[html5] r1651 - /
whatwg at whatwg.org
Tue May 20 20:51:21 PDT 2008
Author: ianh
Date: 2008-05-20 20:51:21 -0700 (Tue, 20 May 2008)
New Revision: 1651
Modified:
index
source
Log:
[] (0) Block document.cookies if the page is sandboxed. Add an example of sandboxing.
Modified: index
===================================================================
--- index 2008-05-21 03:16:01 UTC (rev 1650)
+++ index 2008-05-21 03:51:21 UTC (rev 1651)
@@ -2777,17 +2777,25 @@
page to an <code title="">http:</code> page).
<p>The <dfn id=cookie0 title=dom-document-cookie><code>cookie</code></dfn>
- attribute must, on getting, return the same string as the value of the
- <code title="">Cookie</code> HTTP header it would include if fetching the
+ attribute represents the cookies of the resource.
+
+ <p id=sandboxCookies>On getting, if the <a href="#sandboxed1">sandboxed
+ origin browsing context flag</a> is set on the <a
+ href="#browsing1">browsing context</a> of the document, the user agent
+ must raise a <a href="#security9">security exception</a>. Otherwise, it
+ must return the same string as the value of the <code
+ title="">Cookie</code> HTTP header it would include if fetching the
resource indicated by <span>the document's address</span> over HTTP, as
per RFC 2109 section 4.3.4. <a href="#refsRFC2109">[RFC2109]</a>
- <p>On setting, the <code title=dom-document-cookie><a
- href="#cookie0">cookie</a></code> attribute must cause the user agent to
- act as it would when processing cookies if it had just attempted to fetch
- <span>the document's address</span> over HTTP, and had received a response
- with a <code>Set-Cookie</code> header whose value was the specified value,
- as per RFC 2109 sections 4.3.1, 4.3.2, and 4.3.3. <a
+ <p>On setting, if the <a href="#sandboxed1">sandboxed origin browsing
+ context flag</a> is set on the <a href="#browsing1">browsing context</a>
+ of the document, the user agent must raise a <a href="#security9">security
+ exception</a>. Otherwise, the user agent must act as it would when
+ processing cookies if it had just attempted to fetch <span>the document's
+ address</span> over HTTP, and had received a response with a
+ <code>Set-Cookie</code> header whose value was the specified value, as per
+ RFC 2109 sections 4.3.1, 4.3.2, and 4.3.3. <a
href="#refsRFC2109">[RFC2109]</a>
<p class=note>Since the <code title=dom-document-cookie><a
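Review bot: The new getting and setting paragraphs both test the flag "on the browsing context of the document" but do not say what happens when the document has no browsing context. State that case explicitly, either as falling through to the existing RFC 2109 behaviour or as a separate rule, so that implementations do not diverge on it.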
@@ -14300,6 +14308,10 @@
attribute or the <code title=dom-open><a
href="#open2">window.open()</a></code> method.</p>
+ <p>Finally, this flag <a href="#sandboxCookies">prevents script from
+ reading the <code title=dom-document-cookies>document.cookies</code> DOM
+ attribute</a>.</p>
+
<dt>The <dfn id=sandboxed0>sandboxed plugins browsing context flag</dfn>
<dd>
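Review bot: The added sentence says the flag prevents script from "reading" the attribute, but the cookie definition changed in this same revision raises a security exception on setting as well. Say "reading or setting" here. Note also that id=sandboxCookies sits only on the getting paragraph, so the link as written lands on half of the restriction.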
@@ -14307,8 +14319,8 @@
title=plugin>plugins</a>, whether using <a
href="#sandboxPluginEmbed">the <code>embed</code> element</a>, <a
href="#sandboxPluginObject">the <code>object</code> element</a>, <a
- href="#sandboxPluginApplet">the <code>applet</code> element</a>, or <a
- href="#sandboxPluginNavigate">through navigation</a> of a <a
+ href="#sandboxPluginApplet">the <code>applet</code> element</a>, or
+ through <a href="#sandboxPluginNavigate">navigation</a> of a <a
href="#nested0">nested browsing context</a>.</p>
<dt>The <dfn id=sandboxed1>sandboxed origin browsing context flag</dfn>,
@@ -14365,6 +14377,25 @@
<p>These flags must not be set unless the conditions listed above define
them as being set.
+ <div class=example>
+ <p>In this example, some completely-unknown, potentially hostile,
+ user-provided HTML content is embedded in a page. Because it is
+ sandboxed, it is treated by the user agent as being from a unique origin,
+ despite the content being served from the same site. Thus it is affected
+ by all the normal cross-site restrictions. In addition, the embedded page
+ has scripting disabled, plugins disabled, forms disabled, and it cannot
+ navigate any frames or windows other than itself (or any frames or
+ windows it itself embeds).</p>
+
+ <pre><p>We're not scared of you! Here is your content, unedited:</p>
+<iframe src="getusercontent.cgi?id=12193"></iframe></pre>
+
+ <p>Note that cookies are still send to the server in the <code
+ title="">getusercontent.cgi</code> request, though they are not visible
+ in the <code title=dom-document-cookies>document.cookies</code> DOM
+ attribute.</p>
+ </div>
+
<hr>
<p>The <dfn id=seamless
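Review bot: The iframe in the added pre block carries no sandbox attribute as shown, so the markup does not set any of the flags that the paragraph above it relies on ("Because it is sandboxed, it is treated by the user agent as being from a unique origin"). Add the attribute to the iframe start tag so the example demonstrates what the text claims. Without it, the user-provided content would be same-origin with the embedding page.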
Modified: source
===================================================================
--- source 2008-05-21 03:16:01 UTC (rev 1650)
+++ source 2008-05-21 03:51:21 UTC (rev 1651)
@@ -1058,15 +1058,22 @@
<p>The <dfn title="dom-document-cookie"><code>cookie</code></dfn>
- attribute must, on getting, return the same string as the value of
- the <code title="">Cookie</code> HTTP header it would include if
- fetching the resource indicated by <span>the document's
- address</span> over HTTP, as per RFC 2109 section 4.3.4. <a
- href="#refsRFC2109">[RFC2109]</a></p>
+ attribute represents the cookies of the resource.</p>
- <p>On setting, the <code title="dom-document-cookie">cookie</code>
- attribute must cause the user agent to act as it would when
- processing cookies if it had just attempted to fetch <span>the
+ <p id="sandboxCookies">On getting, if the <span>sandboxed origin
+ browsing context flag</span> is set on the <span>browsing
+ context</span> of the document, the user agent must raise a
+ <span>security exception</span>. Otherwise, it must return the same
+ string as the value of the <code title="">Cookie</code> HTTP header
+ it would include if fetching the resource indicated by <span>the
+ document's address</span> over HTTP, as per RFC 2109 section
+ 4.3.4. <a href="#refsRFC2109">[RFC2109]</a></p>
+
+ <p>On setting, if the <span>sandboxed origin browsing context
+ flag</span> is set on the <span>browsing context</span> of the
+ document, the user agent must raise a <span>security
+ exception</span>. Otherwise, the user agent must act as it would
+ when processing cookies if it had just attempted to fetch <span>the
document's address</span> over HTTP, and had received a response
with a <code>Set-Cookie</code> header whose value was the specified
value, as per RFC 2109 sections 4.3.1, 4.3.2, and 4.3.3. <a
@@ -12280,8 +12287,12 @@
title="navigate">navigated</span>, that will further <span>delay the
<code title="event-load">load</code> event</span>.</p>
+
+
<hr>
+
+
<p>The <dfn title="attr-iframe-sandbox"><code>sandbox</code></dfn>
attribute, when specified, enables a set of extra restrictions on
any content hosted by the <code>iframe</code>. Its value must be an
@@ -12316,6 +12327,11 @@
<code title="attr-hyperlink-target">target</code> attribute or the
<code title="dom-open">window.open()</code> method.</p>
+ <p>Finally, this flag <a href="#sandboxCookies">prevents script
+ from reading the <code
+ title="dom-document-cookies">document.cookies</code> DOM
+ attribute</a>.</p>
+
</dd>
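Review bot: The cross-reference uses title="dom-document-cookies" and the text "document.cookies", but the attribute defined earlier in this file is cookie, with title="dom-document-cookie". Use the singular form in both the title and the visible text so the reference resolves to the definition and the attribute name matches what script actually calls.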
@@ -12328,8 +12344,9 @@
href="#sandboxPluginEmbed">the <code>embed</code> element</a>, <a
href="#sandboxPluginObject">the <code>object</code> element</a>,
<a href="#sandboxPluginApplet">the <code>applet</code>
- element</a>, or <a href="#sandboxPluginNavigate">through
- navigation</a> of a <span>nested browsing context</span>.</p>
+ element</a>, or through <a
+ href="#sandboxPluginNavigate">navigation</a> of a <span>nested
+ browsing context</span>.</p>
</dd>
@@ -12402,8 +12419,35 @@
<p>These flags must not be set unless the conditions listed above
define them as being set.</p>
+ <div class="example">
+
+ <p>In this example, some completely-unknown, potentially hostile,
+ user-provided HTML content is embedded in a page. Because it is
+ sandboxed, it is treated by the user agent as being from a unique
+ origin, despite the content being served from the same site. Thus
+ it is affected by all the normal cross-site restrictions. In
+ addition, the embedded page has scripting disabled, plugins
+ disabled, forms disabled, and it cannot navigate any frames or
+ windows other than itself (or any frames or windows it itself
+ embeds).</p>
+
+ <pre><p>We're not scared of you! Here is your content, unedited:</p>
+<iframe src="getusercontent.cgi?id=12193"></iframe></pre>
+
+ <p>Note that cookies are still send to the server in the <code
+ title="">getusercontent.cgi</code> request, though they are not
+ visible in the <code
+ title="dom-document-cookies">document.cookies</code> DOM
+ attribute.</p>
+
+ </div>
+
+
+
<hr>
+
+
<p>The <dfn title="attr-iframe-seamless"><code>seamless</code></dfn>
attribute is a boolean attribute. When specified, it indicates that
the <code>iframe</code> element's <span>browsing context</span> is
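Review bot: The closing note of the example says the cookies are "not visible" in the DOM attribute, which understates the rule added in this revision: getting or setting raises a security exception rather than yielding an empty value. Reword the note to say that access raises a security exception, and fix "still send" to "still sent". The same note uses document.cookies where the defined attribute is cookie.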