[html5] r4584 - [agiow] (1) Make <iframe sandbox=''> block localStorage and openDatabase.

whatwg at whatwg.org whatwg at whatwg.org
Tue Jan 12 19:09:02 PST 2010


Author: ianh
Date: 2010-01-12 19:09:00 -0800 (Tue, 12 Jan 2010)
New Revision: 4584

Modified:
   complete.html
   index
   source
Log:
[agiow] (1) Make <iframe sandbox=''> block localStorage and openDatabase.

Modified: complete.html
===================================================================
--- complete.html	2010-01-13 01:39:41 UTC (rev 4583)
+++ complete.html	2010-01-13 03:09:00 UTC (rev 4584)
@@ -19748,7 +19748,7 @@
 
     <p>This flag also <a href=#sandboxCookies>prevents script from
     reading the <code title=dom-document-cookie>document.cookie</code> IDL
-    attribute</a>.</p>
+    attribute</a>, and blocks access to <code title=dom-localStorage><a href=#dom-localstorage>localStorage</a></code> and <code title=dom-opendatabase>openDatabase()</code>.</p>
 
     <div class=note>
 
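Review bot: In the added sentence, localStorage is rendered with a link (href=#dom-localstorage) but openDatabase() is left as a bare code element. None of the complete.html hunks in this revision touches an openDatabase() algorithm, whereas source gains such a step. As generated, this file states that openDatabase() is blocked without containing or pointing to the requirement that enforces it. Either make the dom-opendatabase reference resolve here or reword the sentence so it points to the specification that defines the step.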
@@ -58834,7 +58834,7 @@
   <p>When the <code title=dom-localStorage><a href=#dom-localstorage>localStorage</a></code>
   attribute is accessed, the user agent must run the following steps:</p>
 
-  <ol><li><p>The user agent may raise a <code><a href=#security_err>SECURITY_ERR</a></code>
+  <ol><li><p>The user agent may throw a <code><a href=#security_err>SECURITY_ERR</a></code>
    exception instead of returning a <code><a href=#storage-0>Storage</a></code> object if the
    request violates a policy decision (e.g. if the user agent is
    configured to not allow the page to persist data).</li>
@@ -58844,6 +58844,10 @@
    <code>Document</code>'s <a href=#origin>origin</a>, then throw a
    <code><a href=#security_err>SECURITY_ERR</a></code> exception and abort these steps.</li>
 
+   <li><p>If the <code>Document</code>'s <a href=#origin>origin</a> is not a
+   scheme/host/port tuple, then throw a <code><a href=#security_err>SECURITY_ERR</a></code>
+   exception and abort these steps.</li>
+
    <li><p>Check to see if the user agent has allocated a local storage
    area for the <a href=#origin>origin</a> of the <code>Document</code> of
    the <code><a href=#window>Window</a></code> object on which the method was invoked. If
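Review bot: The new step never mentions sandboxing, so a reader arriving at the localStorage algorithm cannot tell that "origin is not a scheme/host/port tuple" is how the sandbox restriction from the first hunk takes effect. A short note after this step, saying that this is the case hit by documents in a sandboxed iframe, would connect it to the sandbox text.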

Modified: index
===================================================================
--- index	2010-01-13 01:39:41 UTC (rev 4583)
+++ index	2010-01-13 03:09:00 UTC (rev 4584)
@@ -19648,7 +19648,7 @@
 
     <p>This flag also <a href=#sandboxCookies>prevents script from
     reading the <code title=dom-document-cookie>document.cookie</code> IDL
-    attribute</a>.</p>
+    attribute</a>, and blocks access to <code title=dom-localStorage>localStorage</code> and <code title=dom-opendatabase>openDatabase()</code>.</p>
 
     <div class=note>
 
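Review bot: In this file the added sentence leaves both localStorage and openDatabase() as unlinked code elements, and the index diff contains no algorithm step that would make either one throw. The sentence reads as a statement of behaviour, so it should say where that behaviour is required, for example by naming the specifications that define localStorage and openDatabase().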

Modified: source
===================================================================
--- source	2010-01-13 01:39:41 UTC (rev 4583)
+++ source	2010-01-13 03:09:00 UTC (rev 4584)
@@ -21017,7 +21017,9 @@
     <p>This flag also <a href="#sandboxCookies">prevents script from
     reading the <code
     title="dom-document-cookie">document.cookie</code> IDL
-    attribute</a>.</p>
+    attribute</a>, and blocks access to <code
+    title="dom-localStorage">localStorage</code> and <code
+    title="dom-opendatabase">openDatabase()</code>.</p>
 
     <div class="note">
 
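Review bot: The added sentence says the flag "blocks access" to localStorage and openDatabase() but not what a script observes. The later hunks make it a SECURITY_ERR exception, and saying so here would save the reader from hunting for the steps. The list also stops at these two APIs: sessionStorage is not mentioned, and if leaving it available to sandboxed content is deliberate, that is worth stating.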
@@ -66557,7 +66559,7 @@
 
   <ol>
 
-   <li><p>The user agent may raise a <code>SECURITY_ERR</code>
+   <li><p>The user agent may throw a <code>SECURITY_ERR</code>
    exception instead of returning a <code>Storage</code> object if the
    request violates a policy decision (e.g. if the user agent is
    configured to not allow the page to persist data).</p></li>
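Review bot: The raise-to-throw wording change on the first list item is editorial and unrelated to the sandbox behaviour named in the log message. It is harmless, but it would be easier to audit as its own revision, or at least mentioned in the log, so that the behavioural change stands alone.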
@@ -66567,6 +66569,10 @@
    <code>Document</code>'s <span>origin</span>, then throw a
    <code>SECURITY_ERR</code> exception and abort these steps.</p></li>
 
+   <li><p>If the <code>Document</code>'s <span>origin</span> is not a
+   scheme/host/port tuple, then throw a <code>SECURITY_ERR</code>
+   exception and abort these steps.</p></li>
+
    <li><p>Check to see if the user agent has allocated a local storage
    area for the <span>origin</span> of the <code>Document</code> of
    the <code>Window</code> object on which the method was invoked. If
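Review bot: The condition added here is wider than the log message suggests: it throws for every Document whose origin is not a scheme/host/port tuple, not only for content in <iframe sandbox=''>. If that breadth is intended, the log or a note in the spec should say so, since it changes behaviour for any other case that produces such an origin. Placing it before the step that checks for an allocated storage area is right, as no storage area is looked up for these documents.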
@@ -66883,6 +66889,10 @@
 
    </li>
 
+   <li><p>If <var title="">origin</var> is not a scheme/host/port
+   tuple, then throw a <code>SECURITY_ERR</code> exception and abort
+   these steps.</p></li>
+
    <li><p>If the database version provided is not the empty string,
    and there is already a database with the given name from the origin
    <var title="">origin</var>, but the database has a different
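Review bot: This step repeats the wording added to the localStorage algorithm, with <var title="">origin</var> in place of the Document's origin. Two hand-copied checks can drift apart, and the next storage API will need a third copy; consider defining the condition once and referencing it from both algorithms. The placement before the version comparison is good, since the exception is thrown before any existing database is consulted.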



