W3C home > Mailing lists > Public > public-html-diffs@w3.org > February 2009

spec/Overview.html 1.1995 2824 Clarify that sandbox's origin features o

From: poot <cvsmail@w3.org>
Date: Sat, 14 Feb 2009 08:22:28 +0900 (JST)
To: public-html-diffs@w3.org
Message-Id: <20090213232228.D051A2BC4B@toro.w3.mag.keio.ac.jp>

Clarify that sandbox's origin features only take effect at navigation.
(whatwg r2824)

5.4 Origin
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1995.html#origin
allow-same-origin
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1995.html#attr-iframe-sandbox-allow-same-origin
On getting, if the document is not associated with a browsing context then the user agent must raise an INVALID_STATE_ERR exception. Otherwise, if the sandboxed origin browsing context flag was set on the browsing context of the Document when the Document was created, the user agent must raise a SECURITY_ERR exception. Otherwise, if the document's address does not use a server-based naming authority, it must return the empty string. Otherwise, it must return the same string as the value of the Cookie HTTP header it would include if fetching the resource indicated by the document's address over HTTP, as per RFC 2109 section 4.3.4 or later specifications, excluding HTTP-only cookies. [RFC2109] [RFC2965]
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1995.html#sandboxCookies
If a Document is in a browsing context whose sandboxed origin browsing context flag was set when the Document was created
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1995.html#sandboxOrigin

http://people.w3.org/mike/diffs/html5/spec/Overview.diff.html
http://dev.w3.org/cvsweb/html5/spec/Overview.html?r1=1.1994&r2=1.1995&f=h
http://html5.org/tools/web-apps-tracker?from=2823&to=2824

===================================================================
RCS file: /sources/public/html5/spec/Overview.html,v
retrieving revision 1.1994
retrieving revision 1.1995
diff -u -d -r1.1994 -r1.1995
--- Overview.html	13 Feb 2009 23:13:29 -0000	1.1994
+++ Overview.html	13 Feb 2009 23:18:45 -0000	1.1995
@@ -5370,9 +5370,10 @@
   attribute represents the cookies of the resource.<p id=sandboxCookies>On getting, if the document is not associated
   with a <a href=#browsing-context>browsing context</a> then the user agent must raise
   an <code><a href=#invalid_state_err>INVALID_STATE_ERR</a></code> exception. Otherwise, if the
-  <a href=#sandboxed-origin-browsing-context-flag>sandboxed origin browsing context flag</a> is set on the
-  <a href=#browsing-context>browsing context</a> of the document, the user agent must
-  raise a <code><a href=#security_err>SECURITY_ERR</a></code> exception. Otherwise, if <a href=#the-document-s-address>the
+  <a href=#sandboxed-origin-browsing-context-flag>sandboxed origin browsing context flag</a> was set on the
+  <a href=#browsing-context>browsing context</a> of the <code>Document</code> when the
+  <code>Document</code> was created, the user agent must raise a
+  <code><a href=#security_err>SECURITY_ERR</a></code> exception. Otherwise, if <a href=#the-document-s-address>the
   document's address</a> does not use a server-based naming
   authority, it must return the empty string. Otherwise, it must
   return the same string as the value of the <code title="">Cookie</code> HTTP header it would include if <a href=#fetch title=fetch>fetching</a> the resource indicated by <a href=#the-document-s-address>the
@@ -5380,9 +5381,10 @@
   or later specifications, excluding HTTP-only cookies. <a href=#references>[RFC2109]</a> <a href=#references>[RFC2965]</a><p>On setting, if the document is not associated with a
   <a href=#browsing-context>browsing context</a> then the user agent must raise an
   <code><a href=#invalid_state_err>INVALID_STATE_ERR</a></code> exception. Otherwise, if the
-  <a href=#sandboxed-origin-browsing-context-flag>sandboxed origin browsing context flag</a> is set on the
-  <a href=#browsing-context>browsing context</a> of the document, the user agent must
-  raise a <code><a href=#security_err>SECURITY_ERR</a></code> exception. Otherwise, if <a href=#the-document-s-address>the
+  <a href=#sandboxed-origin-browsing-context-flag>sandboxed origin browsing context flag</a> was set on the
+  <a href=#browsing-context>browsing context</a> of the <code>Document</code> when the
+  <code>Document</code> was created, the user agent must raise a
+  <code><a href=#security_err>SECURITY_ERR</a></code> exception. Otherwise, if <a href=#the-document-s-address>the
   document's address</a> does not use a server-based naming
   authority, it must do nothing. Otherwise, the user agent must act as
   it would when processing cookies if it had just attempted to
@@ -13715,6 +13717,10 @@
 
     </div>
 
+    <p class=warning>This flag only takes effect when the
+    <a href=#nested-browsing-context>nested browsing context</a> of the <code><a href=#the-iframe-element>iframe</a></code> is
+    <a href=#navigate title=navigate>navigated</a>.</p>
+
    </dd>
 
 
@@ -28669,7 +28675,8 @@
 
     <dl class=switch><dt id=sandboxOrigin>If a <code>Document</code> is in a
      <a href=#browsing-context>browsing context</a> whose <a href=#sandboxed-origin-browsing-context-flag>sandboxed origin
-     browsing context flag</a> is set</dt>
+     browsing context flag</a> was set when the
+     <code>Document</code> was created</dt>
 
      <dd>The <a href=#origin-0>origin</a> is a globally unique identifier
      assigned when the <code>Document</code> is created.</dd>
Received on Friday, 13 February 2009 23:23:05 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Saturday, 18 December 2010 06:13:58 GMT