
Re: [presentation-api] Receiving browsing context needs additional flags set

From: Anssi Kostiainen via GitHub <sysbot+gh@w3.org>
Date: Mon, 27 Feb 2017 13:12:31 +0000
To: public-secondscreen@w3.org
Message-ID: <issue_comment.created-282716160-1488201149-sysbot+gh@w3.org>

Setting _sandboxed top-level navigation browsing context flag_ is indeed required to ensure integrity. The presentation is effectively a single-page application that must not be able to navigate. This should have been caught up in the security review, but better late than never. Good catch!

Looking at the _sandboxed modals flag_, it prevents content from using the following:

* window.alert()
* window.confirm()
* window.print()
* window.prompt()

Also the following, but IIUC, not relevant here:

* window.showModalDialog() - This is already disallowed by the _sandboxed auxiliary navigation browsing context flag_ we set, and also not anymore in the _sandboxed modals flag_ list in HTML LS (so probably a spec bug in 5.1).

* the beforeunload event - In _terminate a presentation in a receiving browsing context_ we _unload a document_, thus this event is never fired when a presentation is terminated (the beforeunload event is only fired when a user agent is to _prompt to unload a document_).

@mfoltzgoogle @schien How do your implementations handle alert(), confirm(), print(), or prompt()? How about we specify the implemented behaviour if it is consistent among known implementations?

-- 
GitHub Notification of comment by anssiko
Please view or discuss this issue at https://github.com/w3c/presentation-api/issues/414#issuecomment-282716160 using your GitHub account
Received on Monday, 27 February 2017 13:12:38 UTC
