[html5] r7411 - [giow] (1) Also sandbox the initial about:blank document of an <iframe sandbox>. [...]

whatwg at whatwg.org
Wed Sep 26 14:58:21 PDT 2012


Author: ianh
Date: 2012-09-26 14:58:19 -0700 (Wed, 26 Sep 2012)
New Revision: 7411

Modified:
   complete.html
   index
   source
Log:
[giow] (1) Also sandbox the initial about:blank document of an <iframe sandbox>. Also, much cleanup.
Affected topics: HTML

Modified: complete.html
===================================================================
--- complete.html	2012-09-26 18:10:58 UTC (rev 7410)
+++ complete.html	2012-09-26 21:58:19 UTC (rev 7411)
@@ -26819,13 +26819,22 @@
   <p class=warning>Setting both the <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code> and <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code> keywords together when the
   embedded page has the <a href=#same-origin>same origin</a> as the page containing the <code><a href=#the-iframe-element>iframe</a></code>
   allows the embedded page to simply remove the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code>
-  attribute.</p>
+  attribute and then reload itself, effectively breaking out of the sandbox altogether.</p>
 
-  <p class=warning>Sandboxing hostile content is of minimal help if an attacker can convince the
-  user to just visit the hostile content directly, rather than in the <code><a href=#the-iframe-element>iframe</a></code>. To limit
-  the damage that can be caused by hostile HTML content, it should be served from a separate
-  dedicated domain.</p>
+  <p class=warning>These flags only take effect when the <a href=#nested-browsing-context>nested browsing context</a> of
+  the <code><a href=#the-iframe-element>iframe</a></code> is <a href=#navigate title=navigate>navigated</a>. Removing them, or removing the
+  entire <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute, has no effect on an
+  already-loaded page.</p>
 
+  <p class=warning>Potentially hostile files should not be served from the same server as the file
+  containing the <code><a href=#the-iframe-element>iframe</a></code> element. Sandboxing hostile content is of minimal help if an
+  attacker can convince the user to just visit the hostile content directly, rather than in the
+  <code><a href=#the-iframe-element>iframe</a></code>. To limit the damage that can be caused by hostile HTML content, it should be
+  served from a separate dedicated domain. Using a different domain ensures that scripts in the
+  files are unable to attack the site, even if the user is tricked into visiting those pages
+  directly, without the protection of the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code>
+  attribute.</p>
+
   <div class=impl>
 
   <!-- v2: Add a new attribute that enables new restrictions, e.g.:
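Review bot: the relocated warning "These flags only take effect when the nested browsing context of the iframe is navigated" is now incomplete given the purpose of this revision: the hunk below parses the directive before the initial about:blank Document is created, so the flags also take effect at creation of the nested browsing context. Suggest "These flags are applied when the nested browsing context is created and each time it is navigated; changing or removing them has no effect on an already-loaded page, including the initial about:blank Document." As a secondary point, the merged hosting warning states the same advice twice ("should not be served from the same server" and "should be served from a separate dedicated domain"); one of the two sentences can go.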
@@ -26835,16 +26844,18 @@
        - block access to 'parent.frames' from sandbox
   -->
 
-  <p>While the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute is set or changed, the
-  user agent must <a href=#parse-a-sandboxing-directive title="parse a sandboxing directive">parse the sandboxing directive</a>
-  using the attribute's value as the <var title="">input</var> and the <code><a href=#the-iframe-element>iframe</a></code> element's
-  <a href=#nested-browsing-context>nested browsing context</a>'s <a href=#iframe-sandboxing-flag-set><code>iframe</code> sandboxing flag set</a> as the
-  output.</p>
+  <p>When an <code><a href=#the-iframe-element>iframe</a></code> element with a <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code>
+  attribute has its <a href=#nested-browsing-context>nested browsing context</a> created (before the initial
+  <code><a href=#about:blank>about:blank</a></code> <code><a href=#document>Document</a></code> is created), and when an <code><a href=#the-iframe-element>iframe</a></code>
+  element's <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute is set or changed while it
+  has a <a href=#nested-browsing-context>nested browsing context</a>, the user agent must <a href=#parse-a-sandboxing-directive title="parse a sandboxing
+  directive">parse the sandboxing directive</a> using the attribute's value as the <var title="">input</var> and the <code><a href=#the-iframe-element>iframe</a></code> element's <a href=#nested-browsing-context>nested browsing context</a>'s
+  <a href=#iframe-sandboxing-flag-set><code>iframe</code> sandboxing flag set</a> as the output.</p>
 
-  <p class=warning>These flags only take effect when the <a href=#nested-browsing-context>nested browsing context</a> of
-  the <code><a href=#the-iframe-element>iframe</a></code> is <a href=#navigate title=navigate>navigated</a>. Removing them, or removing the
-  entire <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute, has no effect on an
-  already-loaded page.</p>
+  <p>When an <code><a href=#the-iframe-element>iframe</a></code> element's <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code>
+  attribute is removed while it has a <a href=#nested-browsing-context>nested browsing context</a>, the user agent must
+  empty the <code><a href=#the-iframe-element>iframe</a></code> element's <a href=#nested-browsing-context>nested browsing context</a>'s
+  <a href=#iframe-sandboxing-flag-set><code>iframe</code> sandboxing flag set</a> as the output.</p>
 
   </div>
 
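Review bot: the new removal paragraph ends with "empty the iframe element's nested browsing context's iframe sandboxing flag set as the output", but "as the output" only makes sense in the preceding parse step, where the flag set receives the parser's output; emptying a set has no output. Drop the phrase so the sentence ends at "sandboxing flag set". Also worth stating explicitly in that paragraph, as the author-facing warning does, that emptying the set does not affect the already-loaded Document, so implementers do not read it as a requirement to re-sandbox or un-sandbox live content.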
@@ -26910,19 +26921,7 @@
 
   </div>
 
-  <p class=note>Potentially hostile files should not be served from the same server as the file
-  containing the <code><a href=#the-iframe-element>iframe</a></code> element. Using a different domain ensures that scripts in the
-  files are unable to attack the site, even if the user is tricked into visiting those pages
-  directly, without the protection of the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code>
-  attribute.</p>
 
-  <p class=warning>If the <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code>
-  keyword is set along with <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code> keyword, and the file is
-  from the <a href=#same-origin>same origin</a> as the <code><a href=#the-iframe-element>iframe</a></code>'s <code><a href=#document>Document</a></code>, then a
-  script in the "sandboxed" iframe could just reach out, remove the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute, and then reload itself, effectively breaking
-  out of the sandbox altogether.</p>
-
-
   <hr><!-- SEAMLESS --><!-- v2: Might be interesting to have a value on seamless that allowed event propagation of some
   sort, maybe based on the WICD work: http://www.w3.org/TR/WICD/ --><p>The <dfn id=attr-iframe-seamless title=attr-iframe-seamless><code>seamless</code></dfn> attribute is a <a href=#boolean-attribute>boolean
   attribute</a>. When specified, it indicates that the <code><a href=#the-iframe-element>iframe</a></code> element's
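Review bot: the deletion leaves two consecutive blank lines between the closing `</div>` and the `<hr><!-- SEAMLESS -->` line; one of the removed paragraphs' trailing blank lines should be removed with it. The note and warning themselves are correctly folded into the earlier hunk, so nothing of substance is lost here.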
@@ -67216,14 +67215,15 @@
 
   <div class=impl>
 
-  <p>When a <a href=#browsing-context>browsing context</a> is first created, it must be
-  created with a single <code><a href=#document>Document</a></code> in its session history,
-  whose <a href="#the-document's-address" title="the document's address">address</a> is
-  <code><a href=#about:blank>about:blank</a></code>, which is marked as being an <a href=#html-documents title="HTML documents">HTML document</a>, whose <a href="#document's-character-encoding" title="document's character encoding">character encoding</a> is
-  UTF-8, and which is both <a href=#ready-for-post-load-tasks>ready for post-load tasks</a> and
-  <a href=#completely-loaded>completely loaded</a> immediately. The
-  <code><a href=#document>Document</a></code> must have a single child <code><a href=#the-html-element>html</a></code>
-  node, which itself has a single child <code><a href=#the-body-element>body</a></code> node.</p>
+  <p>When a <a href=#browsing-context>browsing context</a> is first created, it must be created with a single
+  <code><a href=#document>Document</a></code> in its session history, whose <a href="#the-document's-address" title="the document's
+  address">address</a> is <code><a href=#about:blank>about:blank</a></code>, which is marked as being an <a href=#html-documents title="HTML
+  documents">HTML document</a>, whose <a href="#document's-character-encoding" title="document's character encoding">character
+  encoding</a> is UTF-8, and which is both <a href=#ready-for-post-load-tasks>ready for post-load tasks</a> and
+  <a href=#completely-loaded>completely loaded</a> immediately. The <code><a href=#document>Document</a></code> must have a single child
+  <code><a href=#the-html-element>html</a></code> node, which itself has a single child <code><a href=#the-body-element>body</a></code> node. As soon as this
+  <code><a href=#document>Document</a></code> is created, the user agent must <a href=#implement-the-sandboxing>implement the sandboxing</a> for
+  it.</p>
 
   <p class=note>If the <a href=#browsing-context>browsing context</a> is created
   specifically to be immediately navigated, then that initial
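Review bot: "As soon as this Document is created, the user agent must implement the sandboxing for it" only has an effect if the flag sets it reads are already populated at that moment. The iframe hunk guarantees this for the iframe sandboxing flag set (it is parsed "before the initial about:blank Document is created"), but nothing in this hunk says the same for the popup sandboxing flag set of a top-level browsing context; please confirm that the window-opening path populates that set before the browsing context is created, or add a cross-reference here so the ordering requirement is visible to implementers.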
@@ -69571,10 +69571,38 @@
   <code><a href=#document>Document</a></code> is created, its <a href=#active-sandboxing-flag-set>active sandboxing flag
   set</a> must be empty. It is populated by the <a href=#navigate title=navigate>navigation algorithm</a>.</p>
 
+  <p>Every resource that is obtained by the <a href=#navigate title=navigate>navigation algorithm</a> has a <dfn id=forced-sandboxing-flag-set>forced
+  sandboxing flag set</dfn>, which is a <a href=#sandboxing-flag-set>sandboxing flag
+  set</a>. A resource by default has no flags set in its
+  <a href=#forced-sandboxing-flag-set>forced sandboxing flag set</a>, but other
+  specifications can define that certain flags are set.</p>
 
+  <p class=note>In particular, the <a href=#forced-sandboxing-flag-set>forced sandboxing flag
+  set</a> is used by the Content Security Policy specification.
+  <a href=#refsCSP>[CSP]</a></p>
 
-  <h3 id=history><span class=secno>6.5 </span>Session history and navigation</h3>
+  <hr><p>When a user agent is to <dfn id=implement-the-sandboxing>implement the sandboxing</dfn> for a <code><a href=#document>Document</a></code>, it
+  must populate <code><a href=#document>Document</a></code>'s <a href=#active-sandboxing-flag-set>active sandboxing flag set</a> with the union of
+  the flags that are present in the following <a href=#sandboxing-flag-set title="sandboxing flag set">sandboxing flag
+  sets</a> at the time the <code><a href=#document>Document</a></code> object is created:</p>
 
+  <ul><li><p>If the <code><a href=#document>Document</a></code>'s <a href=#browsing-context>browsing context</a> is a <a href=#top-level-browsing-context>top-level browsing
+   context</a>, then: the flags set on the <a href=#browsing-context>browsing context</a>'s <a href=#popup-sandboxing-flag-set>popup sandboxing
+   flag set</a>.</li>
+
+   <li><p>If the <code><a href=#document>Document</a></code>'s <a href=#browsing-context>browsing context</a> is a <a href=#nested-browsing-context>nested browsing
+   context</a>, then: the flags set on the <a href=#browsing-context>browsing context</a>'s
+   <a href=#iframe-sandboxing-flag-set><code>iframe</code> sandboxing flag set</a>.</li>
+
+   <li><p>If the <code><a href=#document>Document</a></code>'s <a href=#browsing-context>browsing context</a> is a <a href=#nested-browsing-context>nested browsing
+   context</a>, then: the flags set on the <a href=#browsing-context>browsing context</a>'s <a href=#parent-browsing-context>parent browsing
+   context</a>'s <a href=#active-document>active document</a>'s <a href=#active-sandboxing-flag-set>active sandboxing flag set</a>.</li>
+
+   <li><p>The flags set on the <code><a href=#document>Document</a></code>'s resource's <a href=#forced-sandboxing-flag-set>forced sandboxing flag
+   set</a>, if it has one.</li>
+
+  </ul><h3 id=history><span class=secno>6.5 </span>Session history and navigation</h3>
+
   <h4 id=the-session-history-of-browsing-contexts><span class=secno>6.5.1 </span>The session history of browsing contexts</h4>
 
   <p>The sequence of <code><a href=#document>Document</a></code>s in a <a href=#browsing-context>browsing
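Review bot: the unchanged context sentence just above the new text, "It is populated by the navigation algorithm", is now stale: this revision also populates the active sandboxing flag set when the initial about:blank Document is created at browsing-context creation. Suggest "It is populated when the user agent implements the sandboxing for it, either when its browsing context is created or by the navigation algorithm." Separately, the hoisted definition says the union is taken "at the time the Document object is created", yet in the navigation algorithm the step now runs after the Window has been pointed at the new Document; the timing wording should match where the algorithm is actually invoked.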
@@ -70902,45 +70930,8 @@
      <code><a href=#window>Window</a></code> object to point to the new
      <code><a href=#document>Document</a></code>.</p>
 
-     <li>
+     <li><p><a href=#implement-the-sandboxing>Implement the sandboxing</a> for the <code><a href=#document>Document</a></code>.</li>
 
-      <p>Populate <code><a href=#document>Document</a></code>'s <a href=#active-sandboxing-flag-set>active sandboxing flag
-      set</a> with the union of the flags that are present in the
-      following <a href=#sandboxing-flag-set title="sandboxing flag set">sandboxing flag
-      sets</a> at the time the <code><a href=#document>Document</a></code> object is
-      created:</p>
-
-      <ul><li><p>If the <code><a href=#document>Document</a></code>'s <a href=#browsing-context>browsing
-       context</a> is a <a href=#top-level-browsing-context>top-level browsing context</a>,
-       then: the flags set on the <a href=#browsing-context>browsing context</a>'s
-       <a href=#popup-sandboxing-flag-set>popup sandboxing flag set</a>.</li>
-
-       <li><p>If the <code><a href=#document>Document</a></code>'s <a href=#browsing-context>browsing
-       context</a> is a <a href=#nested-browsing-context>nested browsing context</a>, then:
-       the flags set on the <a href=#browsing-context>browsing context</a>'s
-       <a href=#iframe-sandboxing-flag-set><code>iframe</code> sandboxing flag set</a>.</li>
-
-       <li><p>If the <code><a href=#document>Document</a></code>'s <a href=#browsing-context>browsing
-       context</a> is a <a href=#nested-browsing-context>nested browsing context</a>, then:
-       the flags set on the <a href=#browsing-context>browsing context</a>'s <a href=#parent-browsing-context>parent
-       browsing context</a>'s <a href=#active-document>active document</a>'s
-       <a href=#active-sandboxing-flag-set>active sandboxing flag set</a>.</li>
-
-       <li><p>The flags set on the resource's <a href=#forced-sandboxing-flag-set>forced sandboxing
-       flag set</a>.</li>
-
-      </ul><p>Each resource obtained by this <a href=#navigate title=navigate>navigation algorithm</a> has a <dfn id=forced-sandboxing-flag-set>forced
-      sandboxing flag set</dfn>, which is a <a href=#sandboxing-flag-set>sandboxing flag
-      set</a>. A resource by default has no flags set in its
-      <a href=#forced-sandboxing-flag-set>forced sandboxing flag set</a>, but other
-      specifications can define that certain flags are set.</p>
-
-      <p class=note>In particular, the <a href=#forced-sandboxing-flag-set>forced sandboxing flag
-      set</a> is used by the Content Security Policy specification.
-      <a href=#refsCSP>[CSP]</a></p>
-
-     </li>
-
     </ol></li>
 
    <li id=navigate-non-Document>
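Review bot: the replacement step "Implement the sandboxing for the Document" runs after the step that points the Window object at the new Document, while the hoisted algorithm it invokes says the flag sets are sampled "at the time the Document object is created". Either move the step so it immediately follows Document creation, or reword the hoisted text to sample the sets when the algorithm is invoked, so an implementer does not have to guess whether changes to the parent's active sandboxing flag set in between are observable. The removed inline list also read "the resource's forced sandboxing flag set" unconditionally; the hoisted version adds "if it has one", which is the right fix for the about:blank case and should be called out in the log message.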

Modified: index
===================================================================
--- index	2012-09-26 18:10:58 UTC (rev 7410)
+++ index	2012-09-26 21:58:19 UTC (rev 7411)
@@ -26819,13 +26819,22 @@
   <p class=warning>Setting both the <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code> and <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code> keywords together when the
   embedded page has the <a href=#same-origin>same origin</a> as the page containing the <code><a href=#the-iframe-element>iframe</a></code>
   allows the embedded page to simply remove the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code>
-  attribute.</p>
+  attribute and then reload itself, effectively breaking out of the sandbox altogether.</p>
 
-  <p class=warning>Sandboxing hostile content is of minimal help if an attacker can convince the
-  user to just visit the hostile content directly, rather than in the <code><a href=#the-iframe-element>iframe</a></code>. To limit
-  the damage that can be caused by hostile HTML content, it should be served from a separate
-  dedicated domain.</p>
+  <p class=warning>These flags only take effect when the <a href=#nested-browsing-context>nested browsing context</a> of
+  the <code><a href=#the-iframe-element>iframe</a></code> is <a href=#navigate title=navigate>navigated</a>. Removing them, or removing the
+  entire <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute, has no effect on an
+  already-loaded page.</p>
 
+  <p class=warning>Potentially hostile files should not be served from the same server as the file
+  containing the <code><a href=#the-iframe-element>iframe</a></code> element. Sandboxing hostile content is of minimal help if an
+  attacker can convince the user to just visit the hostile content directly, rather than in the
+  <code><a href=#the-iframe-element>iframe</a></code>. To limit the damage that can be caused by hostile HTML content, it should be
+  served from a separate dedicated domain. Using a different domain ensures that scripts in the
+  files are unable to attack the site, even if the user is tricked into visiting those pages
+  directly, without the protection of the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code>
+  attribute.</p>
+
   <div class=impl>
 
   <!-- v2: Add a new attribute that enables new restrictions, e.g.:
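Review bot: the relocated warning "These flags only take effect when the nested browsing context of the iframe is navigated" no longer matches the behaviour this revision introduces, since the directive is now also parsed before the initial about:blank Document is created; suggest "These flags are applied when the nested browsing context is created and each time it is navigated; changing or removing them has no effect on an already-loaded page, including the initial about:blank Document." The merged hosting warning also repeats its advice twice (same server vs. separate dedicated domain); one sentence suffices.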
@@ -26835,16 +26844,18 @@
        - block access to 'parent.frames' from sandbox
   -->
 
-  <p>While the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute is set or changed, the
-  user agent must <a href=#parse-a-sandboxing-directive title="parse a sandboxing directive">parse the sandboxing directive</a>
-  using the attribute's value as the <var title="">input</var> and the <code><a href=#the-iframe-element>iframe</a></code> element's
-  <a href=#nested-browsing-context>nested browsing context</a>'s <a href=#iframe-sandboxing-flag-set><code>iframe</code> sandboxing flag set</a> as the
-  output.</p>
+  <p>When an <code><a href=#the-iframe-element>iframe</a></code> element with a <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code>
+  attribute has its <a href=#nested-browsing-context>nested browsing context</a> created (before the initial
+  <code><a href=#about:blank>about:blank</a></code> <code><a href=#document>Document</a></code> is created), and when an <code><a href=#the-iframe-element>iframe</a></code>
+  element's <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute is set or changed while it
+  has a <a href=#nested-browsing-context>nested browsing context</a>, the user agent must <a href=#parse-a-sandboxing-directive title="parse a sandboxing
+  directive">parse the sandboxing directive</a> using the attribute's value as the <var title="">input</var> and the <code><a href=#the-iframe-element>iframe</a></code> element's <a href=#nested-browsing-context>nested browsing context</a>'s
+  <a href=#iframe-sandboxing-flag-set><code>iframe</code> sandboxing flag set</a> as the output.</p>
 
-  <p class=warning>These flags only take effect when the <a href=#nested-browsing-context>nested browsing context</a> of
-  the <code><a href=#the-iframe-element>iframe</a></code> is <a href=#navigate title=navigate>navigated</a>. Removing them, or removing the
-  entire <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute, has no effect on an
-  already-loaded page.</p>
+  <p>When an <code><a href=#the-iframe-element>iframe</a></code> element's <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code>
+  attribute is removed while it has a <a href=#nested-browsing-context>nested browsing context</a>, the user agent must
+  empty the <code><a href=#the-iframe-element>iframe</a></code> element's <a href=#nested-browsing-context>nested browsing context</a>'s
+  <a href=#iframe-sandboxing-flag-set><code>iframe</code> sandboxing flag set</a> as the output.</p>
 
   </div>
 
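Review bot: "empty the iframe element's nested browsing context's iframe sandboxing flag set as the output" carries a leftover "as the output" from the parse step; emptying a set has no output, so the sentence should end at "sandboxing flag set".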
@@ -26910,19 +26921,7 @@
 
   </div>
 
-  <p class=note>Potentially hostile files should not be served from the same server as the file
-  containing the <code><a href=#the-iframe-element>iframe</a></code> element. Using a different domain ensures that scripts in the
-  files are unable to attack the site, even if the user is tricked into visiting those pages
-  directly, without the protection of the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code>
-  attribute.</p>
 
-  <p class=warning>If the <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code>
-  keyword is set along with <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code> keyword, and the file is
-  from the <a href=#same-origin>same origin</a> as the <code><a href=#the-iframe-element>iframe</a></code>'s <code><a href=#document>Document</a></code>, then a
-  script in the "sandboxed" iframe could just reach out, remove the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute, and then reload itself, effectively breaking
-  out of the sandbox altogether.</p>
-
-
   <hr><!-- SEAMLESS --><!-- v2: Might be interesting to have a value on seamless that allowed event propagation of some
   sort, maybe based on the WICD work: http://www.w3.org/TR/WICD/ --><p>The <dfn id=attr-iframe-seamless title=attr-iframe-seamless><code>seamless</code></dfn> attribute is a <a href=#boolean-attribute>boolean
   attribute</a>. When specified, it indicates that the <code><a href=#the-iframe-element>iframe</a></code> element's
@@ -67216,14 +67215,15 @@
 
   <div class=impl>
 
-  <p>When a <a href=#browsing-context>browsing context</a> is first created, it must be
-  created with a single <code><a href=#document>Document</a></code> in its session history,
-  whose <a href="#the-document's-address" title="the document's address">address</a> is
-  <code><a href=#about:blank>about:blank</a></code>, which is marked as being an <a href=#html-documents title="HTML documents">HTML document</a>, whose <a href="#document's-character-encoding" title="document's character encoding">character encoding</a> is
-  UTF-8, and which is both <a href=#ready-for-post-load-tasks>ready for post-load tasks</a> and
-  <a href=#completely-loaded>completely loaded</a> immediately. The
-  <code><a href=#document>Document</a></code> must have a single child <code><a href=#the-html-element>html</a></code>
-  node, which itself has a single child <code><a href=#the-body-element>body</a></code> node.</p>
+  <p>When a <a href=#browsing-context>browsing context</a> is first created, it must be created with a single
+  <code><a href=#document>Document</a></code> in its session history, whose <a href="#the-document's-address" title="the document's
+  address">address</a> is <code><a href=#about:blank>about:blank</a></code>, which is marked as being an <a href=#html-documents title="HTML
+  documents">HTML document</a>, whose <a href="#document's-character-encoding" title="document's character encoding">character
+  encoding</a> is UTF-8, and which is both <a href=#ready-for-post-load-tasks>ready for post-load tasks</a> and
+  <a href=#completely-loaded>completely loaded</a> immediately. The <code><a href=#document>Document</a></code> must have a single child
+  <code><a href=#the-html-element>html</a></code> node, which itself has a single child <code><a href=#the-body-element>body</a></code> node. As soon as this
+  <code><a href=#document>Document</a></code> is created, the user agent must <a href=#implement-the-sandboxing>implement the sandboxing</a> for
+  it.</p>
 
   <p class=note>If the <a href=#browsing-context>browsing context</a> is created
   specifically to be immediately navigated, then that initial
@@ -69571,10 +69571,38 @@
   <code><a href=#document>Document</a></code> is created, its <a href=#active-sandboxing-flag-set>active sandboxing flag
   set</a> must be empty. It is populated by the <a href=#navigate title=navigate>navigation algorithm</a>.</p>
 
+  <p>Every resource that is obtained by the <a href=#navigate title=navigate>navigation algorithm</a> has a <dfn id=forced-sandboxing-flag-set>forced
+  sandboxing flag set</dfn>, which is a <a href=#sandboxing-flag-set>sandboxing flag
+  set</a>. A resource by default has no flags set in its
+  <a href=#forced-sandboxing-flag-set>forced sandboxing flag set</a>, but other
+  specifications can define that certain flags are set.</p>
 
+  <p class=note>In particular, the <a href=#forced-sandboxing-flag-set>forced sandboxing flag
+  set</a> is used by the Content Security Policy specification.
+  <a href=#refsCSP>[CSP]</a></p>
 
-  <h3 id=history><span class=secno>6.5 </span>Session history and navigation</h3>
+  <hr><p>When a user agent is to <dfn id=implement-the-sandboxing>implement the sandboxing</dfn> for a <code><a href=#document>Document</a></code>, it
+  must populate <code><a href=#document>Document</a></code>'s <a href=#active-sandboxing-flag-set>active sandboxing flag set</a> with the union of
+  the flags that are present in the following <a href=#sandboxing-flag-set title="sandboxing flag set">sandboxing flag
+  sets</a> at the time the <code><a href=#document>Document</a></code> object is created:</p>
 
+  <ul><li><p>If the <code><a href=#document>Document</a></code>'s <a href=#browsing-context>browsing context</a> is a <a href=#top-level-browsing-context>top-level browsing
+   context</a>, then: the flags set on the <a href=#browsing-context>browsing context</a>'s <a href=#popup-sandboxing-flag-set>popup sandboxing
+   flag set</a>.</li>
+
+   <li><p>If the <code><a href=#document>Document</a></code>'s <a href=#browsing-context>browsing context</a> is a <a href=#nested-browsing-context>nested browsing
+   context</a>, then: the flags set on the <a href=#browsing-context>browsing context</a>'s
+   <a href=#iframe-sandboxing-flag-set><code>iframe</code> sandboxing flag set</a>.</li>
+
+   <li><p>If the <code><a href=#document>Document</a></code>'s <a href=#browsing-context>browsing context</a> is a <a href=#nested-browsing-context>nested browsing
+   context</a>, then: the flags set on the <a href=#browsing-context>browsing context</a>'s <a href=#parent-browsing-context>parent browsing
+   context</a>'s <a href=#active-document>active document</a>'s <a href=#active-sandboxing-flag-set>active sandboxing flag set</a>.</li>
+
+   <li><p>The flags set on the <code><a href=#document>Document</a></code>'s resource's <a href=#forced-sandboxing-flag-set>forced sandboxing flag
+   set</a>, if it has one.</li>
+
+  </ul><h3 id=history><span class=secno>6.5 </span>Session history and navigation</h3>
+
   <h4 id=the-session-history-of-browsing-contexts><span class=secno>6.5.1 </span>The session history of browsing contexts</h4>
 
   <p>The sequence of <code><a href=#document>Document</a></code>s in a <a href=#browsing-context>browsing
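Review bot: the context sentence "It is populated by the navigation algorithm" immediately above the new definitions is now stale, because the active sandboxing flag set is also populated when the initial about:blank Document is created; suggest "It is populated when the user agent implements the sandboxing for it, either when its browsing context is created or by the navigation algorithm."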
@@ -70902,45 +70930,8 @@
      <code><a href=#window>Window</a></code> object to point to the new
      <code><a href=#document>Document</a></code>.</p>
 
-     <li>
+     <li><p><a href=#implement-the-sandboxing>Implement the sandboxing</a> for the <code><a href=#document>Document</a></code>.</li>
 
-      <p>Populate <code><a href=#document>Document</a></code>'s <a href=#active-sandboxing-flag-set>active sandboxing flag
-      set</a> with the union of the flags that are present in the
-      following <a href=#sandboxing-flag-set title="sandboxing flag set">sandboxing flag
-      sets</a> at the time the <code><a href=#document>Document</a></code> object is
-      created:</p>
-
-      <ul><li><p>If the <code><a href=#document>Document</a></code>'s <a href=#browsing-context>browsing
-       context</a> is a <a href=#top-level-browsing-context>top-level browsing context</a>,
-       then: the flags set on the <a href=#browsing-context>browsing context</a>'s
-       <a href=#popup-sandboxing-flag-set>popup sandboxing flag set</a>.</li>
-
-       <li><p>If the <code><a href=#document>Document</a></code>'s <a href=#browsing-context>browsing
-       context</a> is a <a href=#nested-browsing-context>nested browsing context</a>, then:
-       the flags set on the <a href=#browsing-context>browsing context</a>'s
-       <a href=#iframe-sandboxing-flag-set><code>iframe</code> sandboxing flag set</a>.</li>
-
-       <li><p>If the <code><a href=#document>Document</a></code>'s <a href=#browsing-context>browsing
-       context</a> is a <a href=#nested-browsing-context>nested browsing context</a>, then:
-       the flags set on the <a href=#browsing-context>browsing context</a>'s <a href=#parent-browsing-context>parent
-       browsing context</a>'s <a href=#active-document>active document</a>'s
-       <a href=#active-sandboxing-flag-set>active sandboxing flag set</a>.</li>
-
-       <li><p>The flags set on the resource's <a href=#forced-sandboxing-flag-set>forced sandboxing
-       flag set</a>.</li>
-
-      </ul><p>Each resource obtained by this <a href=#navigate title=navigate>navigation algorithm</a> has a <dfn id=forced-sandboxing-flag-set>forced
-      sandboxing flag set</dfn>, which is a <a href=#sandboxing-flag-set>sandboxing flag
-      set</a>. A resource by default has no flags set in its
-      <a href=#forced-sandboxing-flag-set>forced sandboxing flag set</a>, but other
-      specifications can define that certain flags are set.</p>
-
-      <p class=note>In particular, the <a href=#forced-sandboxing-flag-set>forced sandboxing flag
-      set</a> is used by the Content Security Policy specification.
-      <a href=#refsCSP>[CSP]</a></p>
-
-     </li>
-
     </ol></li>
 
    <li id=navigate-non-Document>

Modified: source
===================================================================
--- source	2012-09-26 18:10:58 UTC (rev 7410)
+++ source	2012-09-26 21:58:19 UTC (rev 7411)
@@ -28932,13 +28932,22 @@
   title="attr-iframe-sandbox-allow-same-origin">allow-same-origin</code> keywords together when the
   embedded page has the <span>same origin</span> as the page containing the <code>iframe</code>
   allows the embedded page to simply remove the <code title="attr-iframe-sandbox">sandbox</code>
-  attribute.</p>
+  attribute and then reload itself, effectively breaking out of the sandbox altogether.</p>
 
-  <p class="warning">Sandboxing hostile content is of minimal help if an attacker can convince the
-  user to just visit the hostile content directly, rather than in the <code>iframe</code>. To limit
-  the damage that can be caused by hostile HTML content, it should be served from a separate
-  dedicated domain.</p>
+  <p class="warning">These flags only take effect when the <span>nested browsing context</span> of
+  the <code>iframe</code> is <span title="navigate">navigated</span>. Removing them, or removing the
+  entire <code title="attr-iframe-sandbox">sandbox</code> attribute, has no effect on an
+  already-loaded page.</p>
 
+  <p class="warning">Potentially hostile files should not be served from the same server as the file
+  containing the <code>iframe</code> element. Sandboxing hostile content is of minimal help if an
+  attacker can convince the user to just visit the hostile content directly, rather than in the
+  <code>iframe</code>. To limit the damage that can be caused by hostile HTML content, it should be
+  served from a separate dedicated domain. Using a different domain ensures that scripts in the
+  files are unable to attack the site, even if the user is tricked into visiting those pages
+  directly, without the protection of the <code title="attr-iframe-sandbox">sandbox</code>
+  attribute.</p>
+
   <div class="impl">
 
   <!-- v2: Add a new attribute that enables new restrictions, e.g.:
@@ -28948,16 +28957,19 @@
        - block access to 'parent.frames' from sandbox
   -->
 
-  <p>While the <code title="attr-iframe-sandbox">sandbox</code> attribute is set or changed, the
-  user agent must <span title="parse a sandboxing directive">parse the sandboxing directive</span>
-  using the attribute's value as the <var title="">input</var> and the <code>iframe</code> element's
-  <span>nested browsing context</span>'s <span><code>iframe</code> sandboxing flag set</span> as the
-  output.</p>
+  <p>When an <code>iframe</code> element with a <code title="attr-iframe-sandbox">sandbox</code>
+  attribute has its <span>nested browsing context</span> created (before the initial
+  <code>about:blank</code> <code>Document</code> is created), and when an <code>iframe</code>
+  element's <code title="attr-iframe-sandbox">sandbox</code> attribute is set or changed while it
+  has a <span>nested browsing context</span>, the user agent must <span title="parse a sandboxing
+  directive">parse the sandboxing directive</span> using the attribute's value as the <var
+  title="">input</var> and the <code>iframe</code> element's <span>nested browsing context</span>'s
+  <span><code>iframe</code> sandboxing flag set</span> as the output.</p>
 
-  <p class="warning">These flags only take effect when the <span>nested browsing context</span> of
-  the <code>iframe</code> is <span title="navigate">navigated</span>. Removing them, or removing the
-  entire <code title="attr-iframe-sandbox">sandbox</code> attribute, has no effect on an
-  already-loaded page.</p>
+  <p>When an <code>iframe</code> element's <code title="attr-iframe-sandbox">sandbox</code>
+  attribute is removed while it has a <span>nested browsing context</span>, the user agent must
+  empty the <code>iframe</code> element's <span>nested browsing context</span>'s
+  <span><code>iframe</code> sandboxing flag set</span> as the output.</p>
 
   </div>
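Review bot: "as the output" at the end of the removal paragraph ("must empty the iframe element's nested browsing context's iframe sandboxing flag set as the output") is a leftover from the parsing sentence above it; emptying a set has no output, so drop the phrase. In the first paragraph, the clause "before the initial about:blank Document is created" is load-bearing, because the creation-time "implement the sandboxing" step added later in this patch reads the iframe sandboxing flag set; a short note saying the ordering is deliberate would stop a future cleanup from reordering it.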
 
@@ -29028,21 +29040,7 @@
 
   </div>
 
-  <p class="note">Potentially hostile files should not be served from the same server as the file
-  containing the <code>iframe</code> element. Using a different domain ensures that scripts in the
-  files are unable to attack the site, even if the user is tricked into visiting those pages
-  directly, without the protection of the <code title="attr-iframe-sandbox">sandbox</code>
-  attribute.</p>
 
-  <p class="warning">If the <code title="attr-iframe-sandbox-allow-scripts">allow-scripts</code>
-  keyword is set along with <code
-  title="attr-iframe-sandbox-allow-same-origin">allow-same-origin</code> keyword, and the file is
-  from the <span>same origin</span> as the <code>iframe</code>'s <code>Document</code>, then a
-  script in the "sandboxed" iframe could just reach out, remove the <code
-  title="attr-iframe-sandbox">sandbox</code> attribute, and then reload itself, effectively breaking
-  out of the sandbox altogether.</p>
-
-
   <hr> <!-- SEAMLESS -->
 
   <!-- v2: Might be interesting to have a value on seamless that allowed event propagation of some
@@ -78684,16 +78682,15 @@
 
   <div class="impl">
 
-  <p>When a <span>browsing context</span> is first created, it must be
-  created with a single <code>Document</code> in its session history,
-  whose <span title="the document's address">address</span> is
-  <code>about:blank</code>, which is marked as being an <span
-  title="HTML documents">HTML document</span>, whose <span
-  title="document's character encoding">character encoding</span> is
-  UTF-8, and which is both <span>ready for post-load tasks</span> and
-  <span>completely loaded</span> immediately. The
-  <code>Document</code> must have a single child <code>html</code>
-  node, which itself has a single child <code>body</code> node.</p>
+  <p>When a <span>browsing context</span> is first created, it must be created with a single
+  <code>Document</code> in its session history, whose <span title="the document's
+  address">address</span> is <code>about:blank</code>, which is marked as being an <span title="HTML
+  documents">HTML document</span>, whose <span title="document's character encoding">character
+  encoding</span> is UTF-8, and which is both <span>ready for post-load tasks</span> and
+  <span>completely loaded</span> immediately. The <code>Document</code> must have a single child
+  <code>html</code> node, which itself has a single child <code>body</code> node. As soon as this
+  <code>Document</code> is created, the user agent must <span>implement the sandboxing</span> for
+  it.</p>
 
   <p class="note">If the <span>browsing context</span> is created
   specifically to be immediately navigated, then that initial
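Review bot: "As soon as this Document is created, the user agent must implement the sandboxing for it" only yields a sandboxed initial about:blank if the browsing context's sandboxing flag sets are already populated at that moment. The iframe case is covered by the ordering requirement added earlier in this patch, but the popup sandboxing flag set of a top-level browsing context is not touched here; confirm that auxiliary browsing context creation fills it before this step runs, otherwise the union computed by "implement the sandboxing" is empty for that initial Document.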
@@ -81394,8 +81391,45 @@
   set</span> must be empty. It is populated by the <span
   title="navigate">navigation algorithm</span>.</p>
 
+  <p>Every resource that is obtained by the <span
+  title="navigate">navigation algorithm</span> has a <dfn>forced
+  sandboxing flag set</dfn>, which is a <span>sandboxing flag
+  set</span>. A resource by default has no flags set in its
+  <span>forced sandboxing flag set</span>, but other
+  specifications can define that certain flags are set.</p>
 
+  <p class="note">In particular, the <span>forced sandboxing flag
+  set</span> is used by the Content Security Policy specification.
+  <a href="#refsCSP">[CSP]</a></p>
 
+  <hr>
+
+  <p>When a user agent is to <dfn>implement the sandboxing</dfn> for a <code>Document</code>, it
+  must populate <code>Document</code>'s <span>active sandboxing flag set</span> with the union of
+  the flags that are present in the following <span title="sandboxing flag set">sandboxing flag
+  sets</span> at the time the <code>Document</code> object is created:</p>
+
+  <ul>
+
+   <li><p>If the <code>Document</code>'s <span>browsing context</span> is a <span>top-level browsing
+   context</span>, then: the flags set on the <span>browsing context</span>'s <span>popup sandboxing
+   flag set</span>.</p></li>
+
+   <li><p>If the <code>Document</code>'s <span>browsing context</span> is a <span>nested browsing
+   context</span>, then: the flags set on the <span>browsing context</span>'s
+   <span><code>iframe</code> sandboxing flag set</span>.</p></li>
+
+   <li><p>If the <code>Document</code>'s <span>browsing context</span> is a <span>nested browsing
+   context</span>, then: the flags set on the <span>browsing context</span>'s <span>parent browsing
+   context</span>'s <span>active document</span>'s <span>active sandboxing flag set</span>.</p></li>
+
+   <li><p>The flags set on the <code>Document</code>'s resource's <span>forced sandboxing flag
+   set</span>, if it has one.</p></li>
+
+  </ul>
+
+
+
   <h3 id="history">Session history and navigation</h3>
 
   <h4>The session history of browsing contexts</h4>
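Review bot: the "if it has one" qualifier on the forced sandboxing flag set bullet is what makes the new shared algorithm well-defined for the initial about:blank Document, which is not obtained by the navigation algorithm and therefore has no resource; say so explicitly (e.g. "the initial about:blank Document has no resource") rather than leaving the reader to work out which Documents lack one. Minor: the hunk leaves three consecutive blank lines before the "Session history and navigation" heading.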
@@ -82884,50 +82918,8 @@
      <code>Window</code> object to point to the new
      <code>Document</code>.</p>
 
-     <li>
+     <li><p><span>Implement the sandboxing</span> for the <code>Document</code>.</p></li>
 
-      <p>Populate <code>Document</code>'s <span>active sandboxing flag
-      set</span> with the union of the flags that are present in the
-      following <span title="sandboxing flag set">sandboxing flag
-      sets</span> at the time the <code>Document</code> object is
-      created:</p>
-
-      <ul>
-
-       <li><p>If the <code>Document</code>'s <span>browsing
-       context</span> is a <span>top-level browsing context</span>,
-       then: the flags set on the <span>browsing context</span>'s
-       <span>popup sandboxing flag set</span>.</p></li>
-
-       <li><p>If the <code>Document</code>'s <span>browsing
-       context</span> is a <span>nested browsing context</span>, then:
-       the flags set on the <span>browsing context</span>'s
-       <span><code>iframe</code> sandboxing flag set</span>.</p></li>
-
-       <li><p>If the <code>Document</code>'s <span>browsing
-       context</span> is a <span>nested browsing context</span>, then:
-       the flags set on the <span>browsing context</span>'s <span>parent
-       browsing context</span>'s <span>active document</span>'s
-       <span>active sandboxing flag set</span>.</p></li>
-
-       <li><p>The flags set on the resource's <span>forced sandboxing
-       flag set</span>.</p></li>
-
-      </ul>
-
-      <p>Each resource obtained by this <span
-      title="navigate">navigation algorithm</span> has a <dfn>forced
-      sandboxing flag set</dfn>, which is a <span>sandboxing flag
-      set</span>. A resource by default has no flags set in its
-      <span>forced sandboxing flag set</span>, but other
-      specifications can define that certain flags are set.</p>
-
-      <p class="note">In particular, the <span>forced sandboxing flag
-      set</span> is used by the Content Security Policy specification.
-      <a href="#refsCSP">[CSP]</a></p>
-
-     </li>
-
     </ol>
 
    </li>
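Review bot: the inline list removed here was unconditional about "the resource's forced sandboxing flag set", whereas the shared definition this call site now delegates to adds "if it has one"; for a Document produced by the navigation algorithm a resource always exists, so behaviour at this call site is unchanged, but that is worth stating in the log since the same algorithm is now also invoked at browsing context creation. Structurally the change is balanced: the removed opening <li> and its closing </li> are both dropped and replaced by a single-line <li><p>...</p></li>.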



