[html5] r1643 - /

whatwg at whatwg.org
Tue May 20 17:30:42 PDT 2008


Author: ianh
Date: 2008-05-20 17:30:41 -0700 (Tue, 20 May 2008)
New Revision: 1643

Modified:
   index
   source
Log:
[acgiow] (2) * Add <iframe sandbox>, which supports:
   - isolating frames in their own unique origin,
   - disabling plugins
   - disabling forms
   - disabling scripts
   - disabling navigation of other browsing contexts
   - disabling popups and modal dialogs
* Make the spec well-defined in the face of browsers that disable scripting on a per-browsing-context basis, and use this for the concept of sandboxing scripts.
* Abstract out the concept of scripting being disabled, so that we don't have to refer to designMode all over the place.
* Add a note that <noscript> fails pretty badly with designMode. Add and update some XXX notes in various places.
* Require that Henri do the impossible by checking that scripts never cause non-conforming states to occur.
* Require that sets of space-separated tokens with lists of allowed values not use values outside of the allowed values.

Modified: index
===================================================================
--- index	2008-05-20 00:48:51 UTC (rev 1642)
+++ index	2008-05-21 00:30:41 UTC (rev 1643)
@@ -25,7 +25,7 @@
 
    <h1 id=html-5>HTML 5</h1>
 
-   <h2 class="no-num no-toc" id=draft>Draft Recommendation — 20 May
+   <h2 class="no-num no-toc" id=draft>Draft Recommendation — 21 May
     2008</h2>
 
    <p>You can take part in this work. <a
@@ -1677,6 +1677,9 @@
 
          <li><a href="#the-element"><span class=secno>8.2.3.4. </span>The
           element pointers</a>
+
+         <li><a href="#the-scripting"><span class=secno>8.2.3.5. </span>The
+          scripting state</a>
         </ul>
 
        <li><a href="#tokenisation"><span class=secno>8.2.4
@@ -2069,12 +2072,11 @@
 
    <dd>
     <p>Implementations that do not support scripting (or which have their
-     scripting features <a href="#scripting1" title="scripting is
-     disabled">disabled</a>) are exempt from supporting the events and DOM
-     interfaces mentioned in this specification. For the parts of this
-     specification that are defined in terms of an events model or in terms
-     of the DOM, such user agents must still act as if events and the DOM
-     were supported.</p>
+     scripting features disabled entirely) are exempt from supporting the
+     events and DOM interfaces mentioned in this specification. For the parts
+     of this specification that are defined in terms of an events model or in
+     terms of the DOM, such user agents must still act as if events and the
+     DOM were supported.</p>
 
     <p class=note>Scripting can form an integral part of an application. Web
      browsers that do not support scripting, or that have scripting disabled,
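Review bot: "scripting features disabled entirely" in the rewritten paragraph is neither defined nor linked, whereas the text it replaces linked to the "scripting is disabled" definition. Since this same commit introduces disabling scripting per browsing context (the sandboxed scripts flag), say explicitly that a user agent which disables scripting only in some browsing contexts is not covered by this exemption and must still implement the events and DOM interfaces, and link "disabled entirely" to wherever that state is defined.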
@@ -2094,19 +2096,21 @@
      material).</p>
 
     <p>Conformance checkers must check that the input document conforms when
-     <a href="#scripting1">scripting is disabled</a>, and should also check
-     that the input document conforms when <a href="#scripting2">scripting is
-     enabled</a>. (This is only a "SHOULD" and not a "MUST" requirement
-     because it has been proven to be impossible. <a
-     href="#refsHALTINGPROBLEM">[HALTINGPROBLEM]</a>)</p>
+     parsed without a <a href="#browsing1">browsing context</a> (meaning that
+     no scripts are run, and that the parser's <a
+     href="#scripting2">scripting flag</a> is disabled), and should also
+     check that the input document conforms when parsed with a <a
+     href="#browsing1">browsing context</a> in which scripts execute, and
+     that the scripts never cause non-conforming states to occur. (This is
+     only a "SHOULD" and not a "MUST" requirement because it has been proven
+     to be impossible. <a href="#refsHALTINGPROBLEM">[HALTINGPROBLEM]</a>)</p>
     <!-- XXX
     [Computable] On computable numbers, with an application to the
     Entscheidungsproblem. Alan M. Turing. In Proceedings of the London
     Mathematical Society, series 2, volume 42, pages 230-265. London
     Mathematical Society,
     1937. http://www.turingarchive.org/browse.php/B/12 (referenced:
-    2007-03-03)
-    -->
+    2007-03-03) -->
     
     <p>The term "HTML5 validator" can be used to refer to a conformance
      checker that itself conforms to the applicable requirements of this
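Review bot: the SHOULD now bundles two different checks, and only one of them is undecidable. Checking that the document conforms when parsed with the scripting flag enabled (the noscript content model, for instance) is a static check and could stay a MUST alongside the no-browsing-context check; only "the scripts never cause non-conforming states to occur" needs the [HALTINGPROBLEM] escape hatch, so consider splitting the sentence. Also, [HALTINGPROBLEM] is cited from normative text while its reference entry exists only inside the `<!-- XXX ... -->` comment that follows, so the citation currently points nowhere in the rendered document.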
@@ -5909,6 +5913,12 @@
    a <a href="#set-of">set of space-separated tokens</a> where none of the
    words are duplicated but where the order of the tokens is meaningful.
 
+  <p><a href="#set-of" title="set of space-separated tokens">Sets of
+   space-separated tokens</a> sometimes have a defined set of allowed values.
+   When a set of allowed values is defined, the tokens must all be from that
+   list of allowed values; other values are non-conforming. If no such set of
+   allowed values is provided, then all values are conforming.
+
   <p>When a user agent has to <dfn id=split>split a string on spaces</dfn>,
    it must use the following algorithm:
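Review bot: the new paragraph defines conformance for tokens outside the allowed set but says nothing about user agent behaviour, and for a security-bearing attribute such as sandbox that matters: a misspelt keyword (say `unrestricted-script`) must be ignored so the restriction stays in force, not cause the whole attribute to be discarded. The sandbox processing in this commit happens to fail closed because it only looks for the exact keywords, but stating the general rule here (unrecognised tokens are ignored for processing purposes; comparison is case-sensitive unless the attribute says otherwise) would keep future attributes consistent.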
 
@@ -14135,6 +14145,8 @@
 
    <dd><code title=attr-iframe-name><a href="#name1">name</a></code>
 
+   <dd><code title=attr-iframe-sandbox><a href="#sandbox">sandbox</a></code>
+
    <dd><code title=attr-iframe-seamless><a
     href="#seamless">seamless</a></code>
 
@@ -14145,6 +14157,7 @@
      class=idl>interface <dfn id=htmliframeelement>HTMLIFrameElement</dfn> : <a href="#htmlelement">HTMLElement</a> {
            attribute DOMString <a href="#src2" title=dom-iframe-src>src</a>;
            attribute DOMString <a href="#name2" title=dom-iframe-name>name</a>;
+           attribute DOMString <a href="#sandbox0" title=dom-iframe-sandbox>sandbox</a>;
            attribute DOMString <a href="#seamless1" title=dom-iframe-seamless>seamless</a>;<!--
   readonly attribute Document <span title="dom-iframe-contentDocument">contentDocument</span>;
   readonly attribute <span>Window</span> <span title="dom-iframe-contentWindow">contentWindow</span>;-->
@@ -14224,6 +14237,110 @@
    href="#navigate" title=navigate>navigated</a>, that will further <a
    href="#delays">delay the <code title=event-load>load</code> event</a>.
 
+  <p>The <dfn id=sandbox title=attr-iframe-sandbox><code>sandbox</code></dfn>
+   attribute, when specified, enables a set of extra restrictions on any
+   content hosted by the <code><a href="#iframe">iframe</a></code>. Its value
+   must be an <a href="#unordered">unordered set of unique space-separated
+   tokens</a>. The allowed values are <code
+   title=attr-iframe-sandbox-xxx_origin_please_suggest_a_better_name><a
+   href="#xxxoriginpleasesuggestabettername">xxx_origin_please_suggest_a_better_name</a></code>,
+   <code title=attr-iframe-sandbox-unrestricted-forms><a
+   href="#unrestricted-forms">unrestricted-forms</a></code>, and <code
+   title=attr-iframe-sandbox-unrestricted-scripts><a
+   href="#unrestricted-scripts">unrestricted-scripts</a></code>.
+
+  <p>While the <code title=attr-iframe-sandbox><a
+   href="#sandbox">sandbox</a></code> attribute is specified, the <code><a
+   href="#iframe">iframe</a></code> element's <a href="#nested0">nested
+   browsing context</a>, and all the browsing contexts <a href="#nested0"
+   title="nested browsing context">nested</a> within it (either directly or
+   indirectly through other nested browsing contexts) must have the following
+   flags set:
+
+  <dl>
+   <dt>The <dfn id=sandboxed>sandboxed navigation browsing context</dfn> flag
+
+   <dd>
+    <p>This flag <a href="#sandboxLinks">prevents content from navigating
+     browsing contexts other than the sandboxed browsing context itself</a>
+     (or browsing contexts further nested inside it).</p>
+
+    <p>This flag also <a href="#sandboxWindowOpen">prevents content from
+     creating new auxiliary browsing contexts</a>, e.g. using the <code
+     title=attr-hyperlink-target><a href="#target3">target</a></code>
+     attribute or the <code title=dom-window-open>window.open()</code>
+     method.</p>
+
+   <dt>The <dfn id=sandboxed0>sandboxed plugins browsing context</dfn> flag
+
+   <dd>
+    <p>This flag prevents content from instantiating third-party handlers
+     (i.e. plugins), whether using <a href="#sandboxPluginEmbed">the
+     <code>embed</code> element</a>, <a href="#sandboxPluginObject">the
+     <code>object</code> element</a>, <a href="#sandboxPluginApplet">the
+     <code>applet</code> element</a>, or <a
+     href="#sandboxPluginNavigate">through navigation</a> of a <a
+     href="#nested0">nested browsing context</a>.</p>
+
+   <dt>The <dfn id=sandboxed1>sandboxed origin browsing context</dfn> flag,
+    unless the <code title=attr-iframe-sandbox><a
+    href="#sandbox">sandbox</a></code> attribute's value, when <a
+    href="#split" title="split a string on spaces">split on spaces</a>, is
+    found to have the <dfn id=xxxoriginpleasesuggestabettername
+    title=attr-iframe-sandbox-xxx_origin_please_suggest_a_better_name><code>xxx_origin_please_suggest_a_better_name</code></dfn>
+    keyword set
+
+   <dd>
+    <p>This flag <a href="#sandboxOrigin">forces content into a unique
+     origin</a> for the purposes of the <a href="#origin0"
+     title=origin>same-origin policy</a>.</p>
+
+    <div class=note>
+     <p>The <code
+      title=attr-iframe-sandbox-xxx_origin_please_suggest_a_better_name><a
+      href="#xxxoriginpleasesuggestabettername">xxx_origin_please_suggest_a_better_name</a></code>
+      attribute is intended for two cases.</p>
+
+     <p>First, it can be used to allow content from the same site to be
+      sandboxed to disable scripting, while still allowing access to the DOM
+      of the sandboxed content.</p>
+
+     <p>Second, it can be used to embed content from a third-party site,
+      sandboxed to prevent that site from opening popup windows, etc, without
+      preventing the embedded page from communicating back to its originating
+      site, using the database APIs to store data, etc.</p>
+    </div>
+
+    <p class=big-issue>Please don't implement this keyword using the name
+     "xxx_origin_please_suggest_a_better_name" -- please suggest a better
+     name first!</p>
+
+   <dt>The <dfn id=sandboxed2>sandboxed forms browsing context</dfn> flag,
+    unless the <code title=attr-iframe-sandbox><a
+    href="#sandbox">sandbox</a></code> attribute's value, when <a
+    href="#split" title="split a string on spaces">split on spaces</a>, is
+    found to have the <dfn id=unrestricted-forms
+    title=attr-iframe-sandbox-unrestricted-forms><code>unrestricted-forms</code></dfn>
+    keyword set
+
+   <dd>
+    <p>This flag <a href="#sandboxSubmitBlocked">blocks form submission</a>.</p>
+
+   <dt>The <dfn id=sandboxed3>sandboxed scripts browsing context</dfn> flag,
+    unless the <code title=attr-iframe-sandbox><a
+    href="#sandbox">sandbox</a></code> attribute's value, when <a
+    href="#split" title="split a string on spaces">split on spaces</a>, is
+    found to have the <dfn id=unrestricted-scripts
+    title=attr-iframe-sandbox-unrestricted-scripts><code>unrestricted-scripts</code></dfn>
+    keyword set
+
+   <dd>
+    <p>This flag <a href="#sandboxScriptBlocked">blocks script execution</a>.</p>
+  </dl>
+
+  <p>These flags must not be set unless the conditions listed above define
+   them as being set.
+
   <p>The <dfn id=seamless
    title=attr-iframe-seamless><code>seamless</code></dfn> attribute is a
    boolean attribute. When specified, it indicates that the <code><a
@@ -14352,7 +14469,8 @@
 
   <p>The DOM attributes <dfn id=src2
    title=dom-iframe-src><code>src</code></dfn>, <dfn id=name2
-   title=dom-iframe-name><code>name</code></dfn>, and <dfn id=seamless1
+   title=dom-iframe-name><code>name</code></dfn>, <dfn id=sandbox0
+   title=dom-iframe-sandbox><code>sandbox</code></dfn>, and <dfn id=seamless1
    title=dom-iframe-seamless><code>seamless</code></dfn> must <a
    href="#reflect">reflect</a> the content attributes of the same name.
 
@@ -14410,8 +14528,29 @@
 
   <p>If the <code title=attr-embed-src><a href="#src3">src</a></code>
    attribute is missing, then the <code><a href="#embed">embed</a></code>
-   element must be ignored.
+   element must be ignored (it represents nothing).
 
+  <p id=sandboxPluginEmbed>If the <a href="#sandboxed0">sandboxed plugins
+   browsing context</a> flag is set on the <a href="#browsing1">browsing
+   context</a> for which the <code><a href="#embed">embed</a></code>
+   element's document is the <a href="#active">active document</a>, then the
+   user agent must render the <code><a href="#embed">embed</a></code> element
+   in a manner that conveys that the plugin was disabled. The user agent may
+   offer the user the option to override the sandbox and instantiate the
+   handler anyway; if the user invokes such an option, the user agent must
+   act as if the <a href="#sandboxed0">sandboxed plugins browsing context</a>
+   flag was not set for the purposes of this element.
+
+  <p class=warning>Plugins are disabled in sandboxed browsing contexts
+   because they might not honour the restrictions imposed by the sandbox
+   (e.g. they might allow scripting even when scripting in the sandbox is
+   disabled). User agents should convey the danger of overriding the sandbox
+   to the user if an option to do so is provided.
+
+  <p>Otherwise, the <code title=attr-embed-src><a href="#src3">src</a></code>
+   attribute is present, and the element is not in a sandboxed browsing
+   context:
+
   <p>When the <code title=attr-embed-src><a href="#src3">src</a></code>
    attribute is set, user agents are expected to find an appropriate handler
    for the specified resource, based on the <a href="#type-of"
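Review bot: the paragraph "Otherwise, the src attribute is present, and the element is not in a sandboxed browsing context:" ends in a colon but what it introduces starts a fresh paragraph ("When the src attribute is set, ..."), so it reads as a dangling fragment; fold it into the following paragraph or drop it. On the override clause, acting "as if the flag was not set for the purposes of this element" understates the effect: as the warning itself says, a plugin can script the document, so overriding for one element lifts the sandboxed scripts flag, and potentially the other restrictions, for the whole document. Either phrase the override as the user choosing to unsandbox the document, or require that a user who overrides be told that all the restrictions are affected.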
@@ -14463,8 +14602,8 @@
     handler for it.
   </ol>
 
-  <p class=big-issue>Should we instead say that the content-sniffing that
-   we're going to define for top-level browsing contexts should apply here?
+  <p class=big-issue>Should we instead say that the content-sniffing used for
+   top-level browsing contexts should apply here?
 
   <p class=big-issue>Should we require the type attribute to match the server
    information?
@@ -14582,12 +14721,13 @@
     <p>If the <code title=attr-object-classid>classid</code> attribute is
      present, and has a value that isn't the empty string, then: if the user
      agent can find a handler suitable according to the value of the <code
-     title=attr-object-classid>classid</code> attribute, then that handler <a
-     href="#object-plugin">should be used</a>, and the value of the <code
-     title=attr-object-data><a href="#data">data</a></code> attribute, if
-     any, should be passed to the handler. If no suitable handler can be
-     found, or if the handler reports an error, jump to the last step in the
-     overall set of steps (fallback).</p>
+     title=attr-object-classid>classid</code> attribute, and <a
+     href="#sandboxPluginObject">handlers aren't being sandboxed</a>, then
+     that handler <a href="#object-plugin">should be used</a>, and the value
+     of the <code title=attr-object-data><a href="#data">data</a></code>
+     attribute, if any, should be passed to the handler. If no suitable
+     handler can be found, or if the handler reports an error, jump to the
+     last step in the overall set of steps (fallback).</p>
     <!--
      case insensitive:
       is "clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" -> application/x-shockwave-flash
@@ -14672,7 +14812,8 @@
 
       <dl class=switch>
        <dt>If the <var title="">resource type</var> can be handled by a
-        special handler (e.g. a plugin)
+        special handler (e.g. a plugin), and <a
+        href="#sandboxPluginObject">handlers aren't being sandboxed</a>
 
        <dd>
         <p>The user agent <a href="#object-plugin">should use that
@@ -14750,12 +14891,13 @@
    <li>
     <p>If the <code title=attr-object-data><a href="#data">data</a></code>
      attribute is absent but the <code title=attr-object-type><a
-     href="#type6">type</a></code> attribute is present, and if the user
-     agent can find a handler suitable according to the value of the <code
-     title=attr-object-type><a href="#type6">type</a></code> attribute, then
-     that handler <a href="#object-plugin">should be used</a>. If no suitable
-     handler can be found, or if the handler reports an error, jump to the
-     next step (fallback).
+     href="#type6">type</a></code> attribute is present, <a
+     href="#sandboxPluginObject">handlers aren't being sandboxed</a>, and the
+     user agent can find a handler suitable according to the value of the
+     <code title=attr-object-type><a href="#type6">type</a></code> attribute,
+     then that handler <a href="#object-plugin">should be used</a>. If no
+     suitable handler can be found, or if the handler reports an error, jump
+     to the next step (fallback).
 
    <li>
     <p>(Fallback.) The <code><a href="#object">object</a></code> element
@@ -14772,7 +14914,14 @@
    handler supports a scriptable interface, the <code><a
    href="#htmlobjectelement">HTMLObjectElement</a></code> object representing
    the element should expose that interface. The handler is not a nested <a
-   href="#browsing1">browsing context</a>.</p>
+   href="#browsing1">browsing context</a>.
+
+  <p id=sandboxPluginObject>If the <a href="#sandboxed0">sandboxed plugins
+   browsing context</a> flag is set on the <a href="#browsing1">browsing
+   context</a> for which the <code><a href="#object">object</a></code>
+   element's document is the <a href="#active">active document</a>, then the
+   steps above must always act as if they had failed to find a handler, even
+   if one would otherwise have been used.</p>
   <!-- duplicates what's in <embed> section above -->
 
   <p class=note>The <code><a href="#object">object</a></code> element can, in
@@ -17205,13 +17354,14 @@
   <p>The <dfn id=controls
    title=attr-media-controls><code>controls</code></dfn> attribute is a <a
    href="#boolean0">boolean attribute</a>. If the attribute is present, or if
-   <a href="#scripting1">scripting is disabled</a>, then the user agent
-   should <dfn id=expose>expose a user interface to the user</dfn>. This user
-   interface should include features to begin playback, pause playback, seek
-   to an arbitrary position in the content (if the content supports arbitrary
-   seeking), change the volume, and show the media content in manners more
-   suitable to the user (e.g. full-screen video or in an independent
-   resizable window). Other controls may also be made available.
+   the <a href="#media7">media element</a> is <a href="#without">without
+   script</a>, then the user agent should <dfn id=expose>expose a user
+   interface to the user</dfn>. This user interface should include features
+   to begin playback, pause playback, seek to an arbitrary position in the
+   content (if the content supports arbitrary seeking), change the volume,
+   and show the media content in manners more suitable to the user (e.g.
+   full-screen video or in an independent resizable window). Other controls
+   may also be made available.
 
   <p>If the attribute is absent, then the user agent should avoid making a
    user interface available that could conflict with an author-provided user
@@ -17778,22 +17928,25 @@
    href="#canvas">canvas</a></code> element, if any, are the element's <a
    href="#fallback">fallback content</a>.
 
-  <p>In interactive visual media with <span>scripting enabled</span>, the
-   canvas element is an embedded element with a dynamically created image.
+  <p>In interactive visual media, if the <code><a
+   href="#canvas">canvas</a></code> element is <a href="#with-script">with
+   script</a>, the <code><a href="#canvas">canvas</a></code> element
+   represents an embedded element with a dynamically created image.
 
   <p>In non-interactive, static, visual media, if the <code><a
    href="#canvas">canvas</a></code> element has been previously painted on
    (e.g. if the page was viewed in an interactive visual medium and is now
    being printed, or if some script that ran during the page layout process
    painted on the element), then the <code><a
-   href="#canvas">canvas</a></code> element must be treated as <a
+   href="#canvas">canvas</a></code> element represents <a
    href="#embedded1">embedded content</a> with the current image and size.
-   Otherwise, the element's <a href="#fallback">fallback content</a> must be
-   used instead.
+   Otherwise, the element represents its <a href="#fallback">fallback
+   content</a> instead.
 
-  <p>In non-visual media, and in visual media with <span>scripting
-   disabled</span>, the <code><a href="#canvas">canvas</a></code> element's
-   <a href="#fallback">fallback content</a> must be used instead.
+  <p>In non-visual media, and in visual media if the <code><a
+   href="#canvas">canvas</a></code> element is <a href="#without">without
+   script</a>, the <code><a href="#canvas">canvas</a></code> element
+   represents its <a href="#fallback">fallback content</a> instead.
 
   <p>The <code><a href="#canvas">canvas</a></code> element has two attributes
    to control the size of the coordinate space: <dfn id=width0
@@ -22851,6 +23004,10 @@
    href="http://www.whatwg.org/specs/web-forms/current-work/#form-submission">WF2</a>
    for now
 
+  <p class=big-issue id=sandboxSubmitBlocked>If a form is in a browsing
+   context whose <a href="#sandboxed2">sandboxed forms browsing context</a>
+   is set, it must not be submitted.
+
   <h3 id=scripting0><span class=secno>3.15 </span>Scripting</h3>
 
   <p>Scripts allow authors to add interactivity to their documents.
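Review bot: "a browsing context whose sandboxed forms browsing context is set" is missing the word "flag", and a normative "must not be submitted" should not sit in a `class=big-issue` paragraph. It also says nothing about what the user agent does instead (whether the submit event still fires, whether the user is told the submission was blocked); since form submission is deferred to WF2 two lines above, the cleanest fix is to add the check as an early step of that submission algorithm rather than as a free-standing sentence here.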
@@ -23075,15 +23232,14 @@
      encoding">the encoding of the document itself</a>.</p>
 
    <li>
-    <p>If <a href="#scripting1">scripting is disabled</a>, or if the
-     <code>Document</code> has <code title=dom-document-designMode><a
-     href="#designMode">designMode</a></code> enabled, or if the <code><a
+    <p>If the <code><a href="#script1">script</a></code> element is <a
+     href="#without">without script</a>, or if the <code><a
      href="#script1">script</a></code> element was created by an <span>XML
      parser</span> that itself was created as part of the processing of the
      <code title=dom-innerHTML-XML><a href="#innerhtml1">innerHTML</a></code>
-     attribute's
-     setter<!-- no need to worry about the innerHTML-HTML case, as the
-    HTML parser handles that for us-->,
+     attribute's setter<!--
+    no need to worry about the innerHTML-HTML case, as the HTML parser
+    handles that for us-->,
      or if the user agent does not <a href="#support">support the scripting
      language</a> given by <var><a href="#the-scripts">the script's
      type</a></var> for this <code><a href="#script1">script</a></code>
@@ -23279,10 +23435,7 @@
    <dd>
     <ol>
      <li>
-      <p>If <a href="#scripting2">scripting is enabled</a>, and the
-       <code>Document</code> does not have <code
-       title=dom-document-designMode><a
-       href="#designMode">designMode</a></code> enabled, and the
+      <p>If the <code><a href="#script1">script</a></code> element's
        <code>Document</code> is the <a href="#active">active document</a> in
        its <a href="#browsing1">browsing context</a>, the user agent must
        execute the script:</p>
@@ -23323,7 +23476,7 @@
 
       <p>Scripts must be executed in the scope of the <a
        href="#browsing1">browsing context</a> of the element's
-       <code>Document</code>. That <a href="#script2">script execution
+       <code>Document</code>. The <a href="#script2">script execution
        browsing context</a> is that browsing context.</p>
 
       <p class=note>The element's attributes' values might have changed
@@ -23413,19 +23566,19 @@
 
    <dt>Content model:
 
-   <dd>When <a href="#scripting1">scripting is disabled</a>, in a <code><a
+   <dd><a href="#without">Without script</a>, in a <code><a
     href="#head">head</a></code> element: in any order, zero or more <code><a
     href="#link">link</a></code> elements, zero or more <code><a
     href="#style1">style</a></code> elements, and zero or more <code><a
     href="#meta0">meta</a></code> elements.
 
-   <dd>When <a href="#scripting1">scripting is disabled</a>, not in a
-    <code><a href="#head">head</a></code> element: <a
+   <dd><a href="#without">Without script</a>, not in a <code><a
+    href="#head">head</a></code> element: <a
     href="#transparent0">transparent</a>, but there must be no <code><a
     href="#noscript">noscript</a></code> element descendants.
 
-   <dd>When <a href="#scripting2">scripting is enabled</a>: text that
-    conforms to the requirements given in the prose.
+   <dd><a href="#with-script">With script</a>: text that conforms to the
+    requirements given in the prose.
 
    <dt>Element-specific attributes:
 
@@ -23451,16 +23604,16 @@
    title="">XML serialisation</span><!-- XXX xref -->.</strong>
 
   <p>When used in <a href="#html-">HTML documents</a>, the allowed content
-   model depends on whether scripting is enabled or not, and whether the
-   element is in a <code><a href="#head">head</a></code> element or not.
+   model is as follows:
 
-  <p>In a <code><a href="#head">head</a></code> element, if <a
-   href="#scripting1">scripting is disabled</a>, then the content model of a
-   <code><a href="#noscript">noscript</a></code> element must contain only
-   <code><a href="#link">link</a></code>, <code><a
-   href="#style1">style</a></code>, and <code><a
-   href="#meta0">meta</a></code> elements. If <a href="#scripting2">scripting
-   is enabled</a>, then the content model of a <code><a
+  <p>In a <code><a href="#head">head</a></code> element, if the <code><a
+   href="#noscript">noscript</a></code> element is <a href="#without">without
+   script</a>, then the content model of a <code><a
+   href="#noscript">noscript</a></code> element must contain only <code><a
+   href="#link">link</a></code>, <code><a href="#style1">style</a></code>,
+   and <code><a href="#meta0">meta</a></code> elements. If the <code><a
+   href="#noscript">noscript</a></code> element is <a
+   href="#with-script">with script</a>, then the content model of a <code><a
    href="#noscript">noscript</a></code> element is text, except that invoking
    the <a href="#html-fragment0">HTML fragment parsing algorithm</a> with the
    <code><a href="#noscript">noscript</a></code> element as the <var
@@ -23470,22 +23623,24 @@
    href="#style1">style</a></code>, and <code><a
    href="#meta0">meta</a></code> elements.
 
-  <p>Outside of <code><a href="#head">head</a></code> elements, if <a
-   href="#scripting1">scripting is disabled</a>, then the content model of a
+  <p>Outside of <code><a href="#head">head</a></code> elements, if the
    <code><a href="#noscript">noscript</a></code> element is <a
+   href="#without">without script</a>, then the content model of a <code><a
+   href="#noscript">noscript</a></code> element is <a
    href="#transparent0">transparent</a>, with the additional restriction that
    a <code><a href="#noscript">noscript</a></code> element must not have a
    <code><a href="#noscript">noscript</a></code> element as an ancestor (that
    is, <code><a href="#noscript">noscript</a></code> can't be nested).
 
-  <p>Outside of <code><a href="#head">head</a></code> elements, if <a
-   href="#scripting2">scripting is enabled</a>, then the content model of a
-   <code><a href="#noscript">noscript</a></code> element is text, except that
-   the text must be such that running the following algorithm results in a
-   conforming document with no <code><a href="#noscript">noscript</a></code>
-   elements and no <code><a href="#script1">script</a></code> elements, and
-   such that no step in the algorithm causes an <a href="#html-0">HTML
-   parser</a> to flag a <a href="#parse1">parse error</a>:
+  <p>Outside of <code><a href="#head">head</a></code> elements, if the
+   <code><a href="#noscript">noscript</a></code> element is <a
+   href="#with-script">with script</a>, then the content model of a <code><a
+   href="#noscript">noscript</a></code> element is text, except that the text
+   must be such that running the following algorithm results in a conforming
+   document with no <code><a href="#noscript">noscript</a></code> elements
+   and no <code><a href="#script1">script</a></code> elements, and such that
+   no step in the algorithm causes an <a href="#html-0">HTML parser</a> to
+   flag a <a href="#parse1">parse error</a>:
 
   <ol>
    <li>Remove every <code><a href="#script1">script</a></code> element from
@@ -23532,15 +23687,24 @@
   <p>The <code><a href="#noscript">noscript</a></code> element has no other
    requirements. In particular, children of the <code><a
    href="#noscript">noscript</a></code> element are not exempt from form
-   submission, scripting, and so forth, even when scripting is enabled.
+   submission, scripting, and so forth, even when the element is <a
+   href="#with-script">with script</a>.
 
   <p class=note>All these contortions are required because, for historical
-   reasons, the <code><a href="#noscript">noscript</a></code> element causes
-   the <a href="#html-0">HTML parser</a> to act differently based on whether
-   scripting is enabled or not. The element is not allowed in XML, because in
-   XML the parser is not affected by such state, and thus the element would
-   not have the desired effect.
+   reasons, the <code><a href="#noscript">noscript</a></code> element is
+   handled differently by the <a href="#html-0">HTML parser</a> based on
+   whether <a href="#scripting2" title="scripting flag">scripting was enabled
+   or not</a> when the parser was invoked. The element is not allowed in XML,
+   because in XML the parser is not affected by such state, and thus the
+   element would not have the desired effect.
 
+  <p class=note>The <code><a href="#noscript">noscript</a></code> element
+   interacts poorly with the <code title=dom-document-designMode><a
+   href="#designMode">designMode</a></code> feature. Authors are encouraged
+   to not use <code><a href="#noscript">noscript</a></code> elements on pages
+   that will have <code title=dom-document-designMode><a
+   href="#designMode">designMode</a></code> enabled.
+
   <h4 id=the-event-source><span class=secno>3.15.3 </span>The <dfn
    id=event-source><code>event-source</code></dfn> element</h4>
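Review bot: the new designMode note says the interaction is poor but not why, and the earlier hunk in this commit that rewrote the script execution condition removed the explicit designMode check, so a reader can no longer tell from this section whether designMode still disables script. The reason is visible in the preceding note: the parser decides how to treat noscript from the scripting flag at parse time, whereas designMode is toggled afterwards, so noscript content parsed as text stays hidden even once script stops running. Say that, and link "without script" to the definition that covers designMode.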
 
@@ -27116,10 +27280,8 @@
    href="#template">template</a></code> attribute set, the user agent must
    fetch the specified file<!-- XXX or queue it up to be fetched,
   or something -->
-   and parse it (without a <a href="#browsing1">browsing context</a>, and
-   with <span>scripting disabled</span><!-- XXX
-  xref -->) to obtain a DOM.
-   If the URI is the same as the URI of the current
+   and parse it (without a <a href="#browsing1">browsing context</a>) to
+   obtain a DOM. If the URI is the same as the URI of the current
    document<!-- XXX xref -->, then the current document's DOM must be assumed
    to be that parsed DOM. While this loading and parsing is in progress, the
    element is said to be <em>busy loading the template rules or data</em>.
@@ -27242,13 +27404,11 @@
    title=attr-ref><a href="#ref">ref</a></code> attribute set, the user agent
    must fetch the specified file<!-- XXX or queue it up to be fetched, or
   something -->
-   and parse it (without a <a href="#browsing1">browsing context</a>, and
-   with <span>scripting disabled</span><!-- XXX xref -->) to obtain a DOM. If
-   the URI is the same as the URI of the current document<!--
-  XXX xref -->,
-   then the current document's DOM is assumed to be that parsed DOM. While
-   this loading and parsing is in progress, the element is said to be
-   <em>busy loading the template rules or data</em>.
+   and parse it (without a <a href="#browsing1">browsing context</a>) to
+   obtain a DOM. If the URI is the same as the URI of the current
+   document<!-- XXX xref -->, then the current document's DOM is assumed to
+   be that parsed DOM. While this loading and parsing is in progress, the
+   element is said to be <em>busy loading the template rules or data</em>.
 
   <p>If the resource specified by the <code title=attr-ref><a
    href="#ref">ref</a></code> attribute is not the current
@@ -28128,6 +28288,18 @@
      depends on the user agent's configuration and/or abilities:</p>
 
     <dl>
+     <dt id=sandboxWindowOpen>If the current browsing context has the <a
+      href="#sandboxed">sandboxed navigation browsing context</a> flag set.
+
+     <dd>The user agent may offer to create a new <a
+      href="#top-level">top-level browsing context</a> or reuse an existing
+      <a href="#top-level">top-level browsing context</a>. If the user picks
+      one of those options, then the designated browsing context must be the
+      chosen one (the browsing context's name isn't set to the given browsing
+      context name). Otherwise (if the user agent doesn't offer the option to
+      the user, or if the user declines to allow a browsing context to be
+      used) there must not be a chosen browsing context.
+
      <dt>If the user agent has been configured such that in this instance it
       will create a new browsing context
 
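Review bot: the new <dt id=sandboxWindowOpen> entry needs to state that it takes precedence over the configuration-dependent entries that follow it; otherwise a user agent "configured such that in this instance it will create a new browsing context" could satisfy that later entry and hand sandboxed content a browsing context carrying the requested name. Also, "the current browsing context" should be the source browsing context of the script or hyperlink that requested the navigation, the term the new sandboxLinks step uses, since the navigation flag is checked on the originator rather than on the context being chosen.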
@@ -28587,6 +28759,13 @@
 
    <dd>
     <dl class=switch>
+     <dt id=sandboxOrigin>If a <code>Document</code> is in a <a
+      href="#browsing1">browsing context</a> whose <a
+      href="#sandboxed1">sandboxed origin browsing context</a> is set
+
+     <dd>The <a href="#origin0">origin</a> is a globally unique identifier
+      assigned when the <code>Document</code> is created.
+
      <dt>If a <code>Document</code> or image was returned by the
       <code>XMLHttpRequest</code> API
 
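Review bot: "assigned when the Document is created" means a Document that was already loaded when the sandbox attribute was set on its iframe keeps the origin it was created with, while the iframe section describes the flags as set "while the sandbox attribute is specified". The entry should say explicitly that the unique origin applies only to Documents created after the flag is set (that is, from the next navigation on), so that implementers neither re-origin a live Document nor assume a live Document has been isolated when it has not.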
@@ -28829,24 +29008,66 @@
     scripting features.
   </ul>
 
-  <p>User agents may provide a mechanism to enable or disable the execution
-   of author-provided code. When the user agent is configured such that
-   author-provided code does not execute, or if the user agent is implemented
-   so as to never execute author-provided code, it is said that <dfn
-   id=scripting1>scripting is disabled</dfn>. When author-provided code
-   <em>does</em> execute, <dfn id=scripting2>scripting is enabled</dfn>. A
-   user agent with scripting disabled is a <a href="#non-scripted"
-   title="User agents with no scripting support">user agent with no scripting
-   support</a> for the purposes of conformance.
-
   <h4 id=script0><span class=secno>4.4.1 </span>Script execution contexts</h4>
 
   <p>The <dfn id=script2>script execution browsing context</dfn> of a script
    is defined when that script is created. It is typically the <a
    href="#browsing1">browsing context</a> of the <code><a
    href="#window">Window</a></code> object that is being used as the script's
-   dereference context..
+   dereference context.
 
+  <p>All <a href="#browsing1" title="browsing context">browsing contexts</a>
+   are, by definition, potential <a href="#script2" title="script execution
+   browsing context">script execution browsing contexts</a>.
+
+  <p>It is said that <dfn id=scripting1>scripting is disabled</dfn> in a <a
+   href="#script2">script execution browsing context</a> when any of the
+   following conditions are true:
+
+  <ul>
+   <li>The user agent does not support scripting.
+
+   <li>The user has disabled scripting for this <a href="#script2">script
+    execution browsing context</a>. (User agents may provide users with the
+    option to disable scripting globally, on a per-origin basis, or in other
+    ways down to the granularity of individual <a href="#script2"
+    title="script execution browsing context">script execution browsing
+    contexts</a>.)
+
+   <li id=designModeScriptBlocked>The <a href="#script2">script execution
+    browsing context</a> is a <a href="#browsing1">browsing context</a> whose
+    <a href="#active">active document</a> has <code
+    title=dom-document-designMode><a href="#designMode">designMode</a></code>
+    enabled.
+
+   <li id=sandboxScriptBlocked>The <a href="#script2">script execution
+    browsing context</a> is a <a href="#browsing1">browsing context</a> whose
+    <a href="#sandboxed3">sandboxed scripts browsing context</a> flag is set.
+  </ul>
+
+  <p>A node is said to be <dfn id=without>without script</dfn> if either the
+   <code>Document</code> object of the node (the node itself, it is itself a
+   <code>Document</code> object) does not have an associated <a
+   href="#browsing1">browsing context</a>, or <a href="#scripting1">scripting
+   is disabled</a> in that <a href="#browsing1">browsing context</a>.
+
+  <p>A node is said to be <dfn id=with-script>with script</dfn> if it is not
+   <a href="#without">without script</a>.
+
+  <p class=big-issue>If you can find a better pair of terms than "with
+   script" and "without script" let me know. The only things I can find that
+   are less confusing are also way, way longer.
+
+  <p>When a script is to be executed in a <a href="#script2">script execution
+   browsing context</a> in which <a href="#scripting1">scripting is
+   disabled</a>, the script must do nothing and return nothing (a void return
+   value).
+
+  <p class=note>Thus, for instance, enabling <code
+   title=dom-document-designMode><a href="#designMode">designMode</a></code>
+   will disable any event handler attributes, event listeners, timeouts, etc,
+   that were set by scripts in the document.
+
   <h4 id=security4><span class=secno>4.4.2 </span>Security exceptions</h4>
 
   <p class=big-issue>Define <dfn id=security9>security exception</dfn>.
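Review bot: "When a script is to be executed in a script execution browsing context in which scripting is disabled, the script must do nothing" is evaluated at the point of execution, so the hunk should say what happens to a script that is already running when one of the conditions becomes true, for example a script that enables designMode on its own document (the designModeScriptBlocked condition) or a parent that sets the sandbox attribute on the iframe whose script is currently running (the sandboxScriptBlocked condition). Separately, the removed paragraph carried the conformance mapping "a user agent with scripting disabled is a user agent with no scripting support for the purposes of conformance", and the replacement wording in the conformance section ("scripting features disabled entirely") covers only global disabling; say which conformance class applies when scripting is disabled per origin or per browsing context as the new list allows.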
@@ -28886,11 +29107,7 @@
    no <a href="#script2">script execution browsing context</a>.
 
   <p>URIs using the <code title="">javascript:</code> protocol should be
-   evaluated when the resource for that URI is needed, unless <a
-   href="#scripting1">scripting is disabled</a> or the <code>Document</code>
-   corresponding to the dereference context (as defined above), if any, has
-   <code title=dom-document-designMode><a
-   href="#designMode">designMode</a></code> enabled.
+   evaluated when the resource for that URI is needed.
 
   <p>If the dereference by-product is void (there is no return value), then
    the URI must be treated in a manner equivalent to an HTTP resource with an
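Review bot: with the "unless scripting is disabled or ... designMode enabled" clause removed, the no-op behaviour of javascript: URIs now depends on the new 4.4.1 rule that a script executed where scripting is disabled returns void, which then falls into the "dereference by-product is void" case below. A cross-reference to that rule here would keep the intent visible, since the preceding paragraph only covers the case where there is no script execution browsing context at all and says nothing about a disabled one.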
@@ -29318,27 +29535,22 @@
    returns true instead.</p>
   <!-- IE actually uncancels the event if the function returns true -->
 
-  <p>When <a href="#scripting1">scripting is disabled</a>, event handler
-   attributes must do nothing.</p>
-  <!-- XXX arguments should use <var>, not <code>: -->
-
-  <p>When <a href="#scripting2">scripting is enabled</a>, all event handler
-   attributes on an element, whether set to null or to a function, must be
-   registered as event listeners on the element, as if the <code
-   title=dom-EventTarget-addEventListenerNS>addEventListenerNS()</code>
+  <p>All event handler attributes on an element, whether set to null or to a
+   function, must be registered as event listeners on the element, as if the
+   <code title=dom-EventTarget-addEventListenerNS>addEventListenerNS()</code>
    method on the <code>Element</code> object's <code>EventTarget</code>
    interface had been invoked when the element was created, with the event
-   type (<code title=dom-event-type>type</code> argument) equal to the type
+   type (<var title=dom-event-type>type</var> argument) equal to the type
    described for the event handler attribute in the list above, the namespace
-   (<code title=dom-event-namespaceURI>namespaceURI</code> argument) set to
-   null, the listener set to be a target and bubbling phase listener (<code
-   title=dom-event-useCapture>useCapture</code> argument set to false), the
-   event group set to the default group (<code
-   title=dom-event-evtGroup>evtGroup</code> argument set to null), and the
-   event listener itself (<code title=dom-event-listener>listener</code>
+   (<var title=dom-event-namespaceURI>namespaceURI</var> argument) set to
+   null, the listener set to be a target and bubbling phase listener (<var
+   title=dom-event-useCapture>useCapture</var> argument set to false), the
+   event group set to the default group (<var
+   title=dom-event-evtGroup>evtGroup</var> argument set to null), and the
+   event listener itself (<var title=dom-event-listener>listener</var>
    argument) set to do nothing while the event handler attribute is null, and
    set to invoke the function associated with the event handler attribute
-   otherwise. (The <code title=dom-event-listener>listener</code> argument is
+   otherwise. (The <var title=dom-event-listener>listener</var> argument is
    emphatically <em>not</em> the event handler attribute itself.)
 
   <h5 id=event><span class=secno>4.4.4.2. </span>Event firing</h5>
@@ -31956,6 +32168,23 @@
    following steps:
 
   <ol>
+   <li id=sandboxLinks>
+    <p>If the <a href="#source0">source browsing context</a> is not the same
+     as the <a href="#browsing1">browsing context</a> being navigated, and
+     the <a href="#source0">source browsing context</a> is not one of the <a
+     href="#ancestor" title="ancestor browsing context">ancestor browsing
+     contexts</a> of the <a href="#browsing1">browsing context</a> being
+     navigated, and the <a href="#source0">source browsing context</a> has
+     its <a href="#sandboxed">sandboxed navigation browsing context</a> flag
+     set, then abort these steps. The user agent may offer to open the
+     specified resource in a new <a href="#top-level">top-level browsing
+     context</a> or in the <a href="#top-level">top-level browsing
+     context</a> of the <a href="#source0">source browsing context</a>, at
+     the user's option, in which case the user agent must <a
+     href="#navigate">navigate</a> that designated <a
+     href="#top-level">top-level browsing context</a> to the specified
+     resource as if the user had requested it independently.
+
    <li id=seamlessLinks>
     <p>If the <a href="#source0">source browsing context</a> is the same as
      the <a href="#browsing1">browsing context</a> being navigated, and this
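Review bot: the user-approved escape in the new sandboxLinks step leaves the resulting browsing context unsandboxed: the flags are defined only for the iframe's nested browsing context and its descendants, so a resource opened in a new top-level browsing context at the user's option gets plugins, scripts, forms and navigation back, and the second option replaces the very page that embeds the sandbox. The step should say so explicitly and require that the option be presented as a user decision, in the same way the embed section warns about overriding the plugin restriction, so that implementers do not expose it as a silent default.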
@@ -32439,6 +32668,12 @@
    XBL binding, or to give the document a <code><a
    href="#title1">title</a></code>.
 
+  <p class=note id=sandboxPluginNavigate>If the <a
+   href="#sandboxed0">sandboxed plugins browsing context</a> flag is set on
+   the <a href="#browsing1">browsing context</a>, the synthesized <code><a
+   href="#embed">embed</a></code> element will <a
+   href="#sandboxPluginEmbed">fail to render the content</a>.
+
   <h4 id=read-ua-inline><span class=secno>4.9.7 </span><dfn id=page-load4
    title=navigate-ua-inline>Page load processing model for inline content
    that doesn't have a DOM</dfn></h4>
@@ -36358,7 +36593,6 @@
    on the UA.</p>
   <!-- XXX rendering requirement: The current caret should affect the
   line-height (i.e. it acts at least like an empty inline element) -->
-  <!-- XXX document.designMode attribute -->
   <!-- XXX would be useful to have a way to mark an element as
   unremovable. -->
 
@@ -36581,17 +36815,10 @@
    disabled.
 
   <p>Enabling <code title=dom-document-designMode><a
-   href="#designMode">designMode</a></code> causes scripts in general to be
-   disabled and the document to become editable.
+   href="#designMode">designMode</a></code> <a
+   href="#designModeScriptBlocked">causes scripts in general to be
+   disabled</a> and the document to become editable.
 
-  <p>When the <code>Document</code> has <code
-   title=dom-document-designMode><a href="#designMode">designMode</a></code>
-   enabled, the <a href="#event2">event handler attributes</a> of the
-   document and any elements owned by the document must do nothing, and event
-   listeners registered on the document and any elements owned by the
-   document that are associated with script from the document must similarly
-   do nothing.
-
   <h3 id=dnd><span class=secno>5.3 </span><dfn id=drag-and>Drag and
    drop</dfn></h3>
   <!--XXX
@@ -41969,7 +42196,8 @@
    that to break out of the <noscript> but it doesn't. This is an edge
    case that doesn't affect the spec, since the algorithm for fragment
    parsing is only used for innerHTML, where we know scripting is
-   enabled. -->
+   enabled. (XXX except maybe if innerHTML is set from another
+   browsing context on a document with designMode set?) -->
 
    <li>If <var title="">node</var> is a <code><a
     href="#body0">body</a></code> element, then switch the <span>insertion
@@ -42293,6 +42521,13 @@
    associate with forms in the face of dramatically bad markup, for
    historical reasons.
 
+  <h5 id=the-scripting><span class=secno>8.2.3.5. </span>The scripting state</h5>
+
+  <p>The <dfn id=scripting2>scripting flag</dfn> is set to "enabled" if the
+   <code>Document</code> with which the parser is associated was <a
+   href="#with-script">with script</a> when the parser was created, and
+   "disabled" otherwise.
+
   <h4 id=tokenisation><span class=secno>8.2.4 </span><dfn
    id=tokenisation0>Tokenisation</dfn></h4>
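Review bot: the new scripting flag is defined only for a parser "associated" with a Document when the parser is created; the fragment parsing algorithm used for innerHTML creates its own parser, and the comment updated earlier in this commit still assumes scripting is enabled there. Say explicitly that the fragment parser's scripting flag is "enabled" if the context element's Document is with script and "disabled" otherwise; that also answers the two new XXX notes about innerHTML being set from another browsing context on a document with designMode enabled.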
 
@@ -45026,16 +45261,16 @@
    <dd>
     <p>Follow the <a href="#generic0">generic RCDATA parsing algorithm</a>.</p>
 
-   <dt>A start tag whose tag name is "noscript", if <a
-    href="#scripting2">scripting is enabled</a>:
+   <dt>A start tag whose tag name is "noscript", if the <a
+    href="#scripting2">scripting flag</a> is enabled:
 
    <dt>A start tag whose tag name is "style"
 
    <dd>
     <p>Follow the <a href="#generic">generic CDATA parsing algorithm</a>.</p>
 
-   <dt>A start tag whose tag name is "noscript", if <a
-    href="#scripting1">scripting is disabled</a>:
+   <dt>A start tag whose tag name is "noscript", if the <a
+    href="#scripting2">scripting flag</a> is disabled:
 
    <dd>
     <p><a href="#insert0">Insert an HTML element</a> for the token.</p>
@@ -46236,8 +46471,8 @@
 
    <dt>A start tag whose tag name is one of: "iframe", "noembed", "noframes"
 
-   <dt>A start tag whose tag name is "noscript", if <a
-    href="#scripting2">scripting is enabled</a>:
+   <dt>A start tag whose tag name is "noscript", if the <a
+    href="#scripting2">scripting flag</a> is enabled:
 
    <dd>
     <p>Follow the <a href="#generic">generic CDATA parsing algorithm</a>.</p>
@@ -46336,8 +46571,8 @@
    <!-- add keygen if we add the start
    tag -->
 
-   <dt>An end tag whose tag name is "noscript", if <a
-    href="#scripting2">scripting is enabled</a>:
+   <dt>An end tag whose tag name is "noscript", if the <a
+    href="#scripting2">scripting flag</a> is enabled:
 
    <dd>
     <p><a href="#parse1">Parse error</a>. Ignore the token.</p>
@@ -47911,7 +48146,9 @@
          <code title="">data</code> DOM attribute literally.</p>
         <!-- note about noscript: we're
         assuming here that scripting is disabled. If this algorithm is
-        used with scripting disabled, this won't work right. -->
+        used with scripting disabled, this won't work right. XXX This
+        might affect calling innerHTML on nodes in a document that is
+        being designMode'd -->
         
         <p>Otherwise, append the value of <var title="">current node</var>'s
          <code title="">data</code> DOM attribute, <a href="#escapingString"
@@ -48048,9 +48285,10 @@
 
      <dt>If it is a <code><a href="#noscript">noscript</a></code> element
 
-     <dd>If <a href="#scripting2">scripting is enabled</a>, set the <a
-      href="#content2">content model flag</a> to <em>CDATA</em>. Otherwise,
-      set the <a href="#content2">content model flag</a> to <em>PCDATA</em>.
+     <dd>If the <a href="#scripting2">scripting flag</a> is enabled, set the
+      <a href="#content2">content model flag</a> to <em>CDATA</em>.
+      Otherwise, set the <a href="#content2">content model flag</a> to
+      <em>PCDATA</em>.
 
      <dt>If it is a <code>plaintext</code> element
 
@@ -50498,8 +50736,15 @@
    all extension frameworks (Java, .NET, Flash, etc) are handled in a
    consistent manner.
 
-  <p class=big-issue>define how the element works, if supported
+  <p id=sandboxPluginApplet>If the <a href="#sandboxed0">sandboxed plugins
+   browsing context</a> flag is set on the <a href="#browsing1">browsing
+   context</a> for which the <code><a href="#applet">applet</a></code>
+   element's document is the <a href="#active">active document</a>, then the
+   element must be ignored (it represents nothing).
 
+  <p>Otherwise, <span class=big-issue>define how the element works, if
+   supported</span>.
+
   <pre class=idl>[XXX] interface <a href="#htmldocument">HTMLDocument</a> {
   readonly attribute <a href="#htmlcollection0">HTMLCollection</a> <a href="#applets" title=dom-document-applets>applets</a>;
 };</pre>
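Review bot: the three plugin-bearing elements now behave differently under the same flag: applet "must be ignored (it represents nothing)", embed must be rendered "in a manner that conveys that the plugin was disabled" with an optional user override, and object must act as if no handler was found and so shows its fallback content. The differences are not explained; either pick one behaviour (applet could fall through to the object-style fallback, or give the same visible indication as embed) or add a sentence stating why applet alone renders nothing, so users can tell a sandboxed plugin from a missing one.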

Modified: source
===================================================================
--- source	2008-05-20 00:48:51 UTC (rev 1642)
+++ source	2008-05-21 00:30:41 UTC (rev 1643)
@@ -296,12 +296,12 @@
    <dd>
 
     <p>Implementations that do not support scripting (or which have
-    their scripting features <span title="scripting is
-    disabled">disabled</span>) are exempt from supporting the events
-    and DOM interfaces mentioned in this specification. For the parts
-    of this specification that are defined in terms of an events model
-    or in terms of the DOM, such user agents must still act as if
-    events and the DOM were supported.</p>
+    their scripting features disabled entirely) are exempt from
+    supporting the events and DOM interfaces mentioned in this
+    specification. For the parts of this specification that are
+    defined in terms of an events model or in terms of the DOM, such
+    user agents must still act as if events and the DOM were
+    supported.</p>
 
     <p class="note">Scripting can form an integral part of an
     application. Web browsers that do not support scripting, or that
@@ -324,18 +324,21 @@
     elements only contain quoted material).</p>
 
     <p>Conformance checkers must check that the input document
-    conforms when <span>scripting is disabled</span>, and should also
-    check that the input document conforms when <span>scripting is
-    enabled</span>. (This is only a "SHOULD" and not a "MUST"
-    requirement because it has been proven to be impossible. <a
+    conforms when parsed without a <span>browsing context</span>
+    (meaning that no scripts are run, and that the parser's
+    <span>scripting flag</span> is disabled), and should also check
+    that the input document conforms when parsed with a <span>browsing
+    context</span> in which scripts execute, and that the scripts
+    never cause non-conforming states to occur. (This is only a
+    "SHOULD" and not a "MUST" requirement because it has been proven
+    to be impossible. <a
     href="#refsHALTINGPROBLEM">[HALTINGPROBLEM]</a>)</p> <!-- XXX
     [Computable] On computable numbers, with an application to the
     Entscheidungsproblem. Alan M. Turing. In Proceedings of the London
     Mathematical Society, series 2, volume 42, pages 230-265. London
     Mathematical Society,
     1937. http://www.turingarchive.org/browse.php/B/12 (referenced:
-    2007-03-03)
-    -->
+    2007-03-03) -->
 
     <p>The term "HTML5 validator" can be used to refer to a
     conformance checker that itself conforms to the applicable
@@ -4382,6 +4385,13 @@
   <span>set of space-separated tokens</span> where none of the words
   are duplicated but where the order of the tokens is meaningful.</p>
 
+  <p><span title="set of space-separated tokens">Sets of
+  space-separated tokens</span> sometimes have a defined set of
+  allowed values. When a set of allowed values is defined, the tokens
+  must all be from that list of allowed values; other values are
+  non-conforming. If no such set of allowed values is provided, then
+  all values are conforming.</p>
+
   <p>When a user agent has to <dfn>split a string on spaces</dfn>, it
   must use the following algorithm:</p>
 
@@ -12160,12 +12170,14 @@
    <dt>Element-specific attributes:</dt>
    <dd><code title="attr-iframe-src">src</code></dd>
    <dd><code title="attr-iframe-name">name</code></dd>
+   <dd><code title="attr-iframe-sandbox">sandbox</code></dd>
    <dd><code title="attr-iframe-seamless">seamless</code></dd>
    <dt>DOM interface:</dt>
    <dd>
 <pre class="idl">interface <dfn>HTMLIFrameElement</dfn> : <span>HTMLElement</span> {
            attribute DOMString <span title="dom-iframe-src">src</span>;
            attribute DOMString <span title="dom-iframe-name">name</span>;
+           attribute DOMString <span title="dom-iframe-sandbox">sandbox</span>;
            attribute DOMString <span title="dom-iframe-seamless">seamless</span>;<!--
   readonly attribute Document <span title="dom-iframe-contentDocument">contentDocument</span>;
   readonly attribute <span>Window</span> <span title="dom-iframe-contentWindow">contentWindow</span>;-->
@@ -12239,6 +12251,131 @@
   <code title="event-load">load</code> event</span>.</p>
 
 
+  <p>The <dfn title="attr-iframe-sandbox"><code>sandbox</code></dfn>
+  attribute, when specified, enables a set of extra restrictions on
+  any content hosted by the <code>iframe</code>. Its value must be an
+  <span>unordered set of unique space-separated tokens</span>. The
+  allowed values are <code
+  title="attr-iframe-sandbox-xxx_origin_please_suggest_a_better_name">xxx_origin_please_suggest_a_better_name</code>,
+  <code
+  title="attr-iframe-sandbox-unrestricted-forms">unrestricted-forms</code>,
+  and <code
+  title="attr-iframe-sandbox-unrestricted-scripts">unrestricted-scripts</code>.</p>
+
+  <p>While the <code title="attr-iframe-sandbox">sandbox</code>
+  attribute is specified, the <code>iframe</code> element's
+  <span>nested browsing context</span>, and all the browsing contexts
+  <span title="nested browsing context">nested</span> within it
+  (either directly or indirectly through other nested browsing
+  contexts) must have the following flags set:</p>
+
+  <dl>
+
+   <dt>The <dfn>sandboxed navigation browsing context</dfn> flag</dt>
+
+   <dd>
+
+    <p>This flag <a href="#sandboxLinks">prevents content from
+    navigating browsing contexts other than the sandboxed browsing
+    context itself</a> (or browsing contexts further nested inside
+    it).</p>
+
+    <p>This flag also <a href="#sandboxWindowOpen">prevents content
+    from creating new auxiliary browsing contexts</a>, e.g. using the
+    <code title="attr-hyperlink-target">target</code> attribute or the
+    <code title="dom-window-open">window.open()</code> method.</p>
+
+   </dd>
+
+
+   <dt>The <dfn>sandboxed plugins browsing context</dfn> flag</dt>
+
+   <dd>
+
+    <p>This flag prevents content from instantiating third-party
+    handlers (i.e. plugins), whether using <a
+    href="#sandboxPluginEmbed">the <code>embed</code> element</a>, <a
+    href="#sandboxPluginObject">the <code>object</code> element</a>,
+    <a href="#sandboxPluginApplet">the <code>applet</code>
+    element</a>, or <a href="#sandboxPluginNavigate">through
+    navigation</a> of a <span>nested browsing context</span>.</p>
+
+   </dd>
+
+
+   <dt>The <dfn>sandboxed origin browsing context</dfn> flag, unless
+   the <code title="attr-iframe-sandbox">sandbox</code> attribute's
+   value, when <span title="split a string on spaces">split on
+   spaces</span>, is found to have the <dfn
+   title="attr-iframe-sandbox-xxx_origin_please_suggest_a_better_name"><code>xxx_origin_please_suggest_a_better_name</code></dfn>
+   keyword set</dt>
+
+   <dd>
+
+    <p>This flag <a href="#sandboxOrigin">forces content into a unique
+    origin</a> for the purposes of the <span
+    title="origin">same-origin policy</span>.</p>
+
+    <div class="note">
+
+     <p>The <code
+     title="attr-iframe-sandbox-xxx_origin_please_suggest_a_better_name">xxx_origin_please_suggest_a_better_name</code>
+     attribute is intended for two cases.</p>
+
+     <p>First, it can be used to allow content from the same site to
+     be sandboxed to disable scripting, while still allowing access to
+     the DOM of the sandboxed content.</p>
+
+     <p>Second, it can be used to embed content from a third-party
+     site, sandboxed to prevent that site from opening popup windows,
+     etc, without preventing the embedded page from communicating back
+     to its originating site, using the database APIs to store data,
+     etc.</p>
+
+    </div>
+
+    <p class="big-issue">Please don't implement this keyword using the
+    name "xxx_origin_please_suggest_a_better_name" -- please suggest a
+    better name first!</p>
+
+   </dd>
+
+
+   <dt>The <dfn>sandboxed forms browsing context</dfn> flag, unless
+   the <code title="attr-iframe-sandbox">sandbox</code> attribute's
+   value, when <span title="split a string on spaces">split on
+   spaces</span>, is found to have the <dfn
+   title="attr-iframe-sandbox-unrestricted-forms"><code>unrestricted-forms</code></dfn>
+   keyword set</dt>
+
+   <dd>
+
+    <p>This flag <a href="#sandboxSubmitBlocked">blocks form
+    submission</a>.</p>
+
+   </dd>
+
+
+   <dt>The <dfn>sandboxed scripts browsing context</dfn> flag, unless
+   the <code title="attr-iframe-sandbox">sandbox</code> attribute's
+   value, when <span title="split a string on spaces">split on
+   spaces</span>, is found to have the <dfn
+   title="attr-iframe-sandbox-unrestricted-scripts"><code>unrestricted-scripts</code></dfn>
+   keyword set</dt>
+
+   <dd>
+
+    <p>This flag <a href="#sandboxScriptBlocked">blocks script
+    execution</a>.</p>
+
+   </dd>
+
+  </dl>
+
+  <p>These flags must not be set unless the conditions listed above
+  define them as being set.</p>
+
+
   <p>The <dfn title="attr-iframe-seamless"><code>seamless</code></dfn>
   attribute is a boolean attribute. When specified, it indicates that
   the <code>iframe</code> element's <span>browsing context</span> is
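Review bot: the attribute definition should warn that the origin keyword combined with unrestricted-scripts gives no protection when the framed content comes from the embedder's own origin: with the origin flag not set the content keeps its real origin (per the sandboxed origin entry), and with scripts allowed it can reach the embedding document under the same-origin policy (the first use case in the note relies on exactly this DOM access, in the opposite direction) and change or remove the sandbox attribute on its own iframe. Either make the two keywords mutually exclusive or add a warning paragraph here like the one given for plugins in the embed section, naming that combination.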
@@ -12364,7 +12501,8 @@
 
   <p>The DOM attributes <dfn
   title="dom-iframe-src"><code>src</code></dfn>, <dfn
-  title="dom-iframe-name"><code>name</code></dfn>, and <dfn
+  title="dom-iframe-name"><code>name</code></dfn>, <dfn
+  title="dom-iframe-sandbox"><code>sandbox</code></dfn>, and <dfn
   title="dom-iframe-seamless"><code>seamless</code></dfn> must
   <span>reflect</span> the content attributes of the same name.</p>
 
@@ -12407,8 +12545,31 @@
   be present and contain a URI (or IRI).</p>
 
   <p>If the <code title="attr-embed-src">src</code> attribute is
-  missing, then the <code>embed</code> element must be ignored.</p>
+  missing, then the <code>embed</code> element must be ignored (it
+  represents nothing).</p>
 
+  <p id="sandboxPluginEmbed">If the <span>sandboxed plugins browsing
+  context</span> flag is set on the <span>browsing context</span> for
+  which the <code>embed</code> element's document is the <span>active
+  document</span>, then the user agent must render the
+  <code>embed</code> element in a manner that conveys that the plugin
+  was disabled. The user agent may offer the user the option to
+  override the sandbox and instantiate the handler anyway; if the user
+  invokes such an option, the user agent must act as if the
+  <span>sandboxed plugins browsing context</span> flag was not set for
+  the purposes of this element.</p>
+
+  <p class="warning">Plugins are disabled in sandboxed browsing
+  contexts because they might not honour the restrictions imposed by
+  the sandbox (e.g. they might allow scripting even when scripting in
+  the sandbox is disabled). User agents should convey the danger of
+  overriding the sandbox to the user if an option to do so is
+  provided.</p>
+
+  <p>Otherwise, the <code title="attr-embed-src">src</code> attribute
+  is present, and the element is not in a sandboxed browsing
+  context:</p>
+
   <p>When the <code title="attr-embed-src">src</code> attribute is
   set, user agents are expected to find an appropriate handler for the
   specified resource, based on the <span
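Review bot: the paragraph "Otherwise, the src attribute is present, and the element is not in a sandboxed browsing context:" ends in a colon and reads as a lead-in to the existing "When the src attribute is set" paragraph, yet the user-override path two paragraphs earlier also has to reach that paragraph, and in that case the element is still in a sandboxed browsing context. Rephrase as "Otherwise (the src attribute is present, and either the sandboxed plugins browsing context flag is not set or the user has overridden it), the following applies." so the override case is unambiguously covered.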
@@ -12464,8 +12625,7 @@
   </ol>
 
   <p class="big-issue">Should we instead say that the content-sniffing
-  that we're going to define for top-level browsing contexts should
-  apply here?</p>
+  used for top-level browsing contexts should apply here?</p>
 
   <p class="big-issue">Should we require the type attribute to match
   the server information?</p>
@@ -12570,12 +12730,13 @@
     attribute is present, and has a value that isn't the empty string,
     then: if the user agent can find a handler suitable according to
     the value of the <code title="attr-object-classid">classid</code>
-    attribute, then that handler <a href="#object-plugin">should be
-    used</a>, and the value of the <code
-    title="attr-object-data">data</code> attribute, if any, should be
-    passed to the handler. If no suitable handler can be found, or if
-    the handler reports an error, jump to the last step in the overall
-    set of steps (fallback).</p>
+    attribute, and <a href="#sandboxPluginObject">handlers aren't
+    being sandboxed</a>, then that handler <a
+    href="#object-plugin">should be used</a>, and the value of the
+    <code title="attr-object-data">data</code> attribute, if any,
+    should be passed to the handler. If no suitable handler can be
+    found, or if the handler reports an error, jump to the last step
+    in the overall set of steps (fallback).</p>
 
     <!--
      case insensitive:
@@ -12677,7 +12838,9 @@
       <dl class="switch">
 
        <dt>If the <var title="">resource type</var> can be handled by
-       a special handler (e.g. a plugin)</dt>
+       a special handler (e.g. a plugin), and <a
+       href="#sandboxPluginObject">handlers aren't being
+       sandboxed</a></dt>
 
        <dd>
 
@@ -12772,7 +12935,8 @@
 
    <li><p>If the <code title="attr-object-data">data</code> attribute
    is absent but the <code title="attr-object-type">type</code>
-   attribute is present, and if the user agent can find a handler
+   attribute is present, <a href="#sandboxPluginObject">handlers
+   aren't being sandboxed</a>, and the user agent can find a handler
    suitable according to the value of the <code
    title="attr-object-type">type</code> attribute, then that handler
    <a href="#object-plugin">should be used</a>. If no suitable handler
@@ -12795,6 +12959,13 @@
   object representing the element should expose that interface. The
   handler is not a nested <span>browsing context</span>.</p>
 
+  <p id="sandboxPluginObject">If the <span>sandboxed plugins browsing
+  context</span> flag is set on the <span>browsing context</span> for
+  which the <code>object</code> element's document is the <span>active
+  document</span>, then the steps above must always act as if they had
+  failed to find a handler, even if one would otherwise have been
+  used.</p>
+
   <!-- duplicates what's in <embed> section above -->
   <p class="note">The <code>object</code> element can, in certain
   cases as described above, instantiate third-party handlers. This
@@ -15082,14 +15253,14 @@
 
   <p>The <dfn title="attr-media-controls"><code>controls</code></dfn>
   attribute is a <span>boolean attribute</span>. If the attribute is
-  present, or if <span>scripting is disabled</span>, then the user
-  agent should <dfn>expose a user interface to the user</dfn>. This
-  user interface should include features to begin playback, pause
-  playback, seek to an arbitrary position in the content (if the
-  content supports arbitrary seeking), change the volume, and show the
-  media content in manners more suitable to the user (e.g. full-screen
-  video or in an independent resizable window). Other controls may
-  also be made available.</p>
+  present, or if the <span>media element</span> is <span>without
+  script</span>, then the user agent should <dfn>expose a user
+  interface to the user</dfn>. This user interface should include
+  features to begin playback, pause playback, seek to an arbitrary
+  position in the content (if the content supports arbitrary seeking),
+  change the volume, and show the media content in manners more
+  suitable to the user (e.g. full-screen video or in an independent
+  resizable window). Other controls may also be made available.</p>
 
   <p>If the attribute is absent, then the user agent should avoid
   making a user interface available that could conflict with an
@@ -15445,22 +15616,23 @@
   element. The contents of the <code>canvas</code> element, if any,
   are the element's <span>fallback content</span>.</p>
 
-  <p>In interactive visual media with <span>scripting enabled</span>,
-  the canvas element is an embedded element with a dynamically created
-  image.</p>
+  <p>In interactive visual media, if the <code>canvas</code> element
+  is <span>with script</span>, the <code>canvas</code> element
+  represents an embedded element with a dynamically created image.</p>
 
   <p>In non-interactive, static, visual media, if the
   <code>canvas</code> element has been previously painted on (e.g. if
   the page was viewed in an interactive visual medium and is now being
   printed, or if some script that ran during the page layout process
-  painted on the element), then the <code>canvas</code> element must
-  be treated as <span>embedded content</span> with the current image
-  and size. Otherwise, the element's <span>fallback content</span>
-  must be used instead.</p>
+  painted on the element), then the <code>canvas</code> element
+  represents <span>embedded content</span> with the current image and
+  size. Otherwise, the element represents its <span>fallback
+  content</span> instead.</p>
 
-  <p>In non-visual media, and in visual media with <span>scripting
-  disabled</span>, the <code>canvas</code> element's <span>fallback
-  content</span> must be used instead.</p>
+  <p>In non-visual media, and in visual media if the
+  <code>canvas</code> element is <span>without script</span>, the
+  <code>canvas</code> element represents its <span>fallback
+  content</span> instead.</p>
 
   <p>The <code>canvas</code> element has two attributes to control the
   size of the coordinate space: <dfn
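Review bot: the second and third paragraphs overlap for non-interactive static visual media when the element is without script: the second says a previously painted canvas represents embedded content with the current image, the third says that without script it represents its fallback content. The printing case the second paragraph describes (viewed interactively, then printed) is exactly one where the print-time document may be without script, so precedence matters; restrict the third paragraph to interactive visual media, or prefix the second with "Regardless of whether the element is with script". Minor wording point: the first paragraph says "represents an embedded element" where the rest of the text says "represents embedded content".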
@@ -20688,8 +20860,12 @@
 
   <p class="big-issue">See <a href="http://www.whatwg.org/specs/web-forms/current-work/#form-submission">WF2</a> for now</p>
 
+  <p class="big-issue" id="sandboxSubmitBlocked">If a form is in a
+  browsing context whose <span>sandboxed forms browsing context</span>
+  is set, it must not be submitted.</p>
 
 
+
   <h3>Scripting</h3>
 
   <p>Scripts allow authors to add interactivity to their documents.</p>
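Review bot: "whose sandboxed forms browsing context is set" is missing the word "flag", and "a form is in a browsing context" uses a different test from the other sandbox rules in this patch, which key on the browsing context for which the element's document is the active document (sandboxPluginObject, sandboxPluginApplet). Use the same phrasing so the check is unambiguous for documents that are not the active document. It would also help to say that "must not be submitted" covers every submission path, including the submit() method and implicit submission, and whether the attempt fails silently or raises a security exception, since the latter is still a big-issue elsewhere in this patch.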
@@ -20898,14 +21074,13 @@
 
    <li>
 
-    <p>If <span>scripting is disabled</span>, or if the
-    <code>Document</code> has <code
-    title="dom-document-designMode">designMode</code> enabled, or if
-    the <code>script</code> element was created by an <span>XML
-    parser</span> that itself was created as part of the processing of
-    the <code title="dom-innerHTML-XML">innerHTML</code> attribute's
-    setter<!-- no need to worry about the innerHTML-HTML case, as the
-    HTML parser handles that for us-->, or if the user agent does not
+    <p>If the <code>script</code> element is <span>without
+    script</span>, or if the <code>script</code> element was created
+    by an <span>XML parser</span> that itself was created as part of
+    the processing of the <code
+    title="dom-innerHTML-XML">innerHTML</code> attribute's setter<!--
+    no need to worry about the innerHTML-HTML case, as the HTML parser
+    handles that for us-->, or if the user agent does not
     <span>support the scripting language</span> given by <var>the
     script's type</var> for this <code>script</code> element, or if
     the <code>script</code> element has its <span>"already
@@ -21181,12 +21356,9 @@
 
      <li>
 
-      <p>If <span>scripting is enabled</span>, and the
-      <code>Document</code> does not have <code
-      title="dom-document-designMode">designMode</code> enabled, and the
-      <code>Document</code> is the <span>active document</span> in its
-      <span>browsing context</span>, the user agent must execute the
-      script:</p>
+      <p>If the <code>script</code> element's <code>Document</code> is
+      the <span>active document</span> in its <span>browsing
+      context</span>, the user agent must execute the script:</p>
 
       <dl class="switch">
 
@@ -21231,7 +21403,7 @@
       languages</a> section below).</p>
 
       <p>Scripts must be executed in the scope of the <span>browsing
-      context</span> of the element's <code>Document</code>. That
+      context</span> of the element's <code>Document</code>. The
       <span>script execution browsing context</span> is that browsing
       context.</p>
 
@@ -21319,9 +21491,9 @@
    <dd>In a <code>head</code> element of an <span title=">HTML documents">HTML document</span>, if there are no ancestor <code>noscript</code> elements.</dd>
    <dd>Where <span>phrasing content</span> is expected in <span>HTML documents</span>, if there are no ancestor <code>noscript</code> elements.</dd>
    <dt>Content model:</dt>
-   <dd>When <span>scripting is disabled</span>, in a <code>head</code> element: in any order, zero or more <code>link</code> elements, zero or more <code>style</code> elements, and zero or more <code>meta</code> elements.</dd>
-   <dd>When <span>scripting is disabled</span>, not in a <code>head</code> element: <span>transparent</span>, but there must be no <code>noscript</code> element descendants.</dd>
-   <dd>When <span>scripting is enabled</span>: text that conforms to the requirements given in the prose.</dd>
+   <dd><span>Without script</span>, in a <code>head</code> element: in any order, zero or more <code>link</code> elements, zero or more <code>style</code> elements, and zero or more <code>meta</code> elements.</dd>
+   <dd><span>Without script</span>, not in a <code>head</code> element: <span>transparent</span>, but there must be no <code>noscript</code> element descendants.</dd>
+   <dd><span>With script</span>: text that conforms to the requirements given in the prose.</dd>
    <dt>Element-specific attributes:</dt>
    <dd>None.</dd>
    <dt>DOM interface:</dt>
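Review bot: the context line above, <span title=">HTML documents">HTML document</span>, has a stray ">" inside the title attribute, so the cross-reference will not resolve to the "HTML documents" definition. Not introduced by this change, but since the surrounding lines are being edited it is worth fixing here.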
@@ -21342,35 +21514,36 @@
   serialisation</span><!-- XXX xref -->.</strong></p>
 
   <p>When used in <span>HTML documents</span>, the allowed content
-  model depends on whether scripting is enabled or not, and whether
-  the element is in a <code>head</code> element or not.</p>
+  model is as follows:</p>
 
-  <p>In a <code>head</code> element, if <span>scripting is
-  disabled</span>, then the content model of a <code>noscript</code>
-  element must contain only <code>link</code>, <code>style</code>, and
-  <code>meta</code> elements. If <span>scripting is enabled</span>,
-  then the content model of a <code>noscript</code> element is text,
-  except that invoking the <span>HTML fragment parsing
-  algorithm</span> with the <code>noscript</code> element as the <var
-  title="">context</var> element and the text contents as the <var
-  title="">input</var> must result in a list of nodes that consists
-  only of <code>link</code>, <code>style</code>, and <code>meta</code>
-  elements.</p>
+  <p>In a <code>head</code> element, if the <code>noscript</code>
+  element is <span>without script</span>, then the content model of a
+  <code>noscript</code> element must contain only <code>link</code>,
+  <code>style</code>, and <code>meta</code> elements. If the
+  <code>noscript</code> element is <span>with script</span>, then the
+  content model of a <code>noscript</code> element is text, except
+  that invoking the <span>HTML fragment parsing algorithm</span> with
+  the <code>noscript</code> element as the <var title="">context</var>
+  element and the text contents as the <var title="">input</var> must
+  result in a list of nodes that consists only of <code>link</code>,
+  <code>style</code>, and <code>meta</code> elements.</p>
 
-  <p>Outside of <code>head</code> elements, if <span>scripting is
-  disabled</span>, then the content model of a <code>noscript</code>
-  element is <span>transparent</span>, with the additional restriction
-  that a <code>noscript</code> element must not have a
-  <code>noscript</code> element as an ancestor (that is,
-  <code>noscript</code> can't be nested).</p>
+  <p>Outside of <code>head</code> elements, if the
+  <code>noscript</code> element is <span>without script</span>, then
+  the content model of a <code>noscript</code> element is
+  <span>transparent</span>, with the additional restriction that a
+  <code>noscript</code> element must not have a <code>noscript</code>
+  element as an ancestor (that is, <code>noscript</code> can't be
+  nested).</p>
 
-  <p>Outside of <code>head</code> elements, if <span>scripting is
-  enabled</span>, then the content model of a <code>noscript</code>
-  element is text, except that the text must be such that running the
-  following algorithm results in a conforming document with no
-  <code>noscript</code> elements and no <code>script</code> elements,
-  and such that no step in the algorithm causes an <span>HTML
-  parser</span> to flag a <span>parse error</span>:</p>
+  <p>Outside of <code>head</code> elements, if the
+  <code>noscript</code> element is <span>with script</span>, then the
+  content model of a <code>noscript</code> element is text, except
+  that the text must be such that running the following algorithm
+  results in a conforming document with no <code>noscript</code>
+  elements and no <code>script</code> elements, and such that no step
+  in the algorithm causes an <span>HTML parser</span> to flag a
+  <span>parse error</span>:</p>
 
   <ol>
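Review bot: the content model is now keyed on whether the noscript element is currently with script, but the parser that produced the element used the scripting flag fixed when the parser was created (see the new "scripting state" subsection). The two disagree for a document whose scripting state changed after parsing, for example when designMode is enabled or scripting is disabled for the browsing context, and then the fragment-parsing conformance check described here runs with a context element whose state differs from the one the parser actually used. Consider keying the conformance requirement on the scripting flag of the parser that created the element, or state that conformance is judged at parse time.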
 
@@ -21420,17 +21593,24 @@
 
   <p>The <code>noscript</code> element has no other requirements. In
   particular, children of the <code>noscript</code> element are not
-  exempt from form submission, scripting, and so forth, even when
-  scripting is enabled.</p>
+  exempt from form submission, scripting, and so forth, even when the
+  element is <span>with script</span>.</p>
 
   <p class="note">All these contortions are required because, for
-  historical reasons, the <code>noscript</code> element causes the
-  <span>HTML parser</span> to act differently based on whether
-  scripting is enabled or not. The element is not allowed in XML,
-  because in XML the parser is not affected by such state, and thus
-  the element would not have the desired effect.</p>
+  historical reasons, the <code>noscript</code> element is handled
+  differently by the <span>HTML parser</span> based on whether <span
+  title="scripting flag">scripting was enabled or not</span> when the
+  parser was invoked. The element is not allowed in XML, because in
+  XML the parser is not affected by such state, and thus the element
+  would not have the desired effect.</p>
 
+  <p class="note">The <code>noscript</code> element interacts poorly
+  with the <code title="dom-document-designMode">designMode</code>
+  feature. Authors are encouraged to not use <code>noscript</code>
+  elements on pages that will have <code
+  title="dom-document-designMode">designMode</code> enabled.</p>
 
+
   <h4>The <dfn><code>event-source</code></dfn> element</h4>
 
   <dl class="element">
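Review bot: "interacts poorly with designMode" is vague; the note should say what goes wrong. From the definitions in this patch: enabling designMode makes the document without script, but the parser's scripting flag was fixed when the parser was created, so noscript content that was parsed as CDATA (hidden raw text) stays hidden and is never reparsed, while any innerHTML fragment parsing done afterwards sees the "disabled" state and parses noscript content as markup. Spelling this out tells authors why the advice exists and tells implementors which behaviour is expected.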
@@ -24809,12 +24989,11 @@
   title="attr-template">template</code> attribute set, the user agent
   must fetch the specified file<!-- XXX or queue it up to be fetched,
   or something --> and parse it (without a <span>browsing
-  context</span>, and with <span>scripting disabled</span><!-- XXX
-  xref -->) to obtain a DOM. If the URI is the same as the URI of the
-  current document<!-- XXX xref -->, then the current document's DOM
-  must be assumed to be that parsed DOM. While this loading and
-  parsing is in progress, the element is said to be <em>busy loading
-  the template rules or data</em>.</p>
+  context</span>) to obtain a DOM. If the URI is the same as the URI
+  of the current document<!-- XXX xref -->, then the current
+  document's DOM must be assumed to be that parsed DOM. While this
+  loading and parsing is in progress, the element is said to be
+  <em>busy loading the template rules or data</em>.</p>
 
   <p>If the resource specified by the <code
   title="attr-template">template</code> attribute is not the current
@@ -24937,13 +25116,12 @@
   title="attr-ref">ref</code> attribute has its <code
   title="attr-ref">ref</code> attribute set, the user agent must fetch
   the specified file<!-- XXX or queue it up to be fetched, or
-  something --> and parse it (without a <span>browsing context</span>,
-  and with <span>scripting disabled</span><!-- XXX xref -->) to obtain
-  a DOM. If the URI is the same as the URI of the current document<!--
-  XXX xref -->, then the current document's DOM is assumed to be that
-  parsed DOM. While this loading and parsing is in progress, the
-  element is said to be <em>busy loading the template rules or
-  data</em>.</p>
+  something --> and parse it (without a <span>browsing context</span>)
+  to obtain a DOM. If the URI is the same as the URI of the current
+  document<!-- XXX xref -->, then the current document's DOM is
+  assumed to be that parsed DOM. While this loading and parsing is in
+  progress, the element is said to be <em>busy loading the template
+  rules or data</em>.</p>
 
   <p>If the resource specified by the <code
   title="attr-ref">ref</code> attribute is not the current
@@ -25839,6 +26017,19 @@
 
     <dl>
 
+     <dt id="sandboxWindowOpen">If the current browsing context has
+     the <span>sandboxed navigation browsing context</span> flag
+     set.</dt>
+
+     <dd>The user agent may offer to create a new <span>top-level
+     browsing context</span> or reuse an existing <span>top-level
+     browsing context</span>. If the user picks one of those options,
+     then the designated browsing context must be the chosen one (the
+     browsing context's name isn't set to the given browsing context
+     name). Otherwise (if the user agent doesn't offer the option to
+     the user, or if the user declines to allow a browsing context to
+     be used) there must not be a chosen browsing context.</dd>
+
      <dt>If the user agent has been configured such that in this
      instance it will create a new browsing context</dt>
 
@@ -26320,6 +26511,14 @@
 
     <dl class="switch">
 
+     <dt id="sandboxOrigin">If a <code>Document</code> is in a
+     <span>browsing context</span> whose <span>sandboxed origin
+     browsing context</span> is set</dt>
+
+     <dd>The <span>origin</span> is a globally unique identifier
+     assigned when the <code>Document</code> is created.</dd>
+
+
      <dt>If a <code>Document</code> or image was returned by the
      <code>XMLHttpRequest</code> API</dt>
 
@@ -26609,27 +26808,70 @@
 
   </ul>
 
-  <p>User agents may provide a mechanism to enable or disable the
-  execution of author-provided code. When the user agent is configured
-  such that author-provided code does not execute, or if the user
-  agent is implemented so as to never execute author-provided code, it
-  is said that <dfn>scripting is disabled</dfn>. When author-provided
-  code <em>does</em> execute, <dfn>scripting is enabled</dfn>. A user
-  agent with scripting disabled is a <span title="User agents with no
-  scripting support">user agent with no scripting support</span> for
-  the purposes of conformance.</p>
 
-  
 
   <h4>Script execution contexts</h4>
 
   <p>The <dfn>script execution browsing context</dfn> of a script is
   defined when that script is created. It is typically the
   <span>browsing context</span> of the <code>Window</code> object that
-  is being used as the script's dereference context..</p>
+  is being used as the script's dereference context.</p>
 
+  <p>All <span title="browsing context">browsing contexts</span> are,
+  by definition, potential <span title="script execution browsing
+  context">script execution browsing contexts</span>.</p>
 
+  <p>It is said that <dfn>scripting is disabled</dfn> in a
+  <span>script execution browsing context</span> when any of the
+  following conditions are true:</p>
 
+  <ul>
+
+   <li>The user agent does not support scripting.</li>
+
+   <li>The user has disabled scripting for this <span>script execution
+   browsing context</span>. (User agents may provide users with the
+   option to disable scripting globally, on a per-origin basis, or in
+   other ways down to the granularity of individual <span
+   title="script execution browsing context">script execution browsing
+   contexts</span>.)</li>
+
+   <li id="designModeScriptBlocked">The <span>script execution
+   browsing context</span> is a <span>browsing context</span> whose
+   <span>active document</span> has <code
+   title="dom-document-designMode">designMode</code> enabled.</li>
+
+   <li id="sandboxScriptBlocked">The <span>script execution browsing
+   context</span> is a <span>browsing context</span> whose
+   <span>sandboxed scripts browsing context</span> flag is set.</li>
+
+  </ul>
+
+  <p>A node is said to be <dfn>without script</dfn> if either the
+  <code>Document</code> object of the node (the node itself, it is
+  itself a <code>Document</code> object) does not have an associated
+  <span>browsing context</span>, or <span>scripting is disabled</span>
+  in that <span>browsing context</span>.</p>
+
+  <p>A node is said to be <dfn>with script</dfn> if it is not
+  <span>without script</span>.</p>
+
+  <p class="big-issue">If you can find a better pair of terms than
+  "with script" and "without script" let me know. The only things I
+  can find that are less confusing are also way, way longer.</p>
+
+  <p>When a script is to be executed in a <span>script execution
+  browsing context</span> in which <span>scripting is disabled</span>,
+  the script must do nothing and return nothing (a void return
+  value).</p>
+
+  <p class="note">Thus, for instance, enabling <code
+  title="dom-document-designMode">designMode</code> will disable any
+  event handler attributes, event listeners, timeouts, etc, that were
+  set by scripts in the document.</p>
+
+
+
   <h4>Security exceptions</h4>
 
   <p class="big-issue">Define <dfn>security exception</dfn>.</p>
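Review bot: in the definition of "without script", "(the node itself, it is itself a Document object)" is missing an "if" and should read "(or the node itself, if it is itself a Document object)". The deleted paragraph also carried the statement that a user agent with scripting disabled is a user agent with no scripting support for conformance purposes; with scripting now disabled per script execution browsing context, that conformance class needs a replacement sentence (e.g. that scripting-related conformance requirements apply to each browsing context in which scripting is enabled). Finally, "the script must do nothing and return nothing" is now the single rule that neuters scripts in sandboxed and designMode contexts; the normative text should say that this covers event listeners and timeouts registered earlier, which the note below only implies.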
@@ -26669,11 +26911,7 @@
   there is no <span>script execution browsing context</span>.</p>
 
   <p>URIs using the <code title="">javascript:</code> protocol should
-  be evaluated when the resource for that URI is needed, unless
-  <span>scripting is disabled</span> or the <code>Document</code>
-  corresponding to the dereference context (as defined above), if any,
-  has <code title="dom-document-designMode">designMode</code>
-  enabled.</p>
+  be evaluated when the resource for that URI is needed.</p>
 
   <p>If the dereference by-product is void (there is no return value),
   then the URI must be treated in a manner equivalent to an HTTP
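Review bot: with the conditions removed, the only thing stopping a javascript: URI from running in a sandboxed or designMode context is the rule that a script to be executed in a browsing context in which scripting is disabled does nothing. That rule presupposes a script execution browsing context, but the preceding paragraph ends with the case where "there is no script execution browsing context"; say explicitly that in that case the URI is not evaluated and the dereference by-product is void, otherwise the next paragraph's "if the dereference by-product is void" has no defined input for it.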
@@ -27034,30 +27272,25 @@
 
   <!-- IE actually uncancels the event if the function returns true -->
 
-
-  <p>When <span>scripting is disabled</span>, event handler attributes
-  must do nothing.</p>
-
-  <!-- XXX arguments should use <var>, not <code>: --> <p>When
-  <span>scripting is enabled</span>, all event handler attributes on
-  an element, whether set to null or to a function, must be registered
-  as event listeners on the element, as if the <code
+  <p>All event handler attributes on an element, whether set to null
+  or to a function, must be registered as event listeners on the
+  element, as if the <code
   title="dom-EventTarget-addEventListenerNS">addEventListenerNS()</code>
   method on the <code>Element</code> object's <code>EventTarget</code>
   interface had been invoked when the element was created, with the
-  event type (<code title="dom-event-type">type</code> argument) equal
+  event type (<var title="dom-event-type">type</var> argument) equal
   to the type described for the event handler attribute in the list
-  above, the namespace (<code
-  title="dom-event-namespaceURI">namespaceURI</code> argument) set to
+  above, the namespace (<var
+  title="dom-event-namespaceURI">namespaceURI</var> argument) set to
   null, the listener set to be a target and bubbling phase listener
-  (<code title="dom-event-useCapture">useCapture</code> argument set
-  to false), the event group set to the default group (<code
-  title="dom-event-evtGroup">evtGroup</code> argument set to null),
-  and the event listener itself (<code
-  title="dom-event-listener">listener</code> argument) set to do
+  (<var title="dom-event-useCapture">useCapture</var> argument set to
+  false), the event group set to the default group (<var
+  title="dom-event-evtGroup">evtGroup</var> argument set to null), and
+  the event listener itself (<var
+  title="dom-event-listener">listener</var> argument) set to do
   nothing while the event handler attribute is null, and set to invoke
   the function associated with the event handler attribute
-  otherwise. (The <code title="dom-event-listener">listener</code>
+  otherwise. (The <var title="dom-event-listener">listener</var>
   argument is emphatically <em>not</em> the event handler attribute
   itself.)</p>
 
@@ -29793,6 +30026,21 @@
 
   <ol>
 
+   <li id="sandboxLinks"><p>If the <span>source browsing
+   context</span> is not the same as the <span>browsing context</span>
+   being navigated, and the <span>source browsing context</span> is
+   not one of the <span title="ancestor browsing context">ancestor
+   browsing contexts</span> of the <span>browsing context</span> being
+   navigated, and the <span>source browsing context</span> has its
+   <span>sandboxed navigation browsing context</span> flag set, then
+   abort these steps. The user agent may offer to open the specified
+   resource in a new <span>top-level browsing context</span> or in the
+   <span>top-level browsing context</span> of the <span>source
+   browsing context</span>, at the user's option, in which case the
+   user agent must <span>navigate</span> that designated
+   <span>top-level browsing context</span> to the specified resource
+   as if the user had requested it independently.</p></li>
+
    <li id="seamlessLinks"><p>If the <span>source browsing
    context</span> is the same as the <span>browsing context</span>
    being navigated, and this browsing context has its <span>seamless
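Review bot: the step consults only the flag on the source browsing context, so the guarantee is only as good as the source recorded by each entry point into navigation; form submission with a target, window.open (covered by the separate sandboxWindowOpen case) and assignments to another context's location must all record the sandboxed context as the source for this check to fire, and it would help to say so here. The user-mediated exception lets sandboxed content end up in the top-level browsing context of the source; that is acceptable only because it is "as if the user had requested it independently", so the text should make clear that the offer requires an actual user action and is not something the page can trigger repeatedly to escape.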
@@ -30292,7 +30540,12 @@
   element, e.g. to link to stylesheet or an XBL binding, or to give
   the document a <code>title</code>.</p>
 
+  <p class="note" id="sandboxPluginNavigate">If the <span>sandboxed
+  plugins browsing context</span> flag is set on the <span>browsing
+  context</span>, the synthesized <code>embed</code> element will <a
+  href="#sandboxPluginEmbed">fail to render the content</a>.</p>
 
+
   <h4 id="read-ua-inline"><dfn title="navigate-ua-inline">Page load processing model for inline content that doesn't have a DOM</dfn></h4>
 
   <p>When the user agent is to display a user agent page inline in a
@@ -34035,8 +34288,6 @@
   <!-- XXX rendering requirement: The current caret should affect the
   line-height (i.e. it acts at least like an empty inline element) -->
 
-  <!-- XXX document.designMode attribute -->
-
   <!-- XXX would be useful to have a way to mark an element as
   unremovable. -->
 
@@ -34264,19 +34515,11 @@
   title="dom-document-designMode">designMode</code> disabled.</p>
 
   <p>Enabling <code title="dom-document-designMode">designMode</code>
-  causes scripts in general to be disabled and the document to become
-  editable.</p>
+  <a href="#designModeScriptBlocked">causes scripts in general to be
+  disabled</a> and the document to become editable.</p>
 
-  <p>When the <code>Document</code> has <code
-  title="dom-document-designMode">designMode</code> enabled, the
-  <span>event handler attributes</span> of the document and any
-  elements owned by the document must do nothing, and event listeners
-  registered on the document and any elements owned by the document
-  that are associated with script from the document must similarly do
-  nothing.</p>
 
 
-
   <h3 id="dnd"><dfn>Drag and drop</dfn></h3>
 
 <!--XXX
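Review bot: the deleted paragraph said which listeners stop working ("associated with script from the document"); the replacement defers to designModeScriptBlocked, under which what matters is the script execution browsing context of the listener's function. A listener registered on the editable document by a script from another browsing context (e.g. the parent frame) therefore keeps running while the document's own listeners go inert. That agrees with the old text for the common case, but since the line is now drawn by a different definition it is worth stating here.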
@@ -39620,7 +39863,8 @@
    that to break out of the <noscript> but it doesn't. This is an edge
    case that doesn't affect the spec, since the algorithm for fragment
    parsing is only used for innerHTML, where we know scripting is
-   enabled. -->
+   enabled. (XXX except maybe if innerHTML is set from another
+   browsing context on a document with designMode set?) -->
 
    <li>If <var title="">node</var> is a <code>body</code> element,
    then switch the <span>insertion mode</span> to "<span
@@ -39919,7 +40163,14 @@
   markup, for historical reasons.</p>
 
 
+  <h5>The scripting state</h5>
 
+  <p>The <dfn>scripting flag</dfn> is set to "enabled" if the
+  <code>Document</code> with which the parser is associated was
+  <span>with script</span> when the parser was created, and "disabled"
+  otherwise.</p>
+
+
   <h4><dfn>Tokenisation</dfn></h4>
 
   <p>Implementations must act as if they used the following state
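Review bot: the definition names "the Document with which the parser is associated", which is unambiguous for a document parser but not for the HTML fragment parsing algorithm used by innerHTML; the XXX comments added in the fragment parsing and serialisation algorithms in this patch already flag the innerHTML-on-a-designMode-document case. Say which Document's state a fragment parser samples (the context element's owner document seems intended), and that the flag is sampled once at parser creation and never updated, since that is what makes noscript handling stable across a later change of scripting state.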
@@ -42186,13 +42437,13 @@
     <p>Follow the <span>generic RCDATA parsing algorithm</span>.</p>
    </dd>
 
-   <dt>A start tag whose tag name is "noscript", if <span>scripting is enabled</span>:</dt>
+   <dt>A start tag whose tag name is "noscript", if the <span>scripting flag</span> is enabled:</dt>
    <dt>A start tag whose tag name is "style"</dt>
    <dd>
     <p>Follow the <span>generic CDATA parsing algorithm</span>.</p>
    </dd>
 
-   <dt>A start tag whose tag name is "noscript", if <span>scripting is disabled</span>:</dt>
+   <dt>A start tag whose tag name is "noscript", if the <span>scripting flag</span> is disabled:</dt>
    <dd>
 
     <p><span>Insert an HTML element</span> for the token.</p>
@@ -43484,10 +43735,8 @@
 
    </dd>
 
-   <dt>A start tag whose tag name is one of: "iframe",
-   "noembed", "noframes"</dt>
-   <dt>A start tag whose tag name is "noscript", if
-   <span>scripting is enabled</span>:</dt>
+   <dt>A start tag whose tag name is one of: "iframe", "noembed", "noframes"</dt>
+   <dt>A start tag whose tag name is "noscript", if the <span>scripting flag</span> is enabled:</dt>
    <dd>
     <p>Follow the <span>generic CDATA parsing algorithm</span>.</p>
    </dd>
@@ -43586,8 +43835,7 @@
    "isindex", "noembed", "noframes", "param", "select", "spacer",
    "table", "textarea", "wbr"</dt> <!-- add keygen if we add the start
    tag -->
-   <dt>An end tag whose tag name is "noscript", if <span>scripting
-   is enabled</span>:</dt>
+   <dt>An end tag whose tag name is "noscript", if the <span>scripting flag</span> is enabled:</dt>
    <dd>
     <p><span>Parse error</span>. Ignore the token.</p>
    </dd>
@@ -45239,7 +45487,9 @@
         title="">current node</var>'s <code title="">data</code> DOM
         attribute literally.</p> <!-- note about noscript: we're
         assuming here that scripting is disabled. If this algorithm is
-        used with scripting disabled, this won't work right. -->
+        used with scripting disabled, this won't work right. XXX This
+        might affect calling innerHTML on nodes in a document that is
+        being designMode'd -->
 
         <p>Otherwise, append the value of <var title="">current
         node</var>'s <code title="">data</code> DOM attribute, <span
@@ -45411,11 +45661,12 @@
 
 
      <dt>If it is a <code>noscript</code> element</dt>
-     <dd>If <span>scripting is enabled</span>, set the <span>content
-     model flag</span> to <em>CDATA</em>. Otherwise, set the
-     <span>content model flag</span> to <em>PCDATA</em>.</dd>
 
+     <dd>If the <span>scripting flag</span> is enabled, set the
+     <span>content model flag</span> to <em>CDATA</em>. Otherwise, set
+     the <span>content model flag</span> to <em>PCDATA</em>.</dd>
 
+
      <dt>If it is a <code>plaintext</code> element</dt>
 
      <dd>Set the <span>content model flag</span> to
@@ -45754,8 +46005,15 @@
   is obsoleted so that all extension frameworks (Java, .NET, Flash,
   etc) are handled in a consistent manner.</p>
 
-  <p class="big-issue">define how the element works, if supported</p>
+  <p id="sandboxPluginApplet">If the <span>sandboxed plugins browsing
+  context</span> flag is set on the <span>browsing context</span> for
+  which the <code>applet</code> element's document is the <span>active
+  document</span>, then the element must be ignored (it represents
+  nothing).</p>
 
+  <p>Otherwise, <span class="big-issue">define how the element works,
+  if supported</span>.</p>
+
   <pre class="idl">[XXX] interface <span>HTMLDocument</span> {
   readonly attribute <span>HTMLCollection</span> <span title="dom-document-applets">applets</span>;
 };</pre>
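Review bot: a sandboxed applet "represents nothing", whereas a sandboxed object element earlier in this patch falls back to its fallback content; the applet element's children historically serve the same role, so either treat the two consistently or say why applet gets no fallback. Also state whether an ignored applet element is still exposed through the document.applets collection in the IDL below, since content inside the sandbox can use that to detect the sandbox.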



