
spec/Overview.html 1.1994 2823 Scripting being disabled didn't always b

From: poot <cvsmail@w3.org>
Date: Sat, 14 Feb 2009 08:17:09 +0900 (JST)
To: public-html-diffs@w3.org
Message-Id: <20090213231710.00F132BC14@toro.w3.mag.keio.ac.jp>

Scripting being disabled didn't always block all scripts from being
compiled. (whatwg r2823)

allow-scripts
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1994.html#attr-iframe-sandbox-allow-scripts
frameset-ok flag
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1994.html#frameset-ok-flag
5.5.5 The javascript: protocol
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1994.html#javascript-protocol
5.5.3.3 Creating scripts
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1994.html#creating-scripts
form element pointer
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1994.html#form-element-pointer
8.2.4 Tokenization
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1994.html#tokenization
5.5.6 Events
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1994.html#events
8.2.3.5 Other parsing state flags
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1994.html#other-parsing-state-flags
Event handler content attributes
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1994.html#event-handler-content-attributes

http://people.w3.org/mike/diffs/html5/spec/Overview.diff.html
http://dev.w3.org/cvsweb/html5/spec/Overview.html?r1=1.1993&r2=1.1994&f=h
http://html5.org/tools/web-apps-tracker?from=2822&to=2823

===================================================================
RCS file: /sources/public/html5/spec/Overview.html,v
retrieving revision 1.1993
retrieving revision 1.1994
diff -u -d -r1.1993 -r1.1994
--- Overview.html	13 Feb 2009 21:12:34 -0000	1.1993
+++ Overview.html	13 Feb 2009 23:13:29 -0000	1.1994
@@ -13743,6 +13743,14 @@
     <p>This flag <a href=#sandboxScriptBlocked>blocks script
     execution</a>.</p>
 
+    <p class=warning>If the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute is
+    dynamically added after the <code><a href=#the-iframe-element>iframe</a></code> has loaded a page,
+    scripts already compiled by that page (whether in
+    <code><a href=#script>script</a></code> elements, or in <a href=#event-handler-attributes-0>event handler
+    attributes</a>, or elsewhere) will continue to run. Only
+    <em>new</em> scripts will be prevented from executing by this
+    flag.</p>
+
    </dd>
 
   </dl><p>These flags must not be set unless the conditions listed above
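
Review bot: "Only new scripts will be prevented from executing" in the added warning leaves "new" undefined: it could mean scripts compiled after the sandbox attribute is added, or scripts in pages loaded afterwards. Since the paragraph already says scripts "already compiled" keep running, suggest wording the last sentence as scripts not yet compiled when the attribute is added, and replacing "or elsewhere" with a complete list or a reference to the place where scripts are created. As written, an author can still come away thinking that adding sandbox to a loaded iframe stops its scripts.
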
@@ -29074,7 +29082,12 @@
   </ol><p>This algorithm is not invoked by one script calling another.<h5 id=creating-scripts><span class=secno>5.5.3.3 </span>Creating scripts</h5><p>When the specification says that a <a href=#concept-script title=concept-script>script</a> is to be <dfn id=create-a-script title="create a
   script">created</dfn>, given some script source, its scripting
   language, a global object, a browsing context, a character encoding,
-  and a base URL, the user agent must run the following steps:<ol><li><p>Set up a <a href=#script-execution-environment>script execution environment</a> as
+  and a base URL, the user agent must run the following steps:<ol><li><p>If <a href=#concept-bc-noscript title=concept-bc-noscript>scripting is
+   disabled</a> for <a href=#browsing-context>browsing context</a> passed to this
+   algorithm, then abort these steps, as if the script did nothing but
+   return void.</p>
+
+   <li><p>Set up a <a href=#script-execution-environment>script execution environment</a> as
    appropriate for the scripting language.</li>
 
    <li><p>Parse/compile/initialize the source of the script using the
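
Review bot: The new first step reads "for browsing context passed to this algorithm" and is missing "the" before "browsing context". The step also mixes two outcomes: "abort these steps" means no script is created, while "as if the script did nothing but return void" describes a script that exists and returns a value. Callers that use the return value need one of these stated explicitly, for example that the algorithm yields a script whose result is void.
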
@@ -29313,7 +29326,8 @@
 
       <p>Let <var title="">result</var> be the return value of the
       <i><a href=#initial-code-entry-point>initial code entry-point</a></i> of this <a href=#concept-script title=concept-script>script</a>. If an exception was
-      raised, let <var title="">result</var> be void instead.</p>
+      raised, let <var title="">result</var> be void instead. (The
+      result will be void also if <a href=#concept-bc-noscript title=concept-bc-noscript>scripting is disabled</a>.)</p>
 
       <p>When it comes time to <a href=#set-the-document-s-address>set the document's address</a>
       in the <a href=#navigate title=navigate>navigation algorithm</a>, use
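
Review bot: The added parenthetical "(The result will be void also if scripting is disabled.)" states an outcome without saying which step produces it. Suggest linking it to the create-a-script steps (#create-a-script) as well as to #concept-bc-noscript, so the reader can see that the void result follows from the script never being compiled and not from a separate rule in this section.
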
@@ -29336,7 +29350,8 @@
 
       <p>Let <var title="">result</var> be the return value of the
       <i><a href=#initial-code-entry-point>initial code entry-point</a></i> of this <a href=#concept-script title=concept-script>script</a>. If an exception was
-      raised, let <var title="">result</var> be void instead.</p>
+      raised, let <var title="">result</var> be void instead. (The
+      result will be void also if <a href=#concept-bc-noscript title=concept-bc-noscript>scripting is disabled</a>.)</p>
 
      </dd>
 
@@ -29384,10 +29399,7 @@
    <a href=#browsing-context>browsing context</a>'s document, thus changing the
    variables visible in that <a href=#browsing-context>browsing context</a>.</p>
 
-  </div><p class=note>The rules for <a href=#create-a-script title="create a script">creating
-  a script</a> include making the script not execute (and just
-  return void) in certain cases, e.g. in a sandbox or when the user
-  has disabled scripting altogether.<h4 id=events><span class=secno>5.5.6 </span>Events</h4><h5 id=event-handler-attributes><span class=secno>5.5.6.1 </span>Event handler attributes</h5><!--test: <a href="http://software.hixie.ch/utilities/js/live-dom-viewer/?%3C!DOCTYPE%20html%3E%0A...%3Cscript%3E%0Aw(a%3Ddocument.implementation.createDocument(null%2C%20null%2C%20null))%3B%0Aw(a.appendChild(a.createElementNS('http%3A%2F%2Fwww.w3.org%2F1999%2Fxhtml'%2C%20'html')))%3B%0Aw(b%3Da.firstChild.appendChild(a.createElementNS('http%3A%2F%2Fwww.w3.org%2F1999%2Fxhtml'%2C%20'body')))%3B%0Aw(b.test%20%3D%20w)%3B%0Aw(b.setAttribute('onclick'%2C%20'test(%22fire%3A%20%22%20%2B%20event)'))%3B%0Aw(b.onclick)%3B%0Aw(e%3Da.createEvent('Event'))%3B%0Aw(e.initEvent('click'%2C%20false%2C%20false))%3B%0Aw(b.dispatchEvent(e))%3B%0A%3C%2Fscript%3E">test</a>--><p>Many objects can have <dfn id=event-handler-attributes-0>event handler attributes</dfn>
+  </div><h4 id=events><span class=secno>5.5.6 </span>Events</h4><h5 id=event-handler-attributes><span class=secno>5.5.6.1 </span>Event handler attributes</h5><!--test: <a href="http://software.hixie.ch/utilities/js/live-dom-viewer/?%3C!DOCTYPE%20html%3E%0A...%3Cscript%3E%0Aw(a%3Ddocument.implementation.createDocument(null%2C%20null%2C%20null))%3B%0Aw(a.appendChild(a.createElementNS('http%3A%2F%2Fwww.w3.org%2F1999%2Fxhtml'%2C%20'html')))%3B%0Aw(b%3Da.firstChild.appendChild(a.createElementNS('http%3A%2F%2Fwww.w3.org%2F1999%2Fxhtml'%2C%20'body')))%3B%0Aw(b.test%20%3D%20w)%3B%0Aw(b.setAttribute('onclick'%2C%20'test(%22fire%3A%20%22%20%2B%20event)'))%3B%0Aw(b.onclick)%3B%0Aw(e%3Da.createEvent('Event'))%3B%0Aw(e.initEvent('click'%2C%20false%2C%20false))%3B%0Aw(b.dispatchEvent(e))%3B%0A%3C%2Fscript%3E">test</a>--><p>Many objects can have <dfn id=event-handler-attributes-0>event handler attributes</dfn>
   specified. These act as bubbling event listeners for the element on
   which they are specified.<p>An <a href=#event-handler-attributes-0 title="event handler attributes">event handler
   attribute</a>, unless otherwise specified, can either have the
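
Review bot: Removing the note also drops its examples of when a script does not execute ("in a sandbox or when the user has disabled scripting altogether"). The step that replaces it in 5.5.3.3 only says "scripting is disabled" via #concept-bc-noscript, so it is worth confirming that definition names both the sandbox case and the user-preference case, or keeping the examples as a note next to the new step.
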
@@ -29406,9 +29418,10 @@
   <code><a href=#messageport>MessagePort</a></code> objects.</p><hr><p><dfn id=event-handler-content-attributes>Event handler content attributes</dfn>, when specified, must
   contain valid ECMAScript code matching the ECMAScript <code title="">FunctionBody</code> production. <a href=#references>[ECMA262]</a></p><!-- SCRIPT EXEC --><p>When an event handler content attribute is set, if the element is
   owned by a <code>Document</code> that is in a <a href=#browsing-context>browsing
-  context</a>, the user agent must run the following steps to
-  create a <a href=#concept-script title=concept-script>script</a> after setting
-  the content attribute to its new value:<ol><li><p>Set up a <a href=#script-execution-environment>script execution environment</a> for
+  context</a>, and <a href=#concept-bc-script title=concept-bc-script>scripting is
+  enabled</a> for that <a href=#browsing-context>browsing context</a>, the user
+  agent must run the following steps to create a <a href=#concept-script title=concept-script>script</a> after setting the content
+  attribute to its new value:<ol><li><p>Set up a <a href=#script-execution-environment>script execution environment</a> for
    JavaScript.</li>
 
    <li>
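
Review bot: The new condition "and scripting is enabled for that browsing context" is evaluated only when the content attribute is set, and the text does not say what happens to an attribute that was set while scripting was disabled if scripting is enabled later. Suggest stating whether the handler stays uncompiled in that case. This guard also links #concept-bc-script while the new step in "Creating scripts" links #concept-bc-noscript; if the two are exact opposites, a note saying so would help readers compare the two checks.
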
@@ -39731,7 +39744,7 @@
   points to the last <code><a href=#the-form-element>form</a></code> element that was opened and
   whose end tag has not yet been seen. It is used to make form
   controls associate with forms in the face of dramatically bad
-  markup, for historical reasons.<h5 id=other-parsing-state-flags><span class=secno>8.2.3.5 </span>Other parsing state flags</h5><p>The <dfn id=scripting-flag>scripting flag</dfn> is set to "enabled" if the <a href=#concept-n-script title=concept-n-script>scripting was enabled</a> for the
+  markup, for historical reasons.<h5 id=other-parsing-state-flags><span class=secno>8.2.3.5 </span>Other parsing state flags</h5><p>The <dfn id=scripting-flag>scripting flag</dfn> is set to "enabled" if <a href=#concept-n-script title=concept-n-script>scripting was enabled</a> for the
   <code>Document</code> with which the parser is associated when the
   parser was created, and "disabled" otherwise.<p>The <dfn id=frameset-ok-flag>frameset-ok flag</dfn> is set to "ok" when the parser is
   created. It is set to "not ok" after certain tokens are seen.<h4 id=tokenization><span class=secno>8.2.4 </span><dfn>Tokenization</dfn></h4><p>Implementations must act as if they used the following state
Received on Friday, 13 February 2009 23:17:45 GMT
