html5/spec Overview.html,1.3652,1.3653

• From: Ian Hickson via cvs-syncmail <cvsmail@w3.org>
• Date: Tue, 12 Jan 2010 02:41:46 +0000
• To: public-html-commits@w3.org
• Message-Id: <E1NUWhW-00022c-54@lionel-hutz.w3.org>

Update of /sources/public/html5/spec
In directory hutz:/tmp/cvs-serv7827

Modified Files:
	Overview.html 
Log Message:
Make sandbox='' disallow using both allow-same-origin and allow-scripts (and make same-origin win). (whatwg r4577)

Index: Overview.html
===================================================================
RCS file: /sources/public/html5/spec/Overview.html,v
retrieving revision 1.3652
retrieving revision 1.3653
diff -u -d -r1.3652 -r1.3653
--- Overview.html	11 Jan 2010 11:25:19 -0000	1.3652
+++ Overview.html	12 Jan 2010 02:41:42 -0000	1.3653
@@ -262,7 +262,7 @@
    <h1>HTML5</h1>
    <h2 class="no-num no-toc" id="a-vocabulary-and-associated-apis-for-html-and-xhtml">A vocabulary and associated APIs for HTML and XHTML</h2>
 
-   <h2 class="no-num no-toc" id="editor-s-draft-11-january-2010">Editor's Draft 11 January 2010</h2>
+   <h2 class="no-num no-toc" id="editor-s-draft-12-january-2010">Editor's Draft 12 January 2010</h2>
    <dl><dt>Latest Published Version:</dt>
     <dd><a href="http://www.w3.org/TR/html5/">http://www.w3.org/TR/html5/</a></dd>
     <dt>Latest Editor's Draft:</dt>
@@ -361,7 +361,7 @@
   specification's progress along the W3C Recommendation
   track.
 
-  This specification is the 11 January 2010 Editor's Draft.
+  This specification is the 12 January 2010 Editor's Draft.
   </p><!-- UNDER NO CIRCUMSTANCES IS THE PRECEDING PARAGRAPH TO BE REMOVED OR EDITED WITHOUT TALKING TO IAN FIRST --><!-- relationship to other work (required) --><p>This specification is part of <a href="http://www.whatwg.org/specs/web-apps/current-work/multipage/">a
   larger specification</a> being produced by the <a href="http://www.whatwg.org/">WHATWG</a>.
   <!-- UNDER NO CIRCUMSTANCES IS THE FOLLOWING PARAGRAPH TO BE REMOVED OR EDITED WITHOUT TALKING TO IAN FIRST -->
@@ -16846,10 +16846,12 @@
   prevented from targeting other <a href="#browsing-context" title="browsing
   context">browsing contexts</a>, and plugins are disabled. The
   <code title="attr-iframe-sandbox-allow-same-origin"><a href="#attr-iframe-sandbox-allow-same-origin">allow-same-origin</a></code>
-  token allows the content to be treated as being from the same origin
+  keyword allows the content to be treated as being from the same origin
   instead of forcing it into a unique origin, and the <code title="attr-iframe-sandbox-allow-forms"><a href="#attr-iframe-sandbox-allow-forms">allow-forms</a></code> and <code title="attr-iframe-sandbox-allow-scripts"><a href="#attr-iframe-sandbox-allow-scripts">allow-scripts</a></code>
-  tokens re-enable forms and scripts respectively (though scripts are
-  still prevented from creating popups).<div class="impl">
+  keywords re-enable forms and scripts respectively (though scripts are
+  still prevented from creating popups).<p>The <code title="attr-iframe-sandbox-allow-scripts"><a href="#attr-iframe-sandbox-allow-scripts">allow-scripts</a></code> keyword
+  must not be specified if the <code title="attr-iframe-sandbox-allow-same-origin"><a href="#attr-iframe-sandbox-allow-same-origin">allow-same-origin</a></code>
+  keyword is specified.<div class="impl">
 
   <!-- v2: Add a new attribute that enables new restrictions, e.g.:
        - disallow cross-origin loads of any kind (networking
@@ -16968,6 +16970,7 @@
    the <code title="attr-iframe-sandbox"><a href="#attr-iframe-sandbox">sandbox</a></code> attribute's
    value, when <a href="#split-a-string-on-spaces" title="split a string on spaces">split on
    spaces</a>, is found to have the <dfn id="attr-iframe-sandbox-allow-scripts" title="attr-iframe-sandbox-allow-scripts"><code>allow-scripts</code></dfn>
+   keyword set and <em>not </em> to have the <code title="attr-iframe-sandbox-allow-same-origin"><a href="#attr-iframe-sandbox-allow-same-origin">allow-same-origin</a></code>
    keyword set</dt>
 
    <dd>
@@ -16982,6 +16985,9 @@
     or elsewhere) will continue to run. Only <em>new</em> scripts will
     be prevented from executing by this flag.</p>
 
+    <p>This keyword is ignored if the <code title="attr-iframe-sandbox-allow-same-origin"><a href="#attr-iframe-sandbox-allow-same-origin">allow-same-origin</a></code>
+    keyword is set.</p>
+
    </dd>
 
   </dl><p>These flags must not be set unless the conditions listed above

Received on Tuesday, 12 January 2010 02:41:47 UTC