
html5/spec Overview.html,1.3690,1.3691

From: Ian Hickson via cvs-syncmail <cvsmail@w3.org>
Date: Wed, 27 Jan 2010 23:07:01 +0000
To: public-html-commits@w3.org
Message-Id: <E1NaGyT-0002K3-MM@lionel-hutz.w3.org>
Update of /sources/public/html5/spec
In directory hutz:/tmp/cvs-serv8907

Modified Files:
Log Message:
Block pushState() and replaceState() from changing URLs when used by text/html-sandboxed content, to prevent them from spoofing other pages on the same origin. (whatwg r4630)

Index: Overview.html
RCS file: /sources/public/html5/spec/Overview.html,v
retrieving revision 1.3690
retrieving revision 1.3691
diff -u -d -r1.3690 -r1.3691
--- Overview.html	27 Jan 2010 22:34:23 -0000	1.3690
+++ Overview.html	27 Jan 2010 23:06:57 -0000	1.3691
@@ -43470,7 +43470,16 @@
      raise a <code><a href="#security_err">SECURITY_ERR</a></code> exception and abort these
-    </ol><p>For the purposes of the comparison in the above substeps, the
+     <li>If the <a href="#origin">origin</a> of the resulting <a href="#absolute-url">absolute
+     URL</a> is not the same as the <a href="#origin">origin</a> of the
+     <a href="#entry-script">entry script</a>'s <code title="script's browsing
+     context"><a href="#script-s-browsing-context">browsing context, and either the <span title="url-path">&lt;path&gt;</span> or <span title="url-query">&lt;query&gt;</span> components of the two
+     <span title="URL">URLs</span> comparedi in the previous step
+     differ, raise a <code>SECURITY_ERR</code> exception and abort
+     these steps. (This prevents sandboxed content from spoofing other
+     pages on the same origin.)</a></code></li>
+    </ol><p>For the purposes of the comparisons in the above substeps, the
     <a href="#url-path" title="url-path">&lt;path&gt;</a> and <a href="#url-query" title="url-query">&lt;query&gt;</a> components can only be the
     same if the URLs use a hierarchical <a href="#url-scheme" title="url-scheme">&lt;scheme&gt;</a>.</p>
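Review bot: the new `<li>` leaves its markup unbalanced: the `<code title="script's browsing context"><a href="#script-s-browsing-context">` opened on the `entry script`'s line is not closed until the `</a></code>` after "(This prevents sandboxed content from spoofing other pages on the same origin.)", so everything from "browsing context, and either" to the end of the parenthetical renders as one link inside a `<code>` element; close both elements directly after `browsing context`. On the same hunk, "comparedi in the previous step" should read "compared in the previous step", and the inner `<code>SECURITY_ERR</code>` should be `<code><a href="#security_err">SECURITY_ERR</a></code>` to match the context line above it. The logic itself reads correctly: the step only runs after the previous substep has already confirmed the two URLs agree outside `<path>`, `<query>` and `<fragment>`, so for a document with a unique (sandboxed) origin any path or query change is rejected while fragment-only changes still pass.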
Received on Wednesday, 27 January 2010 23:07:02 UTC
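The two substeps in the hunk above, modelled as an added JavaScript example (this is not spec text and not code from the WHATWG or W3C repositories). It assumes http(s) documents, models the entry script's origin as a serialized tuple origin for ordinary documents and as an arbitrary opaque token for `text/html-sandboxed` content, and uses its own names (`checkStateUrl`, `outcomeOf`, `SecurityError`); the sample URLs are constructed for the example.

```javascript
// Added example: the URL check that pushState()/replaceState() perform on
// the URL argument, including the new "sandboxed content" substep.
// Assumes the WHATWG URL class (global in browsers and Node >= 10).

class SecurityError extends Error {
  constructor(message) {
    super(message);
    this.name = 'SECURITY_ERR';
  }
}

// Existing substep: the resolved URL may differ from the document's address
// only in <path>, <query> and <fragment>. URL.host already includes a
// non-default port, so scheme + credentials + host covers the rest.
function sameOutsidePathQueryFragment(a, b) {
  return a.protocol === b.protocol &&
         a.username === b.username &&
         a.password === b.password &&
         a.host === b.host;
}

// Resolves `newUrl` against `docUrl` and applies both substeps.
// `entryOrigin` is the origin of the entry script's document: a serialized
// tuple origin such as "https://example.com" for a normal document, or an
// opaque token (assumption of this example) for a sandboxed one, which can
// never equal the URL-derived origin.
function checkStateUrl(newUrl, docUrl, entryOrigin) {
  const doc = new URL(docUrl);
  const resolved = new URL(newUrl, doc);

  if (!sameOutsidePathQueryFragment(resolved, doc)) {
    throw new SecurityError('URL differs from the document address outside path/query/fragment');
  }

  // New substep: if the URL's origin is not the entry script's origin and
  // the path or query changed, reject. Only a unique (sandboxed) origin can
  // reach this point with differing origins, because the previous substep
  // already forced scheme/host/port to match the document's address.
  const pathOrQueryDiffer = resolved.pathname !== doc.pathname ||
                            resolved.search !== doc.search;
  if (resolved.origin !== entryOrigin && pathOrQueryDiffer) {
    throw new SecurityError('sandboxed content may not spoof another page on this origin');
  }

  return resolved.href;
}

// Wraps the check so callers (and tests) get a value instead of an exception.
function outcomeOf(newUrl, docUrl, entryOrigin) {
  try {
    return { ok: true, url: checkStateUrl(newUrl, docUrl, entryOrigin) };
  } catch (e) {
    if (e instanceof SecurityError) return { ok: false, error: e.name };
    throw e;
  }
}

// Constructed sample inputs.
const DOC = 'https://example.com/app/page?x=1';
const NORMAL_ORIGIN = 'https://example.com';      // origin of an ordinary document
const SANDBOXED_ORIGIN = 'unique-origin-7f3a';    // opaque token for sandboxed content

console.log(outcomeOf('/app/other?x=2', DOC, NORMAL_ORIGIN));   // allowed
console.log(outcomeOf('https://evil.example/x', DOC, NORMAL_ORIGIN)); // SECURITY_ERR
console.log(outcomeOf('/login', DOC, SANDBOXED_ORIGIN));         // SECURITY_ERR (new step)
console.log(outcomeOf('#section', DOC, SANDBOXED_ORIGIN));       // allowed: fragment only
```

The fragment-only case is the one worth noting: sandboxed content can still update the fragment of its own address, because the new substep compares only `<path>` and `<query>`, exactly as the hunk states.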
