[presentation-api] Pull Request: Clarifies restrictions on navigation in receiving browsing contexts.

mfoltzgoogle has just submitted a new pull request for https://github.com/w3c/presentation-api:

== Clarifies restrictions on navigation in receiving browsing contexts. ==
Addresses Issue #434: In receiver page, sandboxing flags do not fully block top-level navigation.

This adds two more specific requirements:
- Top-level browsing context can't navigate itself to a different URL, except for fragment navigation.
- Nested browsing contexts can't navigate the top-level browsing context by setting the _sandboxed top-level navigation browsing context flag_.

There might still be work to do here. For example, this doesn't directly address server-initiated navigation (HTTP redirects). If we really want to restrict the scope of where the top-level document can go, we may want to see if there are applicable mechanisms from Content Security Policy instead of (or in addition to) this language.


See https://github.com/w3c/presentation-api/pull/436

Received on Tuesday, 5 September 2017 22:30:34 UTC