[html5] r1651 - /

whatwg at whatwg.org whatwg at whatwg.org
Tue May 20 20:51:21 PDT 2008


Author: ianh
Date: 2008-05-20 20:51:21 -0700 (Tue, 20 May 2008)
New Revision: 1651

Modified:
   index
   source
Log:
[] (0) Block document.cookies if the page is sandboxed. Add an example of sandboxing.

Modified: index
===================================================================
--- index	2008-05-21 03:16:01 UTC (rev 1650)
+++ index	2008-05-21 03:51:21 UTC (rev 1651)
@@ -2777,17 +2777,25 @@
    page to an <code title="">http:</code> page).
 
   <p>The <dfn id=cookie0 title=dom-document-cookie><code>cookie</code></dfn>
-   attribute must, on getting, return the same string as the value of the
-   <code title="">Cookie</code> HTTP header it would include if fetching the
+   attribute represents the cookies of the resource.
+
+  <p id=sandboxCookies>On getting, if the <a href="#sandboxed1">sandboxed
+   origin browsing context flag</a> is set on the <a
+   href="#browsing1">browsing context</a> of the document, the user agent
+   must raise a <a href="#security9">security exception</a>. Otherwise, it
+   must return the same string as the value of the <code
+   title="">Cookie</code> HTTP header it would include if fetching the
    resource indicated by <span>the document's address</span> over HTTP, as
    per RFC 2109 section 4.3.4. <a href="#refsRFC2109">[RFC2109]</a>
 
-  <p>On setting, the <code title=dom-document-cookie><a
-   href="#cookie0">cookie</a></code> attribute must cause the user agent to
-   act as it would when processing cookies if it had just attempted to fetch
-   <span>the document's address</span> over HTTP, and had received a response
-   with a <code>Set-Cookie</code> header whose value was the specified value,
-   as per RFC 2109 sections 4.3.1, 4.3.2, and 4.3.3. <a
+  <p>On setting, if the <a href="#sandboxed1">sandboxed origin browsing
+   context flag</a> is set on the <a href="#browsing1">browsing context</a>
+   of the document, the user agent must raise a <a href="#security9">security
+   exception</a>. Otherwise, the user agent must act as it would when
+   processing cookies if it had just attempted to fetch <span>the document's
+   address</span> over HTTP, and had received a response with a
+   <code>Set-Cookie</code> header whose value was the specified value, as per
+   RFC 2109 sections 4.3.1, 4.3.2, and 4.3.3. <a
    href="#refsRFC2109">[RFC2109]</a>
 
   <p class=note>Since the <code title=dom-document-cookie><a
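
Review bot: The id=sandboxCookies anchor sits only on the "On getting" paragraph, yet the "On setting" paragraph added below it carries the same sandboxed origin browsing context flag check and has no anchor of its own. A cross-reference to #sandboxCookies therefore lands on the getter rule alone; consider giving the setter paragraph its own id, or placing the anchor so that it covers both paragraphs.
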
@@ -14300,6 +14308,10 @@
      attribute or the <code title=dom-open><a
      href="#open2">window.open()</a></code> method.</p>
 
+    <p>Finally, this flag <a href="#sandboxCookies">prevents script from
+     reading the <code title=dom-document-cookies>document.cookies</code> DOM
+     attribute</a>.</p>
+
    <dt>The <dfn id=sandboxed0>sandboxed plugins browsing context flag</dfn>
 
    <dd>
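
Review bot: The added paragraph names the attribute "document.cookies" with title=dom-document-cookies, but the attribute defined in the first hunk of this file is "cookie" with title=dom-document-cookie (singular). Suggest <code title=dom-document-cookie>document.cookie</code> here so that the name and the title match the definition.
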
@@ -14307,8 +14319,8 @@
      title=plugin>plugins</a>, whether using <a
      href="#sandboxPluginEmbed">the <code>embed</code> element</a>, <a
      href="#sandboxPluginObject">the <code>object</code> element</a>, <a
-     href="#sandboxPluginApplet">the <code>applet</code> element</a>, or <a
-     href="#sandboxPluginNavigate">through navigation</a> of a <a
+     href="#sandboxPluginApplet">the <code>applet</code> element</a>, or
+     through <a href="#sandboxPluginNavigate">navigation</a> of a <a
      href="#nested0">nested browsing context</a>.</p>
 
    <dt>The <dfn id=sandboxed1>sandboxed origin browsing context flag</dfn>,
@@ -14365,6 +14377,25 @@
   <p>These flags must not be set unless the conditions listed above define
    them as being set.
 
+  <div class=example>
+   <p>In this example, some completely-unknown, potentially hostile,
+    user-provided HTML content is embedded in a page. Because it is
+    sandboxed, it is treated by the user agent as being from a unique origin,
+    despite the content being served from the same site. Thus it is affected
+    by all the normal cross-site restrictions. In addition, the embedded page
+    has scripting disabled, plugins disabled, forms disabled, and it cannot
+    navigate any frames or windows other than itself (or any frames or
+    windows it itself embeds).</p>
+
+   <pre><p>We're not scared of you! Here is your content, unedited:</p>
+<iframe src="getusercontent.cgi?id=12193"></iframe></pre>
+
+   <p>Note that cookies are still send to the server in the <code
+    title="">getusercontent.cgi</code> request, though they are not visible
+    in the <code title=dom-document-cookies>document.cookies</code> DOM
+    attribute.</p>
+  </div>
+
   <hr>
 
   <p>The <dfn id=seamless
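
Review bot: The iframe in the added <pre> has no sandbox attribute (it is written as <iframe src="getusercontent.cgi?id=12193">), while the paragraph above it says the content "is sandboxed" and lists restrictions that follow from that. As shown, the markup does not request any sandboxing for the user-provided content; the example should carry the attribute on the iframe, e.g. <iframe sandbox src="getusercontent.cgi?id=12193">.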

Modified: source
===================================================================
--- source	2008-05-21 03:16:01 UTC (rev 1650)
+++ source	2008-05-21 03:51:21 UTC (rev 1651)
@@ -1058,15 +1058,22 @@
 
 
   <p>The <dfn title="dom-document-cookie"><code>cookie</code></dfn>
-  attribute must, on getting, return the same string as the value of
-  the <code title="">Cookie</code> HTTP header it would include if
-  fetching the resource indicated by <span>the document's
-  address</span> over HTTP, as per RFC 2109 section 4.3.4. <a
-  href="#refsRFC2109">[RFC2109]</a></p>
+  attribute represents the cookies of the resource.</p>
 
-  <p>On setting, the <code title="dom-document-cookie">cookie</code>
-  attribute must cause the user agent to act as it would when
-  processing cookies if it had just attempted to fetch <span>the
+  <p id="sandboxCookies">On getting, if the <span>sandboxed origin
+  browsing context flag</span> is set on the <span>browsing
+  context</span> of the document, the user agent must raise a
+  <span>security exception</span>. Otherwise, it must return the same
+  string as the value of the <code title="">Cookie</code> HTTP header
+  it would include if fetching the resource indicated by <span>the
+  document's address</span> over HTTP, as per RFC 2109 section
+  4.3.4. <a href="#refsRFC2109">[RFC2109]</a></p>
+
+  <p>On setting, if the <span>sandboxed origin browsing context
+  flag</span> is set on the <span>browsing context</span> of the
+  document, the user agent must raise a <span>security
+  exception</span>. Otherwise, the user agent must act as it would
+  when processing cookies if it had just attempted to fetch <span>the
   document's address</span> over HTTP, and had received a response
   with a <code>Set-Cookie</code> header whose value was the specified
   value, as per RFC 2109 sections 4.3.1, 4.3.2, and 4.3.3. <a
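
Review bot: Both the "On getting" and the "On setting" paragraphs now require a security exception when the sandboxed origin browsing context flag is set, so a script that touches the attribute without a guard stops at that statement instead of seeing an empty string or a silently ignored write. A short note for authors saying that access throws in this case would make the behaviour explicit for anyone reading only this section.
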
@@ -12280,8 +12287,12 @@
   title="navigate">navigated</span>, that will further <span>delay the
   <code title="event-load">load</code> event</span>.</p>
 
+
+
   <hr>
 
+
+
   <p>The <dfn title="attr-iframe-sandbox"><code>sandbox</code></dfn>
   attribute, when specified, enables a set of extra restrictions on
   any content hosted by the <code>iframe</code>. Its value must be an
@@ -12316,6 +12327,11 @@
     <code title="attr-hyperlink-target">target</code> attribute or the
     <code title="dom-open">window.open()</code> method.</p>
 
+    <p>Finally, this flag <a href="#sandboxCookies">prevents script
+    from reading the <code
+    title="dom-document-cookies">document.cookies</code> DOM
+    attribute</a>.</p>
+
    </dd>
 
 
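
Review bot: The added sentence says the flag prevents script from "reading" the attribute, but the cookie hunk earlier in this file makes setting raise a security exception as well. Suggest "prevents script from reading or setting" so that the summary matches both requirements.
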
@@ -12328,8 +12344,9 @@
     href="#sandboxPluginEmbed">the <code>embed</code> element</a>, <a
     href="#sandboxPluginObject">the <code>object</code> element</a>,
     <a href="#sandboxPluginApplet">the <code>applet</code>
-    element</a>, or <a href="#sandboxPluginNavigate">through
-    navigation</a> of a <span>nested browsing context</span>.</p>
+    element</a>, or through <a
+    href="#sandboxPluginNavigate">navigation</a> of a <span>nested
+    browsing context</span>.</p>
 
    </dd>
 
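
Review bot: Moving "through" outside the <a href="#sandboxPluginNavigate"> link is an editorial change that the log message, which covers only the cookie blocking and the sandboxing example, does not mention. Consider committing it separately or adding it to the log so that the revision history stays searchable.
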
@@ -12402,8 +12419,35 @@
   <p>These flags must not be set unless the conditions listed above
   define them as being set.</p>
 
+  <div class="example">
+
+   <p>In this example, some completely-unknown, potentially hostile,
+   user-provided HTML content is embedded in a page. Because it is
+   sandboxed, it is treated by the user agent as being from a unique
+   origin, despite the content being served from the same site. Thus
+   it is affected by all the normal cross-site restrictions. In
+   addition, the embedded page has scripting disabled, plugins
+   disabled, forms disabled, and it cannot navigate any frames or
+   windows other than itself (or any frames or windows it itself
+   embeds).</p>
+
+   <pre><p>We're not scared of you! Here is your content, unedited:</p>
+<iframe src="getusercontent.cgi?id=12193"></iframe></pre>
+
+   <p>Note that cookies are still send to the server in the <code
+   title="">getusercontent.cgi</code> request, though they are not
+   visible in the <code
+   title="dom-document-cookies">document.cookies</code> DOM
+   attribute.</p>
+
+  </div>
+
+
+
   <hr>
 
+
+
   <p>The <dfn title="attr-iframe-seamless"><code>seamless</code></dfn>
   attribute is a boolean attribute. When specified, it indicates that
   the <code>iframe</code> element's <span>browsing context</span> is
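
Review bot: In the closing paragraph of the example, "cookies are still send to the server" should read "sent", and "not visible in" understates the rule added in the cookie hunk, where access raises a security exception. Suggest wording along the lines of "though they cannot be read through the DOM attribute".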



