[html5] r4982 - [agiow] (1) Make <iframe sandbox> also block autoplay, autofocus, and meta refresh.
whatwg at whatwg.org
Tue Apr 6 22:10:27 PDT 2010
Author: ianh
Date: 2010-04-06 22:10:26 -0700 (Tue, 06 Apr 2010)
New Revision: 4982
Modified:
complete.html
index
source
Log:
[agiow] (1) Make <iframe sandbox> also block autoplay, autofocus, and meta refresh.
Modified: complete.html
===================================================================
--- complete.html 2010-04-07 00:29:45 UTC (rev 4981)
+++ complete.html 2010-04-07 05:10:26 UTC (rev 4982)
@@ -12870,9 +12870,14 @@
<ul><li><p>Set a timer so that in <var title="">time</var> seconds,
adjusted to take into account user or user agent preferences,
- if the user has not canceled the redirect, the user agent <a href=#navigate title=navigate>navigates</a> the document's browsing
- context to <var title="">url</var>, with <a href=#replacement-enabled>replacement
- enabled</a>, and with the document's browsing context as the
+ if the user has not canceled the redirect and if the
+ <code><a href=#meta>meta</a></code> element's <code><a href=#document>Document</a></code>'s
+ <a href=#browsing-context>browsing context</a> did not have the <a href=#sandboxed-automatic-features-browsing-context-flag>sandboxed
+ automatic features browsing context flag</a> set when the
+ <code><a href=#document>Document</a></code> was created, the user agent <a href=#navigate title=navigate>navigates</a> the <code><a href=#document>Document</a></code>'s
+ <a href=#browsing-context>browsing context</a> to <var title="">url</var>, with
+ <a href=#replacement-enabled>replacement enabled</a>, and with the
+ <code><a href=#document>Document</a></code>'s <a href=#browsing-context>browsing context</a> as the
<a href=#source-browsing-context>source browsing context</a>.</li>
<li><p>Provide the user with an interface that, when selected,
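Review bot: The sandbox condition is attached only to the timer item; the sibling item that follows in the context ("Provide the user with an interface that, when selected, ...") is unchanged, so this hunk leaves open whether a sandboxed Document may still offer the manual redirect. If user-initiated navigation is meant to stay available, a short note saying so would keep implementers from reading the flag as disabling the whole refresh step; if it is not, the same condition belongs on that item too.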
@@ -21375,6 +21380,26 @@
</dd>
+
+ <dt>The <dfn id=sandboxed-automatic-features-browsing-context-flag>sandboxed automatic features browsing context
+ flag</dfn>, unless the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute's value, when
+ <a href=#split-a-string-on-spaces title="split a string on spaces">split on spaces</a>, is
+ found to have the <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code>
+ keyword (defined above) set</dt>
+
+ <dd>
+
+ <p>This flag blocks features that trigger automatically, such as
+ <a href=#attr-media-autoplay title=attr-media-autoplay>automatically playing a
+ video</a> or <a href=#attr-fe-autofocus title=attr-fe-autofocus>automatically
+ focusing a form control</a>. It is relaxed by the same flag as
+ scripts, because when scripts are enabled these features are
+ trivially possible anyway, and it would be unfortunate to force
+ authors to use script to do them when sandboxed rather than
+ allowing them to use the declarative features.</p>
+
+ </dd>
+
</dl><p>These flags must not be set unless the conditions listed above
define them as being set.</p>
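Review bot: The new dd names autoplay and autofocus as examples but omits meta refresh, which this same revision gates on the flag and which is the only one of the three that navigates the browsing context. Suggest naming it here with a cross-reference, so an embedder reading the sandbox section sees that granting allow-scripts also re-enables timed redirects in the framed content.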
@@ -24737,10 +24762,14 @@
<p>If the <a href=#autoplaying-flag>autoplaying flag</a> is true, and the <code title=dom-media-paused><a href=#dom-media-paused>paused</a></code> attribute is true, and the
<a href=#media-element>media element</a> has an <code title=attr-media-autoplay><a href=#attr-media-autoplay>autoplay</a></code> attribute specified,
- then the user agent may also set the <code title=dom-media-paused><a href=#dom-media-paused>paused</a></code> attribute to false,
+ and the <a href=#media-element>media element</a> is in a <code><a href=#document>Document</a></code>
+ whose <a href=#browsing-context>browsing context</a> did not have the
+ <a href=#sandboxed-automatic-features-browsing-context-flag>sandboxed automatic features browsing context flag</a>
+ set when the <code><a href=#document>Document</a></code> was created, then the user
+ agent may also set the <code title=dom-media-paused><a href=#dom-media-paused>paused</a></code> attribute to false,
<a href=#queue-a-task>queue a task</a> to <a href=#fire-a-simple-event>fire a simple event</a>
- named <code title=event-media-play><a href=#event-media-play>play</a></code>, and <a href=#queue-a-task>queue a
- task</a> to <a href=#fire-a-simple-event>fire a simple event</a> named <code title=event-media-playing><a href=#event-media-playing>playing</a></code>.</p>
+ named <code title=event-media-play><a href=#event-media-play>play</a></code>, and <a href=#queue-a-task>queue
+ a task</a> to <a href=#fire-a-simple-event>fire a simple event</a> named <code title=event-media-playing><a href=#event-media-playing>playing</a></code>.</p>
<p class=note>User agents are not required to autoplay, and it
is suggested that user agents honor user preferences on the
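Review bot: The restriction is expressed only by adding a clause to the condition of a "may also set" sentence, and the note that follows already says user agents are not required to autoplay, so nothing here states outright that autoplay is prohibited when the flag was set. Consider a separate sentence with an explicit must-not requirement for the sandboxed case, which is easier to test against than an absent permission.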
@@ -40957,13 +40986,16 @@
<p>Whenever an element with the <code title=attr-fe-autofocus><a href=#attr-fe-autofocus>autofocus</a></code> attribute specified is
<a href=#insert-an-element-into-a-document title="insert an element into a document">inserted into a
- document</a>, the user agent should <a href=#queue-a-task>queue a task</a>
- that checks to see if the element is <a href=#focusable>focusable</a>, and if
- so, runs the <a href=#focusing-steps>focusing steps</a> for that element. User
- agents may also change the scrolling position of the document, or
- perform some other action that brings the element to the user's
- attention. The <a href=#task-source>task source</a> for this task is the
- <a href=#dom-manipulation-task-source>DOM manipulation task source</a>.</p>
+ document</a> whose <a href=#browsing-context>browsing context</a> did not have the
+ <a href=#sandboxed-automatic-features-browsing-context-flag>sandboxed automatic features browsing context flag</a> set
+ when the <code><a href=#document>Document</a></code> was created, the user agent should
+ <a href=#queue-a-task>queue a task</a> that checks to see if the element is
+ <a href=#focusable>focusable</a>, and if so, runs the <a href=#focusing-steps>focusing
+ steps</a> for that element. User agents may also change the
+ scrolling position of the document, or perform some other action
+ that brings the element to the user's attention. The <a href=#task-source>task
+ source</a> for this task is the <a href=#dom-manipulation-task-source>DOM manipulation task
+ source</a>.</p>
<p>User agents may ignore this attribute if the user has indicated
(for example, by starting to type in a form control) that he does
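Review bot: In the rewritten first sentence the same object is called "a document" (inside the insert-an-element link text) and then "the Document" a few words later, and "whose browsing context" presupposes that the document has one. Suggest using Document consistently and stating what happens when the element is inserted into a Document that has no browsing context.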
Modified: index
===================================================================
--- index 2010-04-07 00:29:45 UTC (rev 4981)
+++ index 2010-04-07 05:10:26 UTC (rev 4982)
@@ -12768,9 +12768,14 @@
<ul><li><p>Set a timer so that in <var title="">time</var> seconds,
adjusted to take into account user or user agent preferences,
- if the user has not canceled the redirect, the user agent <a href=#navigate title=navigate>navigates</a> the document's browsing
- context to <var title="">url</var>, with <a href=#replacement-enabled>replacement
- enabled</a>, and with the document's browsing context as the
+ if the user has not canceled the redirect and if the
+ <code><a href=#meta>meta</a></code> element's <code><a href=#document>Document</a></code>'s
+ <a href=#browsing-context>browsing context</a> did not have the <a href=#sandboxed-automatic-features-browsing-context-flag>sandboxed
+ automatic features browsing context flag</a> set when the
+ <code><a href=#document>Document</a></code> was created, the user agent <a href=#navigate title=navigate>navigates</a> the <code><a href=#document>Document</a></code>'s
+ <a href=#browsing-context>browsing context</a> to <var title="">url</var>, with
+ <a href=#replacement-enabled>replacement enabled</a>, and with the
+ <code><a href=#document>Document</a></code>'s <a href=#browsing-context>browsing context</a> as the
<a href=#source-browsing-context>source browsing context</a>.</li>
<li><p>Provide the user with an interface that, when selected,
@@ -21276,6 +21281,26 @@
</dd>
+
+ <dt>The <dfn id=sandboxed-automatic-features-browsing-context-flag>sandboxed automatic features browsing context
+ flag</dfn>, unless the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute's value, when
+ <a href=#split-a-string-on-spaces title="split a string on spaces">split on spaces</a>, is
+ found to have the <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code>
+ keyword (defined above) set</dt>
+
+ <dd>
+
+ <p>This flag blocks features that trigger automatically, such as
+ <a href=#attr-media-autoplay title=attr-media-autoplay>automatically playing a
+ video</a> or <a href=#attr-fe-autofocus title=attr-fe-autofocus>automatically
+ focusing a form control</a>. It is relaxed by the same flag as
+ scripts, because when scripts are enabled these features are
+ trivially possible anyway, and it would be unfortunate to force
+ authors to use script to do them when sandboxed rather than
+ allowing them to use the declarative features.</p>
+
+ </dd>
+
</dl><p>These flags must not be set unless the conditions listed above
define them as being set.</p>
@@ -24638,10 +24663,14 @@
<p>If the <a href=#autoplaying-flag>autoplaying flag</a> is true, and the <code title=dom-media-paused><a href=#dom-media-paused>paused</a></code> attribute is true, and the
<a href=#media-element>media element</a> has an <code title=attr-media-autoplay><a href=#attr-media-autoplay>autoplay</a></code> attribute specified,
- then the user agent may also set the <code title=dom-media-paused><a href=#dom-media-paused>paused</a></code> attribute to false,
+ and the <a href=#media-element>media element</a> is in a <code><a href=#document>Document</a></code>
+ whose <a href=#browsing-context>browsing context</a> did not have the
+ <a href=#sandboxed-automatic-features-browsing-context-flag>sandboxed automatic features browsing context flag</a>
+ set when the <code><a href=#document>Document</a></code> was created, then the user
+ agent may also set the <code title=dom-media-paused><a href=#dom-media-paused>paused</a></code> attribute to false,
<a href=#queue-a-task>queue a task</a> to <a href=#fire-a-simple-event>fire a simple event</a>
- named <code title=event-media-play><a href=#event-media-play>play</a></code>, and <a href=#queue-a-task>queue a
- task</a> to <a href=#fire-a-simple-event>fire a simple event</a> named <code title=event-media-playing><a href=#event-media-playing>playing</a></code>.</p>
+ named <code title=event-media-play><a href=#event-media-play>play</a></code>, and <a href=#queue-a-task>queue
+ a task</a> to <a href=#fire-a-simple-event>fire a simple event</a> named <code title=event-media-playing><a href=#event-media-playing>playing</a></code>.</p>
<p class=note>User agents are not required to autoplay, and it
is suggested that user agents honor user preferences on the
@@ -40858,13 +40887,16 @@
<p>Whenever an element with the <code title=attr-fe-autofocus><a href=#attr-fe-autofocus>autofocus</a></code> attribute specified is
<a href=#insert-an-element-into-a-document title="insert an element into a document">inserted into a
- document</a>, the user agent should <a href=#queue-a-task>queue a task</a>
- that checks to see if the element is <a href=#focusable>focusable</a>, and if
- so, runs the <a href=#focusing-steps>focusing steps</a> for that element. User
- agents may also change the scrolling position of the document, or
- perform some other action that brings the element to the user's
- attention. The <a href=#task-source>task source</a> for this task is the
- <a href=#dom-manipulation-task-source>DOM manipulation task source</a>.</p>
+ document</a> whose <a href=#browsing-context>browsing context</a> did not have the
+ <a href=#sandboxed-automatic-features-browsing-context-flag>sandboxed automatic features browsing context flag</a> set
+ when the <code><a href=#document>Document</a></code> was created, the user agent should
+ <a href=#queue-a-task>queue a task</a> that checks to see if the element is
+ <a href=#focusable>focusable</a>, and if so, runs the <a href=#focusing-steps>focusing
+ steps</a> for that element. User agents may also change the
+ scrolling position of the document, or perform some other action
+ that brings the element to the user's attention. The <a href=#task-source>task
+ source</a> for this task is the <a href=#dom-manipulation-task-source>DOM manipulation task
+ source</a>.</p>
<p>User agents may ignore this attribute if the user has indicated
(for example, by starting to type in a form control) that he does
Modified: source
===================================================================
--- source 2010-04-07 00:29:45 UTC (rev 4981)
+++ source 2010-04-07 05:10:26 UTC (rev 4982)
@@ -13454,10 +13454,15 @@
<li><p>Set a timer so that in <var title="">time</var> seconds,
adjusted to take into account user or user agent preferences,
- if the user has not canceled the redirect, the user agent <span
- title="navigate">navigates</span> the document's browsing
- context to <var title="">url</var>, with <span>replacement
- enabled</span>, and with the document's browsing context as the
+ if the user has not canceled the redirect and if the
+ <code>meta</code> element's <code>Document</code>'s
+ <span>browsing context</span> did not have the <span>sandboxed
+ automatic features browsing context flag</span> set when the
+ <code>Document</code> was created, the user agent <span
+ title="navigate">navigates</span> the <code>Document</code>'s
+ <span>browsing context</span> to <var title="">url</var>, with
+ <span>replacement enabled</span>, and with the
+ <code>Document</code>'s <span>browsing context</span> as the
<span>source browsing context</span>.</p></li>
<li><p>Provide the user with an interface that, when selected,
@@ -22768,6 +22773,28 @@
</dd>
+
+ <dt>The <dfn>sandboxed automatic features browsing context
+ flag</dfn>, unless the <code
+ title="attr-iframe-sandbox">sandbox</code> attribute's value, when
+ <span title="split a string on spaces">split on spaces</span>, is
+ found to have the <code
+ title="attr-iframe-sandbox-allow-scripts">allow-scripts</code>
+ keyword (defined above) set</dt>
+
+ <dd>
+
+ <p>This flag blocks features that trigger automatically, such as
+ <span title="attr-media-autoplay">automatically playing a
+ video</span> or <span title="attr-fe-autofocus">automatically
+ focusing a form control</span>. It is relaxed by the same flag as
+ scripts, because when scripts are enabled these features are
+ trivially possible anyway, and it would be unfortunate to force
+ authors to use script to do them when sandboxed rather than
+ allowing them to use the declarative features.</p>
+
+ </dd>
+
</dl>
<p>These flags must not be set unless the conditions listed above
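Review bot: The definition added here does not say that the flag is sampled at Document creation, yet the clause "did not have the sandboxed automatic features browsing context flag set when the Document was created" is repeated verbatim in the meta refresh, autoplay and autofocus hunks. Suggest stating the creation-time snapshot once in this definition and giving it a short defined term, so the three call sites reference it and cannot drift apart in wording.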
@@ -26649,11 +26676,15 @@
title="dom-media-paused">paused</code> attribute is true, and the
<span>media element</span> has an <code
title="attr-media-autoplay">autoplay</code> attribute specified,
- then the user agent may also set the <code
+ and the <span>media element</span> is in a <code>Document</code>
+ whose <span>browsing context</span> did not have the
+ <span>sandboxed automatic features browsing context flag</span>
+ set when the <code>Document</code> was created, then the user
+ agent may also set the <code
title="dom-media-paused">paused</code> attribute to false,
<span>queue a task</span> to <span>fire a simple event</span>
- named <code title="event-media-play">play</code>, and <span>queue a
- task</span> to <span>fire a simple event</span> named <code
+ named <code title="event-media-play">play</code>, and <span>queue
+ a task</span> to <span>fire a simple event</span> named <code
title="event-media-playing">playing</code>.</p>
<p class="note">User agents are not required to autoplay, and it
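Review bot: The rewrap of "queue a task" at the end of this hunk (line break moved from after "a" to after "queue") is a whitespace-only change mixed into a normative edit. Dropping it would limit the diff to the added sandbox condition and make the behavioural change easier to spot, here and in the regenerated complete.html and index hunks.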
@@ -45609,13 +45640,16 @@
<p>Whenever an element with the <code
title="attr-fe-autofocus">autofocus</code> attribute specified is
<span title="insert an element into a document">inserted into a
- document</span>, the user agent should <span>queue a task</span>
- that checks to see if the element is <span>focusable</span>, and if
- so, runs the <span>focusing steps</span> for that element. User
- agents may also change the scrolling position of the document, or
- perform some other action that brings the element to the user's
- attention. The <span>task source</span> for this task is the
- <span>DOM manipulation task source</span>.</p>
+ document</span> whose <span>browsing context</span> did not have the
+ <span>sandboxed automatic features browsing context flag</span> set
+ when the <code>Document</code> was created, the user agent should
+ <span>queue a task</span> that checks to see if the element is
+ <span>focusable</span>, and if so, runs the <span>focusing
+ steps</span> for that element. User agents may also change the
+ scrolling position of the document, or perform some other action
+ that brings the element to the user's attention. The <span>task
+ source</span> for this task is the <span>DOM manipulation task
+ source</span>.</p>
<p>User agents may ignore this attribute if the user has indicated
(for example, by starting to type in a form control) that he does