[html5] r4577 - [acgiow] (1) Make sandbox='' disallow using both allow-same-origin and allow-scr [...]
whatwg at whatwg.org
Mon Jan 11 18:41:37 PST 2010
Author: ianh
Date: 2010-01-11 18:41:34 -0800 (Mon, 11 Jan 2010)
New Revision: 4577
Modified:
complete.html
index
source
Log:
[acgiow] (1) Make sandbox='' disallow using both allow-same-origin and allow-scripts (and make same-origin win).
Modified: complete.html
===================================================================
--- complete.html 2010-01-11 13:23:07 UTC (rev 4576)
+++ complete.html 2010-01-12 02:41:34 UTC (rev 4577)
@@ -110,7 +110,7 @@
<header class=head id=head><p><a class=logo href=http://www.whatwg.org/ rel=home><img alt=WHATWG src=/images/logo></a></p>
<hgroup><h1>Web Applications 1.0</h1>
- <h2 class="no-num no-toc">Draft Standard — 11 January 2010</h2>
+ <h2 class="no-num no-toc">Draft Standard — 12 January 2010</h2>
</hgroup><p>You can take part in this work. <a href=http://www.whatwg.org/mailing-list>Join the working group's discussion list.</a></p>
<p><strong>Web designers!</strong> We have a <a href=http://blog.whatwg.org/faq/>FAQ</a>, a <a href=http://forums.whatwg.org/>forum</a>, and a <a href=http://www.whatwg.org/mailing-list#help>help mailing list</a> for you!</p>
<!--<p class="impl"><strong>Implementors!</strong> We have a <a href="http://www.whatwg.org/mailing-list#implementors">mailing list</a> for you too!</p>-->
@@ -19657,11 +19657,15 @@
prevented from targeting other <a href=#browsing-context title="browsing
context">browsing contexts</a>, and plugins are disabled. The
<code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code>
- token allows the content to be treated as being from the same origin
+ keyword allows the content to be treated as being from the same origin
instead of forcing it into a unique origin, and the <code title=attr-iframe-sandbox-allow-forms><a href=#attr-iframe-sandbox-allow-forms>allow-forms</a></code> and <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code>
- tokens re-enable forms and scripts respectively (though scripts are
+ keywords re-enable forms and scripts respectively (though scripts are
still prevented from creating popups).</p>
+ <p>The <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code> keyword
+ must not be specified if the <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code>
+ keyword is specified.</p>
+
<div class=impl>
<!-- v2: Add a new attribute that enables new restrictions, e.g.:
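Review bot: The added paragraph ("allow-scripts keyword must not be specified if the allow-same-origin keyword is specified") gives an authoring restriction with no rationale and no pointer to what a user agent does when both keywords are present anyway. The sentence directly above it still says without qualification that the allow-forms and allow-scripts keywords "re-enable forms and scripts respectively", which now reads as contradicting the new paragraph. Suggest qualifying that sentence, adding a short clause that states the reason for the restriction, and cross-referencing the allow-scripts definition (#attr-iframe-sandbox-allow-scripts), where the processing rule is given. The same comment applies to the matching hunks in index and source.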
@@ -19781,6 +19785,7 @@
the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute's
value, when <a href=#split-a-string-on-spaces title="split a string on spaces">split on
spaces</a>, is found to have the <dfn id=attr-iframe-sandbox-allow-scripts title=attr-iframe-sandbox-allow-scripts><code>allow-scripts</code></dfn>
+ keyword set and <em>not </em> to have the <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code>
keyword set</dt>
<dd>
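Review bot: In the added line, "<em>not </em> to have" puts the trailing space inside the em element and leaves a second space after the closing tag; it should read "<em>not</em> to have". Beyond the markup, the dt that carries the dfn for allow-scripts now hangs its condition on two keywords in one run-on phrase ("to have the allow-scripts keyword set and not to have the allow-same-origin keyword set"), which is easy to misparse. Consider stating the allow-same-origin exclusion as its own clause so that the precedence described in the log message (same-origin wins) cannot be misread. The same comment applies to the matching hunks in index and source.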
@@ -19795,6 +19800,9 @@
or elsewhere) will continue to run. Only <em>new</em> scripts will
be prevented from executing by this flag.</p>
+ <p>This keyword is ignored if the <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code>
+ keyword is set.</p>
+
</dd>
</dl><p>These flags must not be set unless the conditions listed above
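Review bot: "This keyword" in the added paragraph has no clear antecedent. The paragraph just before it talks about "this flag", and the dt changed in the preceding hunk now names both allow-scripts and allow-same-origin, so a reader cannot tell from the dd alone which keyword is ignored. Name it explicitly as the allow-scripts keyword. The wording is also inconsistent with the authoring requirement added earlier in this file, which says "is specified" where this paragraph says "is set"; one term should be used for both. The same comment applies to the matching hunks in index and source.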
Modified: index
===================================================================
--- index 2010-01-11 13:23:07 UTC (rev 4576)
+++ index 2010-01-12 02:41:34 UTC (rev 4577)
@@ -112,7 +112,7 @@
<header class=head id=head><p><a class=logo href=http://www.whatwg.org/ rel=home><img alt=WHATWG src=/images/logo></a></p>
<hgroup><h1>HTML5 (including next generation additions still in development)</h1>
- <h2 class="no-num no-toc">Draft Standard — 11 January 2010</h2>
+ <h2 class="no-num no-toc">Draft Standard — 12 January 2010</h2>
</hgroup><p>You can take part in this work. <a href=http://www.whatwg.org/mailing-list>Join the working group's discussion list.</a></p>
<p><strong>Web designers!</strong> We have a <a href=http://blog.whatwg.org/faq/>FAQ</a>, a <a href=http://forums.whatwg.org/>forum</a>, and a <a href=http://www.whatwg.org/mailing-list#help>help mailing list</a> for you!</p>
<!--<p class="impl"><strong>Implementors!</strong> We have a <a href="http://www.whatwg.org/mailing-list#implementors">mailing list</a> for you too!</p>-->
@@ -19557,11 +19557,15 @@
prevented from targeting other <a href=#browsing-context title="browsing
context">browsing contexts</a>, and plugins are disabled. The
<code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code>
- token allows the content to be treated as being from the same origin
+ keyword allows the content to be treated as being from the same origin
instead of forcing it into a unique origin, and the <code title=attr-iframe-sandbox-allow-forms><a href=#attr-iframe-sandbox-allow-forms>allow-forms</a></code> and <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code>
- tokens re-enable forms and scripts respectively (though scripts are
+ keywords re-enable forms and scripts respectively (though scripts are
still prevented from creating popups).</p>
+ <p>The <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code> keyword
+ must not be specified if the <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code>
+ keyword is specified.</p>
+
<div class=impl>
<!-- v2: Add a new attribute that enables new restrictions, e.g.:
@@ -19681,6 +19685,7 @@
the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute's
value, when <a href=#split-a-string-on-spaces title="split a string on spaces">split on
spaces</a>, is found to have the <dfn id=attr-iframe-sandbox-allow-scripts title=attr-iframe-sandbox-allow-scripts><code>allow-scripts</code></dfn>
+ keyword set and <em>not </em> to have the <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code>
keyword set</dt>
<dd>
@@ -19695,6 +19700,9 @@
or elsewhere) will continue to run. Only <em>new</em> scripts will
be prevented from executing by this flag.</p>
+ <p>This keyword is ignored if the <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code>
+ keyword is set.</p>
+
</dd>
</dl><p>These flags must not be set unless the conditions listed above
Modified: source
===================================================================
--- source 2010-01-11 13:23:07 UTC (rev 4576)
+++ source 2010-01-12 02:41:34 UTC (rev 4577)
@@ -20910,13 +20910,19 @@
context">browsing contexts</span>, and plugins are disabled. The
<code
title="attr-iframe-sandbox-allow-same-origin">allow-same-origin</code>
- token allows the content to be treated as being from the same origin
+ keyword allows the content to be treated as being from the same origin
instead of forcing it into a unique origin, and the <code
title="attr-iframe-sandbox-allow-forms">allow-forms</code> and <code
title="attr-iframe-sandbox-allow-scripts">allow-scripts</code>
- tokens re-enable forms and scripts respectively (though scripts are
+ keywords re-enable forms and scripts respectively (though scripts are
still prevented from creating popups).</p>
+ <p>The <code
+ title="attr-iframe-sandbox-allow-scripts">allow-scripts</code> keyword
+ must not be specified if the <code
+ title="attr-iframe-sandbox-allow-same-origin">allow-same-origin</code>
+ keyword is specified.</p>
+
<div class="impl">
<!-- v2: Add a new attribute that enables new restrictions, e.g.:
@@ -21050,6 +21056,8 @@
value, when <span title="split a string on spaces">split on
spaces</span>, is found to have the <dfn
title="attr-iframe-sandbox-allow-scripts"><code>allow-scripts</code></dfn>
+ keyword set and <em>not </em> to have the <code
+ title="attr-iframe-sandbox-allow-same-origin">allow-same-origin</code>
keyword set</dt>
<dd>
@@ -21065,6 +21073,10 @@
or elsewhere) will continue to run. Only <em>new</em> scripts will
be prevented from executing by this flag.</p>
+ <p>This keyword is ignored if the <code
+ title="attr-iframe-sandbox-allow-same-origin">allow-same-origin</code>
+ keyword is set.</p>
+
</dd>
</dl>