- From: Ian Hickson via cvs-syncmail <cvsmail@w3.org>
- Date: Mon, 10 Jan 2011 22:34:12 +0000
- To: public-html-commits@w3.org
Update of /sources/public/html5/spec
In directory hutz:/tmp/cvs-serv2171
Modified Files:
Overview.html
Log Message:
Ensure that sandbox='allow-same-origin allow-top-navigation' doesn't allow sandboxed pages to run scripts 'by proxy' (through the top-level browsing context) (whatwg r5756)
Index: Overview.html
===================================================================
RCS file: /sources/public/html5/spec/Overview.html,v
retrieving revision 1.4616
retrieving revision 1.4617
diff -u -d -r1.4616 -r1.4617
--- Overview.html 10 Jan 2011 22:08:27 -0000 1.4616
+++ Overview.html 10 Jan 2011 22:34:08 -0000 1.4617
@@ -47949,6 +47949,16 @@
<p>Use the appropriate step from the following list:</p>
<dl><dt>If a <a href="#browsing-context">browsing context</a> is being <a href="#navigate" title="navigate">navigated</a> to a <code>javascript:</code>
+ URL, and the <a href="#source-browsing-context">source browsing context</a> for that
+ navigation, if any, has <a href="#concept-bc-noscript" title="concept-bc-noscript">scripting disabled</a></dt>
+
+ <dd>
+
+ <p>Let <var title="">result</var> be void.</p>
+
+ </dd>
+
+ <dt>If a <a href="#browsing-context">browsing context</a> is being <a href="#navigate" title="navigate">navigated</a> to a <code>javascript:</code>
URL, and the <a href="#active-document">active document</a> of that browsing
context has the <a href="#same-origin">same origin</a> as the script given by
that URL</dt>
Received on Monday, 10 January 2011 22:34:14 UTC