w3c · chaals · Feb 4, 2018 · Feb 2, 2018 · Feb 2, 2018 · Feb 2, 2018
diff --git a/sections/attributes.include b/sections/attributes.include
@@ -380,6 +380,12 @@
       <td>The element's <a>ID</a></td>
       <td><a>Text</a>*</td>
     </tr>
+    <tr>
+      <th><code>integrity</code></th>
+      <td><{link}>; <{script}></td>
+      <td>Integrity metadata used in Subresource Integrity checks [[!SRI]]</td>
+      <td><a>Text</a></td>
+    </tr>
     <tr>
       <th><code>ismap</code></th>
       <td><{img}></td>
@@ -532,7 +538,7 @@
     </tr>
     <tr>
       <th><code>nonce</code></th>
-      <td><{link}>; <{script}>; <{style}></td>
+      <td><a>HTML elements</a></td>
       <td>Cryptographic nonce used in <a>Content Security Policy</a> checks [[CSP3]]</td>
       <td><a>Text</a></td>
     </tr>

diff --git a/sections/changes.include b/sections/changes.include
@@ -24,6 +24,8 @@
             <dd>Substantive change. Fixed <a href="https://github.com/w3c/html/issues/1104">issue 1104</a></dd>
     <dt><a href="https://github.com/w3c/html/pull/1167">Added <{media/disableRemotePlayback}> to the {{HTMLMediaElement}} interface</a></dt>
             <dd>Fixed <a href="https://github.com/w3c/html/issues/1047">issue 1047</a></dd>
+    <dt><a href="https://github.com/w3c/html/pull/1177">Cleaned up the Fetch sections</a> to apply the <a>cryptographic nonce metadata</a> and [[SRI]]</dt>
+            <dd>Fixed <a href="https://github.com/w3c/html/issues/198">issue 198</a></dd>
   </dl>
 
   <h3 id="changes-wd1">Changes between the <a href="https://www.w3.org/TR/2017/WD-html53-20171214/">HTML 5.3 First Public Working Draft</a> and

diff --git a/sections/elements.include b/sections/elements.include
@@ -768,6 +768,7 @@
      <td><a>globals</a>;
          <{link/href}>;
          <{link/crossorigin}>;
+         <{link/integrity}>;
          <{link/rel}>;
          <{link/media}>;
          <{link/referrerpolicy}>;
@@ -1134,7 +1135,7 @@
          <{script/async}>;
          <{script/defer}>;
          <{script/crossorigin}>
-         <{script/nonce}></td>
+         <{script/integrity}></td>
      <td>{{HTMLScriptElement}}</td>
     </tr>
 

diff --git a/sections/semantics-document-metadata.include b/sections/semantics-document-metadata.include
@@ -449,7 +449,9 @@
   The <dfn element-attr for="link"><code>media</code></dfn> attribute says which media the resource
   applies to. The value must be a <a>valid media query list</a>.
 
-  <!-- def <{link/integrity}> -->
+  The <dfn element-attr for="link"><code>integrity</code></dfn> attribute represents the <a>integrity metadata</a>
+  for requests which this element is responsible for. The value is text. The attribute must not be specified on 
+  <{link}> elements that do not have a <{link/rel}> attribute that contains the <{link/stylesheet}> keyword. [[!SRI]]
 
   The <dfn element-attr for="link"><code>hreflang</code></dfn> attribute on the <{link}> element has
   the same semantics as the {{HTMLLinkElement/hreflang}} attribute on the <{a}> element.
@@ -516,7 +518,7 @@
   The IDL attributes
   <dfn attribute for="HTMLLinkElement"><code>href</code></dfn>,
   <dfn attribute for="HTMLLinkElement"><code>hreflang</code></dfn>,
-  <!-- <dfn attribute for="HTMLLinkElement"><code>integrity</code></dfn>, -->
+  <dfn attribute for="HTMLLinkElement"><code>integrity</code></dfn>,
   <dfn attribute for="HTMLLinkElement"><code>media</code></dfn>,
   <dfn attribute for="HTMLLinkElement"><code>rel</code></dfn>,
   <dfn attribute for="HTMLLinkElement"><code>rev</code></dfn>,
@@ -631,26 +633,28 @@
   must run the following steps:
 
 
-  1. If the <{link/href}> attribute's value is the empty string, then abort these steps.
+  1. If the <{link/href}> attribute's value is the empty string, then return.
   2. <a>Parse</a> the [=url/URL=] given by the <{link/href}> attribute, relative to the
-      element's <a>node document</a>. If that fails, then abort these steps. Otherwise, let
+      element's <a>node document</a>. If that fails, then return. Otherwise, let
       <var>url</var> be the <a>resulting URL record</a>.
   3. Let <var>corsAttributeState</var> be the current state of the element's <{link/crossorigin}>
       content attribute.
   4. Let <var>request</var> be the result of <a>creating a potential-CORS request</a> given
-      <var>url</var> and <var>corsAttributeState</var>.
+      <var>url</var>, the empty string, and <var>corsAttributeState</var>.
   5. Set <var>request</var>'s <a>client</a> to the <{link}> element's <a>node document</a>'s
       {{Window}} object's <a>environment settings object</a>.
   6. Set <var>request</var>'s <a>cryptographic nonce metadata</a> to the 
     current value of the <{link}> element's 
     <a href="#cryptographicnonce">[[<span>CryptographicNonce</span>]]</a> internal slot.
-  7. Set <var>request</var>'s <a>referrer policy</a> to the current state of the
-      <{link}> element's <{link/referrerpolicy}> content attribute.
-  8. If the <{link/rel}> attribute contains the <{link/preload}> keyword, then:
+  7. Set <var>request</var>'s <a>integrity metadata</a> to the current value of
+     the <{link}> element's <{link/integrity}> content attribute.
+  8. Set <var>request</var>'s <a>referrer policy</a> to the current state of the
+      <{link}> element's <{link/referrerpolicy}> attribute.
+  9. If the <{link/rel}> attribute contains the <{link/preload}> keyword, then:
     1. Let <var>as</var> be the current state of the <{link/as}> attribute.
     2. If <var>as</var> is no state, then return.
     3. Set <var>request</var>'s <a>destination</a> to the result of <a>translating</a> <var>as</var>.
-  9. <a>Fetch</a> <var>request</var>.
+  10. <a>Fetch</a> <var>request</var>.
 
   User agents may opt to only try to obtain such resources when they are needed, instead of
   pro-actively fetching all the external resources that are not applied.
@@ -660,17 +664,18 @@
   resource to not be applied.)
 
   Once the attempts to obtain the resource and its <a>critical subresources</a> are complete, the
-  user agent must, if the loads were successful, <a>queue a task</a> to <a>fire a simple event</a>
+  user agent must, if the loads were successful, <a>queue a task</a> to <a>fire an event</a>
   named <code>load</code> at the <{link}> element, or, if the resource or one of its
   <a>critical subresources</a> failed to completely load for any reason (e.g., DNS error, HTTP 404
   response, a connection being prematurely closed, unsupported Content-Type), <a>queue a task</a>
-  to <a>fire a simple event</a> named <code>error</code> at the <{link}> element.
+  to <a>fire an event</a> named <code>error</code> at the <{link}> element.
   Non-network errors in processing the resource or its subresources (e.g., CSS parse errors, PNG
   decoding errors) are not failures for the purposes of this paragraph.
 
   The <a>task source</a> for these <a>tasks</a> is the <a>DOM manipulation task source</a>.
 
-  The element must <a>delay the load event</a> of the element's <a>node document</a> until all the
+  Unless otherwise specified for a given <{link/rel}> keyword, the element must 
+  <a>delay the load event</a> of the element's <a>node document</a> until all the
   attempts to obtain the resource and its <a>critical subresources</a> are complete. (Resources
   that the user agent has not yet attempted to obtain, e.g., because it is waiting for the resource
   to be needed, do not <a>delay the load event</a>.)

diff --git a/sections/semantics-scriptings.include b/sections/semantics-scriptings.include
@@ -53,7 +53,7 @@
     <dd><{script/async}> - Execute script <a>in parallel</a></dd>
     <dd><{script/defer}> - Defer script execution</dd>
     <dd><{script/crossorigin}> - How the element handles crossorigin requests</dd>
-    <dd><{script/nonce}> - Cryptographic nonce used in <em>Content Security Policy</em> checks [[CSP3]]</dd>
+    <dd><{script/integrity}> -  Integrity metadata used in <em>Subresource Integrity</em> checks [[!SRI]]</dd>
     <dt>[=Allowed ARIA role attribute values=]:</dt>
     <dd>None</dd>
     <dt>[=Allowed ARIA state and property attributes=]:</dt>
@@ -431,11 +431,11 @@ o............A....e
 
       Otherwise, if the <{script}> element has a <{script/type}> attribute, let
       <var>the script block's type string</var> for this <{script}> element be the value of that
-      attribute with any leading or trailing sequences of [=space characters=] removed.
+      attribute after <a>stripping leading and trailing whitespace</a>.
 
       Otherwise, the element has a non-empty <{script/language}> attribute; let
       <var>the script block's type string</var> for this <{script}> element be the
-      <a>child text content</a> of the <{script/language}> attribute.
+      concatenation of the string "<var>text/</var>" followed by the value of the <{script/language}> attribute.
 
       <p class="note">The <{script/language}> attribute is never conforming, and is always ignored
       if there is a <{script/type}> attribute present.</p>
@@ -492,11 +492,17 @@ o............A....e
        content attribute.
   15. <p>Let <var>cryptographic nonce</var> be the element's <a href="#cryptographicnonce">[[<span>CryptographicNonce</span>]]</a>
        internal slot's value.
-  16. Let <var>parser state</var> be "<code>parser-inserted</code>" if the <{script}> element has been flagged
+  16. If the <{script}> element has an <{script/integrity}> attribute, then let <var>integrity metadata</var> be that attribute's value.
+      Otherwise, let <var>integrity metadata</var> be the empty string.
+  17. Let <var>parser metadata</var> be "<code>parser-inserted</code>" if the <{script}> element has been flagged
        as "[=parser-inserted=]", and "`not parser-inserted`" otherwise.
-  17. Let <var>settings</var> be the element's <a>node document</a>'s {{Window}} object's
+  18. Let options be a set of <a>script fetch options</a> whose <a>cryptographic nonce metadata</a> is 
+       cryptographic nonce, <a>integrity metadata</a> is integrity metadata, 
+       <a>parser metadata</a> is parser metadata, <a>credentials mode</a> is module 
+       script credentials mode, and <a>referrer policy</a> is the empty string.
+  19. Let <var>settings</var> be the element's <a>node document</a>'s {{Window}} object's
        <a>environment settings object</a>.
-  18. If the element has a <{script/src}> content attribute, run these substeps:
+  20. If the element has a <{script/src}> content attribute, run these substeps:
 
        1. Let <var>src</var> be the value of the element's <{script/src}> attribute.
        2. If <var>src</var> is the empty string, <a>queue a task</a> to <a>fire a simple event</a>
@@ -510,34 +516,20 @@ o............A....e
        6. Switch on <a>the script's type</a>:
            <dl class="switch">
              <dt>`"classic"`</dt>
-             <dd><a>Fetch a classic script</a> given <var>url</var>, <var>CORS setting</var>,
-             <var>cryptographic nonce</var>, <var>parser state</var>, <var>settings</var>, and
+             <dd><a>Fetch a classic script</a> given <var>url</var>, <var>settings object</var>,
+             <var>options</var>, <var>classic script CORS setting</var>, and
              <var>encoding</var>.
 
              <dt><code>"module"</code></dt>
-             <dd>
-                   1. Let <var>credentials mode</var> be determined by switching on
-                       <var>CORS setting</var>:
-                       <dl class="switch">
-                         <dt><a state for="cors">No CORS</a></dt>
-                         <dd><code>"omit"</code></dd>
-
-                         <dt><a state for="cors">Anonymous</a></dt>
-                         <dd><code>"same-origin"</code></dd>
-
-                         <dt><a state for="cors">Use Credentials</a></dt>
-                         <dd><code>"include"</code></dd>
-                       </dl>
-                   2. <a>Fetch a module script tree</a> given <var>url</var>,
-                       <var>credentials mode</var>, <var>cryptographic nonce</var>,
-                       <var>parser state</var>, "<code>script</code>", and <var>settings</var>.
+             <dd><a>Fetch a module script tree</a> given <var>url</var>,
+                       <var>settings object</var>, "<code>script</code>", and <var>options</var>.
              </dd>
            </dl>
            When the chosen algorithm asynchronously completes, set <a>the script's script</a> to the
            result. At that time, <a>the script is ready</a>.
 
            For performance reasons, user agents may start fetching the classic script or module tree
-           (as defined above) as the <{script/src}> attribute is set, instead, in the hope that the
+           (as defined above) as soon as the <{script/src}> attribute is set, instead, in the hope that the
            element will be <a for="document">inserted into the document</a> (and that the
            <{script/crossorigin}> attribute won't change value in the meantime). Either way, once
            the element is <a for="document">inserted into the document</a>, the load must have
@@ -546,34 +538,33 @@ o............A....e
            changed, or the <{script/crossorigin}> attribute is dynamically changed, then the user
            agent will not execute the script so obtained, and the fetching process will have been
            effectively wasted.
-  19. If the element does not have a <{script/src}> content attribute, run these substeps:
+  21. If the element does not have a <{script/src}> content attribute, run these substeps:
 
-       1. Let <var>source text</var> be the value of the {{HTMLScriptElement/text}} IDL attribute.
-       2. Switch on <a>the script's type</a>:
+       1. Let <var>source text</var> be the <{script}> element's <a>child text content</a>.
+       2. Let <var>base URL</var> be the <{script}> element's <a>node document</a>'s <a>document base URL</a>.
+       3. Switch on <a>the script's type</a>:
            <dl class="switch">
              <dt>`"classic"`</dt>
              <dd>
                   1. Let <var>script</var> be the result of <a>creating a classic script</a> using
-                      <var>source text</var> and <var>settings</var>.
+                      <var>source text</var>, <var>settings object</var>, <var>base URL</var> and <var>options</var>.
                   2. Set <a>the script's script</a> to <var>script</var>.
                   3. <a>The script is ready</a>.
              </dd>
 
              <dt><code>"module"</code></dt>
              <dd>
-                  1. Let <var>base URL</var> be the <{script}> element's <a>node document</a>'s
-                      <a>document base URL</a>.
-                  2. Let <var>script</var> be the result of <a>creating a module script</a> using
-                      <var>source text</var>, <var>settings</var>, <var>base URL</var>, and
-                      <var>CORS setting</var>.
-                  3. If this returns null, set <a>the script's script</a> to null and abort these
+                  1. Let <var>script</var> be the result of <a>creating a module script</a> using
+                      <var>source text</var>, <var>settings object</var>, <var>base URL</var>, and
+                      <var>options</var>.
+                  2. If this returns null, set <a>the script's script</a> to null and abort these
                       substeps; <a>the script is ready</a>.
-                  4. <a>Fetch the descendants</a> of <var>script</var>. When this asynchronously
+                  3. <a>Fetch the descendants</a> of and instantiate script, given the destination "<var>script</var>". When this asynchronously
                       completes, set <a>the script's script</a> to the result. At that time,
                       <a>the script is ready</a>.
              </dd>
            </dl>
-  20. Then, follow the first of the following options that describes the situation:
+  22. Then, follow the first of the following options that describes the situation:
        <dl class="switch">
          <dt></dt>
          <dd>