[presentation-api] In receiver page, sandboxing flags do not fully block top-level navigation.

mfoltzgoogle has just created a new issue for https://github.com/w3c/presentation-api:

== In receiver page, sandboxing flags do not fully block top-level navigation. ==
The steps to create a receiving browsing context set the _sandboxed top-level navigation browsing context flag_ [1].  According to the HTML 5.1 navigation algorithm [1], this only applies when nested browsing contexts attempt to navigate their top browsing context, so it does not make sense for the original receiving browsing context (only, possibly, nested browsing contexts inside it).

We could also set the _sandboxed navigation browsing context flag_, which would block navigation for browsing contexts _other_ than the receiving browsing context.  But I don't see a way to block a top-level browsing context from navigating itself - at least through the sandboxing flags defined in HTML.

I would suggest removing the _sandboxed top-level navigation browsing context flag_ and adding a normative note that the receiving user agent should block top-level navigation that is not same-document, which should cover both navigation from top-level contexts and nested contexts.

[1] https://www.w3.org/TR/html51/browsers.html#sandboxing
[2] https://www.w3.org/TR/html51/browsers.html#allowed-to-navigate

Please view or discuss this issue at https://github.com/w3c/presentation-api/issues/434 using your GitHub account

Received on Wednesday, 9 August 2017 00:21:14 UTC
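
Added example (not part of the original issue or of the Presentation API specification): a simplified JavaScript model of the HTML 5.1 "allowed to navigate" check [2], showing which navigations the two sandboxing flags discussed above actually block. The flag constants, `makeContext`, `allowedToNavigate` and the three browsing contexts are hypothetical names constructed for illustration, and the steps are a paraphrase of the algorithm, not a browser API.

```javascript
// Simplified model of the HTML 5.1 "allowed to navigate" check.
// All names are hypothetical labels for illustration, not a browser API.
const NAV = "sandboxed-navigation";
const TOP_NAV = "sandboxed-top-level-navigation";

function makeContext(name, parent = null, flags = []) {
  return { name, parent, flags: new Set(flags), permittedNavigator: null };
}

// True if `candidate` is one of the ancestor browsing contexts of `ctx`.
function isAncestor(candidate, ctx) {
  for (let p = ctx.parent; p; p = p.parent) if (p === candidate) return true;
  return false;
}

// May browsing context A navigate browsing context B?
function allowedToNavigate(a, b) {
  const bIsTop = b.parent === null;
  // Step 1: the navigation flag blocks unrelated, non-top-level targets.
  if (a !== b && !isAncestor(a, b) && !bIsTop && a.flags.has(NAV)) return false;
  // Step 2: the top-level navigation flag only applies when B is an
  // ancestor of A, i.e. a nested context navigating its own top.
  if (bIsTop && isAncestor(b, a) && a.flags.has(TOP_NAV)) return false;
  // Step 3: the navigation flag blocks unrelated top-level targets unless
  // A is the one permitted sandboxed navigator of B.
  if (bIsTop && a !== b && !isAncestor(b, a) && a.flags.has(NAV) &&
      b.permittedNavigator !== a) return false;
  return true;
}

// Constructed scenario: a receiving context with both flags set, a nested
// iframe carrying the same flags, and an unrelated top-level context.
const receiver = makeContext("receiver", null, [NAV, TOP_NAV]);
const nested = makeContext("nested", receiver, [NAV, TOP_NAV]);
const other = makeContext("other", null);

function scenario() {
  return {
    receiverNavigatesSelf: allowedToNavigate(receiver, receiver),
    nestedNavigatesTop: allowedToNavigate(nested, receiver),
    receiverNavigatesOther: allowedToNavigate(receiver, other),
    receiverNavigatesNested: allowedToNavigate(receiver, nested),
  };
}

console.log(scenario());
```

In this model no combination of the two flags makes `allowedToNavigate(receiver, receiver)` return false, which is the gap the issue describes.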