- From: poot <cvsmail@w3.org>
- Date: Fri, 13 Apr 2012 19:10:24 -0400
- To: public-html-diffs@w3.org
hixie: Refactor the sandboxing flags further to make it even easier to hook into for CSP. (whatwg r7053) http://dev.w3.org/cvsweb/html5/spec/Overview.html?r1=1.5623&r2=1.5624&f=h http://html5.org/tools/web-apps-tracker?from=7052&to=7053 =================================================================== RCS file: /sources/public/html5/spec/Overview.html,v retrieving revision 1.5623 retrieving revision 1.5624 diff -u -d -r1.5623 -r1.5624 --- Overview.html 13 Apr 2012 22:55:52 -0000 1.5623 +++ Overview.html 13 Apr 2012 23:10:08 -0000 1.5624 
@@ -24139,80 +24139,12 @@ <p>While the <code title="attr-iframe-sandbox"><a href="#attr-iframe-sandbox">sandbox</a></code> - attribute is specified, the <code><a href="#the-iframe-element">iframe</a></code> element's - <a href="#nested-browsing-context">nested browsing context</a>'s <a href="#iframe-sandboxing-flag-set"><code>iframe</code> - sandboxing flag set</a> must have the flags given in the - following list set.</p> - - <ul><li><p>The <a href="#sandboxed-navigation-browsing-context-flag">sandboxed navigation browsing context flag</a></li> - - <li><p>The <a href="#sandboxed-top-level-navigation-browsing-context-flag">sandboxed top-level navigation browsing context - flag</a>, unless the <code title="attr-iframe-sandbox"><a href="#attr-iframe-sandbox">sandbox</a></code> attribute's value, when - <a href="#split-a-string-on-spaces" title="split a string on spaces">split on spaces</a>, is - found to have the <dfn id="attr-iframe-sandbox-allow-top-navigation" title="attr-iframe-sandbox-allow-top-navigation"><code>allow-top-navigation</code></dfn> - keyword set</li> - - <li><p>The <a href="#sandboxed-plugins-browsing-context-flag">sandboxed plugins browsing context flag</a></li> - - <li><p>The <a href="#sandboxed-seamless-iframes-flag">sandboxed seamless iframes flag</a></li> - - <li> - - <p>The <a href="#sandboxed-origin-browsing-context-flag">sandboxed origin browsing context flag</a>, unless - the <code title="attr-iframe-sandbox"><a href="#attr-iframe-sandbox">sandbox</a></code> attribute's - value, when <a href="#split-a-string-on-spaces" title="split a string on spaces">split on - spaces</a>, is found to have the <dfn id="attr-iframe-sandbox-allow-same-origin" title="attr-iframe-sandbox-allow-same-origin"><code>allow-same-origin</code></dfn> - keyword set</p> - - <div class="note"> - - <p>The <code title="attr-iframe-sandbox-allow-same-origin"><a href="#attr-iframe-sandbox-allow-same-origin">allow-same-origin</a></code> - keyword is intended for two 
cases.</p> - - <p>First, it can be used to allow content from the same site to - be sandboxed to disable scripting, while still allowing access to - the DOM of the sandboxed content.</p> - - <p>Second, it can be used to embed content from a third-party - site, sandboxed to prevent that site from opening popup windows, - etc, without preventing the embedded page from communicating back - to its originating site, using the database APIs to store data, - etc.</p> - - </div> - - </li> - - <li><p>The <a href="#sandboxed-forms-browsing-context-flag">sandboxed forms browsing context flag</a>, unless - the <code title="attr-iframe-sandbox"><a href="#attr-iframe-sandbox">sandbox</a></code> attribute's - value, when <a href="#split-a-string-on-spaces" title="split a string on spaces">split on - spaces</a>, is found to have the <dfn id="attr-iframe-sandbox-allow-forms" title="attr-iframe-sandbox-allow-forms"><code>allow-forms</code></dfn> - keyword set</li> - - <li><p>The <a href="#sandboxed-scripts-browsing-context-flag">sandboxed scripts browsing context flag</a>, unless - the <code title="attr-iframe-sandbox"><a href="#attr-iframe-sandbox">sandbox</a></code> attribute's - value, when <a href="#split-a-string-on-spaces" title="split a string on spaces">split on - spaces</a>, is found to have the <dfn id="attr-iframe-sandbox-allow-scripts" title="attr-iframe-sandbox-allow-scripts"><code>allow-scripts</code></dfn> - keyword set</li> - - <li> - - <p>The <a href="#sandboxed-automatic-features-browsing-context-flag">sandboxed automatic features browsing context - flag</a>, unless the <code title="attr-iframe-sandbox"><a href="#attr-iframe-sandbox">sandbox</a></code> attribute's value, when - <a href="#split-a-string-on-spaces" title="split a string on spaces">split on spaces</a>, is - found to have the <code title="attr-iframe-sandbox-allow-scripts"><a href="#attr-iframe-sandbox-allow-scripts">allow-scripts</a></code> - keyword (defined above) set</p> - - <p class="note">This 
flag is relaxed by the same flag as - scripts, because when scripts are enabled these features are - trivially possible anyway, and it would be unfortunate to force - authors to use script to do them when sandboxed rather than - allowing them to use the declarative features.</p> - - </li> - - </ul><p>These flags must not be set unless the conditions listed above - define them as being set.</p> + attribute is set or changed, the user agent must <a href="#parse-a-sandboxing-directive" title="parse + a sandboxing directive">parse the sandboxing directive</a> using + the attribute's value as the <var title="">input</var> and the + <code><a href="#the-iframe-element">iframe</a></code> element's <a href="#nested-browsing-context">nested browsing context</a>'s + <a href="#iframe-sandboxing-flag-set"><code>iframe</code> sandboxing flag set</a> as the + output.</p> <p class="warning">These flags only take effect when the <a href="#nested-browsing-context">nested browsing context</a> of the <code><a href="#the-iframe-element">iframe</a></code> is 
@@ -54063,7 +53995,80 @@ </dd> - </dl><p>Every <a href="#nested-browsing-context">nested browsing context</a> has an + </dl><p>When the user agent is to <dfn id="parse-a-sandboxing-directive">parse a sandboxing + directive</dfn>, given a string <var title="">input</var> and a + <a href="#sandboxing-flag-set">sandboxing flag set</a> <var title="">output</var>, it must + run the following steps:</p> + + <ol><li><p><a href="#split-a-string-on-spaces" title="split a string on spaces">Split <var title="">input</var> on spaces</a>, to obtain <var title="">tokens</var>.</li> + + <li><p>Let <var title="">output</var> be empty.</li> + + <li> + + <p>Add the following flags to <var title="">output</var>:</p> + + <ul><li><p>The <a href="#sandboxed-navigation-browsing-context-flag">sandboxed navigation browsing context flag</a></li> + + <li><p>The <a href="#sandboxed-top-level-navigation-browsing-context-flag">sandboxed top-level navigation browsing context + flag</a>, unless <var title="">tokens</var> contains the <dfn id="attr-iframe-sandbox-allow-top-navigation" title="attr-iframe-sandbox-allow-top-navigation"><code>allow-top-navigation</code></dfn> + keyword</li> + + <li><p>The <a href="#sandboxed-plugins-browsing-context-flag">sandboxed plugins browsing context flag</a></li> + + <li><p>The <a href="#sandboxed-seamless-iframes-flag">sandboxed seamless iframes flag</a></li> + + <li> + + <p>The <a href="#sandboxed-origin-browsing-context-flag">sandboxed origin browsing context flag</a>, + unless the <var title="">tokens</var> contains the <dfn id="attr-iframe-sandbox-allow-same-origin" title="attr-iframe-sandbox-allow-same-origin"><code>allow-same-origin</code></dfn> + keyword</p> + + <div class="note"> + + <p>The <code title="attr-iframe-sandbox-allow-same-origin"><a href="#attr-iframe-sandbox-allow-same-origin">allow-same-origin</a></code> + keyword is intended for two cases.</p> + + <p>First, it can be used to allow content from the same site to + be sandboxed to disable 
scripting, while still allowing access to + the DOM of the sandboxed content.</p> + + <p>Second, it can be used to embed content from a third-party + site, sandboxed to prevent that site from opening popup windows, + etc, without preventing the embedded page from communicating back + to its originating site, using the database APIs to store data, + etc.</p> + + </div> + + </li> + + <li><p>The <a href="#sandboxed-forms-browsing-context-flag">sandboxed forms browsing context flag</a>, + unless <var title="">tokens</var> contains the <dfn id="attr-iframe-sandbox-allow-forms" title="attr-iframe-sandbox-allow-forms"><code>allow-forms</code></dfn> + keyword</li> + + <li><p>The <a href="#sandboxed-scripts-browsing-context-flag">sandboxed scripts browsing context flag</a>, + unless <var title="">tokens</var> contains the <dfn id="attr-iframe-sandbox-allow-scripts" title="attr-iframe-sandbox-allow-scripts"><code>allow-scripts</code></dfn> + keyword</li> + + <li> + + <p>The <a href="#sandboxed-automatic-features-browsing-context-flag">sandboxed automatic features browsing context + flag</a>, unless <var title="">tokens</var> contains the + <code title="attr-iframe-sandbox-allow-scripts"><a href="#attr-iframe-sandbox-allow-scripts">allow-scripts</a></code> + keyword (defined above)</p> + + <p class="note">This flag is relaxed by the same keyword as + scripts, because when scripts are enabled these features are + trivially possible anyway, and it would be unfortunate to force + authors to use script to do them when sandboxed rather than + allowing them to use the declarative features.</p> + + </li> + + </ul></li> + + </ol><hr><p>Every <a href="#nested-browsing-context">nested browsing context</a> has an <dfn id="iframe-sandboxing-flag-set"><code>iframe</code> sandboxing flag set</dfn>, which is a <a href="#sandboxing-flag-set">sandboxing flag set</a>. 
Which flags in a <a href="#nested-browsing-context">nested browsing context</a>'s <a href="#iframe-sandboxing-flag-set"><code>iframe</code> sandboxing flag
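Review bot: The replacement paragraph in the first hunk (@@ -24139) only triggers on the sandbox attribute being "set or changed", and the removed closing sentence "These flags must not be set unless the conditions listed above define them as being set" was the only text in this region that covered the attribute being absent. In the lines shown, nothing now says what happens to the iframe sandboxing flag set when the attribute is removed, so implementations could diverge on whether a frame keeps its previous flags. Suggest adding an explicit removal case next to this paragraph, for example a sentence stating that when the attribute is removed the user agent must empty the iframe sandboxing flag set.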
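Review bot: The new "parse a sandboxing directive" steps in the second hunk (@@ -54063) never say how a token is compared with a keyword; each list item only says "unless tokens contains the ... keyword". The commit message says this refactoring is meant to make the flags easier for CSP to hook into, so the algorithm will receive input that does not come from the attribute. It should therefore state the comparison rule itself (case-sensitive or ASCII case-insensitive) and say that unrecognized tokens are ignored. Otherwise two callers can derive different flag sets from the same string. Minor wording point: the allow-same-origin item reads "unless the tokens contains" while the other items read "unless tokens contains".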
Received on Friday, 13 April 2012 23:10:28 UTC