W3C home > Mailing lists > Public > public-html-commits@w3.org > April 2012

html5/spec Overview.html,1.5623,1.5624

From: Ian Hickson via cvs-syncmail <cvsmail@w3.org>
Date: Fri, 13 Apr 2012 23:10:12 +0000
To: public-html-commits@w3.org
Message-Id: <E1SIpd6-00081z-UX@lionel-hutz.w3.org>
Update of /sources/public/html5/spec
In directory hutz:/tmp/cvs-serv30856

Modified Files:
	Overview.html 
Log Message:
Refactor the sandboxing flags further to make it even easier to hook into for CSP. (whatwg r7053)

Index: Overview.html
===================================================================
RCS file: /sources/public/html5/spec/Overview.html,v
retrieving revision 1.5623
retrieving revision 1.5624
diff -u -d -r1.5623 -r1.5624
--- Overview.html	13 Apr 2012 22:55:52 -0000	1.5623
+++ Overview.html	13 Apr 2012 23:10:08 -0000	1.5624
@@ -24139,80 +24139,12 @@
   
 
   <p>While the <code title="attr-iframe-sandbox"><a href="#attr-iframe-sandbox">sandbox</a></code>
-  attribute is specified, the <code><a href="#the-iframe-element">iframe</a></code> element's
-  <a href="#nested-browsing-context">nested browsing context</a>'s <a href="#iframe-sandboxing-flag-set"><code>iframe</code>
-  sandboxing flag set</a> must have the flags given in the
-  following list set.</p>
-
-  <ul><li><p>The <a href="#sandboxed-navigation-browsing-context-flag">sandboxed navigation browsing context flag</a></li>
-
-   <li><p>The <a href="#sandboxed-top-level-navigation-browsing-context-flag">sandboxed top-level navigation browsing context
-   flag</a>, unless the <code title="attr-iframe-sandbox"><a href="#attr-iframe-sandbox">sandbox</a></code> attribute's value, when
-   <a href="#split-a-string-on-spaces" title="split a string on spaces">split on spaces</a>, is
-   found to have the <dfn id="attr-iframe-sandbox-allow-top-navigation" title="attr-iframe-sandbox-allow-top-navigation"><code>allow-top-navigation</code></dfn>
-   keyword set</li>
-
-   <li><p>The <a href="#sandboxed-plugins-browsing-context-flag">sandboxed plugins browsing context flag</a></li>
-
-   <li><p>The <a href="#sandboxed-seamless-iframes-flag">sandboxed seamless iframes flag</a></li>
-
-   <li>
-
-    <p>The <a href="#sandboxed-origin-browsing-context-flag">sandboxed origin browsing context flag</a>, unless
-    the <code title="attr-iframe-sandbox"><a href="#attr-iframe-sandbox">sandbox</a></code> attribute's
-    value, when <a href="#split-a-string-on-spaces" title="split a string on spaces">split on
-    spaces</a>, is found to have the <dfn id="attr-iframe-sandbox-allow-same-origin" title="attr-iframe-sandbox-allow-same-origin"><code>allow-same-origin</code></dfn>
-    keyword set</p>
-
-    <div class="note">
-
-     <p>The <code title="attr-iframe-sandbox-allow-same-origin"><a href="#attr-iframe-sandbox-allow-same-origin">allow-same-origin</a></code>
-     keyword is intended for two cases.</p>
-
-     <p>First, it can be used to allow content from the same site to
-     be sandboxed to disable scripting, while still allowing access to
-     the DOM of the sandboxed content.</p>
-
-     <p>Second, it can be used to embed content from a third-party
-     site, sandboxed to prevent that site from opening popup windows,
-     etc, without preventing the embedded page from communicating back
-     to its originating site, using the database APIs to store data,
-     etc.</p>
-
-    </div>
-
-   </li>
-
-   <li><p>The <a href="#sandboxed-forms-browsing-context-flag">sandboxed forms browsing context flag</a>, unless
-   the <code title="attr-iframe-sandbox"><a href="#attr-iframe-sandbox">sandbox</a></code> attribute's
-   value, when <a href="#split-a-string-on-spaces" title="split a string on spaces">split on
-   spaces</a>, is found to have the <dfn id="attr-iframe-sandbox-allow-forms" title="attr-iframe-sandbox-allow-forms"><code>allow-forms</code></dfn>
-   keyword set</li>
-
-   <li><p>The <a href="#sandboxed-scripts-browsing-context-flag">sandboxed scripts browsing context flag</a>, unless
-   the <code title="attr-iframe-sandbox"><a href="#attr-iframe-sandbox">sandbox</a></code> attribute's
-   value, when <a href="#split-a-string-on-spaces" title="split a string on spaces">split on
-   spaces</a>, is found to have the <dfn id="attr-iframe-sandbox-allow-scripts" title="attr-iframe-sandbox-allow-scripts"><code>allow-scripts</code></dfn>
-   keyword set</li>
-
-   <li>
-
-    <p>The <a href="#sandboxed-automatic-features-browsing-context-flag">sandboxed automatic features browsing context
-    flag</a>, unless the <code title="attr-iframe-sandbox"><a href="#attr-iframe-sandbox">sandbox</a></code> attribute's value, when
-    <a href="#split-a-string-on-spaces" title="split a string on spaces">split on spaces</a>, is
-    found to have the <code title="attr-iframe-sandbox-allow-scripts"><a href="#attr-iframe-sandbox-allow-scripts">allow-scripts</a></code>
-    keyword (defined above) set</p>
-
-    <p class="note">This flag is relaxed by the same flag as
-    scripts, because when scripts are enabled these features are
-    trivially possible anyway, and it would be unfortunate to force
-    authors to use script to do them when sandboxed rather than
-    allowing them to use the declarative features.</p>
-
-   </li>
-
-  </ul><p>These flags must not be set unless the conditions listed above
-  define them as being set.</p>
+  attribute is set or changed, the user agent must <a href="#parse-a-sandboxing-directive" title="parse
+  a sandboxing directive">parse the sandboxing directive</a> using
+  the attribute's value as the <var title="">input</var> and the
+  <code><a href="#the-iframe-element">iframe</a></code> element's <a href="#nested-browsing-context">nested browsing context</a>'s
+  <a href="#iframe-sandboxing-flag-set"><code>iframe</code> sandboxing flag set</a> as the
+  output.</p>
 
   <p class="warning">These flags only take effect when the
   <a href="#nested-browsing-context">nested browsing context</a> of the <code><a href="#the-iframe-element">iframe</a></code> is
@@ -54063,7 +53995,80 @@
 
    </dd>
 
-  </dl><p>Every <a href="#nested-browsing-context">nested browsing context</a> has an
+  </dl><p>When the user agent is to <dfn id="parse-a-sandboxing-directive">parse a sandboxing
+  directive</dfn>, given a string <var title="">input</var> and a
+  <a href="#sandboxing-flag-set">sandboxing flag set</a> <var title="">output</var>, it must
+  run the following steps:</p>
+
+  <ol><li><p><a href="#split-a-string-on-spaces" title="split a string on spaces">Split <var title="">input</var> on spaces</a>, to obtain <var title="">tokens</var>.</li>
+
+   <li><p>Let <var title="">output</var> be empty.</li>
+
+   <li>
+
+    <p>Add the following flags to <var title="">output</var>:</p>
+
+    <ul><li><p>The <a href="#sandboxed-navigation-browsing-context-flag">sandboxed navigation browsing context flag</a></li>
+
+     <li><p>The <a href="#sandboxed-top-level-navigation-browsing-context-flag">sandboxed top-level navigation browsing context
+     flag</a>, unless <var title="">tokens</var> contains the <dfn id="attr-iframe-sandbox-allow-top-navigation" title="attr-iframe-sandbox-allow-top-navigation"><code>allow-top-navigation</code></dfn>
+     keyword</li>
+
+     <li><p>The <a href="#sandboxed-plugins-browsing-context-flag">sandboxed plugins browsing context flag</a></li>
+
+     <li><p>The <a href="#sandboxed-seamless-iframes-flag">sandboxed seamless iframes flag</a></li>
+
+     <li>
+
+      <p>The <a href="#sandboxed-origin-browsing-context-flag">sandboxed origin browsing context flag</a>,
+      unless the <var title="">tokens</var> contains the <dfn id="attr-iframe-sandbox-allow-same-origin" title="attr-iframe-sandbox-allow-same-origin"><code>allow-same-origin</code></dfn>
+      keyword</p>
+
+      <div class="note">
+
+       <p>The <code title="attr-iframe-sandbox-allow-same-origin"><a href="#attr-iframe-sandbox-allow-same-origin">allow-same-origin</a></code>
+       keyword is intended for two cases.</p>
+
+       <p>First, it can be used to allow content from the same site to
+       be sandboxed to disable scripting, while still allowing access to
+       the DOM of the sandboxed content.</p>
+
+       <p>Second, it can be used to embed content from a third-party
+       site, sandboxed to prevent that site from opening popup windows,
+       etc, without preventing the embedded page from communicating back
+       to its originating site, using the database APIs to store data,
+       etc.</p>
+
+      </div>
+
+     </li>
+
+     <li><p>The <a href="#sandboxed-forms-browsing-context-flag">sandboxed forms browsing context flag</a>,
+     unless <var title="">tokens</var> contains the <dfn id="attr-iframe-sandbox-allow-forms" title="attr-iframe-sandbox-allow-forms"><code>allow-forms</code></dfn>
+     keyword</li>
+
+     <li><p>The <a href="#sandboxed-scripts-browsing-context-flag">sandboxed scripts browsing context flag</a>,
+     unless <var title="">tokens</var> contains the <dfn id="attr-iframe-sandbox-allow-scripts" title="attr-iframe-sandbox-allow-scripts"><code>allow-scripts</code></dfn>
+     keyword</li>
+
+     <li>
+
+      <p>The <a href="#sandboxed-automatic-features-browsing-context-flag">sandboxed automatic features browsing context
+      flag</a>, unless <var title="">tokens</var> contains the
+      <code title="attr-iframe-sandbox-allow-scripts"><a href="#attr-iframe-sandbox-allow-scripts">allow-scripts</a></code>
+      keyword (defined above)</p>
+
+      <p class="note">This flag is relaxed by the same keyword as
+      scripts, because when scripts are enabled these features are
+      trivially possible anyway, and it would be unfortunate to force
+      authors to use script to do them when sandboxed rather than
+      allowing them to use the declarative features.</p>
+
+     </li>
+
+    </ul></li>
+
+  </ol><hr><p>Every <a href="#nested-browsing-context">nested browsing context</a> has an
   <dfn id="iframe-sandboxing-flag-set"><code>iframe</code> sandboxing flag set</dfn>, which is a
   <a href="#sandboxing-flag-set">sandboxing flag set</a>. Which flags in a <a href="#nested-browsing-context">nested
   browsing context</a>'s <a href="#iframe-sandboxing-flag-set"><code>iframe</code> sandboxing flag
Received on Friday, 13 April 2012 23:10:15 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 13 April 2012 23:10:18 GMT