W3C home > Mailing lists > Public > public-html-diffs@w3.org > March 2010

hixie: Add a value for 'sandbox' that enables top-level navigation. (whatwg r4862)

From: poot <cvsmail@w3.org>
Date: Wed, 24 Mar 2010 17:48:25 +0900 (JST)
To: public-html-diffs@w3.org
Message-Id: <20100324084825.7A75D2BC38@toro.w3.mag.keio.ac.jp>
hixie: Add a value for 'sandbox' that enables top-level navigation.
(whatwg r4862)

http://dev.w3.org/cvsweb/html5/spec/Overview.html?r1=1.3894&r2=1.3895&f=h
http://html5.org/tools/web-apps-tracker?from=4861&to=4862

===================================================================
RCS file: /sources/public/html5/spec/Overview.html,v
retrieving revision 1.3894
retrieving revision 1.3895
diff -u -d -r1.3894 -r1.3895
--- Overview.html	23 Mar 2010 08:46:28 -0000	1.3894
+++ Overview.html	24 Mar 2010 08:48:11 -0000	1.3895
@@ -17336,6 +17336,7 @@
   any content hosted by the <code><a href="#the-iframe-element">iframe</a></code>. Its value must be an
   <a href="#unordered-set-of-unique-space-separated-tokens">unordered set of unique space-separated tokens</a>. The
   allowed values are <code title="attr-iframe-sandbox-allow-same-origin"><a href="#attr-iframe-sandbox-allow-same-origin">allow-same-origin</a></code>,
+  <code title="attr-iframe-sandbox-allow-top-navigation"><a href="#attr-iframe-sandbox-allow-top-navigation">allow-top-navigation</a></code>,
   <code title="attr-iframe-sandbox-allow-forms"><a href="#attr-iframe-sandbox-allow-forms">allow-forms</a></code>,
   and <code title="attr-iframe-sandbox-allow-scripts"><a href="#attr-iframe-sandbox-allow-scripts">allow-scripts</a></code>. When
   the attribute is set, the content is treated as being from a unique
@@ -17343,10 +17344,12 @@
   prevented from targeting other <a href="#browsing-context" title="browsing
   context">browsing contexts</a>, and plugins are disabled. The
   <code title="attr-iframe-sandbox-allow-same-origin"><a href="#attr-iframe-sandbox-allow-same-origin">allow-same-origin</a></code>
-  keyword allows the content to be treated as being from the same origin
-  instead of forcing it into a unique origin, and the <code title="attr-iframe-sandbox-allow-forms"><a href="#attr-iframe-sandbox-allow-forms">allow-forms</a></code> and <code title="attr-iframe-sandbox-allow-scripts"><a href="#attr-iframe-sandbox-allow-scripts">allow-scripts</a></code>
-  keywords re-enable forms and scripts respectively (though scripts are
-  still prevented from creating popups).<p class="warning">Setting both the <code title="attr-iframe-sandbox-allow-scripts"><a href="#attr-iframe-sandbox-allow-scripts">allow-scripts</a></code> and
+  keyword allows the content to be treated as being from the same
+  origin instead of forcing it into a unique origin, the <code title="attr-iframe-sandbox-allow-top-navigation"><a href="#attr-iframe-sandbox-allow-top-navigation">allow-top-navigation</a></code>
+  keyword allows the content to <a href="#navigate">navigate</a> its
+  <a href="#top-level-browsing-context">top-level browsing context</a>, and the <code title="attr-iframe-sandbox-allow-forms"><a href="#attr-iframe-sandbox-allow-forms">allow-forms</a></code> and <code title="attr-iframe-sandbox-allow-scripts"><a href="#attr-iframe-sandbox-allow-scripts">allow-scripts</a></code>
+  keywords re-enable forms and scripts respectively (though scripts
+  are still prevented from creating popups).<p class="warning">Setting both the <code title="attr-iframe-sandbox-allow-scripts"><a href="#attr-iframe-sandbox-allow-scripts">allow-scripts</a></code> and
   <code title="attr-iframe-sandbox-allow-same-origin"><a href="#attr-iframe-sandbox-allow-same-origin">allow-same-origin</a></code>
   keywords together when the embedded page has the <a href="#same-origin">same
   origin</a> as the page containing the <code><a href="#the-iframe-element">iframe</a></code> allows
@@ -17379,7 +17382,9 @@
     <p>This flag <a href="#sandboxLinks">prevents content from
     navigating browsing contexts other than the sandboxed browsing
     context itself</a> (or browsing contexts further nested inside
-    it).</p>
+    it), and the <a href="#top-level-browsing-context">top-level browsing context</a> (which is
+    protected by the <a href="#sandboxed-top-level-navigation-browsing-context-flag">sandboxed top-level navigation browsing
+    context flag</a> defined next).</p>
 
     <p>This flag also <a href="#sandboxWindowOpen">prevents content
     from creating new auxiliary browsing contexts</a>, e.g. using the
@@ -17389,6 +17394,26 @@
    </dd>
 
 
+   <dt>The <dfn id="sandboxed-top-level-navigation-browsing-context-flag">sandboxed top-level navigation browsing context
+   flag</dfn>, unless the <code title="attr-iframe-sandbox"><a href="#attr-iframe-sandbox">sandbox</a></code> attribute's value, when
+   <a href="#split-a-string-on-spaces" title="split a string on spaces">split on spaces</a>, is
+   found to have the <dfn id="attr-iframe-sandbox-allow-top-navigation" title="attr-iframe-sandbox-allow-top-navigation"><code>allow-top-navigation</code></dfn>
+   keyword set</dt>
+
+   <dd>
+
+    <p>This flag <a href="#sandboxLinks">prevents content from
+    navigating their <span>top-level browsing context</span></a>.</p>
+
+    <p>When the <code title="attr-iframe-sandbox-allow-top-navigation"><a href="#attr-iframe-sandbox-allow-top-navigation">allow-top-navigation</a></code>
+    is set, content can navigate its <a href="#top-level-browsing-context">top-level browsing
+    context</a>, but other <a href="#browsing-context" title="browsing context">browsing
+    contexts</a> are still protected by the <a href="#sandboxed-navigation-browsing-context-flag">sandboxed
+    navigation browsing context flag</a> defined above.</p>
+
+   </dd>
+
+
    <dt>The <dfn id="sandboxed-plugins-browsing-context-flag">sandboxed plugins browsing context flag</dfn></dt>
 
    <dd>
@@ -41549,21 +41574,38 @@
 
   <ol><li><p>Release the <a href="#storage-mutex">storage mutex</a>.</li>
 
-   <li id="sandboxLinks"><p>If the <a href="#source-browsing-context">source browsing
-   context</a> is not the same as the <a href="#browsing-context">browsing context</a>
-   being navigated, and the <a href="#source-browsing-context">source browsing context</a> is
-   not one of the <a href="#ancestor-browsing-context" title="ancestor browsing context">ancestor
-   browsing contexts</a> of the <a href="#browsing-context">browsing context</a> being
-   navigated, and the <a href="#source-browsing-context">source browsing context</a> had its
-   <a href="#sandboxed-navigation-browsing-context-flag">sandboxed navigation browsing context flag</a> set when
-   its <a href="#active-document">active document</a> was created, then abort these
-   steps. The user agent may offer to open the new resource in a new
-   <a href="#top-level-browsing-context">top-level browsing context</a> or in the <a href="#top-level-browsing-context">top-level
-   browsing context</a> of the <a href="#source-browsing-context">source browsing
-   context</a>, at the user's option, in which case the user agent
-   must <a href="#navigate">navigate</a> that designated <a href="#top-level-browsing-context">top-level browsing
-   context</a> to the new resource as if the user had requested it
-   independently.</li>
+   <li id="sandboxLinks">
+
+    <p>If the <a href="#source-browsing-context">source browsing context</a> is not the same as
+    the <a href="#browsing-context">browsing context</a> being navigated, and the
+    <a href="#source-browsing-context">source browsing context</a> is not one of the <a href="#ancestor-browsing-context" title="ancestor browsing context">ancestor browsing
+    contexts</a> of the <a href="#browsing-context">browsing context</a> being
+    navigated, and the <a href="#browsing-context">browsing context</a> being navigated is
+    not both a <a href="#top-level-browsing-context">top-level browsing context</a> and one of the
+    <a href="#ancestor-browsing-context" title="ancestor browsing context">ancestor browsing
+    contexts</a> of the <a href="#source-browsing-context">source browsing context</a>, and
+    the <a href="#source-browsing-context">source browsing context</a> had its <a href="#sandboxed-navigation-browsing-context-flag">sandboxed
+    navigation browsing context flag</a> set when its <a href="#active-document">active
+    document</a> was created, then abort these steps.</p>
+
+    <p>Otherwise, if the <a href="#browsing-context">browsing context</a> being navigated
+    is a <a href="#top-level-browsing-context">top-level browsing context</a>, and is one of the
+    <a href="#ancestor-browsing-context" title="ancestor browsing context">ancestor browsing
+    contexts</a> of the <a href="#source-browsing-context">source browsing context</a>, and
+    the <a href="#source-browsing-context">source browsing context</a> had its <a href="#sandboxed-top-level-navigation-browsing-context-flag">sandboxed
+    top-level navigation browsing context flag</a> set when its
+    <a href="#active-document">active document</a> was created, then abort these
+    steps.</p>
+
+    <p>In both cases, the user agent may additionally offer to open
+    the new resource in a new <a href="#top-level-browsing-context">top-level browsing context</a>
+    or in the <a href="#top-level-browsing-context">top-level browsing context</a> of the
+    <a href="#source-browsing-context">source browsing context</a>, at the user's option, in
+    which case the user agent must <a href="#navigate">navigate</a> that
+    designated <a href="#top-level-browsing-context">top-level browsing context</a> to the new
+    resource as if the user had requested it independently.</p>
+
+   </li>
 
    <li id="seamlessLinks"><p>If the <a href="#source-browsing-context">source browsing
    context</a> is the same as the <a href="#browsing-context">browsing context</a>
Received on Wednesday, 24 March 2010 08:48:54 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Saturday, 18 December 2010 06:14:18 GMT