- From: poot <cvsmail@w3.org>
- Date: Sat, 14 Feb 2009 08:22:28 +0900 (JST)
- To: public-html-diffs@w3.org
Clarify that sandbox's origin features only take effect at navigation. (whatwg r2824)

5.4 Origin
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1995.html#origin

allow-same-origin
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1995.html#attr-iframe-sandbox-allow-same-origin

On getting, if the document is not associated with a browsing context then the user agent must raise an INVALID_STATE_ERR exception. Otherwise, if the sandboxed origin browsing context flag was set on the browsing context of the Document when the Document was created, the user agent must raise a SECURITY_ERR exception. Otherwise, if the document's address does not use a server-based naming authority, it must return the empty string. Otherwise, it must return the same string as the value of the Cookie HTTP header it would include if fetching the resource indicated by the document's address over HTTP, as per RFC 2109 section 4.3.4 or later specifications, excluding HTTP-only cookies. [RFC2109] [RFC2965]
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1995.html#sandboxCookies

If a Document is in a browsing context whose sandboxed origin browsing context flag was set when the Document was created
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1995.html#sandboxOrigin

http://people.w3.org/mike/diffs/html5/spec/Overview.diff.html
http://dev.w3.org/cvsweb/html5/spec/Overview.html?r1=1.1994&r2=1.1995&f=h
http://html5.org/tools/web-apps-tracker?from=2823&to=2824

=================================================================== RCS file: /sources/public/html5/spec/Overview.html,v retrieving revision 1.1994 retrieving revision 1.1995 diff -u -d -r1.1994 -r1.1995 --- Overview.html 13 Feb 2009 23:13:29 -0000 1.1994 +++ Overview.html 13 Feb 2009 23:18:45 -0000 1.1995 
@@ -5370,9 +5370,10 @@ attribute represents the cookies of the resource.<p id=sandboxCookies>On getting, if the document is not associated with a <a href=#browsing-context>browsing context</a> then the user agent must raise an <code><a href=#invalid_state_err>INVALID_STATE_ERR</a></code> exception. Otherwise, if the - <a href=#sandboxed-origin-browsing-context-flag>sandboxed origin browsing context flag</a> is set on the - <a href=#browsing-context>browsing context</a> of the document, the user agent must - raise a <code><a href=#security_err>SECURITY_ERR</a></code> exception. Otherwise, if <a href=#the-document-s-address>the + <a href=#sandboxed-origin-browsing-context-flag>sandboxed origin browsing context flag</a> was set on the + <a href=#browsing-context>browsing context</a> of the <code>Document</code> when the + <code>Document</code> was created, the user agent must raise a + <code><a href=#security_err>SECURITY_ERR</a></code> exception. Otherwise, if <a href=#the-document-s-address>the document's address</a> does not use a server-based naming authority, it must return the empty string. Otherwise, it must return the same string as the value of the <code title="">Cookie</code> HTTP header it would include if <a href=#fetch title=fetch>fetching</a> the resource indicated by <a href=#the-document-s-address>the 
@@ -5380,9 +5381,10 @@ or later specifications, excluding HTTP-only cookies. <a href=#references>[RFC2109]</a> <a href=#references>[RFC2965]</a><p>On setting, if the document is not associated with a <a href=#browsing-context>browsing context</a> then the user agent must raise an <code><a href=#invalid_state_err>INVALID_STATE_ERR</a></code> exception. Otherwise, if the - <a href=#sandboxed-origin-browsing-context-flag>sandboxed origin browsing context flag</a> is set on the - <a href=#browsing-context>browsing context</a> of the document, the user agent must - raise a <code><a href=#security_err>SECURITY_ERR</a></code> exception. Otherwise, if <a href=#the-document-s-address>the + <a href=#sandboxed-origin-browsing-context-flag>sandboxed origin browsing context flag</a> was set on the + <a href=#browsing-context>browsing context</a> of the <code>Document</code> when the + <code>Document</code> was created, the user agent must raise a + <code><a href=#security_err>SECURITY_ERR</a></code> exception. Otherwise, if <a href=#the-document-s-address>the document's address</a> does not use a server-based naming authority, it must do nothing. Otherwise, the user agent must act as it would when processing cookies if it had just attempted to @@ -13715,6 +13717,10 @@ </div> + <p class=warning>This flag only takes effect when the + <a href=#nested-browsing-context>nested browsing context</a> of the <code><a href=#the-iframe-element>iframe</a></code> is + <a href=#navigate title=navigate>navigated</a>.</p> + </dd> @@ -28669,7 +28675,8 @@ <dl class=switch><dt id=sandboxOrigin>If a <code>Document</code> is in a <a href=#browsing-context>browsing context</a> whose <a href=#sandboxed-origin-browsing-context-flag>sandboxed origin - browsing context flag</a> is set</dt> + browsing context flag</a> was set when the + <code>Document</code> was created</dt> <dd>The <a href=#origin-0>origin</a> is a globally unique identifier assigned when the <code>Document</code> is created.</dd>
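Review bot: In the @@ -5370 hunk (cookie getter), the new condition "was set on the browsing context of the Document when the Document was created" tests a past state, but nothing in the visible text says where that creation-time value is recorded. An implementer reading only this paragraph could still consult the live flag on the browsing context. Consider defining a named per-Document state that is fixed at creation and having this sentence reference it, so the SECURITY_ERR check cannot be read as following later changes to the sandbox attribute.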
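Review bot: In the @@ -5380 hunk (cookie setter), the added lines repeat the getter's condition word for word and mix two spellings within one paragraph: the first sentence still says "if the document is not associated with a browsing context" while the new text says "of the <code>Document</code> when the <code>Document</code> was created". Suggest using one form throughout the paragraph and factoring the shared condition into a single defined term that the getter, the setter and the sandboxOrigin entry all link to, so the three copies cannot drift apart in a later edit.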
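Review bot: In the @@ -13715 hunk, the new warning says "This flag only takes effect when the nested browsing context ... is navigated" without naming the flag or stating the consequence for the Document that is already loaded. Authors are most likely to get this wrong when they change the sandbox attribute on a live iframe and expect the current content's origin and cookie access to change immediately. Suggest naming the flag explicitly and adding a sentence saying that the Document currently in the nested browsing context keeps the origin it was given at creation until the next navigation, which matches the "when the Document was created" wording introduced in the other hunks.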
Received on Friday, 13 February 2009 23:23:05 UTC