[Bug 22318] New: Should window.close() be affected by sandboxing restrictions. from bugzilla@jessica.w3.org on 2013-06-10 (public-html-admin@w3.org from June 2013)

From: <bugzilla@jessica.w3.org>
Date: Mon, 10 Jun 2013 18:02:36 +0000
To: public-html-admin@w3.org
Message-ID: <bug-22318-2495@http.www.w3.org/Bugs/Public/>

https://www.w3.org/Bugs/Public/show_bug.cgi?id=22318

            Bug ID: 22318
           Summary: Should window.close() be affected by sandboxing
                    restrictions.
    Classification: Unclassified
           Product: HTML WG
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: HTML5 spec
          Assignee: dave.null@w3.org
          Reporter: bobowencode@gmail.com
        QA Contact: public-html-bugzilla@w3.org
                CC: mike@w3.org, public-html-admin@w3.org,
                    public-html-wg-issue-tracking@w3.org

Created attachment 1370
  --> https://www.w3.org/Bugs/Public/attachment.cgi?id=1370&action=edit
Test window.close() from sandbox - closeTestOpener.html starts the test.

As part of discussions on bug 20939, I've been asked to raise this bug.
The purpose is to look at whether window.close() should be affected by
sandboxing rules.

In the specification at
http://www.w3.org/html/wg/drafts/html/master/browsers.html#dom-window-close, it
states:

"The close() method on Window objects should, if the corresponding browsing
context A is script-closable and the browsing context of the script that
invokes the method is allowed to navigate the browsing context A, close the
browsing context A."

The "allowed to navigate" rules at
http://www.w3.org/html/wg/drafts/html/master/browsers.html#allowed-to-navigate,
don't include the sandboxing rules, but sandboxing could actually affect
whether navigation takes place.
So the question is, if navigation of a browsing context is blocked by
sandboxing rules, should window.close() also be blocked.

I believe it should, as (for example) it seems wrong that a sandboxed browsing
context is not allowed to navigate top, but is allowed to close it.

I did a quick test to see what happens in a sandbox with allow-scripts, but not
allow-top-navigation.
closeTestOpener.html starts the test.
(This test was done in early May, I'm sorry I don't have the versions that were
used.)

Firefox, IE10, Chrome and Opera all seem to block the direct navigation of top
with window.open(..., "_top").

Only Chrome stops the window.top.close().  It gives the same error as for the
navigation, which complains that you are trying to navigate top without
allow-top-navigation.

As I have said, Chrome's behaviour seems correct to me.

Thanks,
Bob

-- 
You are receiving this mail because:
You are on the CC list for the bug.

Received on Monday, 10 June 2013 18:02:37 UTC