HTML Standard
HTML
Living Standard — Last Updated 31 January 2026
2.4 URLs
  2.4.1 Terminology
  2.4.2 Parsing URLs
  2.4.3 Document base URLs
2.5 Fetching resources
  2.5.1 Terminology
  2.5.2 Determining the type of a resource
  2.5.3 Extracting character encodings from meta elements
  2.5.4 CORS settings attributes
  2.5.5 Referrer policy attributes
  2.5.6 Nonce attributes
  2.5.7 Lazy loading attributes
  2.5.8 Blocking attributes
  2.5.9 Fetch priority attributes
2.4 URLs
2.4.1 Terminology
A string is a valid non-empty URL if it is a valid URL string but it is
not the empty string.
A string is a valid URL potentially surrounded by spaces if, after stripping leading and trailing ASCII
whitespace from it, it is a valid URL string.
A string is a valid non-empty URL potentially surrounded by spaces if, after stripping leading and trailing ASCII
whitespace from it, it is a valid non-empty URL.
This specification defines the URL about:legacy-compat as a reserved,
though unresolvable, about: URL, for use in DOCTYPEs in HTML documents when needed for
compatibility with XML tools. [ABOUT]
This specification defines the URL about:html-kind as a reserved,
though unresolvable, about: URL, that is used as an
identifier for kinds of media tracks. [ABOUT]
This specification defines the URL about:srcdoc as a reserved, though
unresolvable, about: URL, that is used as the URL of iframe srcdoc documents.
[ABOUT]
A URL matches about:blank if its scheme is "about", its path contains a single string "blank", its
username and password are the empty string, and its host is null.
Such a URL's query and fragment can be non-null. For example, the URL
record created by parsing "about:blank?foo#bar" matches about:blank.
A URL matches about:srcdoc if its scheme is "about", its path contains a single string "srcdoc",
its query is null, its username and password are the empty string, and its host is null.
The reason that matches about:srcdoc ensures that the
URL's query is null is that it is not
possible to create an iframe srcdoc document whose URL has a non-null query, unlike Documents whose URL matches about:blank. In other
words, the URLs that match
about:srcdoc vary only in their fragment.
2.4.2 Parsing URLs
Parsing a URL is the process of taking a string and obtaining the URL record that
it represents. While this process is defined in URL, the HTML standard defines
several wrappers to abstract base URLs and encodings. [URL]
Most new APIs are to use parse a URL. Older APIs and HTML elements
might have reason to use encoding-parse a URL. When a
custom base URL is needed or no base URL is desired, the URL parser can of course be
used directly as well.
To parse a URL, given a string url, relative to a
Document object or environment settings object environment,
run these steps. They return failure or a URL.
1. Let baseURL be environment's base URL, if environment is a Document object; otherwise
   environment's API base URL.
2. Return the result of applying the URL parser to url, with baseURL.
To encoding-parse a URL,
given a string url, relative to a Document object or environment
settings object environment, run these steps. They return failure or a
URL.
1. Let encoding be UTF-8.
2. If environment is a Document object, then set encoding to environment's character
   encoding.
3. Otherwise, if environment's relevant global object is a
   Window object, set encoding to environment's relevant
   global object's associated Document's character encoding.
4. Let baseURL be environment's base URL, if environment is a Document object; otherwise
   environment's API base URL.
5. Return the result of applying the URL parser to url, with
   baseURL and encoding.
To encoding-parse-and-serialize a
URL, given a string url, relative to a Document object or
environment settings object environment, run these steps. They return
failure or a string.
1. Let url be the result of encoding-parsing a URL given
   url, relative to environment.
2. If url is failure, then return failure.
3. Return the result of applying the URL serializer to url.
2.4.3 Document base URLs
The document base URL of a Document document is the
URL record obtained by running these steps:
1. If document has no descendant base element that has
   an href attribute, then return document's
   fallback base URL.
2. Otherwise, return the frozen base URL of the first base element
   in document that has an href attribute, in
   tree order.
The fallback base URL of a Document object document is the
URL record obtained by running these steps:
1. If document is an iframe srcdoc document:
   1. Assert: document's about base URL is non-null.
   2. Return document's about base URL.
2. If document's URL matches
   about:blank and document's about base URL is non-null, then return
   document's about base URL.
3. Return document's URL.
To set the URL for a Document document to a URL
record url:
1. Set document's URL to url.
2. Respond to base URL changes given document.
To respond to base URL changes for a
Document document:
1. The user agent should update any user interface elements which are displaying affected
   URLs, or data derived from such URLs, to the user. Examples of such user interface elements would
   be a status bar that displays a hyperlink's url, or some user interface which displays the URL
   specified by a q, blockquote, ins, or del
   element's cite attribute.
2. Ensure that the CSS :link/:visited/etc. pseudo-classes
   are updated appropriately.
3. For each descendant of document's
   shadow-including descendants:
   1. If descendant is a script element whose result is a speculation rules parse result,
      then:
      1. Let oldResult be element's result.
      2. Let newResult be the result of creating a speculation rules parse result given element's
         child text content and element's node document.
      3. Update speculation rules given element's relevant global
         object, oldResult, and newResult.
4. Consider speculative loads given document.
This means that changing the base
URL doesn't affect, for example, the image displayed by img elements. Thus,
subsequent accesses of the src IDL attribute from script will
return a new absolute URL that might no longer correspond to the image being
shown.
2.5 Fetching resources
2.5.1 Terminology
A response whose type is "basic", "cors", or "default" is CORS-same-origin.
[FETCH]
A response whose type is "opaque" or "opaqueredirect" is CORS-cross-origin.
A response's unsafe response is its
internal response if it has one, and the response itself otherwise.
To create a potential-CORS request, given a url, destination,
corsAttributeState, and an optional same-origin fallback flag, run these
steps:
1. Let mode be "no-cors" if corsAttributeState is No CORS, and "cors"
   otherwise.
2. If same-origin fallback flag is set and mode is "no-cors", set mode to "same-origin".
3. Let credentialsMode be "include".
4. If corsAttributeState is Anonymous, set credentialsMode to "same-origin".
5. Return a new request whose
   URL is url, destination is destination,
   mode is mode, credentials mode is credentialsMode, and whose use-URL-credentials flag is set.
2.5.2 Determining the type of a resource
The Content-Type metadata of a resource must be obtained and
interpreted in a manner consistent with the requirements of MIME Sniffing.
[MIMESNIFF]
The computed MIME type of a
resource must be found in a manner consistent with the requirements given in MIME
Sniffing. [MIMESNIFF]
The rules for
sniffing images specifically, the rules for distinguishing
if a resource is text or binary, and the rules
for sniffing audio and video specifically are also defined in MIME Sniffing.
These rules return a MIME type as their result. [MIMESNIFF]
It is imperative that the rules in MIME Sniffing be
followed exactly. When a user agent uses different heuristics for content type detection than the
server expects, security problems can occur. For more details, see MIME Sniffing.
[MIMESNIFF]
2.5.3 Extracting character encodings from meta elements
The algorithm for extracting a character encoding from a meta element,
given a string s, is as follows. It returns either a character encoding or
nothing.
1. Let position be a pointer into s, initially
   pointing at the start of the string.
2. Loop: Find the first seven characters in s after position that are an ASCII case-insensitive match for the word "charset". If no such match is found, return nothing.
3. Skip any ASCII whitespace that immediately follow the word "charset" (there might not be any).
4. If the next character is not a U+003D EQUALS SIGN (=), then move position to point just before that next character, and jump back to the step
   labeled loop.
5. Skip any ASCII whitespace that immediately follow the equals sign (there
   might not be any).
6. Process the next character as follows:
   If it is a U+0022 QUOTATION MARK character (") and there is a later U+0022 QUOTATION MARK character (") in s
   If it is a U+0027 APOSTROPHE character (') and there is a later U+0027 APOSTROPHE character (') in s
      Return the result of getting an encoding from the substring that is between
      this character and the next earliest occurrence of this character.
   If it is an unmatched U+0022 QUOTATION MARK character (")
   If it is an unmatched U+0027 APOSTROPHE character (')
   If there is no next character
      Return nothing.
   Otherwise
      Return the result of getting an encoding from the substring that consists of
      this character up to but not including the first ASCII whitespace or U+003B
      SEMICOLON character (;), or the end of s, whichever comes first.
This algorithm is distinct from those in the HTTP specifications (for example,
HTTP doesn't allow the use of single quotes and requires supporting a backslash-escape mechanism
that is not supported by this algorithm). While the
algorithm is used in contexts that, historically, were related to HTTP, the syntax as supported by
implementations diverged some time ago. [HTTP]
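The extraction steps above, as an added JavaScript example that is not part of the HTML Standard. The function name extractCharsetLabel and the sample strings are assumptions made here, and the function returns the raw substring (or null for "nothing") instead of performing the final "getting an encoding" lookup.

```javascript
// Added example (not from the HTML Standard): the extraction steps of 2.5.3.
// Returns the raw substring, or null for "nothing"; the spec's final
// "getting an encoding" label lookup (Encoding Standard) is left out.
const ASCII_WS = new Set(["\t", "\n", "\f", "\r", " "]);

function extractCharsetLabel(s) {
  let position = 0;
  for (;;) {
    // No "u" flag: /i then never folds non-ASCII (e.g. U+017F) onto ASCII,
    // which gives the ASCII case-insensitive match the step requires.
    const re = /charset/gi;
    re.lastIndex = position;
    if (re.exec(s) === null) return null;
    let i = re.lastIndex; // first character after "charset"
    while (i < s.length && ASCII_WS.has(s[i])) i++;
    if (s[i] !== "=") {
      position = i; // resume the search just before this character
      continue;
    }
    i++; // consume "="
    while (i < s.length && ASCII_WS.has(s[i])) i++;
    if (i >= s.length) return null; // no next character
    const c = s[i];
    if (c === '"' || c === "'") {
      const close = s.indexOf(c, i + 1);
      // Unmatched quote: nothing. No backslash escapes are recognised.
      return close === -1 ? null : s.slice(i + 1, close);
    }
    let end = i;
    while (end < s.length && !ASCII_WS.has(s[end]) && s[end] !== ";") end++;
    return s.slice(i, end);
  }
}

// Constructed content attribute values (not taken from the page).
const samples = [
  "text/html; charset=utf-8",
  "text/html; CHARSET = 'windows-1252' ; x",
  "charset utf-8; charset=iso-8859-2;foo", // first "charset" has no "="
  'text/html; charset="utf-8',             // unmatched quote
  'charset="a\\"b"', // HTTP quoted-string would unescape; here the value ends at \
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", JSON.stringify(extractCharsetLabel(s)));
}
```
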
2.5.4 CORS settings attributes