[html5] r7984 - [giow] (2) Sandboxing: prevent pages from closing their top-level browsing conte [...]
whatwg at whatwg.org
Mon Jun 17 17:24:05 PDT 2013
Author: ianh
Date: 2013-06-17 17:24:03 -0700 (Mon, 17 Jun 2013)
New Revision: 7984
Modified:
complete.html
index
source
Log:
[giow] (2) Sandboxing: prevent pages from closing their top-level browsing context (unless they can navigate it, in which case, whatever)
Fixing https://www.w3.org/Bugs/Public/show_bug.cgi?id=22319
Affected topics: DOM APIs, HTML
Modified: complete.html
===================================================================
--- complete.html 2013-06-17 23:27:19 UTC (rev 7983)
+++ complete.html 2013-06-18 00:24:03 UTC (rev 7984)
@@ -256,7 +256,7 @@
<header class=head id=head><p><a class=logo href=http://www.whatwg.org/><img alt=WHATWG height=101 src=/images/logo width=101></a></p>
<hgroup><h1 class=allcaps>HTML</h1>
- <h2 class="no-num no-toc">Living Standard — Last Updated 17 June 2013</h2>
+ <h2 class="no-num no-toc">Living Standard — Last Updated 18 June 2013</h2>
</hgroup><dl><dt><strong>Web developer edition:</strong></dt>
<dd><strong><a href=http://developers.whatwg.org/>http://developers.whatwg.org/</a></strong></dd>
<dt>Multiple-page version:</dt>
@@ -53860,7 +53860,7 @@
<td><a href=#valid-e-mail-address>Valid e-mail address</a>
<td>timbl at w3.org
<tr><td colspan=4>"<dfn id=attr-fe-autocomplete-impp title=attr-fe-autocomplete-impp><code>impp</code></dfn>"
- <td>URL representing an instant messaging protocol endpoint (for example, "<code title="">aim:goim?screenname=example</code>" or <code title="">xmpp:fred at example.net</code>")
+ <td>URL representing an instant messaging protocol endpoint (for example, "<code title="">aim:goim?screenname=example</code>" or "<code title="">xmpp:fred at example.net</code>")
<td><a href=#valid-url>Valid URL</a>
<td>irc://example.org/timbl,isuser
</table><p>If the <code title=attr-fe-autocomplete><a href=#attr-fe-autocomplete>autocomplete</a></code>
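Review bot: the opening quote added before <code title="">xmpp:fred at example.net</code> in the impp row is a punctuation fix unrelated to the sandboxing change, and the log message (bug 22319) does not mention it. Consider landing it as its own revision, or adding a line to the log, so the sandboxing change can be tracked or reverted on its own. The same hunk repeats in index and source.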
@@ -65380,12 +65380,19 @@
navigated to another domain.</p>
<hr><!--CLEANUP--><p>The <dfn id=dom-window-close title=dom-window-close><code>close()</code></dfn> method on <code><a href=#window>Window</a></code>
- objects should, if the corresponding <a href=#browsing-context>browsing context</a> <var title="">A</var> is
- <a href=#script-closable>script-closable</a> and the <a href="#script's-browsing-context" title="script's browsing context">browsing
- context</a> of the <a href=#incumbent-script>incumbent script</a> is
- <a href=#allowed-to-navigate>allowed to navigate</a> the <a href=#browsing-context>browsing context</a> <var title="">A</var>, <a href=#close-a-browsing-context title="close a browsing context">close</a> the <a href=#browsing-context>browsing context</a> <var title="">A</var>.</p>
+ objects should, if all the following conditions are met, <a href=#close-a-browsing-context title="close a browsing context">close</a> the <a href=#browsing-context>browsing context</a> <var title="">A</var>:
- <p>A <a href=#browsing-context>browsing context</a> is <dfn id=script-closable>script-closable</dfn> if it is an <a href=#auxiliary-browsing-context>auxiliary
+ <ul class=brief><li>The corresponding <a href=#browsing-context>browsing context</a> <var title="">A</var> is
+ <a href=#script-closable>script-closable</a>.</li>
+
+ <li>The <a href="#script's-browsing-context" title="script's browsing context">browsing context</a> of the <a href=#incumbent-script>incumbent
+ script</a> is <a href=#allowed-to-navigate>allowed to navigate</a> the <a href=#browsing-context>browsing context</a> <var title="">A</var>.</li>
+
+ <li id=sandboxClose>The <a href=#active-sandboxing-flag-set>active sandboxing flag set</a> of the <a href="#script's-document" title="script's
+ document">document</a> of the <a href=#incumbent-script>incumbent script</a> does not have its <a href=#sandboxed-top-level-navigation-browsing-context-flag>sandboxed
+ top-level navigation browsing context flag</a> set.</li>
+
+ </ul><p>A <a href=#browsing-context>browsing context</a> is <dfn id=script-closable>script-closable</dfn> if it is an <a href=#auxiliary-browsing-context>auxiliary
browsing context</a> that was created by a script (as opposed to by an action of the user), or
if it is a <a href=#browsing-context>browsing context</a> whose <a href=#session-history>session history</a> contains only one
<code><a href=#document>Document</a></code>.</p>
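Review bot: the new third condition (li id=sandboxClose) tests only the sandboxing flags of the incumbent script's document and never refers to A, so it applies to every close() call, not only to calls where A is that script's top-level browsing context. As written, a document with the sandboxed top-level navigation browsing context flag set also cannot close a script-closable browsing context that it is allowed to navigate, which is broader than the log's "prevent pages from closing their top-level browsing context". If that is not intended, scope the item so it applies only when A is the top-level browsing context of the incumbent script's browsing context; if it is intended, the flag description that links to #sandboxClose should say so.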
@@ -66333,7 +66340,8 @@
<dd>
<p>This flag <a href=#sandboxLinks>prevents content from navigating their <span>top-level
- browsing context</span></a>.</p>
+ browsing context</span></a> and <a href=#sandboxClose>prevents content from closing their
+ <span>top-level browsing context</span></a>.</p>
<p>When the <a href=#sandboxed-top-level-navigation-browsing-context-flag>sandboxed top-level navigation browsing context flag</a> is <em>not</em>
set, content can navigate its <a href=#top-level-browsing-context>top-level browsing context</a>, but other <a href=#browsing-context title="browsing context">browsing contexts</a> are still protected by the <a href=#sandboxed-navigation-browsing-context-flag>sandboxed
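Review bot: the context paragraph after the changed sentence still reads "When the sandboxed top-level navigation browsing context flag is not set, content can navigate its top-level browsing context" and says nothing about closing, so the description now states the restriction for both navigating and closing but the relaxation only for navigating. Suggest extending that sentence to say that content can also close its top-level browsing context when the flag is not set, matching the #sandboxClose condition.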
Modified: index
===================================================================
--- index 2013-06-17 23:27:19 UTC (rev 7983)
+++ index 2013-06-18 00:24:03 UTC (rev 7984)
@@ -256,7 +256,7 @@
<header class=head id=head><p><a class=logo href=http://www.whatwg.org/><img alt=WHATWG height=101 src=/images/logo width=101></a></p>
<hgroup><h1 class=allcaps>HTML</h1>
- <h2 class="no-num no-toc">Living Standard — Last Updated 17 June 2013</h2>
+ <h2 class="no-num no-toc">Living Standard — Last Updated 18 June 2013</h2>
</hgroup><dl><dt><strong>Web developer edition:</strong></dt>
<dd><strong><a href=http://developers.whatwg.org/>http://developers.whatwg.org/</a></strong></dd>
<dt>Multiple-page version:</dt>
@@ -53860,7 +53860,7 @@
<td><a href=#valid-e-mail-address>Valid e-mail address</a>
<td>timbl at w3.org
<tr><td colspan=4>"<dfn id=attr-fe-autocomplete-impp title=attr-fe-autocomplete-impp><code>impp</code></dfn>"
- <td>URL representing an instant messaging protocol endpoint (for example, "<code title="">aim:goim?screenname=example</code>" or <code title="">xmpp:fred at example.net</code>")
+ <td>URL representing an instant messaging protocol endpoint (for example, "<code title="">aim:goim?screenname=example</code>" or "<code title="">xmpp:fred at example.net</code>")
<td><a href=#valid-url>Valid URL</a>
<td>irc://example.org/timbl,isuser
</table><p>If the <code title=attr-fe-autocomplete><a href=#attr-fe-autocomplete>autocomplete</a></code>
@@ -65380,12 +65380,19 @@
navigated to another domain.</p>
<hr><!--CLEANUP--><p>The <dfn id=dom-window-close title=dom-window-close><code>close()</code></dfn> method on <code><a href=#window>Window</a></code>
- objects should, if the corresponding <a href=#browsing-context>browsing context</a> <var title="">A</var> is
- <a href=#script-closable>script-closable</a> and the <a href="#script's-browsing-context" title="script's browsing context">browsing
- context</a> of the <a href=#incumbent-script>incumbent script</a> is
- <a href=#allowed-to-navigate>allowed to navigate</a> the <a href=#browsing-context>browsing context</a> <var title="">A</var>, <a href=#close-a-browsing-context title="close a browsing context">close</a> the <a href=#browsing-context>browsing context</a> <var title="">A</var>.</p>
+ objects should, if all the following conditions are met, <a href=#close-a-browsing-context title="close a browsing context">close</a> the <a href=#browsing-context>browsing context</a> <var title="">A</var>:
- <p>A <a href=#browsing-context>browsing context</a> is <dfn id=script-closable>script-closable</dfn> if it is an <a href=#auxiliary-browsing-context>auxiliary
+ <ul class=brief><li>The corresponding <a href=#browsing-context>browsing context</a> <var title="">A</var> is
+ <a href=#script-closable>script-closable</a>.</li>
+
+ <li>The <a href="#script's-browsing-context" title="script's browsing context">browsing context</a> of the <a href=#incumbent-script>incumbent
+ script</a> is <a href=#allowed-to-navigate>allowed to navigate</a> the <a href=#browsing-context>browsing context</a> <var title="">A</var>.</li>
+
+ <li id=sandboxClose>The <a href=#active-sandboxing-flag-set>active sandboxing flag set</a> of the <a href="#script's-document" title="script's
+ document">document</a> of the <a href=#incumbent-script>incumbent script</a> does not have its <a href=#sandboxed-top-level-navigation-browsing-context-flag>sandboxed
+ top-level navigation browsing context flag</a> set.</li>
+
+ </ul><p>A <a href=#browsing-context>browsing context</a> is <dfn id=script-closable>script-closable</dfn> if it is an <a href=#auxiliary-browsing-context>auxiliary
browsing context</a> that was created by a script (as opposed to by an action of the user), or
if it is a <a href=#browsing-context>browsing context</a> whose <a href=#session-history>session history</a> contains only one
<code><a href=#document>Document</a></code>.</p>
@@ -66333,7 +66340,8 @@
<dd>
<p>This flag <a href=#sandboxLinks>prevents content from navigating their <span>top-level
- browsing context</span></a>.</p>
+ browsing context</span></a> and <a href=#sandboxClose>prevents content from closing their
+ <span>top-level browsing context</span></a>.</p>
<p>When the <a href=#sandboxed-top-level-navigation-browsing-context-flag>sandboxed top-level navigation browsing context flag</a> is <em>not</em>
set, content can navigate its <a href=#top-level-browsing-context>top-level browsing context</a>, but other <a href=#browsing-context title="browsing context">browsing contexts</a> are still protected by the <a href=#sandboxed-navigation-browsing-context-flag>sandboxed
Modified: source
===================================================================
--- source 2013-06-17 23:27:19 UTC (rev 7983)
+++ source 2013-06-18 00:24:03 UTC (rev 7984)
@@ -59340,7 +59340,7 @@
<td>timbl at w3.org
<tr>
<td colspan=4>"<dfn title="attr-fe-autocomplete-impp"><code>impp</code></dfn>"
- <td>URL representing an instant messaging protocol endpoint (for example, "<code title="">aim:goim?screenname=example</code>" or <code title="">xmpp:fred at example.net</code>")
+ <td>URL representing an instant messaging protocol endpoint (for example, "<code title="">aim:goim?screenname=example</code>" or "<code title="">xmpp:fred at example.net</code>")
<td><span>Valid URL</span>
<td>irc://example.org/timbl,isuser
</table>
@@ -72901,13 +72901,25 @@
<!--CLEANUP-->
<p>The <dfn title="dom-window-close"><code>close()</code></dfn> method on <code>Window</code>
- objects should, if the corresponding <span>browsing context</span> <var title="">A</var> is
- <span>script-closable</span> and the <span title="script's browsing context">browsing
- context</span> of the <span>incumbent script</span> is
- <span>allowed to navigate</span> the <span>browsing context</span> <var title="">A</var>, <span
+ objects should, if all the following conditions are met, <span
title="close a browsing context">close</span> the <span>browsing context</span> <var
- title="">A</var>.</p>
+ title="">A</var>:
+ <ul class="brief">
+
+ <li>The corresponding <span>browsing context</span> <var title="">A</var> is
+ <span>script-closable</span>.</li>
+
+ <li>The <span title="script's browsing context">browsing context</span> of the <span>incumbent
+ script</span> is <span>allowed to navigate</span> the <span>browsing context</span> <var
+ title="">A</var>.</li>
+
+ <li id="sandboxClose">The <span>active sandboxing flag set</span> of the <span title="script's
+ document">document</span> of the <span>incumbent script</span> does not have its <span>sandboxed
+ top-level navigation browsing context flag</span> set.</li>
+
+ </ul>
+
<p>A <span>browsing context</span> is <dfn>script-closable</dfn> if it is an <span>auxiliary
browsing context</span> that was created by a script (as opposed to by an action of the user), or
if it is a <span>browsing context</span> whose <span>session history</span> contains only one
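Review bot: the rewritten close() paragraph now ends at 'title="">A</var>:' with no closing </p> before <ul class="brief">, whereas the removed line ended with </p>. The parser closes the paragraph implicitly at the <ul>, so the rendered output is the same, but adding </p> after the colon keeps the source consistent with the paragraph it replaces.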
@@ -74011,7 +74023,8 @@
<dd>
<p>This flag <a href="#sandboxLinks">prevents content from navigating their <span>top-level
- browsing context</span></a>.</p>
+ browsing context</span></a> and <a href="#sandboxClose">prevents content from closing their
+ <span>top-level browsing context</span></a>.</p>
<p>When the <span>sandboxed top-level navigation browsing context flag</span> is <em>not</em>
set, content can navigate its <span>top-level browsing context</span>, but other <span