[html5] r4982 - [agiow] (1) Make <iframe sandbox> also block autoplay, autofocus, and meta refresh.

whatwg at whatwg.org whatwg at whatwg.org
Tue Apr 6 22:10:27 PDT 2010


Author: ianh
Date: 2010-04-06 22:10:26 -0700 (Tue, 06 Apr 2010)
New Revision: 4982

Modified:
   complete.html
   index
   source
Log:
[agiow] (1) Make <iframe sandbox> also block autoplay, autofocus, and meta refresh.

Modified: complete.html
===================================================================
--- complete.html	2010-04-07 00:29:45 UTC (rev 4981)
+++ complete.html	2010-04-07 05:10:26 UTC (rev 4982)
@@ -12870,9 +12870,14 @@
 
       <ul><li><p>Set a timer so that in <var title="">time</var> seconds,
        adjusted to take into account user or user agent preferences,
-       if the user has not canceled the redirect, the user agent <a href=#navigate title=navigate>navigates</a> the document's browsing
-       context to <var title="">url</var>, with <a href=#replacement-enabled>replacement
-       enabled</a>, and with the document's browsing context as the
+       if the user has not canceled the redirect and if the
+       <code><a href=#meta>meta</a></code> element's <code><a href=#document>Document</a></code>'s
+       <a href=#browsing-context>browsing context</a> did not have the <a href=#sandboxed-automatic-features-browsing-context-flag>sandboxed
+       automatic features browsing context flag</a> set when the
+       <code><a href=#document>Document</a></code> was created, the user agent <a href=#navigate title=navigate>navigates</a> the <code><a href=#document>Document</a></code>'s
+       <a href=#browsing-context>browsing context</a> to <var title="">url</var>, with
+       <a href=#replacement-enabled>replacement enabled</a>, and with the
+       <code><a href=#document>Document</a></code>'s <a href=#browsing-context>browsing context</a> as the
        <a href=#source-browsing-context>source browsing context</a>.</li>
 
        <li><p>Provide the user with an interface that, when selected,
@@ -21375,6 +21380,26 @@
 
    </dd>
 
+
+   <dt>The <dfn id=sandboxed-automatic-features-browsing-context-flag>sandboxed automatic features browsing context
+   flag</dfn>, unless the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute's value, when
+   <a href=#split-a-string-on-spaces title="split a string on spaces">split on spaces</a>, is
+   found to have the <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code>
+   keyword (defined above) set</dt>
+
+   <dd>
+
+    <p>This flag blocks features that trigger automatically, such as
+    <a href=#attr-media-autoplay title=attr-media-autoplay>automatically playing a
+    video</a> or <a href=#attr-fe-autofocus title=attr-fe-autofocus>automatically
+    focusing a form control</a>. It is relaxed by the same flag as
+    scripts, because when scripts are enabled these features are
+    trivially possible anyway, and it would be unfortunate to force
+    authors to use script to do them when sandboxed rather than
+    allowing them to use the declarative features.</p>
+
+   </dd>
+
   </dl><p>These flags must not be set unless the conditions listed above
   define them as being set.</p>
 
@@ -24737,10 +24762,14 @@
 
     <p>If the <a href=#autoplaying-flag>autoplaying flag</a> is true, and the <code title=dom-media-paused><a href=#dom-media-paused>paused</a></code> attribute is true, and the
     <a href=#media-element>media element</a> has an <code title=attr-media-autoplay><a href=#attr-media-autoplay>autoplay</a></code> attribute specified,
-    then the user agent may also set the <code title=dom-media-paused><a href=#dom-media-paused>paused</a></code> attribute to false,
+    and the <a href=#media-element>media element</a> is in a <code><a href=#document>Document</a></code>
+    whose <a href=#browsing-context>browsing context</a> did not have the
+    <a href=#sandboxed-automatic-features-browsing-context-flag>sandboxed automatic features browsing context flag</a>
+    set when the <code><a href=#document>Document</a></code> was created, then the user
+    agent may also set the <code title=dom-media-paused><a href=#dom-media-paused>paused</a></code> attribute to false,
     <a href=#queue-a-task>queue a task</a> to <a href=#fire-a-simple-event>fire a simple event</a>
-    named <code title=event-media-play><a href=#event-media-play>play</a></code>, and <a href=#queue-a-task>queue a
-    task</a> to <a href=#fire-a-simple-event>fire a simple event</a> named <code title=event-media-playing><a href=#event-media-playing>playing</a></code>.</p>
+    named <code title=event-media-play><a href=#event-media-play>play</a></code>, and <a href=#queue-a-task>queue
+    a task</a> to <a href=#fire-a-simple-event>fire a simple event</a> named <code title=event-media-playing><a href=#event-media-playing>playing</a></code>.</p>
 
     <p class=note>User agents are not required to autoplay, and it
     is suggested that user agents honor user preferences on the
@@ -40957,13 +40986,16 @@
 
   <p>Whenever an element with the <code title=attr-fe-autofocus><a href=#attr-fe-autofocus>autofocus</a></code> attribute specified is
   <a href=#insert-an-element-into-a-document title="insert an element into a document">inserted into a
-  document</a>, the user agent should <a href=#queue-a-task>queue a task</a>
-  that checks to see if the element is <a href=#focusable>focusable</a>, and if
-  so, runs the <a href=#focusing-steps>focusing steps</a> for that element. User
-  agents may also change the scrolling position of the document, or
-  perform some other action that brings the element to the user's
-  attention. The <a href=#task-source>task source</a> for this task is the
-  <a href=#dom-manipulation-task-source>DOM manipulation task source</a>.</p>
+  document</a> whose <a href=#browsing-context>browsing context</a> did not have the
+  <a href=#sandboxed-automatic-features-browsing-context-flag>sandboxed automatic features browsing context flag</a> set
+  when the <code><a href=#document>Document</a></code> was created, the user agent should
+  <a href=#queue-a-task>queue a task</a> that checks to see if the element is
+  <a href=#focusable>focusable</a>, and if so, runs the <a href=#focusing-steps>focusing
+  steps</a> for that element. User agents may also change the
+  scrolling position of the document, or perform some other action
+  that brings the element to the user's attention. The <a href=#task-source>task
+  source</a> for this task is the <a href=#dom-manipulation-task-source>DOM manipulation task
+  source</a>.</p>
 
   <p>User agents may ignore this attribute if the user has indicated
   (for example, by starting to type in a form control) that he does

Modified: index
===================================================================
--- index	2010-04-07 00:29:45 UTC (rev 4981)
+++ index	2010-04-07 05:10:26 UTC (rev 4982)
@@ -12768,9 +12768,14 @@
 
       <ul><li><p>Set a timer so that in <var title="">time</var> seconds,
        adjusted to take into account user or user agent preferences,
-       if the user has not canceled the redirect, the user agent <a href=#navigate title=navigate>navigates</a> the document's browsing
-       context to <var title="">url</var>, with <a href=#replacement-enabled>replacement
-       enabled</a>, and with the document's browsing context as the
+       if the user has not canceled the redirect and if the
+       <code><a href=#meta>meta</a></code> element's <code><a href=#document>Document</a></code>'s
+       <a href=#browsing-context>browsing context</a> did not have the <a href=#sandboxed-automatic-features-browsing-context-flag>sandboxed
+       automatic features browsing context flag</a> set when the
+       <code><a href=#document>Document</a></code> was created, the user agent <a href=#navigate title=navigate>navigates</a> the <code><a href=#document>Document</a></code>'s
+       <a href=#browsing-context>browsing context</a> to <var title="">url</var>, with
+       <a href=#replacement-enabled>replacement enabled</a>, and with the
+       <code><a href=#document>Document</a></code>'s <a href=#browsing-context>browsing context</a> as the
        <a href=#source-browsing-context>source browsing context</a>.</li>
 
        <li><p>Provide the user with an interface that, when selected,
@@ -21276,6 +21281,26 @@
 
    </dd>
 
+
+   <dt>The <dfn id=sandboxed-automatic-features-browsing-context-flag>sandboxed automatic features browsing context
+   flag</dfn>, unless the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute's value, when
+   <a href=#split-a-string-on-spaces title="split a string on spaces">split on spaces</a>, is
+   found to have the <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code>
+   keyword (defined above) set</dt>
+
+   <dd>
+
+    <p>This flag blocks features that trigger automatically, such as
+    <a href=#attr-media-autoplay title=attr-media-autoplay>automatically playing a
+    video</a> or <a href=#attr-fe-autofocus title=attr-fe-autofocus>automatically
+    focusing a form control</a>. It is relaxed by the same flag as
+    scripts, because when scripts are enabled these features are
+    trivially possible anyway, and it would be unfortunate to force
+    authors to use script to do them when sandboxed rather than
+    allowing them to use the declarative features.</p>
+
+   </dd>
+
   </dl><p>These flags must not be set unless the conditions listed above
   define them as being set.</p>
 
@@ -24638,10 +24663,14 @@
 
     <p>If the <a href=#autoplaying-flag>autoplaying flag</a> is true, and the <code title=dom-media-paused><a href=#dom-media-paused>paused</a></code> attribute is true, and the
     <a href=#media-element>media element</a> has an <code title=attr-media-autoplay><a href=#attr-media-autoplay>autoplay</a></code> attribute specified,
-    then the user agent may also set the <code title=dom-media-paused><a href=#dom-media-paused>paused</a></code> attribute to false,
+    and the <a href=#media-element>media element</a> is in a <code><a href=#document>Document</a></code>
+    whose <a href=#browsing-context>browsing context</a> did not have the
+    <a href=#sandboxed-automatic-features-browsing-context-flag>sandboxed automatic features browsing context flag</a>
+    set when the <code><a href=#document>Document</a></code> was created, then the user
+    agent may also set the <code title=dom-media-paused><a href=#dom-media-paused>paused</a></code> attribute to false,
     <a href=#queue-a-task>queue a task</a> to <a href=#fire-a-simple-event>fire a simple event</a>
-    named <code title=event-media-play><a href=#event-media-play>play</a></code>, and <a href=#queue-a-task>queue a
-    task</a> to <a href=#fire-a-simple-event>fire a simple event</a> named <code title=event-media-playing><a href=#event-media-playing>playing</a></code>.</p>
+    named <code title=event-media-play><a href=#event-media-play>play</a></code>, and <a href=#queue-a-task>queue
+    a task</a> to <a href=#fire-a-simple-event>fire a simple event</a> named <code title=event-media-playing><a href=#event-media-playing>playing</a></code>.</p>
 
     <p class=note>User agents are not required to autoplay, and it
     is suggested that user agents honor user preferences on the
@@ -40858,13 +40887,16 @@
 
   <p>Whenever an element with the <code title=attr-fe-autofocus><a href=#attr-fe-autofocus>autofocus</a></code> attribute specified is
   <a href=#insert-an-element-into-a-document title="insert an element into a document">inserted into a
-  document</a>, the user agent should <a href=#queue-a-task>queue a task</a>
-  that checks to see if the element is <a href=#focusable>focusable</a>, and if
-  so, runs the <a href=#focusing-steps>focusing steps</a> for that element. User
-  agents may also change the scrolling position of the document, or
-  perform some other action that brings the element to the user's
-  attention. The <a href=#task-source>task source</a> for this task is the
-  <a href=#dom-manipulation-task-source>DOM manipulation task source</a>.</p>
+  document</a> whose <a href=#browsing-context>browsing context</a> did not have the
+  <a href=#sandboxed-automatic-features-browsing-context-flag>sandboxed automatic features browsing context flag</a> set
+  when the <code><a href=#document>Document</a></code> was created, the user agent should
+  <a href=#queue-a-task>queue a task</a> that checks to see if the element is
+  <a href=#focusable>focusable</a>, and if so, runs the <a href=#focusing-steps>focusing
+  steps</a> for that element. User agents may also change the
+  scrolling position of the document, or perform some other action
+  that brings the element to the user's attention. The <a href=#task-source>task
+  source</a> for this task is the <a href=#dom-manipulation-task-source>DOM manipulation task
+  source</a>.</p>
 
   <p>User agents may ignore this attribute if the user has indicated
   (for example, by starting to type in a form control) that he does

Modified: source
===================================================================
--- source	2010-04-07 00:29:45 UTC (rev 4981)
+++ source	2010-04-07 05:10:26 UTC (rev 4982)
@@ -13454,10 +13454,15 @@
 
        <li><p>Set a timer so that in <var title="">time</var> seconds,
        adjusted to take into account user or user agent preferences,
-       if the user has not canceled the redirect, the user agent <span
-       title="navigate">navigates</span> the document's browsing
-       context to <var title="">url</var>, with <span>replacement
-       enabled</span>, and with the document's browsing context as the
+       if the user has not canceled the redirect and if the
+       <code>meta</code> element's <code>Document</code>'s
+       <span>browsing context</span> did not have the <span>sandboxed
+       automatic features browsing context flag</span> set when the
+       <code>Document</code> was created, the user agent <span
+       title="navigate">navigates</span> the <code>Document</code>'s
+       <span>browsing context</span> to <var title="">url</var>, with
+       <span>replacement enabled</span>, and with the
+       <code>Document</code>'s <span>browsing context</span> as the
        <span>source browsing context</span>.</p></li>
 
        <li><p>Provide the user with an interface that, when selected,
@@ -22768,6 +22773,28 @@
 
    </dd>
 
+
+   <dt>The <dfn>sandboxed automatic features browsing context
+   flag</dfn>, unless the <code
+   title="attr-iframe-sandbox">sandbox</code> attribute's value, when
+   <span title="split a string on spaces">split on spaces</span>, is
+   found to have the <code
+   title="attr-iframe-sandbox-allow-scripts">allow-scripts</code>
+   keyword (defined above) set</dt>
+
+   <dd>
+
+    <p>This flag blocks features that trigger automatically, such as
+    <span title="attr-media-autoplay">automatically playing a
+    video</span> or <span title="attr-fe-autofocus">automatically
+    focusing a form control</span>. It is relaxed by the same flag as
+    scripts, because when scripts are enabled these features are
+    trivially possible anyway, and it would be unfortunate to force
+    authors to use script to do them when sandboxed rather than
+    allowing them to use the declarative features.</p>
+
+   </dd>
+
   </dl>
 
   <p>These flags must not be set unless the conditions listed above
@@ -26649,11 +26676,15 @@
     title="dom-media-paused">paused</code> attribute is true, and the
     <span>media element</span> has an <code
     title="attr-media-autoplay">autoplay</code> attribute specified,
-    then the user agent may also set the <code
+    and the <span>media element</span> is in a <code>Document</code>
+    whose <span>browsing context</span> did not have the
+    <span>sandboxed automatic features browsing context flag</span>
+    set when the <code>Document</code> was created, then the user
+    agent may also set the <code
     title="dom-media-paused">paused</code> attribute to false,
     <span>queue a task</span> to <span>fire a simple event</span>
-    named <code title="event-media-play">play</code>, and <span>queue a
-    task</span> to <span>fire a simple event</span> named <code
+    named <code title="event-media-play">play</code>, and <span>queue
+    a task</span> to <span>fire a simple event</span> named <code
     title="event-media-playing">playing</code>.</p>
 
     <p class="note">User agents are not required to autoplay, and it
@@ -45609,13 +45640,16 @@
   <p>Whenever an element with the <code
   title="attr-fe-autofocus">autofocus</code> attribute specified is
   <span title="insert an element into a document">inserted into a
-  document</span>, the user agent should <span>queue a task</span>
-  that checks to see if the element is <span>focusable</span>, and if
-  so, runs the <span>focusing steps</span> for that element. User
-  agents may also change the scrolling position of the document, or
-  perform some other action that brings the element to the user's
-  attention. The <span>task source</span> for this task is the
-  <span>DOM manipulation task source</span>.</p>
+  document</span> whose <span>browsing context</span> did not have the
+  <span>sandboxed automatic features browsing context flag</span> set
+  when the <code>Document</code> was created, the user agent should
+  <span>queue a task</span> that checks to see if the element is
+  <span>focusable</span>, and if so, runs the <span>focusing
+  steps</span> for that element. User agents may also change the
+  scrolling position of the document, or perform some other action
+  that brings the element to the user's attention. The <span>task
+  source</span> for this task is the <span>DOM manipulation task
+  source</span>.</p>
 
   <p>User agents may ignore this attribute if the user has indicated
   (for example, by starting to type in a form control) that he does




More information about the Commit-Watchers mailing list