hixie: Make <iframe sandbox> also block autoplay, autofocus, and meta refresh. (whatwg r4982)

hixie: Make <iframe sandbox> also block autoplay, autofocus, and meta
refresh. (whatwg r4982)

http://dev.w3.org/cvsweb/html5/spec/Overview.html?r1=1.4002&r2=1.4003&f=h
http://html5.org/tools/web-apps-tracker?from=4981&to=4982

===================================================================
RCS file: /sources/public/html5/spec/Overview.html,v
retrieving revision 1.4002
retrieving revision 1.4003
diff -u -d -r1.4002 -r1.4003
--- Overview.html 6 Apr 2010 09:01:50 -0000 1.4002
+++ Overview.html 7 Apr 2010 05:10:32 -0000 1.4003
@@ -285,7 +285,7 @@
    <h1>HTML5</h1>
    <h2 class="no-num no-toc" id="a-vocabulary-and-associated-apis-for-html-and-xhtml">A vocabulary and associated APIs for HTML and XHTML</h2>
 
-   <h2 class="no-num no-toc" id="editor-s-draft-6-april-2010">Editor's Draft 6 April 2010</h2>
+   <h2 class="no-num no-toc" id="editor-s-draft-7-april-2010">Editor's Draft 7 April 2010</h2>
    <dl><dt>Latest Published Version:</dt>
     <dd><a href="http://www.w3.org/TR/html5/">http://www.w3.org/TR/html5/</a></dd>
     <dt>Latest Editor's Draft:</dt>
@@ -392,7 +392,7 @@
   specification's progress along the W3C Recommendation
   track.
 
-  This specification is the 6 April 2010 Editor's Draft.
+  This specification is the 7 April 2010 Editor's Draft.
   </p><!-- UNDER NO CIRCUMSTANCES IS THE PRECEDING PARAGRAPH TO BE REMOVED OR EDITED WITHOUT TALKING TO IAN FIRST --><!-- relationship to other work (required) --><p>The contents of this specification are also part of <a href="http://www.whatwg.org/specs/web-apps/current-work/multipage/">a
   specification</a> published by the <a href="http://www.whatwg.org/">WHATWG</a>, which is available under a
   license that permits reuse of the specification text.</p><!-- UNDER NO CIRCUMSTANCES IS THE FOLLOWING PARAGRAPH TO BE REMOVED OR EDITED WITHOUT TALKING TO IAN FIRST --><!-- required patent boilerplate --><p>This document was produced by a group operating under the <a href="http://www.w3.org/Consortium/Patent-Policy-20040205/">5
@@ -11112,9 +11112,14 @@
 
       <ul><li><p>Set a timer so that in <var title="">time</var> seconds,
        adjusted to take into account user or user agent preferences,
-       if the user has not canceled the redirect, the user agent <a href="#navigate" title="navigate">navigates</a> the document's browsing
-       context to <var title="">url</var>, with <a href="#replacement-enabled">replacement
-       enabled</a>, and with the document's browsing context as the
+       if the user has not canceled the redirect and if the
+       <code><a href="#meta">meta</a></code> element's <code><a href="#document">Document</a></code>'s
+       <a href="#browsing-context">browsing context</a> did not have the <a href="#sandboxed-automatic-features-browsing-context-flag">sandboxed
+       automatic features browsing context flag</a> set when the
+       <code><a href="#document">Document</a></code> was created, the user agent <a href="#navigate" title="navigate">navigates</a> the <code><a href="#document">Document</a></code>'s
+       <a href="#browsing-context">browsing context</a> to <var title="">url</var>, with
+       <a href="#replacement-enabled">replacement enabled</a>, and with the
+       <code><a href="#document">Document</a></code>'s <a href="#browsing-context">browsing context</a> as the
        <a href="#source-browsing-context">source browsing context</a>.</li>
 
        <li><p>Provide the user with an interface that, when selected,
@@ -18356,6 +18361,26 @@
 
    </dd>
 
+
+   <dt>The <dfn id="sandboxed-automatic-features-browsing-context-flag">sandboxed automatic features browsing context
+   flag</dfn>, unless the <code title="attr-iframe-sandbox"><a href="#attr-iframe-sandbox">sandbox</a></code> attribute's value, when
+   <a href="#split-a-string-on-spaces" title="split a string on spaces">split on spaces</a>, is
+   found to have the <code title="attr-iframe-sandbox-allow-scripts"><a href="#attr-iframe-sandbox-allow-scripts">allow-scripts</a></code>
+   keyword (defined above) set</dt>
+
+   <dd>
+
+    <p>This flag blocks features that trigger automatically, such as
+    <a href="#attr-media-autoplay" title="attr-media-autoplay">automatically playing a
+    video</a> or <a href="#attr-fe-autofocus" title="attr-fe-autofocus">automatically
+    focusing a form control</a>. It is relaxed by the same flag as
+    scripts, because when scripts are enabled these features are
+    trivially possible anyway, and it would be unfortunate to force
+    authors to use script to do them when sandboxed rather than
+    allowing them to use the declarative features.</p>
+
+   </dd>
+
   </dl><p>These flags must not be set unless the conditions listed above
   define them as being set.</p>
 
@@ -21426,10 +21451,14 @@
 
     <p>If the <a href="#autoplaying-flag">autoplaying flag</a> is true, and the <code title="dom-media-paused"><a href="#dom-media-paused">paused</a></code> attribute is true, and the
     <a href="#media-element">media element</a> has an <code title="attr-media-autoplay"><a href="#attr-media-autoplay">autoplay</a></code> attribute specified,
-    then the user agent may also set the <code title="dom-media-paused"><a href="#dom-media-paused">paused</a></code> attribute to false,
+    and the <a href="#media-element">media element</a> is in a <code><a href="#document">Document</a></code>
+    whose <a href="#browsing-context">browsing context</a> did not have the
+    <a href="#sandboxed-automatic-features-browsing-context-flag">sandboxed automatic features browsing context flag</a>
+    set when the <code><a href="#document">Document</a></code> was created, then the user
+    agent may also set the <code title="dom-media-paused"><a href="#dom-media-paused">paused</a></code> attribute to false,
     <a href="#queue-a-task">queue a task</a> to <a href="#fire-a-simple-event">fire a simple event</a>
-    named <code title="event-media-play"><a href="#event-media-play">play</a></code>, and <a href="#queue-a-task">queue a
-    task</a> to <a href="#fire-a-simple-event">fire a simple event</a> named <code title="event-media-playing"><a href="#event-media-playing">playing</a></code>.</p>
+    named <code title="event-media-play"><a href="#event-media-play">play</a></code>, and <a href="#queue-a-task">queue
+    a task</a> to <a href="#fire-a-simple-event">fire a simple event</a> named <code title="event-media-playing"><a href="#event-media-playing">playing</a></code>.</p>
 
     <p class="note">User agents are not required to autoplay, and it
     is suggested that user agents honor user preferences on the
@@ -33257,13 +33286,16 @@
 
   <p>Whenever an element with the <code title="attr-fe-autofocus"><a href="#attr-fe-autofocus">autofocus</a></code> attribute specified is
   <a href="#insert-an-element-into-a-document" title="insert an element into a document">inserted into a
-  document</a>, the user agent should <a href="#queue-a-task">queue a task</a>
-  that checks to see if the element is <a href="#focusable">focusable</a>, and if
-  so, runs the <a href="#focusing-steps">focusing steps</a> for that element. User
-  agents may also change the scrolling position of the document, or
-  perform some other action that brings the element to the user's
-  attention. The <a href="#task-source">task source</a> for this task is the
-  <a href="#dom-manipulation-task-source">DOM manipulation task source</a>.</p>
+  document</a> whose <a href="#browsing-context">browsing context</a> did not have the
+  <a href="#sandboxed-automatic-features-browsing-context-flag">sandboxed automatic features browsing context flag</a> set
+  when the <code><a href="#document">Document</a></code> was created, the user agent should
+  <a href="#queue-a-task">queue a task</a> that checks to see if the element is
+  <a href="#focusable">focusable</a>, and if so, runs the <a href="#focusing-steps">focusing
+  steps</a> for that element. User agents may also change the
+  scrolling position of the document, or perform some other action
+  that brings the element to the user's attention. The <a href="#task-source">task
+  source</a> for this task is the <a href="#dom-manipulation-task-source">DOM manipulation task
+  source</a>.</p>
 
   <p>User agents may ignore this attribute if the user has indicated
   (for example, by starting to type in a form control) that he does

Received on Wednesday, 7 April 2010 05:11:17 UTC