- From: Ian Hickson via cvs-syncmail <cvsmail@w3.org>
- Date: Wed, 27 Jan 2010 23:07:01 +0000
- To: public-html-commits@w3.org
Update of /sources/public/html5/spec In directory hutz:/tmp/cvs-serv8907 Modified Files: Overview.html Log Message: Block pushState() and replaceState() from changing URLs when used by text/html-sandboxed content, to prevent them from spoofing other pages on the same origin. (whatwg r4630) Index: Overview.html =================================================================== RCS file: /sources/public/html5/spec/Overview.html,v retrieving revision 1.3690 retrieving revision 1.3691 diff -u -d -r1.3690 -r1.3691 --- Overview.html 27 Jan 2010 22:34:23 -0000 1.3690 +++ Overview.html 27 Jan 2010 23:06:57 -0000 1.3691 @@ -43470,7 +43470,16 @@ raise a <code><a href="#security_err">SECURITY_ERR</a></code> exception and abort these steps.</li> - </ol><p>For the purposes of the comparison in the above substeps, the + <li>If the <a href="#origin">origin</a> of the resulting <a href="#absolute-url">absolute + URL</a> is not the same as the <a href="#origin">origin</a> of the + <a href="#entry-script">entry script</a>'s <code title="script's browsing + context"><a href="#script-s-browsing-context">browsing context, and either the <span title="url-path"><path></span> or <span title="url-query"><query></span> components of the two + <span title="URL">URLs</span> comparedi in the previous step + differ, raise a <code>SECURITY_ERR</code> exception and abort + these steps. (This prevents sandboxed content from spoofing other + pages on the same origin.)</a></code></li> + + </ol><p>For the purposes of the comparisons in the above substeps, the <a href="#url-path" title="url-path"><path></a> and <a href="#url-query" title="url-query"><query></a> components can only be the same if the URLs use a hierarchical <a href="#url-scheme" title="url-scheme"><scheme></a>.</p>
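Review bot: the closing `</a></code>` for the "browsing context" cross-reference in the new `<li>` is placed at the very end of the list item rather than directly after the words "browsing context", so the entire remainder of the sentence, including the "(This prevents sandboxed content from spoofing other pages on the same origin.)" parenthetical, is rendered as part of the link and inside `<code>`; move `</a></code>` to immediately follow "browsing context". Two smaller points in the same item: "comparedi in the previous step" should read "compared in the previous step", and the new item's `<code>SECURITY_ERR</code>` lacks the `<a href="#security_err">` link that the preceding step in the unchanged context uses. For consistency with the paragraph that follows the list, which marks up `<a href="#url-path" title="url-path"><path></a>` and `<a href="#url-query" title="url-query"><query></a>` as cross-references, the new item's `<span title="url-path">`, `<span title="url-query">` and `<span title="URL">URLs</span>` should be the same `<a href=...>` links rather than plain spans. The check itself reads correctly: because a sandboxed document has a unique origin, the origin comparison against the resulting absolute URL fails for it, and the path/query condition then leaves only fragment changes permitted, which matches the log message's intent.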
Received on Wednesday, 27 January 2010 23:07:02 UTC