HTML

Living Standard — Last Updated 9 November 2025

1. 1. 7.6 Speculative loading
      1. 7.6.1 Speculation rules
         1. 7.6.1.1 Data model
         2. 7.6.1.2 Parsing
         3. 7.6.1.3 Processing model
      2. 7.6.2 Navigational prefetching
      3. 7.6.3 The ` Speculation-Rules ` header
      4. 7.6.4 The ` Sec-Speculation-Tags ` header
      5. 7.6.5 Security considerations
         1. 7.6.5.1 Cross-site requests
         2. 7.6.5.2 Injected content
         3. 7.6.5.3 IP anonymization
      6. 7.6.6 Privacy considerations
         1. 7.6.6.1 Heuristics and optionality
         2. 7.6.6.2 State partitioning
         3. 7.6.6.3 Identity joining
   2. 7.7 The ` X-Frame-Options ` header
   3. 7.8 Text directives and URL fragments
      1. 7.8.1 Introduction
      2. 7.8.2 Link lifetime
      3. 7.8.3 Exposure to script
      4. 7.8.4 Applying directives to a document
         1. 7.8.4.1 URLs in UA features
            1. 7.8.4.1.1 Location bar
            2. 7.8.4.1.2 Bookmarks
            3. 7.8.4.1.3 Sharing
      5. 7.8.5 Supporting concepts
      6. 7.8.6 Syntax
      7. 7.8.7 Parsing and processing model
         1. 7.8.7.1 Parsing
         2. 7.8.7.2 Finding and invoking text directives
         3. 7.8.7.3 Word boundaries
      8. 7.8.8 Generating text fragment directives
         1. 7.8.8.1 Prefer exact matching to range-based
         2. 7.8.8.2 Use context only when necessary
         3. 7.8.8.3 Determine if fragment ID is needed
      9. 7.8.9 Security and privacy considerations
         1. 7.8.9.1 Scroll on navigation
         2. 7.8.9.2 Search timing
         3. 7.8.9.3 Restricting the text fragment
         4. 7.8.9.4 Restricting scroll on load
   4. 7.9 The ` Refresh ` header
   5. 7.9 7.10 Browser user interface considerations

7.6 Speculative loading

Speculative loading is the practice of performing navigation actions, such as prefetching, ahead of navigation starting. This makes subsequent navigations faster.

Developers can initiate speculative loads by using speculation rules . User agents might also perform speculative loads in certain implementation-defined scenarios, such as typing into the address bar.

7.6.1 Speculation rules

Speculation rules are how developers instruct the browser about speculative loading operations that the developer believes will be beneficial. They are delivered as JSON documents, via either:

• inline script elements with their type attribute set to " speculationrules "; or

• resources fetched from a URL specified in the ` Speculation-Rules ` HTTP response header.

{
  "prefetch": [
    {
      "urls": ["/chapters/5"]
    },
    {
      "eagerness": "moderate",
      "where": {
        "and": [
          { "href_matches": "/*" },
          { "not": { "selector_matches": ".no-prefetch" } }
        ]
      }
    }
  ]
}

A JSON document representing a speculation rule set must meet the following speculation rule set authoring requirements :

• It must be valid JSON. [JSON]

• The JSON must represent a JSON object, with at most three keys " tag ", " prefetch " and " prerender ".

  In this standard, " prerender " is optionally converted to " prefetch " at parse time . Some implementations might implement different behavior for prerender, as specified in Prerendering Revamped . [PRERENDERING-REVAMPED]

• The value corresponding to the " tag " key, if present, must be a speculation rule tag .

• The values corresponding to the " prefetch " and " prerender " keys, if present, must be arrays of valid speculation rules .

A valid speculation rule is a JSON object that meets the following requirements:

• It must have at most the following keys: " source ", " urls ", " where ", " relative_to ", " eagerness ", " referrer_policy ", " tag ", " requires ", " expects_no_vary_search ", or " target_hint ".

  In this standard, " target_hint " is ignored .

• The value corresponding to the " source " key, if present, must be either " list " or " document ".

• If the value corresponding to the " source " key is " list ", then the " urls " key must be present, and the " where " key must be absent.

• If the value corresponding to the " source " key is " document ", then the " urls " key must be absent.

• The " urls " and " where " keys must not both be present.

• If the value corresponding to the " source " key is " document " or the " where " key is present, then the " relative_to " key must be absent.

• The value corresponding to the " urls " key, if present, must be an array of valid URL strings .

• The value corresponding to the " where " key, if present, must be a valid document rule predicate .

• The value corresponding to the " relative_to " key, if present, must be either " ruleset " or " document ".

• The value corresponding to the " eagerness " key, if present, must be a speculation rule eagerness .

• The value corresponding to the " referrer_policy " key, if present, must be a referrer policy .

• The value corresponding to the " tag " key, if present, must be a speculation rule tag .

• The value corresponding to the " requires " key, if present, must be an array of speculation rule requirements .

• The value corresponding to the " expects_no_vary_search " key, if present, must be a string that is parseable as a ` No-Vary-Search ` header value.

A valid document rule predicate is a JSON object that meets the following requirements:

• It must contain exactly one of the keys " and ", " or ", " not ", " href_matches ", or " selector_matches ".

• It must not contain any keys apart from the above or " relative_to ".

• If it contains the key " relative_to ", then it must also contain the key " href_matches ".

• The value corresponding to the " relative_to " key, if present, must be either " ruleset " or " document ".

• The value corresponding to the " and " or " or " keys, if present, must be arrays of valid document rule predicates .

• The value corresponding to the " not " key, if present, must be a valid document rule predicate .

• The value corresponding to the " href_matches " key, if present, must be either a valid URL pattern input or an array of valid URL pattern inputs .

• The value corresponding to the " selector_matches " key, if present, must be either a string matching <selector-list> or an array of strings that match <selector-list> .

A valid URL pattern input is either:

• a scalar value string that can be successfully parsed as a URL pattern constructor string, or;

• a JSON object whose keys are drawn from the members of the URLPatternInit dictionary and whose values are scalar value strings .

7.6.1.1 Data model

A speculation rule set is a struct with the following items :

• prefetch rules , a list of speculation rules , initially empty

In the future, other rules will be possible, e.g., prerender rules. See Prerendering Revamped for such not-yet-accepted extensions. [PRERENDERING-REVAMPED]

A speculation rule is a struct with the following items :

• URLs , an ordered set of URLs

• predicate , a document rule predicate or null

• eagerness , a speculation rule eagerness

• referrer policy , a referrer policy

• tags , an ordered set of speculation rule tags

• requirements , an ordered set of speculation rule requirements

• No-Vary-Search hint , a URL search variance

A document rule predicate is one of the following:

• a document rule conjunction ;

• a document rule disjunction ;

• a document rule negation ;

• a document rule URL pattern predicate ; or

• a document rule selector predicate .

A document rule conjunction is a struct with the following items :

• clauses , a list of document rule predicates

A document rule disjunction is a struct with the following items :

• clauses , a list of document rule predicates

A document rule negation is a struct with the following items :

• clause , a document rule predicate

A document rule URL pattern predicate is a struct with the following items :

• patterns , a list of URL patterns

A document rule selector predicate is a struct with the following items :

• selectors , a list of selectors

A speculation rule eagerness is one of the following strings :

" immediate "

The developer believes that performing the associated speculative loads is very likely to be worthwhile, and they might also expect that load to require significant lead time to complete. User agents should usually enact the speculative load candidate as soon as practical, subject only to considerations such as user preferences, device conditions, and resource limits.

" eager "

User agents should enact the speculative load candidate on even a slight suggestion that the user may navigate to this URL in the future. For instance, the user might have moved the cursor toward a link or hovered it, even momentarily, or paused scrolling when the link is one of the more prominent ones in the viewport. The author is seeking to capture as many navigations as possible, as early as possible.

" moderate "

User agents should enact the candidate if user behavior suggests the user may navigate to this URL in the near future. For instance, the user might have scrolled a link into the viewport and shown signs of being likely to click it, e.g., by moving the cursor over it for some time. The developer is seeking a balance between " eager " and " conservative ".

" conservative "

User agents should enact the candidate only when the user is very likely to navigate to this URL at any moment. For instance, the user might have begun to interact with a link. The developer is seeking to capture some of the benefits of speculative loading with a fairly small tradeoff of resources.

A speculation rule tag is either an ASCII string whose code points are all in the range U+0020 to U+007E inclusive, or null.

This code point range restriction ensures the value can be sent in an HTTP header with no escaping or modification.

A speculation rule requirement is the string " anonymous-client-ip-when-cross-origin ".

In the future, more possible requirements might be defined.

7.6.1.2 Parsing

7.6.1.3 Processing model

A speculative load candidate is a struct with the following items :

• URL , a URL

• No-Vary-Search hint , a URL search variance

• eagerness , a speculation rule eagerness

• referrer policy , a referrer policy

• tags , an ordered set of speculation rule tags

A prefetch candidate is a speculative load candidate with the following additional item :

• anonymization policy , a prefetch IP anonymization policy

A prefetch IP anonymization policy is either null or a cross-origin prefetch IP anonymization policy .

A cross-origin prefetch IP anonymization policy is a struct whose single item is its origin , an origin .

Every Document has speculation rule sets , a list of speculation rule sets , initially empty.

Every Document has a consider speculative loads microtask queued , a boolean, initially false.

In addition to the call sites explicitly given in this standard:

• When style recalculation would cause selector matching results to change, the user agent must consider speculative loads for the relevant Document .

• When the user indicates interest in hyperlinks , in one of the implementation-defined ways that the user agent uses to implement the speculation rule eagerness heuristics, the user agent may consider speculative loads for the hyperlink's node document .

  For example, a user agent which implements " conservative " eagerness by watching for pointerdown events would want to consider speculative loads as part of reacting to such events.

Speculation rules features use the speculation rules task source , which is a task source .

Because speculative loading is generally less important than processing tasks for the purpose of the current document, implementations might give tasks enqueued here an especially low priority.

7.6.2 Navigational prefetching

For now, the navigational prefetching process is defined in the Prefetch specification. Moving it into this standard is tracked in issue #11123 . [PREFETCH]

This standard refers to the following concepts defined there:

• prefetch record , and its items source , URL , No-Vary-Search hint , referrer policy , anonymization policy , tags , and state
• cancel and discard
• still being speculated
• prefetch records
• start a referrer-initiated navigational prefetch

7.6.3 The ` Speculation-Rules ` header

The ` Speculation-Rules ` HTTP response header allows the developer to request that the user agent fetch and apply a given speculation rule set to the current Document . It is a structured header whose value must be a list of strings that are all valid URL strings .

7.6.4 The ` Sec-Speculation-Tags ` header

The ` Sec-Speculation-Tags ` HTTP request header specifies the web developer-provided tags associated with the speculative navigation request. It can also be used to distinguish speculative navigation requests from speculative subresource requests, since ` Sec-Purpose ` can be sent by both categories of requests.

The header is a structured header whose value must be a list . The list can contain either token or string values. String values represent developer-provided tags, whereas token values represent predefined tags. As of now, the only predefined tag is null , which indicates a speculative navigation request with no developer-defined tag.

7.6.5 Security considerations

7.6.5.1 Cross-site requests

Speculative loads can be initiated by web pages to cross-site destinations. However, because such cross-site speculative loads are always done without credentials , as explained below , ambient authority is limited to requests that are already possible via other mechanisms on the platform.

The ` Speculation-Rules ` header can also be used to issue requests, for JSON documents whose body will be parsed as a speculation rule set string . However, they use the " same-origin " credentials mode , the " cors " mode , and responses which do not use the application/speculationrules+json MIME type essence are ignored, so they are not useful in mounting attacks.

7.6.5.2 Injected content

Because links in a document can be selected for speculative loading via document rule predicates , developers need to be cautious if such links might contain user-generated markup. For example, if the href of a link can be entered by one user and displayed to all other users, a malicious user might choose a value like " /logout ", causing other users' browsers to automatically log out of the site when that link is speculatively loaded. Using a document rule selector predicate to exclude such potentially-dangerous links, or using a document rule URL pattern predicate to allowlist known-safe links, are useful techniques in this regard.

As with all uses of the script element, developers need to be cautious about inserting user-provided content into <script type=speculationrules> 's child text content . In particular, the insertion of an unescaped closing </script> tag could be used to break out of the script element context and inject attacker-controlled markup.

The <script type=speculationrules> feature causes activity in response to content found in the document, so it is worth considering the options open to an attacker able to inject unescaped HTML. Such an attacker is already able to inject JavaScript or iframe elements. Speculative loads are generally less dangerous than arbitrary script execution. However, the use of document rule predicates could be used to speculatively load links in the document, and the existence of those loads could provide a vector for exfiltrating information about those links. Defense-in-depth against this possibility is provided by Content Security Policy. In particular, the script-src directive can be used to restrict the parsing of speculation rules script elements, and the default-src directive applies to navigational prefetch requests arising from such speculation rules. Additional defense is provided by the requirement that speculative loads are only performed to potentially-trustworthy URLs , so an on-path attacker would only have access to metadata and traffic analysis, and could not see the URLs directly. [CSP]

It's generally not expected that user-generated content will be added as arbitrary response headers: server operators are already going to encounter significant trouble if this is possible. It is therefore unlikely that the ` Speculation-Rules ` header meaningfully expands the XSS attack surface. For this reason, Content Security Policy does not apply to the loading of rule sets via that header.

7.6.5.3 IP anonymization

This standard allows developers to request that navigational prefetches are performed using IP anonymization technology provided by the user agent. The details of this anonymization are not specified, but some general security principles apply.

To the extent IP anonymization is implemented using a proxy service, it is advisable to minimize the information available to the service operator and other entities on the network path. This likely involves, at a minimum, the use of TLS for the connection.

Site operators need to be aware that, similar to virtual private network (VPN) technology, the client IP address seen by the HTTP server might not exactly correspond to the user's actual network provider or location, and a traffic for multiple distinct subscribers could originate from a single client IP address. This can affect site operators' security and abuse prevention measures. IP anonymization measures might make an effort to use an egress IP address which has a similar geolocation or is located in the same jurisdiction as the user, but any such behavior is particular to the user agent and not guaranteed.

7.6.6 Privacy considerations

7.6.6.1 Heuristics and optionality

The consider speculative loads algorithm contains a crucial "may" step, which encourages user agents to start referrer-initiated navigational prefetches based on a combination of the speculation rule eagerness and other features of the user's environment. Because it can be observable to the document whether speculative loads are performed, user agents must take care to protect privacy when making such decisions—for instance by only using information which is already available to the origin. If these heuristics depend on any persistent state, that state must be erased whenever the user erases other site data. If the user agent automatically clears other site data from time to time, it must erase such persistent state at the same time.

The use of origin instead of site here is intentional. Although same-site origins are generally allowed to coordinate if they wish, the web's security model is premised on preventing origins from accessing the data of other origins, even same-site ones. Thus, the user agent needs to be sure not to leak such data unintentionally across origins, not just across sites.

Examples of inputs which would be already known to the document:

• author-supplied eagerness

• order of appearance in the document

• whether a link is in the viewport

• whether the cursor is near a link

• rendered size of a link

Examples of persistent data related to the origin (which the origin could have gathered itself) but which must be erased according to user intent:

• whether the user has clicked this or similar links on this document or other documents on the same origin

Examples of device information which might be valuable in deciding whether speculative loading is appropriate, but which needs to be considered as part of the user agent's overall privacy posture because it can make the user more identifiable across origins:

• coarse device class (CPU, memory)

• coarse battery level

• whether the network connection is known to be metered

• any user-toggleable settings, such as a speculative loading toggle, a battery-saver toggle, or a data-saver toggle

7.6.6.2 State partitioning

The start a referrer-initiated navigational prefetch algorithm is designed to ensure that the HTTP requests that it issues behave consistently with how user agents partition credentials according to storage keys . This property is maintained even for cross-partition prefetches, as follows.

If a future navigation using a prefetched response would load a document in the same partition, then at prefetch time, the partitioned credentials can be sent, as they can with subresource requests and scripted fetches. If such a future navigation would instead load a document in another partition, it would be inconsistent with the partitioning scheme to use partitioned credentials for the destination partition (since this would cross the boundary between partitions without a top-level navigation) and also inconsistent to use partitioned credentials within the originating partition (since this would result in the user seeing a document with different state than a non-prefetched navigation). Instead, a third, initially empty, partition is used for such requests. These requests therefore send along no credentials from either partition. However, the resulting prefetched response body constructed using this initially-empty partition can only be used if, at activation time, the destination partition contains no credentials.

This is somewhat similar to the behavior of only sending such prefetch requests if the destination partition is known ahead of time to not contain credentials. However, to avoid such behavior being used a way of probing for the presence of credentials, instead such prefetch requests are always completed, and in the case of conflicting credentials, their results are not used.

Redirects are possible between these two types of requests. A redirect from a same- to cross-partition URL could contain information derived from partitioned credentials in the originating partition; however, this is equivalent to the originating document fetching the same-partition URL itself and then issuing a request for the cross-partition URL. A redirect from a cross- to same-origin URL could carry credentials from the isolated partition, but since this partition has no prior state this does not enable tracking based on the user's prior browsing activity on that site, and the document could construct the same state by issuing uncredentialed requests itself.

7.6.6.3 Identity joining

Speculative loads provide a mechanism through which HTTP requests for later top-level navigation can be made without a user gesture. It is natural to ask whether it is possible for two coordinating sites to connect user identities.

Since existing credentials for the destination site are not sent (as explained in the previous section), that site is limited in its ability to identify the user before navigation in a similar way to if the referrer site had simply used fetch() to make an uncredentialed request. Upon navigation, this becomes similar to ordinary navigation (e.g., by clicking a link that was not speculatively loaded).

To the extent that user agents attempt to mitigate identity joining for ordinary fetches and navigations, they can apply similar mitigations to speculatively-loaded navigations.

7.7 The ` X-Frame-Options ` header

The ` X-Frame-Options ` HTTP response header is a way of controlling whether and how a Document may be loaded inside of a child navigable . For sites using CSP, the frame-ancestors directive provides more granular control over the same situations. It was originally defined in HTTP Header Field X-Frame-Options , but the definition and processing model here supersedes that document. [CSP] [RFC7034]

In particular, HTTP Header Field X-Frame-Options specified an ` ALLOW-FROM ` variant of the header, but that is not to be implemented.

Per the below processing model, if both a CSP frame-ancestors directive and an ` X-Frame-Options ` header are used in the same response , then ` X-Frame-Options ` is ignored.

For web developers and conformance checkers, its value ABNF is:

X-Frame-Options
=
"DENY"
/
"SAMEORIGIN"

7.8 Text directives and URL fragments

7.8.1 Introduction

This section is non-normative.

Text directives add support for specifying a text snippet in a URL fragment . When navigating to a URL whose fragment contains a text directive , the user agent can quickly emphasize the captured text on the page, bringing it to the user's attention.

The core use case for text directives is to allow URLs to serve as an exact text reference across the web. For example, Wikipedia URLs might link to the exact text they are quoting from a page. Similarly, search engines can serve URLs that embed text directives that direct the user to the content they are looking for in the page, rather than just linking to the top of the page.

This section defines how text directives are parsed , constructed, and "invoked" , which is the process of finding the text encapsulated by the directive, in a document.

With text directives , browsers may implement an option to "Copy URL to this text" when the user engages with various UI components, such as a context menu referring to a text selection. The browser can then generate a URL with the text selection appropriately specified , and the recipient of the URL will have the specified text conveniently indicated. Without text directives, if a user wants to share a passage of text from a page, they would likely just copy and paste the passage, in which case the recipient loses the context of the page.

7.8.2 Link lifetime

This section is non-normative.

Page on the web often update and change their content. As such, text directive links may "rot" in that the text content they point to no longer exists on the destination page. This specification attempts to maximize the useful lifetime of text directive links by using the actual text content as the URL payload, and allowing a fallback element-id fragment.

In user sharing use cases, the link is often transient, intended to be used only within a short time of sending. For longer duration use cases, such as references and web page links, text directives are still valuable since they degrade gracefully into an ordinary link. Additionally, the presence of a stale text directive can be useful information to surface to a user, to help them understand the link creator's original intent and that the page content may have changed since the link was created.

See the Generating text fragment directives section for best practices on how to create robust text directive links.

7.8.3 Exposure to script

This section is non-normative.

This section describes how fragment directives are exposed to script and updated across navigations.

When a URL including a fragment directive is written to a session history entry , the directive is extracted from the URL and stored in the entry's directive state member. Importantly, since a Document is populated from a session history entry , its URL will not include fragment directives . Similarly, since the Location object is a representation of the active document 's URL , all getters on it will produce a fragment directive -stripped version of the URL.

In short, this ensures that fragment directives are not exposed to script, and are rather tracked by internal mechanisms alongside script-exposed URLs.

Additionally, since the HashChangeEvent is fired in response to a changed fragment between URLs of session history entries, hashchange will not be fired if a navigation or traversal changes only the fragment directive.

Furthermore, same-document navigations that only change a URL's fragment without specifying a new directive, create new session history entries whose directive state refers to the previous entry's directive state .

Consider the below examples, which help clarify various edge cases of the above implications.

window.location = "https://example.com#page1:~:hello";
console.log(window.location.href); // 'https://example.com#page1'
console.log(window.location.hash); // '#page1'

location.hash = "page2";
console.log(location.href); // 'https://example.com#page2'

    onhashchange = () => console.assert(false, "hashchange doesn't fire.");
    location.hash = "page2:~:world";
    console.log(location.href); // 'https://example.com#page2'
    onhashchange = null;

    history.pushState("", "", "page3");
    console.log(location.href); // 'https://example.com/page3'

let url = new URL('https://example.com#foo:~:bar');
console.log(url.href); // 'https://example.com#foo:~:bar'
console.log(url.hash); // '#foo:~:bar'
document.url = url;
console.log(document.url.href); // 'https://example.com#foo:~:bar'
console.log(document.url.hash); // '#foo:~:bar'

<a id='anchor' href="https://example.com#foo:~:bar">Anchor</a>
<script>
  console.log(anchor.href); // 'https://example.com#foo:~:bar'
  console.log(anchor.hash); // '#foo:~:bar'
</script>

7.8.4 Applying directives to a document

This specification intentionally doesn't define what actions a user agent takes to "indicate" a text match. There are different experiences and trade-offs a user agent could make. Some examples of possible actions:

1. Providing visual emphasis or highlight of the text passage.

2. Automatically scrolling the passage into view when the page is navigated.

3. Activating a UA's find-in-page feature on the text passage.

4. Providing a "Click to scroll to text passage" notification.

5. Providing a notification when the text passage isn't found in the page.

The choice of action can have implications for user security and privacy. See the security and privacy section for details.

The UA may choose to scroll the text fragment into view as part of the try to scroll to the fragment steps or by some other mechanism; however, it is not required to scroll the match into view.

The UA should visually indicate the matched text in some way such that the user is made aware of the text match, such as with a high-contrast highlight.

The UA should provide to the user some method of dismissing the match, such that the matched text no longer appears visually indicated.

The exact appearance and mechanics of the indication are left as UA-defined. However, the UA must not use any methods observable by author script, such as the Document's selection , to indicate the text match. Doing so could allow attack vectors for content exfiltration.

The UA must not visually indicate any provided context terms.

Since the indicator is not part of the document's content, UAs should consider ways to differentiate it from the page's content as perceived by the user.

The UA could provide an in-product help prompt the first few times the indicator appears to help train the user that it comes from the linking page and is provided by the UA.

7.8.4.1 URLs in UA features

UAs provide a number of consumers for a document's URL (outside of programmatic APIs like window.location ). Examples include a location bar indicating the URL of the currently visible document, or the URL used when a user requests to create a bookmark for the current page.

To avoid user confusion, UAs should be consistent in whether such URLs include the fragment directive . This section provides a default set of recommendations for how UAs can handle these cases.

The general principle is that a URL should include the fragment directive only while the visual indicator is visible (i.e., not dismissed). If the user dismisses the indicator, then the URL should reflect this by removing the fragment directive .

If the URL includes a text fragment but a match wasn't found in the current page, the UA may choose to omit it from the exposed URL.

A few common examples are provided in the subsections below.

We use "text fragment" and "fragment directive" interchangeably here as text fragments are assumed to be the only kind of directive. If additional directives are added in the future, the UX in these cases will have to be re-evaluated separately for new directive types.

7.8.4.1.1 Location bar

The location bar's URL should include a text fragment while it is visually indicated. The fragment directive should be stripped from the location bar URL when the user dismisses the indication.

It is recommended that the text fragment be displayed in the location bar's URL even if a match wasn't located in the document.

7.8.4.1.2 Bookmarks

Many UAs provide a "bookmark" feature allowing users to store a convenient link to the current page in the UA's interface.

A newly created bookmark should, by default, include the fragment directive in the URL if, and only if, a match was found and the visual indicator hasn't been dismissed.

Navigating to a URL from a bookmark should process a fragment directive as if it were navigated to in a typical navigation.

7.8.4.1.3 Sharing

Some UAs provide a method for users to share the current page with others, typically by providing the URL to another app or messaging service.

When providing a URL in these situations, it should include the fragment directive if, and only if, a match was found and the visual indicator hasn't been dismissed.

7.8.5 Supporting concepts

To avoid compatibility issues with usage of existing URL fragments, this spec introduces the concept of a fragment directive . It is the portion of the URL fragment that follows the fragment directive delimiter and may be null if the delimiter does not appear in the fragment.

The fragment directive delimiter is the string " :~: ", that is the three consecutive code points U+003A (:), U+007E (~), U+003A (:).

The fragment directive is part of the URL fragment. This means it always appears after a U+0023 (#) code point in a URL.

To add a fragment directive to a URL like " https://example.com ", a fragment is first appended to the URL: " https://example.com#:~:text=foo ".

The fragment directive is parsed and processed into individual directives , which are instructions to the user agent to perform some action. Multiple directives may appear in the fragment directive.

The only directive introduced in this spec is the text directive but others could be added in the future.

" https://example.com#:~:text=foo&text=bar&unknownDirective " Contains 2 text directives and one unknown directive.

To prevent impacting page operation, it is stripped from script-accessible APIs to prevent interaction with author script. This also ensures future directives can be added without web compatibility risk.

A text directive is a kind of directive representing a range of text to be indicated to the user. It is a struct consisting of four strings:

start

a non-empty string

end

null or a non-empty string

prefix

null or a non-empty string

suffix

null or a non-empty string

Each Document has a pending text directives which is either a list of text directives or null, initially null.

7.8.6 Syntax

A text directive is specified in the fragment directive with the following format:

#:~:text=[prefix-,]start[,end][,-suffix]
          context  |--match--|  context

(Square brackets indicate an optional parameter) .

The text parameters are percent-decoded before matching. Dash (-), ampersand (&), and comma (,) characters in text parameters are percent-encoded to avoid being interpreted as part of the text directive syntax.

The only required parameter is " start ". If only " start " is specified, then the first instance of this exact text string is the target text.

" #:~:text=an%20example%20text%20fragment " indicates that the exact text " an example text fragment" is the target text.

If the " end " parameter is also specified, then the text directive refers to a range of text in the page. The target text range is the text range starting at the first instance of " start ", until the first instance of " end " that appears after " start ". This is equivalent to specifying the entire text range in the " start " parameter, but allows the URL to avoid being bloated with a long text directive.

" #:~:text=an%20example,text%20fragment " indicates that the first instance of " an example " until the following first instance of "text fragment" is the target text.

The other two optional parameters are context terms. They are specified by the dash (-) character succeeding the prefix and preceding the suffix, to differentiate them from the " start " and " end " parameters, as any combination of optional parameters can be specified.

Context terms are used to disambiguate the target text fragment. The context terms can specify the text immediately before (prefix) and immediately after (suffix) the text fragment, allowing for whitespace.

While a match succeeds only if the context terms surround the target text fragment, any amount of whitespace is allowed between context terms and the text fragment. This allows context terms to cross element boundaries, for example if the target text fragment is at the beginning of a paragraph and needs disambiguation by the previous element's text as a prefix.

The context terms are not part of the targeted text fragment and are not visually indicated.

" #:~:text=this%20is-,an%20example,-text%20fragment " would match to " an example " in " this is an example text fragment ", but not match to " an example " in " here is an example text ".

7.8.7 Parsing and processing model

7.8.7.1 Parsing

This algorithm makes a URL's fragment end at the fragment directive delimiter . The returned fragment directive includes all characters that follow the delimiter but does not include the delimiter.

TODO: If a URL's fragment ends with ':~:' (i.e., empty directive), this will return null which is treated as the URL not specifying an explicit directive (and avoids clobbering an existing one. But maybe in this case we should return the empty string? That way a page can explicitly clear directives/highlights by navigating/pushState to '#:~:'.

https://example.org/#test:~:text=foo will be parsed such that the fragment is the string "test" and the fragment directive is the string "text=foo".

7.8.7.2 Finding and invoking text directives

This section outlines several algorithms and definitions that specify how to turn a full fragment directive string into a list of Range objects.

At a high level, we take a fragment directive string that looks like this:

    text=prefix-,foo&unknown&text=bar,baz

We break this up into the individual text directives:

    text=prefix-,foo
    text=bar,baz

For each text directive, we perform a search in the document for the first instance of rendered text that matches the restrictions in the directive. Each search is independent of any others; that is, the result is the same regardless of how many other directives are provided or their match result.

If a directive successfully matches to text in the document, it returns a range indicating the match in the document. The invoke text directives steps are the high level API provided by this section. These return a list of ranges that were matched by the individual directive matching steps, in the order the directives were specified in the fragment directive string.

If a directive was not matched, it does not add an item to the returned list.

Maybe describe what this next set of algorithms and primitives do.

:~:text=The
quick,lazy
dog

Collection breaks when we hit a block node, e.g. searching over this tree:

  abc
d
e

A node is search invisible if it is an element in the HTML namespace and meets any of the following conditions:

• the computed value of its 'display' property is 'none';

• if the node serializes as void ;

• if the node is any of the following types: HTMLIFrameElement , HTMLImageElement , HTMLMeterElement , HTMLObjectElement , HTMLProgressElement , HTMLStyleElement , HTMLScriptElement , HTMLVideoElement , HTMLAudioElement ; or

• if the node is a select element whose multiple content attribute is absent.

A node is part of a non-searchable subtree if it is or has a shadow-including ancestor that is search invisible .

A node is a visible text node if it is a Text node, the computed value of its parent element 's 'visibility' property is 'visible', and it is being rendered .

A node has block-level display if it is an element and the computed value of its 'display' property is any of 'block', 'table', 'flow-root', 'grid', 'flex', 'list-item'.

Optionally, this will only return a match if the matched text is at the beginning of the node list.

7.8.7.3 Word boundaries

Limiting matching to word boundaries is one of the mitigations to limit cross-origin information leakage.

See Intl.Segmenter , a proposal to specify unicode segmentation, including word segmentation. Once specified, this algorithm can be improved by making use of the Intl.Segmenter API for word boundary matching.

A word boundary is defined in [[!UAX29]] in [[UAX29#Word_Boundaries]]. [[UAX29#Default_Word_Boundaries]] defines a default set of what constitutes a word boundary, but as the specification mentions, a more sophisticated algorithm should be used based on the locale.

Dictionary-based word bounding should take specific care in locales without a word-separating character. E.g. In English, words are separated by the space character (' '); however, in Japanese there is no character that separates one word from the next. In such cases, and where the alphabet contains fewer than 100 characters, the dictionary must not contain more than 20% of the alphabet as valid, one-letter words.

A locale is a string containing a valid [[BCP47]] language tag, or the empty string. An empty string indicates that the primary language is unknown.

7.8.8 Generating text fragment directives

This section is non-normative.

This section contains recommendations for UAs automatically generating URLs with a text directive . These recommendations aren't normative but are provided to ensure generated URLs result in maximally stable and usable URLs.

7.8.8.1 Prefer exact matching to range-based

The match text can be provided either as an exact string " text=foo%20bar%20baz " or as a range " text=foo,bar ".

Prefer to specify the entire string where practical. This ensures that if the destination page is removed or changed, the intended destination can still be derived from the URL itself.

      The first recorded idea of using digital electronics for computing was the
      1931 paper "The Use of Thyratrons for High Speed Automatic Counting of
      Physical Phenomena" by C. E. Wynn-Williams.

Range-based matches can be helpful when the quoted text is excessively long and encoding the entire string would produce an unwieldy URL.

Text snippets shorter than 300 characters are encouraged to be encoded using an exact match. Above this limit, the UA can encode the string as a range-based match.

TODO: Can we determine the above limit in some less arbitrary way?

7.8.8.2 Use context only when necessary

Context terms allow the text directive to disambiguate text snippets on a page. However, their use can make the URL more brittle in some cases. Often, the desired string will start or end at an element boundary. The context will therefore exist in an adjacent element. Changes to the page structure could invalidate the text directive since the context and match text will no longer appear to be adjacent.

      <div class="section">HEADER</div>
      <div class="content">Text to quote</div>

      text=HEADER-,Text%20to%20quote

Where a text snippet is long enough and unique, a UAs are encouraged to avoid adding superfluous context terms.

Use context only if one of the following is true:

• The UA determines the quoted text is ambiguous.

• The quoted text contains 3 or fewer words.

TODO: Determine the numeric limit above in less arbitrary way.

7.8.8.3 Determine if fragment ID is needed

When the UA navigates to a URL containing a text directive , it will fallback to scrolling into view a regular element-id based fragment if it exists and the text fragment isn't found.

This can be useful to provide a fallback, in case the text in the document changes, invalidating the text directive .

      The earliest known tool for use in computation is the Sumerian abacus

However, UAs should take care that the fallback element-id fragment is the correct one:

      By the late 1960s, computer systems could perform symbolic algebraic
      manipulations

7.8.9 Security and privacy considerations

Care must be taken when implementing text directives so that it cannot be used to exfiltrate information across origins. Scripts can navigate a page to a cross-origin URL with a text directive . If a malicious actor can determine that the text fragment was successfully found in victim page as a result of such a navigation, they can infer the existence of any text on the page.

This section describes some of the attacks that could be executed with the help of text directives , and the navigation processing model changes that restrict this feature to mitigate said attacks. In summary, text directives are restricted to:

• top-level traversables .

  This isn't strictly true, Chrome allows this for same-origin initiators. Need to update the spec on this point. See WICG/scroll-to-text-fragment#240 .

• navigations that are the result of a user action.

• in cases where the navigation has a cross-origin initiator, the destination must be opener isolated (i.e. no references to its global objects in other documents)

7.8.9.1 Scroll on navigation

A UA may choose to automatically scroll a matched text passage into view. This can be a convenient experience for the user but does present some risks that implementing UAs need to be aware of.

There are known (and potentially unknown) ways a scroll on navigation might be detectable and distinguished from natural user scrolls.

All known cases like this rely on specific circumstances about the target page so don't apply generally. With additional restrictions about when the text fragment can invoke an attacker is further restricted. Nonetheless, different UAs can come to different conclusions about whether these risks are acceptable. UAs need to consider these factors when determining whether to scroll as part of navigating to a text fragment.

Conforming UAs may choose not to scroll automatically on navigation. Such UAs may, instead, provide UI to initiate the scroll ("click to scroll") or none at all. In these cases UA should provide some indication to the user that an indicated passage exists further down on the page.

The examples above illustrate that in specific circumstances, it can be possible for an attacker to extract 1 bit of information about content on the page. However, care must be taken so that such opportunities cannot be exploited to extract arbitrary content from the page by repeating the attack. For this reason, restrictions based on user activation and browsing context isolation are very important and must be implemented.

If a UA does choose to scroll automatically, it must ensure no scrolling is performed while the document is in the background (for example, in an inactive tab). This ensures any malicious usage is visible to the user and prevents attackers from trying to secretly automate a search in background documents.

If a UA chooses not to scroll automatically, it must scroll a fallback element-id into view, if provided, regardless of whether a text fragment was matched. Not doing so would allow detecting the text fragment match based on whether the element-id was scrolled.

7.8.9.2 Search timing

A naive implementation of the text search algorithm could allow information exfiltration based on runtime duration differences between a matching and non- matching query. If an attacker could find a way to synchronously navigate to a text directive -invoking URL, they would be able to determine the existence of a text snippet by measuring how long the navigation call takes.

For this reason, the implementation must ensure the runtime of [[#navigating-to-text-fragment]] steps does not differ based on whether a match has been successfully found .

This specification does not specify exactly how a UA achieves this as there are multiple solutions with differing tradeoffs. For example, a UA may continue to walk the tree even after a match is found in [=find a range from a text directive=]. Alternatively, it may schedule an asynchronous task to find and set the [=/Document=]'s indicated part.

7.8.9.3 Restricting the text fragment

7.8.9.4 Restricting scroll on load

7.9 The ` Refresh ` header

The ` Refresh ` HTTP response header is the HTTP-equivalent to a meta element with an http-equiv attribute in the Refresh state . It takes the same value and works largely the same. Its processing model is detailed in create and initialize a Document object .

7.9 7.10 Browser user interface considerations

Browser user agents should provide the ability to navigate , reload , and stop loading any top-level traversable in their top-level traversable set .

For example, via a location bar and reload/stop button UI.

Browser user agents should provide the ability to traverse by a delta any top-level traversable in their top-level traversable set .

For example, via back and forward buttons, possibly including long-press abilities to change the delta.

It is suggested that such user agents allow traversal by deltas greater than one, to avoid letting a page "trap" the user by stuffing the session history with spurious entries. (For example, via repeated calls to history.pushState() or fragment navigations .)

Some user agents have heuristics for translating a single "back" or "forward" button press into a larger delta, specifically to overcome such abuses. We are contemplating specifying these heuristics in issue #7832 .

Browser user agents should offer users the ability to create a fresh top-level traversable , given a user-provided or user agent-determined initial URL .

For example, via a "new tab" or "new window" button.

Browser user agents should offer users the ability to arbitrarily close any top-level traversable in their top-level traversable set .

For example, by clicking a "close tab" button.

Browser user agents may provide ways for the user to explicitly cause any navigable (not just a top-level traversable ) to navigate , reload , or stop loading .

For example, via a context menu.

Browser user agents may provide the ability for users to destroy a top-level traversable .

For example, by force-closing a window containing one or more such top-level traversables .

When a user requests a reload of a navigable whose active session history entry 's document state 's resource is a POST resource , the user agent should prompt the user to confirm the operation first, since otherwise transactions (e.g., purchases or database modifications) could be repeated.

When a user requests a reload of a navigable , user agents may provide a mechanism for ignoring any caches when reloading.

All calls to navigate initiated by the mechanisms mentioned above must have the userInvolvement argument set to " browser UI ".

All calls to reload initiated by the mechanisms mentioned above must have the userInvolvement argument set to " browser UI ".

All calls to traverse the history by a delta initiated by the mechanisms mentioned above must not pass a value for the sourceDocument argument.

The above recommendations, and the data structures in this specification, are not meant to place restrictions on how user agents represent the session history to the user.

For example, although a top-level traversable 's session history entries are stored and maintained as a list, and the user agent is recommended to give an interface for traversing that list by a delta , a novel user agent could instead or in addition present a tree-like view, with each page having multiple "forward" pages that the user can choose between.

Similarly, although session history for all descendant navigables is stored in their traversable navigable , user agents could present the user with a more nuanced per- navigable view of the session history.

Browser user agents may use a top-level browsing context 's is popup boolean for the following purposes:

• Deciding whether or not to provide a minimal web browser user interface for the corresponding top-level traversable .

• Performing the optional steps in set up browsing context features .

In both cases user agents might additionally incorporate user preferences, or present a choice as to whether to go down the popup route.

User agents that provide a minimal user interface for such popups are encouraged to not hide the browser's location bar.