underlying string is not the empty string and the last character of that string is not a space character, then append a U+0020 SPACE character to the end of that string.
  5. Append the value of token to the end of the DOMTokenList object's underlying string.

The remove(token) method must run the following algorithm:

  1. If the token argument contains any space characters, then raise an INVALID_CHARACTER_ERR exception and stop the algorithm.
  2. Otherwise, remove the given token from the underlying string.

The toggle(token) method must run the following algorithm:

  1. If the token argument contains any space characters, then raise an INVALID_CHARACTER_ERR exception and stop the algorithm.
  2. Otherwise, split the underlying string on spaces to get the list of tokens in the object's underlying string.
  3. If the given token is already one of the tokens in the DOMTokenList object's underlying string then remove the given token from the underlying string, and stop the algorithm, returning false.
  4. Otherwise, if the DOMTokenList object's underlying string is not the empty string and the last character of that string is not a space character, then append a U+0020 SPACE character to the end of that string.
  5. Append the value of token to the end of the DOMTokenList object's underlying string.
  6. Return true.

Objects implementing the DOMTokenList interface must stringify to the object's underlying string representation.

2.5.4 DOMStringMap

The DOMStringMap interface represents a set of name-value pairs. When a DOMStringMap object is instanced, it is associated with three algorithms, one for getting values from names, one for setting names to certain values, and one for deleting names.

The names of the methods on this interface are temporary and will be fixed when the Web IDL / "Language Bindings for DOM Specifications" spec is ready to handle this case.

interface DOMStringMap {
  [NameGetter] DOMString XXX1(in DOMString name); 
  [NameSetter] void XXX2(in DOMString name, in DOMString value); 
  [XXX] boolean XXX3(in DOMString name); 
};

The XXX1(name) method must call the algorithm for getting values from names, passing name as the name, and must return the corresponding value, or null if name has no corresponding value.

The XXX2(name, value) method must call the algorithm for setting names to certain values, passing name as the name and value as the value.

The XXX3(name) method must call the algorithm for deleting names, passing name as the name, and must return true.

2.5.5 DOM feature strings

DOM3 Core defines mechanisms for checking for interface support, and for obtaining implementations of interfaces, using feature strings. [DOM3CORE]

A DOM application can use the hasFeature(feature, version) method of the DOMImplementation interface with parameter values "HTML" and "5.0" (respectively) to determine whether or not this module is supported by the implementation. In addition to the feature string "HTML", the feature string "XHTML" (with version string "5.0") can be used to check if the implementation supports XHTML. User agents should respond with a true value when the hasFeature method is queried with these values. Authors are cautioned, however, that UAs returning true might not be perfectly compliant, and that UAs returning false might well have support for features in this specification; in general, therefore, use of this method is discouraged.

The values "HTML" and "XHTML" (both with version "5.0") should also be supported in the context of the getFeature() and isSupported() methods, as defined by DOM3 Core.

The interfaces defined in this specification are not always supersets of the interfaces defined in DOM2 HTML; some features that were formerly deprecated, poorly supported, rarely used or considered unnecessary have been removed. Therefore it is not guaranteed that an implementation that supports "HTML" "5.0" also supports "HTML" "2.0".

2.6 Fetching resources

replace all instances of the word 'fetch' or 'download' with a reference to this section, and put something here that talks about caching, that redirects to the offline storage stuff when appropriate, that defines that before fetching a URL you have to resolve the URL, so that every case of fetching doesn't have to independently say to resolve the URL, etc; "once fetched, a resource might have to have its type determined", pointing to the next section but also explicitly saying that it's up to the part of the spec doing the fetching to determine how the type is established

2.7 Determining the type of a resource

It is imperative that the rules in this section be followed exactly. When a user agent uses different heuristics for content type detection than the server expects, security problems can occur. For example, if a server believes that the client will treat a contributed file as an image (and thus treat it as benign), but a Web browser believes the content to be HTML (and thus execute any scripts contained therein), the end user can be exposed to malicious content, making the user vulnerable to cookie theft attacks and other cross-site scripting attacks.

2.7.1 Content-Type metadata

What explicit Content-Type metadata is associated with the resource (the resource's type information) depends on the protocol that was used to fetch the resource.

For HTTP resources, only the first Content-Type HTTP header, if any, contributes any type information; the explicit type of the resource is then the value of that header, interpreted as described by the HTTP specifications. If the Content-Type HTTP header is present but the value of the first such header cannot be interpreted as described by the HTTP specifications (e.g. because its value doesn't contain a U+002F SOLIDUS ('/') character), then the resource has no type information (even if there are multiple Content-Type HTTP headers and one of the other ones is syntactically correct). [HTTP]

For resources fetched from the file system, user agents should use platform-specific conventions, e.g. operating system extension/type mappings.

Extensions must not be used for determining resource types for resources fetched over HTTP.

For resources fetched over most other protocols, e.g. FTP, there is no type information.

The algorithm for extracting an encoding from a Content-Type, given a string s, is as follows. It either returns an encoding or nothing.

  1. Find the first seven characters in s that are a case-insensitive match for the word 'charset'. If no such match is found, return nothing.

  2. Skip any U+0009, U+000A, U+000C, U+000D, or U+0020 characters that immediately follow the word 'charset' (there might not be any).

  3. If the next character is not a U+003D EQUALS SIGN ('='), return nothing.

  4. Skip any U+0009, U+000A, U+000C, U+000D, or U+0020 characters that immediately follow the equals sign (there might not be any).

  5. Process the next character as follows:

    If it is a U+0022 QUOTATION MARK ('"') and there is a later U+0022 QUOTATION MARK ('"') in s
    If it is a U+0027 APOSTROPHE ("'") and there is a later U+0027 APOSTROPHE ("'") in s

    Return the string between this character and the next earliest occurrence of this character.

    If it is an unmatched U+0022 QUOTATION MARK ('"')
    If it is an unmatched U+0027 APOSTROPHE ("'")
    If there is no next character

    Return nothing.

    Otherwise

    Return the string from this character to the first U+0009, U+000A, U+000C, U+000D, U+0020, or U+003B character or the end of s, whichever comes first.

The above algorithm is a willful violation of the HTTP specification. [RFC2616]

2.7.2 Content-Type sniffing: Web pages

The sniffed type of a resource must be found as follows:

  1. Let official type be the type given by the Content-Type metadata for the resource (in lowercase, ignoring any parameters). If there is no such type, jump to the unknown type step below.

  2. If the user agent is configured to strictly obey Content-Type headers for this resource, then jump to the last step in this set of steps.

  3. If the resource was fetched over an HTTP protocol and there is an HTTP Content-Type header and the value of the first such header has bytes that exactly match one of the following lines:

    Bytes in Hexadecimal Textual representation
    74 65 78 74 2f 70 6c 61 69 6e text/plain
    74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 49 53 4f 2d 38 38 35 39 2d 31 text/plain; charset=ISO-8859-1
    74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 text/plain; charset=iso-8859-1
    74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 text/plain; charset=UTF-8

    ...then jump to the text or binary section below.

  4. If official type is "unknown/unknown" or "application/unknown", jump to the unknown type step below.

  5. If official type ends in "+xml", or if it is either "text/xml" or "application/xml", then the sniffed type of the resource is official type; return that and abort these steps.

  6. If official type is an image type supported by the user agent (e.g. "image/png", "image/gif", "image/jpeg", etc), then jump to the images section below.

  7. If official type is "text/html", then jump to the feed or HTML section below.

  8. The sniffed type of the resource is official type.

2.7.3 Content-Type sniffing: text or binary

  1. The user agent may wait for 512 or more bytes of the resource to be available.

  2. Let n be the smaller of either 512 or the number of bytes already available.

  3. If n is 4 or more, and the first bytes of the file match one of the following byte sets:

    Bytes in Hexadecimal Description
    FE FF UTF-16BE BOM
    FF FE UTF-16LE BOM
    EF BB BF UTF-8 BOM

    ...then the sniffed type of the resource is "text/plain".

  4. Otherwise, if any of the first n bytes of the resource are in one of the following byte ranges:

    ...then the sniffed type of the resource is "application/octet-stream".

    maybe we should invoke the "Content-Type sniffing: image" section now, falling back on "application/octet-stream".

  5. Otherwise, the sniffed type of the resource is "text/plain".

2.7.4 Content-Type sniffing: unknown type

  1. The user agent may wait for 512 or more bytes of the resource to be available.

  2. Let stream length be the smaller of either 512 or the number of bytes already available.

  3. For each row in the table below:

    If the row has no "WS" bytes:
    1. Let pattern length be the length of the pattern (number of bytes described by the cell in the second column of the row).
    2. If pattern length is smaller than stream length then skip this row.
    3. Apply the "and" operator to the first pattern length bytes of the resource and the given mask (the bytes in the cell of first column of that row), and let the result be the data.
    4. If the bytes of the data matches the given pattern bytes exactly, then the sniffed type of the resource is the type given in the cell of the third column in that row; abort these steps.
    If the row has a "WS" byte:
    1. Let indexpattern be an index into the mask and pattern byte strings of the row.

    2. Let indexstream be an index into the byte stream being examined.

    3. Loop: If indexstream points beyond the end of the byte stream, then this row doesn't match, skip this row.

    4. Examine the indexstreamth byte of the byte stream as follows:

      If the indexstreamth byte of the pattern is a normal hexadecimal byte and not a "WS" byte:

      If the "and" operator, applied to the indexstreamth byte of the stream and the indexpatternth byte of the mask, yield a value different that the indexpatternth byte of the pattern, then skip this row.

      Otherwise, increment indexpattern to the next byte in the mask and pattern and indexstream to the next byte in the byte stream.

      Otherwise, if the indexstreamth byte of the pattern is a "WS" byte:

      "WS" means "whitespace", and allows insignificant whitespace to be skipped when sniffing for a type signature.

      If the indexstreamth byte of the stream is one of 0x09 (ASCII TAB), 0x0A (ASCII LF), 0x0C (ASCII FF), 0x0D (ASCII CR), or 0x20 (ASCII space), then increment only the indexstream to the next byte in the byte stream.

      Otherwise, increment only the indexpattern to the next byte in the mask and pattern.

    5. If indexpattern does not point beyond the end of the mask and pattern byte strings, then jump back to the loop step in this algorithm.

    6. Otherwise, the sniffed type of the resource is the type given in the cell of the third column in that row; abort these steps.

  4. As a last-ditch effort, jump to the text or binary section.

Bytes in Hexadecimal Sniffed type Comment
Mask Pattern
FF FF DF DF DF DF DF DF DF FF DF DF DF DF 3C 21 44 4F 43 54 59 50 45 20 48 54 4D 4C text/html The string "<!DOCTYPE HTML" in US-ASCII or compatible encodings, case-insensitively.
FF FF DF DF DF DF WS 3C 48 54 4D 4C text/html The string "<HTML" in US-ASCII or compatible encodings, case-insensitively, possibly with leading spaces.
FF FF DF DF DF DF WS 3C 48 45 41 44 text/html The string "<HEAD" in US-ASCII or compatible encodings, case-insensitively, possibly with leading spaces.
FF FF DF DF DF DF DF DF WS 3C 53 43 52 49 50 54 text/html The string "<SCRIPT" in US-ASCII or compatible encodings, case-insensitively, possibly with leading spaces.
FF FF FF FF FF 25 50 44 46 2D application/pdf The string "%PDF-", the PDF signature.
FF FF FF FF FF FF FF FF FF FF FF 25 21 50 53 2D 41 64 6F 62 65 2D application/postscript The string "%!PS-Adobe-", the PostScript signature.
FF FF FF FF FF FF 47 49 46 38 37 61 image/gif The string "GIF87a", a GIF signature.
FF FF FF FF FF FF 47 49 46 38 39 61 image/gif The string "GIF89a", a GIF signature.
FF FF FF FF FF FF FF FF 89 50 4E 47 0D 0A 1A 0A image/png The PNG signature.
FF FF FF FF D8 FF image/jpeg A JPEG SOI marker followed by the first byte of another marker.
FF FF 42 4D image/bmp The string "BM", a BMP signature.
FF FF FF FF 00 00 01 00 image/vnd.microsoft.icon A 0 word following by a 1 word, a Windows Icon file format signature.

User agents may support further types if desired, by implicitly adding to the above table. However, user agents should not use any other patterns for types already mentioned in the table above, as this could then be used for privilege escalation (where, e.g., a server uses the above table to determine that content is not HTML and thus safe from XSS attacks, but then a user agent detects it as HTML anyway and allows script to execute).

2.7.5 Content-Type sniffing: image

If the first bytes of the file match one of the byte sequences in the first columns of the following table, then the sniffed type of the resource is the type given in the corresponding cell in the second column on the same row:

Bytes in Hexadecimal Sniffed type Comment
47 49 46 38 37 61 image/gif The string "GIF87a", a GIF signature.
47 49 46 38 39 61 image/gif The string "GIF89a", a GIF signature.
89 50 4E 47 0D 0A 1A 0A image/png The PNG signature.
FF D8 FF image/jpeg A JPEG SOI marker followed by the first byte of another marker.
42 4D image/bmp The string "BM", a BMP signature.
00 00 01 00 image/vnd.microsoft.icon A 0 word following by a 1 word, a Windows Icon file format signature.

User agents must ignore any rows for image types that they do not support.

Otherwise, the sniffed type of the resource is the same as its official type.

2.7.6 Content-Type sniffing: feed or HTML

  1. The user agent may wait for 512 or more bytes of the resource to be available.

  2. Let s be the stream of bytes, and let s[i] represent the byte in s with position i, treating s as zero-indexed (so the first byte is at i=0).

  3. If at any point this algorithm requires the user agent to determine the value of a byte in s which is not yet available, or which is past the first 512 bytes of the resource, or which is beyond the end of the resource, the user agent must stop this algorithm, and assume that the sniffed type of the resource is "text/html".

    User agents are allowed, by the first step of this algorithm, to wait until the first 512 bytes of the resource are available.

  4. Initialise pos to 0.

  5. If s[0] is 0xEF, s[1] is 0xBB, and s[2] is 0xBF, then set pos to 3. (This skips over a leading UTF-8 BOM, if any.)

  6. Loop start: Examine s[pos].

    If it is 0x09 (ASCII tab), 0x20 (ASCII space), 0x0A (ASCII LF), or 0x0D (ASCII CR)
    Increase pos by 1 and repeat this step.
    If it is 0x3C (ASCII "<")
    Increase pos by 1 and go to the next step.
    If it is anything else
    The sniffed type of the resource is "text/html". Abort these steps.
  7. If the bytes with positions pos to pos+2 in s are exactly equal to 0x21, 0x2D, 0x2D respectively (ASCII for "!--"), then:

    1. Increase pos by 3.
    2. If the bytes with positions pos to pos+2 in s are exactly equal to 0x2D, 0x2D, 0x3E respectively (ASCII for "-->"), then increase pos by 3 and jump back to the previous step (the step labeled loop start) in the overall algorithm in this section.
    3. Otherwise, increase pos by 1.
    4. Return to step 2 in these substeps.
  8. If s[pos] is 0x21 (ASCII "!"):

    1. Increase pos by 1.
    2. If s[pos] equal 0x3E, then increase pos by 1 and jump back to the step labeled loop start in the overall algorithm in this section.
    3. Otherwise, return to step 1 in these substeps.
  9. If s[pos] is 0x3F (ASCII "?"):

    1. Increase pos by 1.
    2. If s[pos] and s[pos+1] equal 0x3F and 0x3E respectively, then increase pos by 1 and jump back to the step labeled loop start in the overall algorithm in this section.
    3. Otherwise, return to step 1 in these substeps.
  10. Otherwise, if the bytes in s starting at pos match any of the sequences of bytes in the first column of the following table, then the user agent must follow the steps given in the corresponding cell in the second column of the same row.

    Bytes in Hexadecimal Requirement Comment
    72 73 73 The sniffed type of the resource is "application/rss+xml"; abort these steps The three ASCII characters "rss"
    66 65 65 64 The sniffed type of the resource is "application/atom+xml"; abort these steps The four ASCII characters "feed"
    72 64 66 3A 52 44 46 Continue to the next step in this algorithm The ASCII characters "rdf:RDF"

    If none of the byte sequences above match the bytes in s starting at pos, then the sniffed type of the resource is "text/html". Abort these steps.

  11. If, before the next ">", you find two xmlns* attributes with http://www.w3.org/1999/02/22-rdf-syntax-ns# and http://purl.org/rss/1.0/ as the namespaces, then the sniffed type of the resource is "application/rss+xml", abort these steps. (maybe we only need to check for http://purl.org/rss/1.0/ actually)

  12. Otherwise, the sniffed type of the resource is "text/html".

For efficiency reasons, implementations may wish to implement this algorithm and the algorithm for detecting the character encoding of HTML documents in parallel.