- From: Sam Ruby via cvs-syncmail <cvsmail@w3.org>
- Date: Sun, 14 Oct 2012 13:44:51 +0000
- To: public-html-commits@w3.org
Update of /sources/public/html5/spec
In directory hutz:/tmp/cvs-serv30712
Modified Files:
introduction.html single-page.html spec.html
textFieldSelection.html the-iframe-element.html
Log Message:
commit 4f0fb36a4d6ca43275cf1a640c19d76d1df40586
Author: Silvia Pfeiffer <silviapfeiffer1@gmail.com>
Date: Mon Oct 15 00:33:14 2012 +1100
[Editorial] Update of WHATWG commit rev up to which we've merged.
Index: introduction.html
===================================================================
RCS file: /sources/public/html5/spec/introduction.html,v
retrieving revision 1.1266
retrieving revision 1.1267
diff -u -d -r1.1266 -r1.1267
--- introduction.html 14 Oct 2012 09:45:07 -0000 1.1266
+++ introduction.html 14 Oct 2012 13:44:48 -0000 1.1267
@@ -508,7 +508,7 @@
HTML, not HTML5; and other features are omitted because at the W3C
they are published as separate specifications. At time of publication
of this document, patches from the WHATWG spec have been merged until
- revision <a href="http://html5.org/r/7389">7389</a> inclusive.
+ revision <a href="http://html5.org/r/7436">7436</a> inclusive.
There are also some minor differences. For an exact list of differences,
please see the <a href="http://www.whatwg.org/specs/web-apps/current-work/multipage/introduction.html#how-do-the-whatwg-and-w3c-specifications-differ?">WHATWG specification</a>.</p>
Index: single-page.html
===================================================================
RCS file: /sources/public/html5/spec/single-page.html,v
retrieving revision 1.169
retrieving revision 1.170
diff -u -d -r1.169 -r1.170
--- single-page.html 14 Oct 2012 12:14:44 -0000 1.169
+++ single-page.html 14 Oct 2012 13:44:48 -0000 1.170
@@ -1579,7 +1579,7 @@
HTML, not HTML5; and other features are omitted because at the W3C
they are published as separate specifications. At time of publication
of this document, patches from the WHATWG spec have been merged until
- revision <a href="http://html5.org/r/7389">7389</a> inclusive.
+ revision <a href="http://html5.org/r/7436">7436</a> inclusive.
There are also some minor differences. For an exact list of differences,
please see the <a href="http://www.whatwg.org/specs/web-apps/current-work/multipage/introduction.html#how-do-the-whatwg-and-w3c-specifications-differ?">WHATWG specification</a>.</p>
@@ -27247,12 +27247,21 @@
<p class="warning">Setting both the <code title="attr-iframe-sandbox-allow-scripts"><a href="#attr-iframe-sandbox-allow-scripts">allow-scripts</a></code> and <code title="attr-iframe-sandbox-allow-same-origin"><a href="#attr-iframe-sandbox-allow-same-origin">allow-same-origin</a></code> keywords together when the
embedded page has the <a href="#same-origin">same origin</a> as the page containing the <code><a href="#the-iframe-element">iframe</a></code>
allows the embedded page to simply remove the <code title="attr-iframe-sandbox"><a href="#attr-iframe-sandbox">sandbox</a></code>
- attribute.</p>
+ attribute and then reload itself, effectively breaking out of the sandbox altogether.</p>
- <p class="warning">Sandboxing hostile content is of minimal help if an attacker can convince the
- user to just visit the hostile content directly, rather than in the <code><a href="#the-iframe-element">iframe</a></code>. To limit
- the damage that can be caused by hostile HTML content, it should be served from a separate
- dedicated domain.</p>
+ <p class="warning">These flags only take effect when the <a href="#nested-browsing-context">nested browsing context</a> of
+ the <code><a href="#the-iframe-element">iframe</a></code> is <a href="#navigate" title="navigate">navigated</a>. Removing them, or removing the
+ entire <code title="attr-iframe-sandbox"><a href="#attr-iframe-sandbox">sandbox</a></code> attribute, has no effect on an
+ already-loaded page.</p>
+
+ <p class="warning">Potentially hostile files should not be served from the same server as the file
+ containing the <code><a href="#the-iframe-element">iframe</a></code> element. Sandboxing hostile content is of minimal help if an
+ attacker can convince the user to just visit the hostile content directly, rather than in the
+ <code><a href="#the-iframe-element">iframe</a></code>. To limit the damage that can be caused by hostile HTML content, it should be
+ served from a separate dedicated domain. Using a different domain ensures that scripts in the
+ files are unable to attack the site, even if the user is tricked into visiting those pages
+ directly, without the protection of the <code title="attr-iframe-sandbox"><a href="#attr-iframe-sandbox">sandbox</a></code>
+ attribute.</p>
<div class="impl">
@@ -27263,16 +27272,18 @@
- block access to 'parent.frames' from sandbox
-->
- <p>While the <code title="attr-iframe-sandbox"><a href="#attr-iframe-sandbox">sandbox</a></code> attribute is set or changed, the
- user agent must <a href="#parse-a-sandboxing-directive" title="parse a sandboxing directive">parse the sandboxing directive</a>
- using the attribute's value as the <var title="">input</var> and the <code><a href="#the-iframe-element">iframe</a></code> element's
- <a href="#nested-browsing-context">nested browsing context</a>'s <a href="#iframe-sandboxing-flag-set"><code>iframe</code> sandboxing flag set</a> as the
- output.</p>
+ <p>When an <code><a href="#the-iframe-element">iframe</a></code> element with a <code title="attr-iframe-sandbox"><a href="#attr-iframe-sandbox">sandbox</a></code>
+ attribute has its <a href="#nested-browsing-context">nested browsing context</a> created (before the initial
+ <code><a href="#about:blank">about:blank</a></code> <code><a href="#document">Document</a></code> is created), and when an <code><a href="#the-iframe-element">iframe</a></code>
+ element's <code title="attr-iframe-sandbox"><a href="#attr-iframe-sandbox">sandbox</a></code> attribute is set or changed while it
+ has a <a href="#nested-browsing-context">nested browsing context</a>, the user agent must <a href="#parse-a-sandboxing-directive" title="parse a sandboxing
+ directive">parse the sandboxing directive</a> using the attribute's value as the <var title="">input</var> and the <code><a href="#the-iframe-element">iframe</a></code> element's <a href="#nested-browsing-context">nested browsing context</a>'s
+ <a href="#iframe-sandboxing-flag-set"><code>iframe</code> sandboxing flag set</a> as the output.</p>
- <p class="warning">These flags only take effect when the <a href="#nested-browsing-context">nested browsing context</a> of
- the <code><a href="#the-iframe-element">iframe</a></code> is <a href="#navigate" title="navigate">navigated</a>. Removing them, or removing the
- entire <code title="attr-iframe-sandbox"><a href="#attr-iframe-sandbox">sandbox</a></code> attribute, has no effect on an
- already-loaded page.</p>
+ <p>When an <code><a href="#the-iframe-element">iframe</a></code> element's <code title="attr-iframe-sandbox"><a href="#attr-iframe-sandbox">sandbox</a></code>
+ attribute is removed while it has a <a href="#nested-browsing-context">nested browsing context</a>, the user agent must
+ empty the <code><a href="#the-iframe-element">iframe</a></code> element's <a href="#nested-browsing-context">nested browsing context</a>'s
+ <a href="#iframe-sandboxing-flag-set"><code>iframe</code> sandboxing flag set</a> as the output.</p>
</div>
@@ -27338,20 +27349,7 @@
</div>
- <p class="note">Potentially hostile files should not be served from the same server as the file
- containing the <code><a href="#the-iframe-element">iframe</a></code> element. Using a different domain ensures that scripts in the
- files are unable to attack the site, even if the user is tricked into visiting those pages
- directly, without the protection of the <code title="attr-iframe-sandbox"><a href="#attr-iframe-sandbox">sandbox</a></code>
- attribute.</p>
-
- <p class="warning">If the <code title="attr-iframe-sandbox-allow-scripts"><a href="#attr-iframe-sandbox-allow-scripts">allow-scripts</a></code>
- keyword is set along with <code title="attr-iframe-sandbox-allow-same-origin"><a href="#attr-iframe-sandbox-allow-same-origin">allow-same-origin</a></code> keyword, and the file is
- from the <a href="#same-origin">same origin</a> as the <code><a href="#the-iframe-element">iframe</a></code>'s <code><a href="#document">Document</a></code>, then a
- script in the "sandboxed" iframe could just reach out, remove the <code title="attr-iframe-sandbox"><a href="#attr-iframe-sandbox">sandbox</a></code> attribute, and then reload itself, effectively breaking
- out of the sandbox altogether.</p>
-
-
- <hr> <!-- SEAMLESS -->
+ <hr><!-- SEAMLESS -->
<!-- v2: Might be interesting to have a value on seamless that allowed event propagation of some
sort, maybe based on the WICD work: http://www.w3.org/TR/WICD/ -->
@@ -58733,14 +58731,15 @@
<div class="impl">
- <p>When a <a href="#browsing-context">browsing context</a> is first created, it must be
- created with a single <code><a href="#document">Document</a></code> in its session history,
- whose <a href="#the-document's-address" title="the document's address">address</a> is
- <code><a href="#about:blank">about:blank</a></code>, which is marked as being an <a href="#html-documents" title="HTML documents">HTML document</a>, whose <a href="#document's-character-encoding" title="document's character encoding">character encoding</a> is
- UTF-8, and which is both <a href="#ready-for-post-load-tasks">ready for post-load tasks</a> and
- <a href="#completely-loaded">completely loaded</a> immediately. The
- <code><a href="#document">Document</a></code> must have a single child <code><a href="#the-html-element">html</a></code>
- node, which itself has a single child <code><a href="#the-body-element">body</a></code> node.</p>
+ <p>When a <a href="#browsing-context">browsing context</a> is first created, it must be created with a single
+ <code><a href="#document">Document</a></code> in its session history, whose <a href="#the-document's-address" title="the document's
+ address">address</a> is <code><a href="#about:blank">about:blank</a></code>, which is marked as being an <a href="#html-documents" title="HTML
+ documents">HTML document</a>, whose <a href="#document's-character-encoding" title="document's character encoding">character
+ encoding</a> is UTF-8, and which is both <a href="#ready-for-post-load-tasks">ready for post-load tasks</a> and
+ <a href="#completely-loaded">completely loaded</a> immediately. The <code><a href="#document">Document</a></code> must have a single child
+ <code><a href="#the-html-element">html</a></code> node, which itself has a single child <code><a href="#the-body-element">body</a></code> node. As soon as this
+ <code><a href="#document">Document</a></code> is created, the user agent must <a href="#implement-the-sandboxing">implement the sandboxing</a> for
+ it.</p>
<p class="note">If the <a href="#browsing-context">browsing context</a> is created
specifically to be immediately navigated, then that initial
@@ -61275,7 +61274,41 @@
<code><a href="#document">Document</a></code> is created, its <a href="#active-sandboxing-flag-set">active sandboxing flag
set</a> must be empty. It is populated by the <a href="#navigate" title="navigate">navigation algorithm</a>.</p>
+ <p>Every resource that is obtained by the <a href="#navigate" title="navigate">navigation algorithm</a> has a <dfn id="forced-sandboxing-flag-set">forced
+ sandboxing flag set</dfn>, which is a <a href="#sandboxing-flag-set">sandboxing flag
+ set</a>. A resource by default has no flags set in its
+ <a href="#forced-sandboxing-flag-set">forced sandboxing flag set</a>, but other
+ specifications can define that certain flags are set.</p>
+
+ <p class="note">In particular, the <a href="#forced-sandboxing-flag-set">forced sandboxing flag
+ set</a> is used by the Content Security Policy specification.
+ <a href="#refsCSP">[CSP]</a></p>
+
+ <hr>
+
+ <p>When a user agent is to <dfn id="implement-the-sandboxing">implement the sandboxing</dfn> for a <code><a href="#document">Document</a></code>, it
+ must populate <code><a href="#document">Document</a></code>'s <a href="#active-sandboxing-flag-set">active sandboxing flag set</a> with the union of
+ the flags that are present in the following <a href="#sandboxing-flag-set" title="sandboxing flag set">sandboxing flag
+ sets</a> at the time the <code><a href="#document">Document</a></code> object is created:</p>
+
+ <ul>
+
+ <li><p>If the <code><a href="#document">Document</a></code>'s <a href="#browsing-context">browsing context</a> is a <a href="#top-level-browsing-context">top-level browsing
+ context</a>, then: the flags set on the <a href="#browsing-context">browsing context</a>'s <a href="#popup-sandboxing-flag-set">popup sandboxing
+ flag set</a>.</p></li>
+
+ <li><p>If the <code><a href="#document">Document</a></code>'s <a href="#browsing-context">browsing context</a> is a <a href="#nested-browsing-context">nested browsing
+ context</a>, then: the flags set on the <a href="#browsing-context">browsing context</a>'s
+ <a href="#iframe-sandboxing-flag-set"><code>iframe</code> sandboxing flag set</a>.</p></li>
+ <li><p>If the <code><a href="#document">Document</a></code>'s <a href="#browsing-context">browsing context</a> is a <a href="#nested-browsing-context">nested browsing
+ context</a>, then: the flags set on the <a href="#browsing-context">browsing context</a>'s <a href="#parent-browsing-context">parent browsing
+ context</a>'s <a href="#active-document">active document</a>'s <a href="#active-sandboxing-flag-set">active sandboxing flag set</a>.</p></li>
+
+ <li><p>The flags set on the <code><a href="#document">Document</a></code>'s resource's <a href="#forced-sandboxing-flag-set">forced sandboxing flag
+ set</a>, if it has one.</p></li>
+
+ </ul>
<h3 id="history"><span class="secno">5.5 </span>Session history and navigation</h3>
@@ -62629,48 +62662,7 @@
<code><a href="#window">Window</a></code> object to point to the new
<code><a href="#document">Document</a></code>.</p>
- </li><li>
-
- <p>Populate <code><a href="#document">Document</a></code>'s <a href="#active-sandboxing-flag-set">active sandboxing flag
- set</a> with the union of the flags that are present in the
- following <a href="#sandboxing-flag-set" title="sandboxing flag set">sandboxing flag
- sets</a> at the time the <code><a href="#document">Document</a></code> object is
- created:</p>
-
- <ul>
-
- <li><p>If the <code><a href="#document">Document</a></code>'s <a href="#browsing-context">browsing
- context</a> is a <a href="#top-level-browsing-context">top-level browsing context</a>,
- then: the flags set on the <a href="#browsing-context">browsing context</a>'s
- <a href="#popup-sandboxing-flag-set">popup sandboxing flag set</a>.</p></li>
-
- <li><p>If the <code><a href="#document">Document</a></code>'s <a href="#browsing-context">browsing
- context</a> is a <a href="#nested-browsing-context">nested browsing context</a>, then:
- the flags set on the <a href="#browsing-context">browsing context</a>'s
- <a href="#iframe-sandboxing-flag-set"><code>iframe</code> sandboxing flag set</a>.</p></li>
-
- <li><p>If the <code><a href="#document">Document</a></code>'s <a href="#browsing-context">browsing
- context</a> is a <a href="#nested-browsing-context">nested browsing context</a>, then:
- the flags set on the <a href="#browsing-context">browsing context</a>'s <a href="#parent-browsing-context">parent
- browsing context</a>'s <a href="#active-document">active document</a>'s
- <a href="#active-sandboxing-flag-set">active sandboxing flag set</a>.</p></li>
-
- <li><p>The flags set on the resource's <a href="#forced-sandboxing-flag-set">forced sandboxing
- flag set</a>.</p></li>
-
- </ul>
-
- <p>Each resource obtained by this <a href="#navigate" title="navigate">navigation algorithm</a> has a <dfn id="forced-sandboxing-flag-set">forced
- sandboxing flag set</dfn>, which is a <a href="#sandboxing-flag-set">sandboxing flag
- set</a>. A resource by default has no flags set in its
- <a href="#forced-sandboxing-flag-set">forced sandboxing flag set</a>, but other
- specifications can define that certain flags are set.</p>
-
- <p class="note">In particular, the <a href="#forced-sandboxing-flag-set">forced sandboxing flag
- set</a> is used by the Content Security Policy specification.
- <a href="#refsCSP">[CSP]</a></p>
-
- </li>
+ </li><li><p><a href="#implement-the-sandboxing">Implement the sandboxing</a> for the <code><a href="#document">Document</a></code>.</p></li>
</ol>
Index: the-iframe-element.html
===================================================================
RCS file: /sources/public/html5/spec/the-iframe-element.html,v
retrieving revision 1.349
retrieving revision 1.350
diff -u -d -r1.349 -r1.350
--- the-iframe-element.html 14 Oct 2012 12:14:45 -0000 1.349
+++ the-iframe-element.html 14 Oct 2012 13:44:49 -0000 1.350
@@ -611,12 +611,21 @@
<p class="warning">Setting both the <code title="attr-iframe-sandbox-allow-scripts"><a href="textFieldSelection.html#attr-iframe-sandbox-allow-scripts">allow-scripts</a></code> and <code title="attr-iframe-sandbox-allow-same-origin"><a href="textFieldSelection.html#attr-iframe-sandbox-allow-same-origin">allow-same-origin</a></code> keywords together when the
embedded page has the <a href="textFieldSelection.html#same-origin">same origin</a> as the page containing the <code><a href="#the-iframe-element">iframe</a></code>
allows the embedded page to simply remove the <code title="attr-iframe-sandbox"><a href="#attr-iframe-sandbox">sandbox</a></code>
- attribute.</p>
+ attribute and then reload itself, effectively breaking out of the sandbox altogether.</p>
- <p class="warning">Sandboxing hostile content is of minimal help if an attacker can convince the
- user to just visit the hostile content directly, rather than in the <code><a href="#the-iframe-element">iframe</a></code>. To limit
- the damage that can be caused by hostile HTML content, it should be served from a separate
- dedicated domain.</p>
+ <p class="warning">These flags only take effect when the <a href="textFieldSelection.html#nested-browsing-context">nested browsing context</a> of
+ the <code><a href="#the-iframe-element">iframe</a></code> is <a href="textFieldSelection.html#navigate" title="navigate">navigated</a>. Removing them, or removing the
+ entire <code title="attr-iframe-sandbox"><a href="#attr-iframe-sandbox">sandbox</a></code> attribute, has no effect on an
+ already-loaded page.</p>
+
+ <p class="warning">Potentially hostile files should not be served from the same server as the file
+ containing the <code><a href="#the-iframe-element">iframe</a></code> element. Sandboxing hostile content is of minimal help if an
+ attacker can convince the user to just visit the hostile content directly, rather than in the
+ <code><a href="#the-iframe-element">iframe</a></code>. To limit the damage that can be caused by hostile HTML content, it should be
+ served from a separate dedicated domain. Using a different domain ensures that scripts in the
+ files are unable to attack the site, even if the user is tricked into visiting those pages
+ directly, without the protection of the <code title="attr-iframe-sandbox"><a href="#attr-iframe-sandbox">sandbox</a></code>
+ attribute.</p>
<div class="impl">
@@ -627,16 +636,18 @@
- block access to 'parent.frames' from sandbox
-->
- <p>While the <code title="attr-iframe-sandbox"><a href="#attr-iframe-sandbox">sandbox</a></code> attribute is set or changed, the
- user agent must <a href="textFieldSelection.html#parse-a-sandboxing-directive" title="parse a sandboxing directive">parse the sandboxing directive</a>
- using the attribute's value as the <var title="">input</var> and the <code><a href="#the-iframe-element">iframe</a></code> element's
- <a href="textFieldSelection.html#nested-browsing-context">nested browsing context</a>'s <a href="textFieldSelection.html#iframe-sandboxing-flag-set"><code>iframe</code> sandboxing flag set</a> as the
- output.</p>
+ <p>When an <code><a href="#the-iframe-element">iframe</a></code> element with a <code title="attr-iframe-sandbox"><a href="#attr-iframe-sandbox">sandbox</a></code>
+ attribute has its <a href="textFieldSelection.html#nested-browsing-context">nested browsing context</a> created (before the initial
+ <code><a href="urls.html#about:blank">about:blank</a></code> <code><a href="dom.html#document">Document</a></code> is created), and when an <code><a href="#the-iframe-element">iframe</a></code>
+ element's <code title="attr-iframe-sandbox"><a href="#attr-iframe-sandbox">sandbox</a></code> attribute is set or changed while it
+ has a <a href="textFieldSelection.html#nested-browsing-context">nested browsing context</a>, the user agent must <a href="textFieldSelection.html#parse-a-sandboxing-directive" title="parse a sandboxing
+ directive">parse the sandboxing directive</a> using the attribute's value as the <var title="">input</var> and the <code><a href="#the-iframe-element">iframe</a></code> element's <a href="textFieldSelection.html#nested-browsing-context">nested browsing context</a>'s
+ <a href="textFieldSelection.html#iframe-sandboxing-flag-set"><code>iframe</code> sandboxing flag set</a> as the output.</p>
- <p class="warning">These flags only take effect when the <a href="textFieldSelection.html#nested-browsing-context">nested browsing context</a> of
- the <code><a href="#the-iframe-element">iframe</a></code> is <a href="textFieldSelection.html#navigate" title="navigate">navigated</a>. Removing them, or removing the
- entire <code title="attr-iframe-sandbox"><a href="#attr-iframe-sandbox">sandbox</a></code> attribute, has no effect on an
- already-loaded page.</p>
+ <p>When an <code><a href="#the-iframe-element">iframe</a></code> element's <code title="attr-iframe-sandbox"><a href="#attr-iframe-sandbox">sandbox</a></code>
+ attribute is removed while it has a <a href="textFieldSelection.html#nested-browsing-context">nested browsing context</a>, the user agent must
+ empty the <code><a href="#the-iframe-element">iframe</a></code> element's <a href="textFieldSelection.html#nested-browsing-context">nested browsing context</a>'s
+ <a href="textFieldSelection.html#iframe-sandboxing-flag-set"><code>iframe</code> sandboxing flag set</a> as the output.</p>
</div>
@@ -702,19 +713,6 @@
</div>
- <p class="note">Potentially hostile files should not be served from the same server as the file
- containing the <code><a href="#the-iframe-element">iframe</a></code> element. Using a different domain ensures that scripts in the
- files are unable to attack the site, even if the user is tricked into visiting those pages
- directly, without the protection of the <code title="attr-iframe-sandbox"><a href="#attr-iframe-sandbox">sandbox</a></code>
- attribute.</p>
-
- <p class="warning">If the <code title="attr-iframe-sandbox-allow-scripts"><a href="textFieldSelection.html#attr-iframe-sandbox-allow-scripts">allow-scripts</a></code>
- keyword is set along with <code title="attr-iframe-sandbox-allow-same-origin"><a href="textFieldSelection.html#attr-iframe-sandbox-allow-same-origin">allow-same-origin</a></code> keyword, and the file is
- from the <a href="textFieldSelection.html#same-origin">same origin</a> as the <code><a href="#the-iframe-element">iframe</a></code>'s <code><a href="dom.html#document">Document</a></code>, then a
- script in the "sandboxed" iframe could just reach out, remove the <code title="attr-iframe-sandbox"><a href="#attr-iframe-sandbox">sandbox</a></code> attribute, and then reload itself, effectively breaking
- out of the sandbox altogether.</p>
-
-
<hr><!-- SEAMLESS --><!-- v2: Might be interesting to have a value on seamless that allowed event propagation of some
sort, maybe based on the WICD work: http://www.w3.org/TR/WICD/ --><p>The <dfn id="attr-iframe-seamless" title="attr-iframe-seamless"><code>seamless</code></dfn> attribute is a <a href="common-microsyntaxes.html#boolean-attribute">boolean
attribute</a>. When specified, it indicates that the <code><a href="#the-iframe-element">iframe</a></code> element's
Index: textFieldSelection.html
===================================================================
RCS file: /sources/public/html5/spec/textFieldSelection.html,v
retrieving revision 1.206
retrieving revision 1.207
diff -u -d -r1.206 -r1.207
--- textFieldSelection.html 14 Oct 2012 12:14:45 -0000 1.206
+++ textFieldSelection.html 14 Oct 2012 13:44:49 -0000 1.207
@@ -6529,14 +6529,15 @@
<div class="impl">
- <p>When a <a href="#browsing-context">browsing context</a> is first created, it must be
- created with a single <code><a href="dom.html#document">Document</a></code> in its session history,
- whose <a href="dom.html#the-document's-address" title="the document's address">address</a> is
- <code><a href="urls.html#about:blank">about:blank</a></code>, which is marked as being an <a href="infrastructure.html#html-documents" title="HTML documents">HTML document</a>, whose <a href="infrastructure.html#document's-character-encoding" title="document's character encoding">character encoding</a> is
- UTF-8, and which is both <a href="#ready-for-post-load-tasks">ready for post-load tasks</a> and
- <a href="#completely-loaded">completely loaded</a> immediately. The
- <code><a href="dom.html#document">Document</a></code> must have a single child <code><a href="the-html-element.html#the-html-element">html</a></code>
- node, which itself has a single child <code><a href="the-body-element.html#the-body-element">body</a></code> node.</p>
+ <p>When a <a href="#browsing-context">browsing context</a> is first created, it must be created with a single
+ <code><a href="dom.html#document">Document</a></code> in its session history, whose <a href="dom.html#the-document's-address" title="the document's
+ address">address</a> is <code><a href="urls.html#about:blank">about:blank</a></code>, which is marked as being an <a href="infrastructure.html#html-documents" title="HTML
+ documents">HTML document</a>, whose <a href="infrastructure.html#document's-character-encoding" title="document's character encoding">character
+ encoding</a> is UTF-8, and which is both <a href="#ready-for-post-load-tasks">ready for post-load tasks</a> and
+ <a href="#completely-loaded">completely loaded</a> immediately. The <code><a href="dom.html#document">Document</a></code> must have a single child
+ <code><a href="the-html-element.html#the-html-element">html</a></code> node, which itself has a single child <code><a href="the-body-element.html#the-body-element">body</a></code> node. As soon as this
+ <code><a href="dom.html#document">Document</a></code> is created, the user agent must <a href="#implement-the-sandboxing">implement the sandboxing</a> for
+ it.</p>
<p class="note">If the <a href="#browsing-context">browsing context</a> is created
specifically to be immediately navigated, then that initial
@@ -8883,9 +8884,37 @@
<code><a href="dom.html#document">Document</a></code> is created, its <a href="#active-sandboxing-flag-set">active sandboxing flag
set</a> must be empty. It is populated by the <a href="#navigate" title="navigate">navigation algorithm</a>.</p>
+ <p>Every resource that is obtained by the <a href="#navigate" title="navigate">navigation algorithm</a> has a <dfn id="forced-sandboxing-flag-set">forced
+ sandboxing flag set</dfn>, which is a <a href="#sandboxing-flag-set">sandboxing flag
+ set</a>. A resource by default has no flags set in its
+ <a href="#forced-sandboxing-flag-set">forced sandboxing flag set</a>, but other
+ specifications can define that certain flags are set.</p>
+ <p class="note">In particular, the <a href="#forced-sandboxing-flag-set">forced sandboxing flag
+ set</a> is used by the Content Security Policy specification.
+ <a href="#refsCSP">[CSP]</a></p>
- <h3 id="history"><span class="secno">5.5 </span>Session history and navigation</h3>
+ <hr><p>When a user agent is to <dfn id="implement-the-sandboxing">implement the sandboxing</dfn> for a <code><a href="dom.html#document">Document</a></code>, it
+ must populate <code><a href="dom.html#document">Document</a></code>'s <a href="#active-sandboxing-flag-set">active sandboxing flag set</a> with the union of
+ the flags that are present in the following <a href="#sandboxing-flag-set" title="sandboxing flag set">sandboxing flag
+ sets</a> at the time the <code><a href="dom.html#document">Document</a></code> object is created:</p>
+
+ <ul><li><p>If the <code><a href="dom.html#document">Document</a></code>'s <a href="#browsing-context">browsing context</a> is a <a href="#top-level-browsing-context">top-level browsing
+ context</a>, then: the flags set on the <a href="#browsing-context">browsing context</a>'s <a href="#popup-sandboxing-flag-set">popup sandboxing
+ flag set</a>.</p></li>
+
+ <li><p>If the <code><a href="dom.html#document">Document</a></code>'s <a href="#browsing-context">browsing context</a> is a <a href="#nested-browsing-context">nested browsing
+ context</a>, then: the flags set on the <a href="#browsing-context">browsing context</a>'s
+ <a href="#iframe-sandboxing-flag-set"><code>iframe</code> sandboxing flag set</a>.</p></li>
+
+ <li><p>If the <code><a href="dom.html#document">Document</a></code>'s <a href="#browsing-context">browsing context</a> is a <a href="#nested-browsing-context">nested browsing
+ context</a>, then: the flags set on the <a href="#browsing-context">browsing context</a>'s <a href="#parent-browsing-context">parent browsing
+ context</a>'s <a href="#active-document">active document</a>'s <a href="#active-sandboxing-flag-set">active sandboxing flag set</a>.</p></li>
+
+ <li><p>The flags set on the <code><a href="dom.html#document">Document</a></code>'s resource's <a href="#forced-sandboxing-flag-set">forced sandboxing flag
+ set</a>, if it has one.</p></li>
+
+ </ul><h3 id="history"><span class="secno">5.5 </span>Session history and navigation</h3>
<h4 id="the-session-history-of-browsing-contexts"><span class="secno">5.5.1 </span>The session history of browsing contexts</h4>
@@ -10176,44 +10205,7 @@
<code><a href="#window">Window</a></code> object to point to the new
<code><a href="dom.html#document">Document</a></code>.</p>
- </li><li>
-
- <p>Populate <code><a href="dom.html#document">Document</a></code>'s <a href="#active-sandboxing-flag-set">active sandboxing flag
- set</a> with the union of the flags that are present in the
- following <a href="#sandboxing-flag-set" title="sandboxing flag set">sandboxing flag
- sets</a> at the time the <code><a href="dom.html#document">Document</a></code> object is
- created:</p>
-
- <ul><li><p>If the <code><a href="dom.html#document">Document</a></code>'s <a href="#browsing-context">browsing
- context</a> is a <a href="#top-level-browsing-context">top-level browsing context</a>,
- then: the flags set on the <a href="#browsing-context">browsing context</a>'s
- <a href="#popup-sandboxing-flag-set">popup sandboxing flag set</a>.</p></li>
-
- <li><p>If the <code><a href="dom.html#document">Document</a></code>'s <a href="#browsing-context">browsing
- context</a> is a <a href="#nested-browsing-context">nested browsing context</a>, then:
- the flags set on the <a href="#browsing-context">browsing context</a>'s
- <a href="#iframe-sandboxing-flag-set"><code>iframe</code> sandboxing flag set</a>.</p></li>
-
- <li><p>If the <code><a href="dom.html#document">Document</a></code>'s <a href="#browsing-context">browsing
- context</a> is a <a href="#nested-browsing-context">nested browsing context</a>, then:
- the flags set on the <a href="#browsing-context">browsing context</a>'s <a href="#parent-browsing-context">parent
- browsing context</a>'s <a href="#active-document">active document</a>'s
- <a href="#active-sandboxing-flag-set">active sandboxing flag set</a>.</p></li>
-
- <li><p>The flags set on the resource's <a href="#forced-sandboxing-flag-set">forced sandboxing
- flag set</a>.</p></li>
-
- </ul><p>Each resource obtained by this <a href="#navigate" title="navigate">navigation algorithm</a> has a <dfn id="forced-sandboxing-flag-set">forced
- sandboxing flag set</dfn>, which is a <a href="#sandboxing-flag-set">sandboxing flag
- set</a>. A resource by default has no flags set in its
- <a href="#forced-sandboxing-flag-set">forced sandboxing flag set</a>, but other
- specifications can define that certain flags are set.</p>
-
- <p class="note">In particular, the <a href="#forced-sandboxing-flag-set">forced sandboxing flag
- set</a> is used by the Content Security Policy specification.
- <a href="#refsCSP">[CSP]</a></p>
-
- </li>
+ </li><li><p><a href="#implement-the-sandboxing">Implement the sandboxing</a> for the <code><a href="dom.html#document">Document</a></code>.</p></li>
</ol></li>
Received on Sunday, 14 October 2012 13:44:54 UTC