[html5] r4586 - [giow] (1) Freeze the sandbox flags and propagate them to nested browsing contexts.
whatwg at whatwg.org
Tue Jan 12 23:06:04 PST 2010
Author: ianh
Date: 2010-01-12 23:06:01 -0800 (Tue, 12 Jan 2010)
New Revision: 4586
Modified:
complete.html
index
source
Log:
[giow] (1) Freeze the sandbox flags and propagate them to nested browsing contexts.
Modified: complete.html
===================================================================
--- complete.html 2010-01-13 03:30:28 UTC (rev 4585)
+++ complete.html 2010-01-13 07:06:01 UTC (rev 4586)
@@ -19684,10 +19684,12 @@
<p>While the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code>
attribute is specified, the <code><a href=#the-iframe-element>iframe</a></code> element's
- <a href=#nested-browsing-context>nested browsing context</a>, and all the browsing contexts
- <a href=#nested-browsing-context title="nested browsing context">nested</a> within it
- (either directly or indirectly through other nested browsing
- contexts) must have the following flags set:</p>
+ <a href=#nested-browsing-context>nested browsing context</a> must have the flags given in
+ the following list set. In addition, any browsing contexts <a href=#nested-browsing-context title="nested browsing context">nested</a> within an
+ <code><a href=#the-iframe-element>iframe</a></code>, either directly or indirectly, must have all
+ the flags set on them as were set on the <code><a href=#the-iframe-element>iframe</a></code>'s
+ <code>Document</code>'s <a href=#browsing-context>browsing context</a> when the
+ <code>iframe<code>'s <code>Document</code> was created.</code></code></p>
<dl><dt>The <dfn id=sandboxed-navigation-browsing-context-flag>sandboxed navigation browsing context flag</dfn></dt>
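Review bot: The added sentence ("any browsing contexts nested within an iframe ... as were set on the iframe's Document's browsing context") leaves two referents open. "An iframe" is no longer tied to the sandboxed iframe the paragraph starts with, and "the iframe's Document" can be read either as the Document that contains the iframe element or as the Document loaded inside it. The example added later in this revision relies on the first reading (page D inherits what was set on B's browsing context when B was loaded), so the normative text should say so explicitly, for instance "the Document that contains the iframe element", since this sentence decides which restrictions a nested page inherits.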
@@ -19843,6 +19845,46 @@
</div>
+ <div class=example>
+
+ <p>Suppose a file A contained the following fragment:</p>
+
+ <pre><iframe sandbox="allow-same-origin allow-forms" src=B></iframe></pre>
+
+ <p>Suppose that file B contained an iframe also:</p>
+
+ <pre><iframe sandbox="allow-scripts" src=C></iframe></pre>
+
+ <p>Further, suppose that file C contained a link:</p>
+
+ <pre><a href=D>Link</a></pre>
+
+ <p>For this example, suppose all the files were served as
+ <code><a href=#text/html>text/html</a></code>.</p>
+
+ <p>Page C in this scenario has all the sandboxing flags
+ set. Scripts are disabled, because the <code><a href=#the-iframe-element>iframe</a></code> in A has
+ scripts disabled, and this overrides the <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code>
+ keyword set on the <code><a href=#the-iframe-element>iframe</a></code> in B. Forms are also
+ disabled, because the inner <code><a href=#the-iframe-element>iframe</a></code> (in B) does not
+ have the <code title=attr-iframe-sandbox-allow-forms><a href=#attr-iframe-sandbox-allow-forms>allow-forms</a></code> keyword
+ set.</p>
+
+ <p>Suppose now that a script in A removes all the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attributes in A and
+ B. This would change nothing immediately. If the user clicked the
+ link in C, loading page D into the <code><a href=#the-iframe-element>iframe</a></code> in B, page D
+ would now act as if the <code><a href=#the-iframe-element>iframe</a></code> in B had the <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code>
+ and <code title=attr-iframe-sandbox-allow-forms><a href=#attr-iframe-sandbox-allow-forms>allow-forms</a></code> keywords
+ set, because that was the state of the <a href=#nested-browsing-context>nested browsing
+ context</a> in the <code><a href=#the-iframe-element>iframe</a></code> in A when page B was
+ loaded.</p>
+
+ <p>Generally speaking, dynamically removing or changing the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute is
+ ill-advised, because it can make it quite hard to reason about what
+ will be allowed and what will not.</p>
+
+ </div>
+
<p class=note>Potentially hostile files can be served from the
same server as the file containing the <code><a href=#the-iframe-element>iframe</a></code> element
by labeling them as <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code> instead of
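Review bot: The paragraph beginning "Suppose now that a script in A removes all the sandbox attributes" states which keywords page D behaves as having (allow-same-origin and allow-forms) but never says that scripts stay disabled in D, which is the consequence an author relying on the sandbox most needs to see. Suggest adding a sentence saying so. The same paragraph says "when page B was loaded" where the normative sentence changed earlier in this revision says "when the iframe's Document was created"; using one term in both places would avoid the question of whether they are the same moment.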
Modified: index
===================================================================
--- index 2010-01-13 03:30:28 UTC (rev 4585)
+++ index 2010-01-13 07:06:01 UTC (rev 4586)
@@ -19584,10 +19584,12 @@
<p>While the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code>
attribute is specified, the <code><a href=#the-iframe-element>iframe</a></code> element's
- <a href=#nested-browsing-context>nested browsing context</a>, and all the browsing contexts
- <a href=#nested-browsing-context title="nested browsing context">nested</a> within it
- (either directly or indirectly through other nested browsing
- contexts) must have the following flags set:</p>
+ <a href=#nested-browsing-context>nested browsing context</a> must have the flags given in
+ the following list set. In addition, any browsing contexts <a href=#nested-browsing-context title="nested browsing context">nested</a> within an
+ <code><a href=#the-iframe-element>iframe</a></code>, either directly or indirectly, must have all
+ the flags set on them as were set on the <code><a href=#the-iframe-element>iframe</a></code>'s
+ <code>Document</code>'s <a href=#browsing-context>browsing context</a> when the
+ <code>iframe<code>'s <code>Document</code> was created.</code></code></p>
<dl><dt>The <dfn id=sandboxed-navigation-browsing-context-flag>sandboxed navigation browsing context flag</dfn></dt>
@@ -19743,6 +19745,46 @@
</div>
+ <div class=example>
+
+ <p>Suppose a file A contained the following fragment:</p>
+
+ <pre><iframe sandbox="allow-same-origin allow-forms" src=B></iframe></pre>
+
+ <p>Suppose that file B contained an iframe also:</p>
+
+ <pre><iframe sandbox="allow-scripts" src=C></iframe></pre>
+
+ <p>Further, suppose that file C contained a link:</p>
+
+ <pre><a href=D>Link</a></pre>
+
+ <p>For this example, suppose all the files were served as
+ <code><a href=#text/html>text/html</a></code>.</p>
+
+ <p>Page C in this scenario has all the sandboxing flags
+ set. Scripts are disabled, because the <code><a href=#the-iframe-element>iframe</a></code> in A has
+ scripts disabled, and this overrides the <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code>
+ keyword set on the <code><a href=#the-iframe-element>iframe</a></code> in B. Forms are also
+ disabled, because the inner <code><a href=#the-iframe-element>iframe</a></code> (in B) does not
+ have the <code title=attr-iframe-sandbox-allow-forms><a href=#attr-iframe-sandbox-allow-forms>allow-forms</a></code> keyword
+ set.</p>
+
+ <p>Suppose now that a script in A removes all the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attributes in A and
+ B. This would change nothing immediately. If the user clicked the
+ link in C, loading page D into the <code><a href=#the-iframe-element>iframe</a></code> in B, page D
+ would now act as if the <code><a href=#the-iframe-element>iframe</a></code> in B had the <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code>
+ and <code title=attr-iframe-sandbox-allow-forms><a href=#attr-iframe-sandbox-allow-forms>allow-forms</a></code> keywords
+ set, because that was the state of the <a href=#nested-browsing-context>nested browsing
+ context</a> in the <code><a href=#the-iframe-element>iframe</a></code> in A when page B was
+ loaded.</p>
+
+ <p>Generally speaking, dynamically removing or changing the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute is
+ ill-advised, because it can make it quite hard to reason about what
+ will be allowed and what will not.</p>
+
+ </div>
+
<p class=note>Potentially hostile files can be served from the
same server as the file containing the <code><a href=#the-iframe-element>iframe</a></code> element
by labeling them as <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code> instead of
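Review bot: The paragraph "Page C in this scenario has all the sandboxing flags set" justifies only two of them, scripts and forms. The iframe in B also omits allow-same-origin, and the example does not say what that means for C even though the iframe in A specified that keyword. A sentence covering the origin restriction, in the same style as the scripts and forms sentences, would make the example complete.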
Modified: source
===================================================================
--- source 2010-01-13 03:30:28 UTC (rev 4585)
+++ source 2010-01-13 07:06:01 UTC (rev 4586)
@@ -20942,10 +20942,13 @@
<p>While the <code title="attr-iframe-sandbox">sandbox</code>
attribute is specified, the <code>iframe</code> element's
- <span>nested browsing context</span>, and all the browsing contexts
- <span title="nested browsing context">nested</span> within it
- (either directly or indirectly through other nested browsing
- contexts) must have the following flags set:</p>
+ <span>nested browsing context</span> must have the flags given in
+ the following list set. In addition, any browsing contexts <span
+ title="nested browsing context">nested</span> within an
+ <code>iframe</code>, either directly or indirectly, must have all
+ the flags set on them as were set on the <code>iframe</code>'s
+ <code>Document</code>'s <span>browsing context</span> when the
+ <code>iframe<code>'s <code>Document</code> was created.</p>
<dl>
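Review bot: The last added line has an opening tag where a closing one is needed: "<code>iframe<code>'s" should be "<code>iframe</code>'s". As written the element is never closed, and the generated complete.html and index in this same revision end the paragraph with "was created.</code></code></p>", so the rest of the sentence ends up inside nested code elements. Fix it here in source and regenerate the two derived files.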
@@ -21121,6 +21124,52 @@
</div>
+ <div class="example">
+
+ <p>Suppose a file A contained the following fragment:</p>
+
+ <pre><iframe sandbox="allow-same-origin allow-forms" src=B></iframe></pre>
+
+ <p>Suppose that file B contained an iframe also:</p>
+
+ <pre><iframe sandbox="allow-scripts" src=C></iframe></pre>
+
+ <p>Further, suppose that file C contained a link:</p>
+
+ <pre><a href=D>Link</a></pre>
+
+ <p>For this example, suppose all the files were served as
+ <code>text/html</code>.</p>
+
+ <p>Page C in this scenario has all the sandboxing flags
+ set. Scripts are disabled, because the <code>iframe</code> in A has
+ scripts disabled, and this overrides the <code
+ title="attr-iframe-sandbox-allow-scripts">allow-scripts</code>
+ keyword set on the <code>iframe</code> in B. Forms are also
+ disabled, because the inner <code>iframe</code> (in B) does not
+ have the <code
+ title="attr-iframe-sandbox-allow-forms">allow-forms</code> keyword
+ set.</p>
+
+ <p>Suppose now that a script in A removes all the <code
+ title="attr-iframe-sandbox">sandbox</code> attributes in A and
+ B. This would change nothing immediately. If the user clicked the
+ link in C, loading page D into the <code>iframe</code> in B, page D
+ would now act as if the <code>iframe</code> in B had the <code
+ title="attr-iframe-sandbox-allow-same-origin">allow-same-origin</code>
+ and <code
+ title="attr-iframe-sandbox-allow-forms">allow-forms</code> keywords
+ set, because that was the state of the <span>nested browsing
+ context</span> in the <code>iframe</code> in A when page B was
+ loaded.</p>
+
+ <p>Generally speaking, dynamically removing or changing the <code
+ title="attr-iframe-sandbox">sandbox</code> attribute is
+ ill-advised, because it can make it quite hard to reason about what
+ will be allowed and what will not.</p>
+
+ </div>
+
<p class="note">Potentially hostile files can be served from the
same server as the file containing the <code>iframe</code> element
by labeling them as <code>text/html-sandboxed</code> instead of
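Review bot: "This would change nothing immediately" in the sandbox-removal paragraph is not backed by a normative statement in the lines this revision changes. The revised requirement still opens with "While the sandbox attribute is specified, the iframe element's nested browsing context must have the flags ... set", which reads as tracking the attribute live, and the frozen behaviour is spelled out only for contexts nested further down. Suggest either stating next to that requirement when a changed or removed attribute takes effect for the iframe's own nested browsing context, or pointing from the example to the text that does.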