html5/spec Overview.html,1.3661,1.3662 from Ian Hickson via cvs-syncmail on 2010-01-13 (public-html-commits@w3.org from January 2010)

From: Ian Hickson via cvs-syncmail <cvsmail@w3.org>
Date: Wed, 13 Jan 2010 07:06:13 +0000
To: public-html-commits@w3.org
Message-Id: <E1NUxIz-000838-JS@lionel-hutz.w3.org>
Update of /sources/public/html5/spec
In directory hutz:/tmp/cvs-serv30906

Modified Files:
	Overview.html 
Log Message:
Freeze the sandbox flags and propagate them to nested browsing contexts. (whatwg r4586)

Index: Overview.html
===================================================================
RCS file: /sources/public/html5/spec/Overview.html,v
retrieving revision 1.3661
retrieving revision 1.3662
diff -u -d -r1.3661 -r1.3662
--- Overview.html	13 Jan 2010 03:30:36 -0000	1.3661
+++ Overview.html	13 Jan 2010 07:06:09 -0000	1.3662
@@ -16867,10 +16867,12 @@
 
   <p>While the <code title="attr-iframe-sandbox"><a href="#attr-iframe-sandbox">sandbox</a></code>
   attribute is specified, the <code><a href="#the-iframe-element">iframe</a></code> element's
-  <a href="#nested-browsing-context">nested browsing context</a>, and all the browsing contexts
-  <a href="#nested-browsing-context" title="nested browsing context">nested</a> within it
-  (either directly or indirectly through other nested browsing
-  contexts) must have the following flags set:</p>
+  <a href="#nested-browsing-context">nested browsing context</a> must have the flags given in
+  the following list set.  In addition, any browsing contexts <a href="#nested-browsing-context" title="nested browsing context">nested</a> within an
+  <code><a href="#the-iframe-element">iframe</a></code>, either directly or indirectly, must have all
+  the flags set on them as were set on the <code><a href="#the-iframe-element">iframe</a></code>'s
+  <code>Document</code>'s <a href="#browsing-context">browsing context</a> when the
+  <code>iframe<code>'s <code>Document</code> was created.</code></code></p>
 
   <dl><dt>The <dfn id="sandboxed-navigation-browsing-context-flag">sandboxed navigation browsing context flag</dfn></dt>
 
@@ -17020,6 +17022,44 @@
    <pre>&lt;iframe sandbox="allow-same-origin allow-forms allow-scripts"
         src="http://maps.example.com/embedded.html"&gt;&lt;/iframe&gt;</pre>
 
+  </div><div class="example">
+
+   <p>Suppose a file A contained the following fragment:</p>
+
+   <pre>&lt;iframe sandbox="allow-same-origin allow-forms" src=B&gt;&lt;/iframe&gt;</pre>
+
+   <p>Suppose that file B contained an iframe also:</p>
+
+   <pre>&lt;iframe sandbox="allow-scripts" src=C&gt;&lt;/iframe&gt;</pre>
+
+   <p>Further, suppose that file C contained a link:</p>
+
+   <pre>&lt;a href=D&gt;Link&lt;/a&gt;</pre>
+
+   <p>For this example, suppose all the files were served as
+   <code><a href="#text-html">text/html</a></code>.</p>
+
+   <p>Page C in this scenario has all the sandboxing flags
+   set. Scripts are disabled, because the <code><a href="#the-iframe-element">iframe</a></code> in A has
+   scripts disabled, and this overrides the <code title="attr-iframe-sandbox-allow-scripts"><a href="#attr-iframe-sandbox-allow-scripts">allow-scripts</a></code>
+   keyword set on the <code><a href="#the-iframe-element">iframe</a></code> in B. Forms are also
+   disabled, because the inner <code><a href="#the-iframe-element">iframe</a></code> (in B) does not
+   have the <code title="attr-iframe-sandbox-allow-forms"><a href="#attr-iframe-sandbox-allow-forms">allow-forms</a></code> keyword
+   set.</p>
+
+   <p>Suppose now that a script in A removes all the <code title="attr-iframe-sandbox"><a href="#attr-iframe-sandbox">sandbox</a></code> attributes in A and
+   B. This would change nothing immediately. If the user clicked the
+   link in C, loading page D into the <code><a href="#the-iframe-element">iframe</a></code> in B, page D
+   would now act as if the <code><a href="#the-iframe-element">iframe</a></code> in B had the <code title="attr-iframe-sandbox-allow-same-origin"><a href="#attr-iframe-sandbox-allow-same-origin">allow-same-origin</a></code>
+   and <code title="attr-iframe-sandbox-allow-forms"><a href="#attr-iframe-sandbox-allow-forms">allow-forms</a></code> keywords
+   set, because that was the state of the <a href="#nested-browsing-context">nested browsing
+   context</a> in the <code><a href="#the-iframe-element">iframe</a></code> in A when page B was
+   loaded.</p>
+
+   <p>Generally speaking, dynamically removing or changing the <code title="attr-iframe-sandbox"><a href="#attr-iframe-sandbox">sandbox</a></code> attribute is
+   ill-advised, because it can make it quite hard to reason about what
+   will be allowed and what will not.</p>
+
   </div><p class="note">Potentially hostile files can be served from the
   same server as the file containing the <code><a href="#the-iframe-element">iframe</a></code> element
   by labeling them as <code><a href="#text-html-sandboxed">text/html-sandboxed</a></code> instead of
Received on Wednesday, 13 January 2010 07:06:14 UTC