- From: poot <cvsmail@w3.org>
- Date: Tue, 11 Jan 2011 21:44:03 -0500
- To: public-html-diffs@w3.org
hixie: Ensure that sandbox='allow-same-origin allow-top-navigation'
doesn't allow sandboxed pages to run scripts 'by proxy' (through the
top-level browsing context) (whatwg r5756)
http://dev.w3.org/cvsweb/html5/spec/Overview.html?r1=1.4616&r2=1.4617&f=h
http://html5.org/tools/web-apps-tracker?from=5755&to=5756
===================================================================
RCS file: /sources/public/html5/spec/Overview.html,v
retrieving revision 1.4616
retrieving revision 1.4617
diff -u -d -r1.4616 -r1.4617
--- Overview.html 10 Jan 2011 22:08:27 -0000 1.4616
+++ Overview.html 10 Jan 2011 22:34:08 -0000 1.4617
@@ -47949,6 +47949,16 @@
<p>Use the appropriate step from the following list:</p>
<dl><dt>If a <a href="#browsing-context">browsing context</a> is being <a href="#navigate" title="navigate">navigated</a> to a <code>javascript:</code>
+ URL, and the <a href="#source-browsing-context">source browsing context</a> for that
+ navigation, if any, has <a href="#concept-bc-noscript" title="concept-bc-noscript">scripting disabled</a></dt>
+
+ <dd>
+
+ <p>Let <var title="">result</var> be void.</p>
+
+ </dd>
+
+ <dt>If a <a href="#browsing-context">browsing context</a> is being <a href="#navigate" title="navigate">navigated</a> to a <code>javascript:</code>
URL, and the <a href="#active-document">active document</a> of that browsing
context has the <a href="#same-origin">same origin</a> as the script given by
that URL</dt>
Received on Wednesday, 12 January 2011 02:44:05 UTC