Re: [presentation-api] Receiving browsing context needs additional flags set

From: Anssi Kostiainen via GitHub <sysbot+gh@w3.org>
Date: Mon, 27 Feb 2017 13:12:31 +0000
To: public-secondscreen@w3.org
Message-ID: <issue_comment.created-282716160-1488201149-sysbot+gh@w3.org>
Setting _sandboxed top-level navigation browsing context flag_ is 
indeed required to ensure integrity. The presentation is effectively a
single-page application that must not be able to navigate. This 
should have been caught up in the security review, but better late 
than never. Good catch!

Looking at the _sandboxed modals flag_, it prevents content from using
the following:

* window.alert()
* window.confirm()
* window.print()
* window.prompt()

Also the following, but IIUC, not relevant here:

* window.showModalDialog() - This is already disallowed by the 
_sandboxed auxiliary navigation browsing context flag_ we set, and 
is also no longer in the _sandboxed modals flag_ list in HTML LS, so 
probably a spec bug in 5.1.

* the beforeunload event - In _terminate a presentation in a receiving
browsing context_ we _unload a document_, thus this event is never 
fired when a presentation is terminated (the beforeunload event is 
only fired when a user agent is to _prompt to unload a document_).

@mfoltzgoogle @schien How do your implementations handle alert(), 
confirm(), print(), or prompt()? How about we specify the implemented 
behaviour if it is consistent among known implementations?

GitHub Notification of comment by anssiko
Please view or discuss this issue at 
 using your GitHub account
Received on Monday, 27 February 2017 13:12:38 UTC
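
The three sandboxing flags named in the message above are the same ones that `sandbox` tokens clear on an iframe, so a policy string can be audited against them. This is an added example, not part of the original message or the specification text; the function names, flag labels and sample policy strings are constructed for illustration, and only the three flags discussed in the message are modelled.

```javascript
// Added illustration. Token-to-flag pairs follow HTML's "parse a sandboxing
// directive" algorithm, restricted to the flags named in the message.
const TOKEN_CLEARS_FLAG = {
  "allow-popups": "auxiliary-navigation",
  "allow-top-navigation": "top-level-navigation",
  "allow-modals": "modals",
};

// APIs the message lists as blocked while the sandboxed modals flag is set.
const MODAL_APIS = ["alert", "confirm", "print", "prompt"];

// Every flag starts out set; each recognised allow-* token clears one.
function parseSandboxFlags(directive) {
  const flags = new Set(Object.values(TOKEN_CLEARS_FLAG));
  // Tokens are split on ASCII whitespace and matched case-insensitively.
  for (const token of directive.split(/[ \t\n\f\r]+/)) {
    const cleared = TOKEN_CLEARS_FLAG[token.toLowerCase()];
    if (cleared) flags.delete(cleared);
  }
  return flags;
}

// Reports which of the protections discussed in the message a policy drops.
function auditReceiverPolicy(directive) {
  const flags = parseSandboxFlags(directive);
  const findings = [];
  if (!flags.has("top-level-navigation")) {
    findings.push("content can navigate the top-level browsing context");
  }
  if (!flags.has("auxiliary-navigation")) {
    findings.push("content can open auxiliary browsing contexts");
  }
  if (!flags.has("modals")) {
    const apis = MODAL_APIS.map((name) => `window.${name}()`).join(", ");
    findings.push(`modal APIs are usable: ${apis}`);
  }
  return {
    flags: [...flags].sort(),
    blockedModalApis: flags.has("modals") ? MODAL_APIS.slice() : [],
    findings,
  };
}

// Constructed sample policies: the first keeps all three flags set.
console.log(auditReceiverPolicy("allow-scripts allow-same-origin"));
console.log(auditReceiverPolicy("allow-scripts ALLOW-MODALS\tallow-top-navigation"));
```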

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:19:02 UTC