[html5] r2823 - [] (0) Scripting being disabled didn't always block all scripts from being compiled.

whatwg at whatwg.org whatwg at whatwg.org
Fri Feb 13 15:13:24 PST 2009
Previous message: [html5] r2822 - [e] (0) Some of us are just in this for the fame. :-P
Next message: [html5] r2824 - [] (0) Clarify that sandbox's origin features only take effect at navigation.
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Author: ianh
Date: 2009-02-13 15:13:23 -0800 (Fri, 13 Feb 2009)
New Revision: 2823

Modified:
   index
   source
Log:
[] (0) Scripting being disabled didn't always block all scripts from being compiled.

Modified: index
===================================================================
--- index	2009-02-13 21:12:29 UTC (rev 2822)
+++ index	2009-02-13 23:13:23 UTC (rev 2823)
@@ -16780,6 +16780,14 @@
     <p>This flag <a href=#sandboxScriptBlocked>blocks script
     execution</a>.</p>
 
+    <p class=warning>If the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute is
+    dynamically added after the <code><a href=#the-iframe-element>iframe</a></code> has loaded a page,
+    scripts already compiled by that page (whether in
+    <code><a href=#script>script</a></code> elements, or in <a href=#event-handler-attributes-0>event handler
+    attributes</a>, or elsewhere) will continue to run. Only
+    <em>new</em> scripts will be prevented from executing by this
+    flag.</p>
+
    </dd>
 
   </dl><p>These flags must not be set unless the conditions listed above
@@ -16821,7 +16829,6 @@
   </div>
 
 
-
   <hr><p>The <dfn id=attr-iframe-seamless title=attr-iframe-seamless><code>seamless</code></dfn>
   attribute is a boolean attribute. When specified, it indicates that
   the <code><a href=#the-iframe-element>iframe</a></code> element's <a href=#browsing-context>browsing context</a> is
@@ -35471,7 +35478,12 @@
   language, a global object, a browsing context, a character encoding,
   and a base URL, the user agent must run the following steps:</p>
 
-  <ol><li><p>Set up a <a href=#script-execution-environment>script execution environment</a> as
+  <ol><li><p>If <a href=#concept-bc-noscript title=concept-bc-noscript>scripting is
+   disabled</a> for <a href=#browsing-context>browsing context</a> passed to this
+   algorithm, then abort these steps, as if the script did nothing but
+   return void.</p>
+
+   <li><p>Set up a <a href=#script-execution-environment>script execution environment</a> as
    appropriate for the scripting language.</li>
 
    <li><p>Parse/compile/initialize the source of the script using the
@@ -35755,7 +35767,8 @@
 
       <p>Let <var title="">result</var> be the return value of the
       <i><a href=#initial-code-entry-point>initial code entry-point</a></i> of this <a href=#concept-script title=concept-script>script</a>. If an exception was
-      raised, let <var title="">result</var> be void instead.</p>
+      raised, let <var title="">result</var> be void instead. (The
+      result will be void also if <a href=#concept-bc-noscript title=concept-bc-noscript>scripting is disabled</a>.)</p>
 
       <p>When it comes time to <a href="#set-the-document's-address">set the document's address</a>
       in the <a href=#navigate title=navigate>navigation algorithm</a>, use
@@ -35778,7 +35791,8 @@
 
       <p>Let <var title="">result</var> be the return value of the
       <i><a href=#initial-code-entry-point>initial code entry-point</a></i> of this <a href=#concept-script title=concept-script>script</a>. If an exception was
-      raised, let <var title="">result</var> be void instead.</p>
+      raised, let <var title="">result</var> be void instead. (The
+      result will be void also if <a href=#concept-bc-noscript title=concept-bc-noscript>scripting is disabled</a>.)</p>
 
      </dd>
 
@@ -35828,12 +35842,7 @@
 
   </div>
 
-  <p class=note>The rules for <a href=#create-a-script title="create a script">creating
-  a script</a> include making the script not execute (and just
-  return void) in certain cases, e.g. in a sandbox or when the user
-  has disabled scripting altogether.</p>
 
-
   <h4 id=events><span class=secno>5.5.6 </span>Events</h4>
 
 
@@ -35877,9 +35886,10 @@
   <!-- SCRIPT EXEC -->
   <p>When an event handler content attribute is set, if the element is
   owned by a <code>Document</code> that is in a <a href=#browsing-context>browsing
-  context</a>, the user agent must run the following steps to
-  create a <a href=#concept-script title=concept-script>script</a> after setting
-  the content attribute to its new value:</p>
+  context</a>, and <a href=#concept-bc-script title=concept-bc-script>scripting is
+  enabled</a> for that <a href=#browsing-context>browsing context</a>, the user
+  agent must run the following steps to create a <a href=#concept-script title=concept-script>script</a> after setting the content
+  attribute to its new value:</p>
 
   <ol><li><p>Set up a <a href=#script-execution-environment>script execution environment</a> for
    JavaScript.</li>
@@ -48958,7 +48968,7 @@
 
   <h5 id=other-parsing-state-flags><span class=secno>8.2.3.5 </span>Other parsing state flags</h5>
 
-  <p>The <dfn id=scripting-flag>scripting flag</dfn> is set to "enabled" if the <a href=#concept-n-script title=concept-n-script>scripting was enabled</a> for the
+  <p>The <dfn id=scripting-flag>scripting flag</dfn> is set to "enabled" if <a href=#concept-n-script title=concept-n-script>scripting was enabled</a> for the
   <code>Document</code> with which the parser is associated when the
   parser was created, and "disabled" otherwise.</p>
 

Modified: source
===================================================================
--- source	2009-02-13 21:12:29 UTC (rev 2822)
+++ source	2009-02-13 23:13:23 UTC (rev 2823)
@@ -17906,6 +17906,15 @@
     <p>This flag <a href="#sandboxScriptBlocked">blocks script
     execution</a>.</p>
 
+    <p class="warning">If the <code
+    title="attr-iframe-sandbox">sandbox</code> attribute is
+    dynamically added after the <code>iframe</code> has loaded a page,
+    scripts already compiled by that page (whether in
+    <code>script</code> elements, or in <span>event handler
+    attributes</span>, or elsewhere) will continue to run. Only
+    <em>new</em> scripts will be prevented from executing by this
+    flag.</p>
+
    </dd>
 
   </dl>
@@ -17951,7 +17960,6 @@
   </div>
 
 
-
   <hr>
 
 
@@ -40316,6 +40324,11 @@
 
   <ol>
 
+   <li><p>If <span title="concept-bc-noscript">scripting is
+   disabled</span> for <span>browsing context</span> passed to this
+   algorithm, then abort these steps, as if the script did nothing but
+   return void.</p>
+
    <li><p>Set up a <span>script execution environment</span> as
    appropriate for the scripting language.</p></li>
 
@@ -40650,7 +40663,9 @@
       <p>Let <var title="">result</var> be the return value of the
       <i>initial code entry-point</i> of this <span
       title="concept-script">script</span>. If an exception was
-      raised, let <var title="">result</var> be void instead.</p>
+      raised, let <var title="">result</var> be void instead. (The
+      result will be void also if <span
+      title="concept-bc-noscript">scripting is disabled</span>.)</p>
 
       <p>When it comes time to <span>set the document's address</span>
       in the <span title="navigate">navigation algorithm</span>, use
@@ -40674,7 +40689,9 @@
       <p>Let <var title="">result</var> be the return value of the
       <i>initial code entry-point</i> of this <span
       title="concept-script">script</span>. If an exception was
-      raised, let <var title="">result</var> be void instead.</p>
+      raised, let <var title="">result</var> be void instead. (The
+      result will be void also if <span
+      title="concept-bc-noscript">scripting is disabled</span>.)</p>
 
      </dd>
 
@@ -40732,12 +40749,7 @@
 
   </div>
 
-  <p class="note">The rules for <span title="create a script">creating
-  a script</span> include making the script not execute (and just
-  return void) in certain cases, e.g. in a sandbox or when the user
-  has disabled scripting altogether.</p>
 
-
   <h4>Events</h4>
 
 
@@ -40788,9 +40800,11 @@
   <!-- SCRIPT EXEC -->
   <p>When an event handler content attribute is set, if the element is
   owned by a <code>Document</code> that is in a <span>browsing
-  context</span>, the user agent must run the following steps to
-  create a <span title="concept-script">script</span> after setting
-  the content attribute to its new value:</p>
+  context</span>, and <span title="concept-bc-script">scripting is
+  enabled</span> for that <span>browsing context</span>, the user
+  agent must run the following steps to create a <span
+  title="concept-script">script</span> after setting the content
+  attribute to its new value:</p>
 
   <ol>
 
@@ -55961,7 +55975,7 @@
 
   <h5>Other parsing state flags</h5>
 
-  <p>The <dfn>scripting flag</dfn> is set to "enabled" if the <span
+  <p>The <dfn>scripting flag</dfn> is set to "enabled" if <span
   title="concept-n-script">scripting was enabled</span> for the
   <code>Document</code> with which the parser is associated when the
   parser was created, and "disabled" otherwise.</p>
Previous message: [html5] r2822 - [e] (0) Some of us are just in this for the fame. :-P
Next message: [html5] r2824 - [] (0) Clarify that sandbox's origin features only take effect at navigation.
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
More information about the Commit-Watchers mailing list