[html5] r7052 - [e] (0) Refactor the sandboxing flags to make it easier to hook into for CSP. Af [...]
whatwg at whatwg.org
whatwg at whatwg.org
Fri Apr 13 15:55:47 PDT 2012
Author: ianh
Date: 2012-04-13 15:55:46 -0700 (Fri, 13 Apr 2012)
New Revision: 7052
Modified:
complete.html
index
source
Log:
[e] (0) Refactor the sandboxing flags to make it easier to hook into for CSP.
Affected topics: DOM APIs, HTML, Security, Video and Audio
Modified: complete.html
===================================================================
--- complete.html 2012-04-11 23:22:15 UTC (rev 7051)
+++ complete.html 2012-04-13 22:55:46 UTC (rev 7052)
@@ -240,7 +240,7 @@
<header class=head id=head><p><a class=logo href=http://www.whatwg.org/><img alt=WHATWG height=101 src=/images/logo width=101></a></p>
<hgroup><h1 class=allcaps>HTML</h1>
- <h2 class="no-num no-toc">Living Standard — Last Updated 11 April 2012</h2>
+ <h2 class="no-num no-toc">Living Standard — Last Updated 13 April 2012</h2>
</hgroup><dl><dt><strong>Web developer edition:</strong></dt>
<dd><strong><a href=http://developers.whatwg.org/>http://developers.whatwg.org/</a></strong></dd>
<dt>Multiple-page version:</dt>
@@ -868,50 +868,51 @@
<li><a href=#origin-0><span class=secno>6.3 </span>Origin</a>
<ol>
<li><a href=#relaxing-the-same-origin-restriction><span class=secno>6.3.1 </span>Relaxing the same-origin restriction</a></ol></li>
- <li><a href=#history><span class=secno>6.4 </span>Session history and navigation</a>
+ <li><a href=#sandboxing><span class=secno>6.4 </span>Sandboxing</a></li>
+ <li><a href=#history><span class=secno>6.5 </span>Session history and navigation</a>
<ol>
- <li><a href=#the-session-history-of-browsing-contexts><span class=secno>6.4.1 </span>The session history of browsing contexts</a></li>
- <li><a href=#the-history-interface><span class=secno>6.4.2 </span>The <code>History</code> interface</a></li>
- <li><a href=#the-location-interface><span class=secno>6.4.3 </span>The <code>Location</code> interface</a>
+ <li><a href=#the-session-history-of-browsing-contexts><span class=secno>6.5.1 </span>The session history of browsing contexts</a></li>
+ <li><a href=#the-history-interface><span class=secno>6.5.2 </span>The <code>History</code> interface</a></li>
+ <li><a href=#the-location-interface><span class=secno>6.5.3 </span>The <code>Location</code> interface</a>
<ol>
- <li><a href=#security-location><span class=secno>6.4.3.1 </span>Security</a></ol></li>
- <li><a href=#history-notes><span class=secno>6.4.4 </span>Implementation notes for session history</a></ol></li>
- <li><a href=#browsing-the-web><span class=secno>6.5 </span>Browsing the Web</a>
+ <li><a href=#security-location><span class=secno>6.5.3.1 </span>Security</a></ol></li>
+ <li><a href=#history-notes><span class=secno>6.5.4 </span>Implementation notes for session history</a></ol></li>
+ <li><a href=#browsing-the-web><span class=secno>6.6 </span>Browsing the Web</a>
<ol>
- <li><a href=#navigating-across-documents><span class=secno>6.5.1 </span>Navigating across documents</a></li>
- <li><a href=#read-html><span class=secno>6.5.2 </span>Page load processing model for HTML files</a></li>
- <li><a href=#read-xml><span class=secno>6.5.3 </span>Page load processing model for XML files</a></li>
- <li><a href=#read-text><span class=secno>6.5.4 </span>Page load processing model for text files</a></li>
- <li><a href=#read-multipart-x-mixed-replace><span class=secno>6.5.5 </span>Page load processing model for <code>multipart/x-mixed-replace</code> resources</a></li>
- <li><a href=#read-media><span class=secno>6.5.6 </span>Page load processing model for media</a></li>
- <li><a href=#read-plugin><span class=secno>6.5.7 </span>Page load processing model for content that uses plugins</a></li>
- <li><a href=#read-ua-inline><span class=secno>6.5.8 </span>Page load processing model for inline content that doesn't have a DOM</a></li>
- <li><a href=#scroll-to-fragid><span class=secno>6.5.9 </span>Navigating to a fragment identifier</a></li>
- <li><a href=#history-traversal><span class=secno>6.5.10 </span>History traversal</a>
+ <li><a href=#navigating-across-documents><span class=secno>6.6.1 </span>Navigating across documents</a></li>
+ <li><a href=#read-html><span class=secno>6.6.2 </span>Page load processing model for HTML files</a></li>
+ <li><a href=#read-xml><span class=secno>6.6.3 </span>Page load processing model for XML files</a></li>
+ <li><a href=#read-text><span class=secno>6.6.4 </span>Page load processing model for text files</a></li>
+ <li><a href=#read-multipart-x-mixed-replace><span class=secno>6.6.5 </span>Page load processing model for <code>multipart/x-mixed-replace</code> resources</a></li>
+ <li><a href=#read-media><span class=secno>6.6.6 </span>Page load processing model for media</a></li>
+ <li><a href=#read-plugin><span class=secno>6.6.7 </span>Page load processing model for content that uses plugins</a></li>
+ <li><a href=#read-ua-inline><span class=secno>6.6.8 </span>Page load processing model for inline content that doesn't have a DOM</a></li>
+ <li><a href=#scroll-to-fragid><span class=secno>6.6.9 </span>Navigating to a fragment identifier</a></li>
+ <li><a href=#history-traversal><span class=secno>6.6.10 </span>History traversal</a>
<ol>
- <li><a href=#event-definitions-0><span class=secno>6.5.10.1 </span>Event definitions</a></ol></li>
- <li><a href=#unloading-documents><span class=secno>6.5.11 </span>Unloading documents</a>
+ <li><a href=#event-definitions-0><span class=secno>6.6.10.1 </span>Event definitions</a></ol></li>
+ <li><a href=#unloading-documents><span class=secno>6.6.11 </span>Unloading documents</a>
<ol>
- <li><a href=#event-definition><span class=secno>6.5.11.1 </span>Event definition</a></ol></li>
- <li><a href=#aborting-a-document-load><span class=secno>6.5.12 </span>Aborting a document load</a></ol></li>
- <li><a href=#offline><span class=secno>6.6 </span>Offline Web applications</a>
+ <li><a href=#event-definition><span class=secno>6.6.11.1 </span>Event definition</a></ol></li>
+ <li><a href=#aborting-a-document-load><span class=secno>6.6.12 </span>Aborting a document load</a></ol></li>
+ <li><a href=#offline><span class=secno>6.7 </span>Offline Web applications</a>
<ol>
- <li><a href=#introduction-5><span class=secno>6.6.1 </span>Introduction</a>
+ <li><a href=#introduction-5><span class=secno>6.7.1 </span>Introduction</a>
<ol>
- <li><a href=#appcacheevents><span class=secno>6.6.1.1 </span>Event summary</a></ol></li>
- <li><a href=#appcache><span class=secno>6.6.2 </span>Application caches</a></li>
- <li><a href=#manifests><span class=secno>6.6.3 </span>The cache manifest syntax</a>
+ <li><a href=#appcacheevents><span class=secno>6.7.1.1 </span>Event summary</a></ol></li>
+ <li><a href=#appcache><span class=secno>6.7.2 </span>Application caches</a></li>
+ <li><a href=#manifests><span class=secno>6.7.3 </span>The cache manifest syntax</a>
<ol>
- <li><a href=#some-sample-manifests><span class=secno>6.6.3.1 </span>Some sample manifests</a></li>
- <li><a href=#writing-cache-manifests><span class=secno>6.6.3.2 </span>Writing cache manifests</a></li>
- <li><a href=#parsing-cache-manifests><span class=secno>6.6.3.3 </span>Parsing cache manifests</a></ol></li>
- <li><a href=#downloading-or-updating-an-application-cache><span class=secno>6.6.4 </span>Downloading or updating an application cache</a></li>
- <li><a href=#the-application-cache-selection-algorithm><span class=secno>6.6.5 </span>The application cache selection algorithm</a></li>
- <li><a href=#changesToNetworkingModel><span class=secno>6.6.6 </span>Changes to the networking model</a></li>
- <li><a href=#expiring-application-caches><span class=secno>6.6.7 </span>Expiring application caches</a></li>
- <li><a href=#disk-space><span class=secno>6.6.8 </span>Disk space</a></li>
- <li><a href=#application-cache-api><span class=secno>6.6.9 </span>Application cache API</a></li>
- <li><a href=#browser-state><span class=secno>6.6.10 </span>Browser state</a></ol></ol></li>
+ <li><a href=#some-sample-manifests><span class=secno>6.7.3.1 </span>Some sample manifests</a></li>
+ <li><a href=#writing-cache-manifests><span class=secno>6.7.3.2 </span>Writing cache manifests</a></li>
+ <li><a href=#parsing-cache-manifests><span class=secno>6.7.3.3 </span>Parsing cache manifests</a></ol></li>
+ <li><a href=#downloading-or-updating-an-application-cache><span class=secno>6.7.4 </span>Downloading or updating an application cache</a></li>
+ <li><a href=#the-application-cache-selection-algorithm><span class=secno>6.7.5 </span>The application cache selection algorithm</a></li>
+ <li><a href=#changesToNetworkingModel><span class=secno>6.7.6 </span>Changes to the networking model</a></li>
+ <li><a href=#expiring-application-caches><span class=secno>6.7.7 </span>Expiring application caches</a></li>
+ <li><a href=#disk-space><span class=secno>6.7.8 </span>Disk space</a></li>
+ <li><a href=#application-cache-api><span class=secno>6.7.9 </span>Application cache API</a></li>
+ <li><a href=#browser-state><span class=secno>6.7.10 </span>Browser state</a></ol></ol></li>
<li><a href=#webappapis><span class=secno>7 </span>Web application APIs</a>
<ol>
<li><a href=#scripting><span class=secno>7.1 </span>Scripting</a>
@@ -10031,7 +10032,7 @@
<p>Can be set, to add a new cookie to the element's set of HTTP
cookies.</p>
<p>If the contents are <a href=#sandboxed-origin-browsing-context-flag title="sandboxed origin browsing
- context flag">sandboxed into a unique origin</a> (in an
+ context flag">sandboxed into a unique origin</a> (e.g. in an
<code><a href=#the-iframe-element>iframe</a></code> with the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute), a
<code><a href=#securityerror>SecurityError</a></code> exception will be thrown on getting and
setting.</p>
@@ -15425,9 +15426,9 @@
<p>After the refresh has come due (as defined below), if the
user has not canceled the redirect and if the
<code><a href=#the-meta-element>meta</a></code> element's <code><a href=#document>Document</a></code>'s
- <a href=#browsing-context>browsing context</a> did not have the <a href=#sandboxed-automatic-features-browsing-context-flag>sandboxed
- automatic features browsing context flag</a> set when the
- <code><a href=#document>Document</a></code> was created, <a href=#navigate title=navigate>navigate</a><!--DONAV meta refresh--> the
+ <a href=#active-sandboxing-flag-set>active sandboxing flag set</a> does not have the
+ <a href=#sandboxed-automatic-features-browsing-context-flag>sandboxed automatic features browsing context
+ flag</a> set, <a href=#navigate title=navigate>navigate</a><!--DONAV meta refresh--> the
<code><a href=#document>Document</a></code>'s <a href=#browsing-context>browsing context</a> to <var title="">url</var>, with <a href=#replacement-enabled>replacement enabled</a>, and
with the <code><a href=#document>Document</a></code>'s <a href=#browsing-context>browsing context</a>
as the <a href=#source-browsing-context>source browsing context</a>.</p>
@@ -25359,102 +25360,34 @@
<p>While the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code>
attribute is specified, the <code><a href=#the-iframe-element>iframe</a></code> element's
- <a href=#nested-browsing-context>nested browsing context</a> must have the flags given in
- the following list set. In addition, any browsing contexts <a href=#nested-browsing-context title="nested browsing context">nested</a> within an
- <code><a href=#the-iframe-element>iframe</a></code>, either directly or indirectly, must have all
- the flags set on them as were set on the <code><a href=#the-iframe-element>iframe</a></code>'s
- <code><a href=#document>Document</a></code>'s <a href=#browsing-context>browsing context</a> when the
- <code><a href=#the-iframe-element>iframe</a></code>'s <code><a href=#document>Document</a></code> was created.</p>
+ <a href=#nested-browsing-context>nested browsing context</a>'s <a href=#iframe-sandboxing-flag-set><code>iframe</code>
+ sandboxing flag set</a> must have the flags given in the
+ following list set.</p>
- <dl><dt>The <dfn id=sandboxed-navigation-browsing-context-flag>sandboxed navigation browsing context flag</dfn></dt>
+ <ul><li><p>The <a href=#sandboxed-navigation-browsing-context-flag>sandboxed navigation browsing context flag</a></li>
- <dd>
-
- <p>This flag <a href=#sandboxLinks>prevents content from
- navigating browsing contexts other than the sandboxed browsing
- context itself</a> (or browsing contexts further nested inside
- it), and the <a href=#top-level-browsing-context>top-level browsing context</a> (which is
- protected by the <a href=#sandboxed-top-level-navigation-browsing-context-flag>sandboxed top-level navigation browsing
- context flag</a> defined next).</p>
-
- <p>This flag also <a href=#sandboxWindowOpen>prevents content
- from creating new auxiliary browsing contexts</a>, e.g. using the
- <code title=attr-hyperlink-target><a href=#attr-hyperlink-target>target</a></code> attribute, the
- <code title=dom-open><a href=#dom-open>window.open()</a></code> method, or the <code title=dom-showModalDialog><a href=#dom-showmodaldialog>showModalDialog()</a></code> method.</p>
-
- </dd>
-
-
- <dt>The <dfn id=sandboxed-top-level-navigation-browsing-context-flag>sandboxed top-level navigation browsing context
- flag</dfn>, unless the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute's value, when
+ <li><p>The <a href=#sandboxed-top-level-navigation-browsing-context-flag>sandboxed top-level navigation browsing context
+ flag</a>, unless the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute's value, when
<a href=#split-a-string-on-spaces title="split a string on spaces">split on spaces</a>, is
found to have the <dfn id=attr-iframe-sandbox-allow-top-navigation title=attr-iframe-sandbox-allow-top-navigation><code>allow-top-navigation</code></dfn>
- keyword set</dt>
+ keyword set</li>
- <dd>
+ <li><p>The <a href=#sandboxed-plugins-browsing-context-flag>sandboxed plugins browsing context flag</a></li>
- <p>This flag <a href=#sandboxLinks>prevents content from
- navigating their <span>top-level browsing context</span></a>.</p>
+ <li><p>The <a href=#sandboxed-seamless-iframes-flag>sandboxed seamless iframes flag</a></li>
- <p>When the <code title=attr-iframe-sandbox-allow-top-navigation><a href=#attr-iframe-sandbox-allow-top-navigation>allow-top-navigation</a></code>
- is set, content can navigate its <a href=#top-level-browsing-context>top-level browsing
- context</a>, but other <a href=#browsing-context title="browsing context">browsing
- contexts</a> are still protected by the <a href=#sandboxed-navigation-browsing-context-flag>sandboxed
- navigation browsing context flag</a> defined above.</p>
+ <li>
- </dd>
+ <p>The <a href=#sandboxed-origin-browsing-context-flag>sandboxed origin browsing context flag</a>, unless
+ the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute's
+ value, when <a href=#split-a-string-on-spaces title="split a string on spaces">split on
+ spaces</a>, is found to have the <dfn id=attr-iframe-sandbox-allow-same-origin title=attr-iframe-sandbox-allow-same-origin><code>allow-same-origin</code></dfn>
+ keyword set</p>
-
- <dt>The <dfn id=sandboxed-plugins-browsing-context-flag>sandboxed plugins browsing context flag</dfn></dt>
-
- <dd>
-
- <p>This flag prevents content from instantiating <a href=#plugin title=plugin>plugins</a>, whether using <a href=#sandboxPluginEmbed>the <code>embed</code> element</a>, <a href=#sandboxPluginObject>the <code>object</code> element</a>,
- <a href=#sandboxPluginApplet>the <code>applet</code>
- element</a>, or through <a href=#sandboxPluginNavigate>navigation</a> of a <a href=#nested-browsing-context>nested
- browsing context</a>, unless those <a href=#plugin title=plugin>plugins</a> can be <a href=#concept-plugin-secure title=concept-plugin-secure>secured</a>.</p>
-
- </dd>
-
-
- <dt>The <dfn id=sandboxed-seamless-iframes-flag>sandboxed seamless iframes flag</dfn></dt>
-
- <dd>
-
- <p>This flag prevents content from using the <code title=attr-iframe-seamless><a href=#attr-iframe-seamless>seamless</a></code> attribute on
- descendant <code><a href=#the-iframe-element>iframe</a></code> elements.</p>
-
- <p class=note>This prevents a page inserted using the <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code>
- keyword from using a CSS-selector-based method of probing the DOM
- of other pages on the same site (in particular, pages that contain
- user-sensitive information).</p>
-
- <!-- http://lists.w3.org/Archives/Public/public-web-security/2009Dec/thread.html#msg51 -->
-
- </dd>
-
-
- <dt>The <dfn id=sandboxed-origin-browsing-context-flag>sandboxed origin browsing context flag</dfn>, unless
- the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute's
- value, when <a href=#split-a-string-on-spaces title="split a string on spaces">split on
- spaces</a>, is found to have the <dfn id=attr-iframe-sandbox-allow-same-origin title=attr-iframe-sandbox-allow-same-origin><code>allow-same-origin</code></dfn>
- keyword set</dt>
-
- <dd>
-
- <p>This flag <a href=#sandboxOrigin>forces content into a unique
- origin</a>, thus preventing it from accessing other content from
- the same <a href=#origin>origin</a>.</p>
-
- <p>This flag also <a href=#sandboxCookies>prevents script from
- reading from or writing to the <code title=dom-document-cookie>document.cookie</code> IDL
- attribute</a>, and blocks access to <code title=dom-localStorage><a href=#dom-localstorage>localStorage</a></code>.
- </p>
-
<div class=note>
<p>The <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code>
- attribute is intended for two cases.</p>
+ keyword is intended for two cases.</p>
<p>First, it can be used to allow content from the same site to
be sandboxed to disable scripting, while still allowing access to
@@ -25468,57 +25401,37 @@
</div>
- </dd>
+ </li>
-
- <dt>The <dfn id=sandboxed-forms-browsing-context-flag>sandboxed forms browsing context flag</dfn>, unless
+ <li><p>The <a href=#sandboxed-forms-browsing-context-flag>sandboxed forms browsing context flag</a>, unless
the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute's
value, when <a href=#split-a-string-on-spaces title="split a string on spaces">split on
spaces</a>, is found to have the <dfn id=attr-iframe-sandbox-allow-forms title=attr-iframe-sandbox-allow-forms><code>allow-forms</code></dfn>
- keyword set</dt>
+ keyword set</li>
- <dd>
-
- <p>This flag <a href=#sandboxSubmitBlocked>blocks form
- submission</a>.</p>
-
- </dd>
-
-
- <dt>The <dfn id=sandboxed-scripts-browsing-context-flag>sandboxed scripts browsing context flag</dfn>, unless
+ <li><p>The <a href=#sandboxed-scripts-browsing-context-flag>sandboxed scripts browsing context flag</a>, unless
the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute's
value, when <a href=#split-a-string-on-spaces title="split a string on spaces">split on
spaces</a>, is found to have the <dfn id=attr-iframe-sandbox-allow-scripts title=attr-iframe-sandbox-allow-scripts><code>allow-scripts</code></dfn>
- keyword set</dt>
+ keyword set</li>
- <dd>
+ <li>
- <p>This flag <a href=#sandboxScriptBlocked>blocks script
- execution</a>.</p>
+ <p>The <a href=#sandboxed-automatic-features-browsing-context-flag>sandboxed automatic features browsing context
+ flag</a>, unless the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute's value, when
+ <a href=#split-a-string-on-spaces title="split a string on spaces">split on spaces</a>, is
+ found to have the <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code>
+ keyword (defined above) set</p>
- </dd>
-
-
- <dt>The <dfn id=sandboxed-automatic-features-browsing-context-flag>sandboxed automatic features browsing context
- flag</dfn>, unless the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute's value, when
- <a href=#split-a-string-on-spaces title="split a string on spaces">split on spaces</a>, is
- found to have the <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code>
- keyword (defined above) set</dt>
-
- <dd>
-
- <p>This flag blocks features that trigger automatically, such as
- <a href=#attr-media-autoplay title=attr-media-autoplay>automatically playing a
- video</a> or <a href=#attr-fe-autofocus title=attr-fe-autofocus>automatically
- focusing a form control</a>. It is relaxed by the same flag as
+ <p class=note>This flag is relaxed by the same flag as
scripts, because when scripts are enabled these features are
trivially possible anyway, and it would be unfortunate to force
authors to use script to do them when sandboxed rather than
allowing them to use the declarative features.</p>
- </dd>
+ </li>
- </dl><p>These flags must not be set unless the conditions listed above
+ </ul><p>These flags must not be set unless the conditions listed above
define them as being set.</p>
<p class=warning>These flags only take effect when the
@@ -25628,18 +25541,17 @@
be part of the containing document (seamlessly included in the
parent document). <span class=impl>Specifically, when the
attribute is set on an <code><a href=#the-iframe-element>iframe</a></code> element whose owner
- <code><a href=#document>Document</a></code>'s <a href=#browsing-context>browsing context</a> did not have
- the <a href=#sandboxed-seamless-iframes-flag>sandboxed seamless iframes flag</a> set when that
- <code><a href=#document>Document</a></code> was created, and while either the
- <a href=#browsing-context>browsing context</a>'s <a href=#active-document>active document</a> has the
- <a href=#same-origin>same origin</a> as the <code><a href=#the-iframe-element>iframe</a></code> element's
- document, or the <a href=#browsing-context>browsing context</a>'s <a href=#active-document>active
- document</a>'s <em><a href="#the-document's-address" title="the document's
- address">address</a></em> has the <a href=#same-origin>same origin</a> as the
+ <code><a href=#document>Document</a></code>'s <a href=#active-sandboxing-flag-set>active sandboxing flag set</a> does
+ not have the <a href=#sandboxed-seamless-iframes-flag>sandboxed seamless iframes flag</a> set, and
+ while either the <a href=#browsing-context>browsing context</a>'s <a href=#active-document>active
+ document</a> has the <a href=#same-origin>same origin</a> as the
<code><a href=#the-iframe-element>iframe</a></code> element's document, or the <a href=#browsing-context>browsing
- context</a>'s <a href=#active-document>active document</a> is <a href=#an-iframe-srcdoc-document>an
- <code>iframe</code> <code title=attr-iframe-srcdoc>srcdoc</code>
- document</a>, the following requirements apply:</span></p>
+ context</a>'s <a href=#active-document>active document</a>'s <em><a href="#the-document's-address" title="the
+ document's address">address</a></em> has the <a href=#same-origin>same
+ origin</a> as the <code><a href=#the-iframe-element>iframe</a></code> element's document, or the
+ <a href=#browsing-context>browsing context</a>'s <a href=#active-document>active document</a> is
+ <a href=#an-iframe-srcdoc-document>an <code>iframe</code> <code title=attr-iframe-srcdoc>srcdoc</code> document</a>, the
+ following requirements apply:</span></p>
<div class=impl>
@@ -25961,10 +25873,9 @@
<p id=sandboxPluginEmbed>When a <a href=#plugin>plugin</a> is to be
instantiated but it cannot be <a href=#concept-plugin-secure title=concept-plugin-secure>secured</a> and the <a href=#sandboxed-plugins-browsing-context-flag>sandboxed
- plugins browsing context flag</a> was set on the <a href=#browsing-context>browsing
- context</a> for which the <code><a href=#the-embed-element>embed</a></code> element's
- <code><a href=#document>Document</a></code> is the <a href=#active-document>active document</a> when that
- <code><a href=#document>Document</a></code> was created, then the user agent must not
+ plugins browsing context flag</a> is set on the
+ <code><a href=#the-embed-element>embed</a></code> element's <code><a href=#document>Document</a></code>'s <a href=#active-sandboxing-flag-set>active
+ sandboxing flag set</a>, then the user agent must not
instantiate the <a href=#plugin>plugin</a>, and must instead render the
<code><a href=#the-embed-element>embed</a></code> element in a manner that conveys that the
<a href=#plugin>plugin</a> was disabled. The user agent may offer the user
@@ -26771,9 +26682,9 @@
<p id=sandboxPluginObject>Plugins are considered sandboxed for the
purpose of an <code><a href=#the-object-element>object</a></code> element if the <a href=#sandboxed-plugins-browsing-context-flag>sandboxed
- plugins browsing context flag</a> was set on the
- <code><a href=#the-object-element>object</a></code> element's <code><a href=#document>Document</a></code>'s <a href=#browsing-context>browsing
- context</a> when the <code><a href=#document>Document</a></code> was created.</p>
+ plugins browsing context flag</a> is set on the
+ <code><a href=#the-object-element>object</a></code> element's <code><a href=#document>Document</a></code>'s <a href=#active-sandboxing-flag-set>active
+ sandboxing flag set</a>.</p>
<p class=note>The above algorithm is independent of CSS properties
(including 'display', 'overflow', and 'visibility'). For example, it
@@ -29867,16 +29778,15 @@
<a href=#queue-a-task>queue a task</a> to <a href=#fire-a-simple-event>fire a simple event</a>
named <code title=event-media-playing><a href=#event-media-playing>playing</a></code>.</p>
- <p>If the <a href=#autoplaying-flag>autoplaying flag</a> is true, and the <code title=dom-media-paused><a href=#dom-media-paused>paused</a></code> attribute is true, and the
- <a href=#media-element>media element</a> has an <code title=attr-media-autoplay><a href=#attr-media-autoplay>autoplay</a></code> attribute specified,
+ <p>If the <a href=#autoplaying-flag>autoplaying flag</a> is true, and the <code title=dom-media-paused><a href=#dom-media-paused>paused</a></code> attribute is true, and
+ the <a href=#media-element>media element</a> has an <code title=attr-media-autoplay><a href=#attr-media-autoplay>autoplay</a></code> attribute specified,
and the <a href=#media-element>media element</a>'s <code><a href=#document>Document</a></code>'s
- <a href=#browsing-context>browsing context</a> did not have the <a href=#sandboxed-automatic-features-browsing-context-flag>sandboxed
- automatic features browsing context flag</a> set when the
- <code><a href=#document>Document</a></code> was created, then the user agent may also
- set the <code title=dom-media-paused><a href=#dom-media-paused>paused</a></code> attribute to
- false, <a href=#queue-a-task>queue a task</a> to <a href=#fire-a-simple-event>fire a simple
- event</a> named <code title=event-media-play><a href=#event-media-play>play</a></code>, and
+ <a href=#active-sandboxing-flag-set>active sandboxing flag set</a> does not have the
+ <a href=#sandboxed-automatic-features-browsing-context-flag>sandboxed automatic features browsing context flag</a>
+ set, then the user agent may also set the <code title=dom-media-paused><a href=#dom-media-paused>paused</a></code> attribute to false,
<a href=#queue-a-task>queue a task</a> to <a href=#fire-a-simple-event>fire a simple event</a>
+ named <code title=event-media-play><a href=#event-media-play>play</a></code>, and
+ <a href=#queue-a-task>queue a task</a> to <a href=#fire-a-simple-event>fire a simple event</a>
named <code title=event-media-playing><a href=#event-media-playing>playing</a></code>.</p>
<p class=note>User agents do not need to support autoplay,
@@ -53106,10 +53016,9 @@
it is a <a href=#nested-browsing-context>nested browsing context</a> with no <a href=#parent-browsing-context>parent
browsing context</a>), abort these steps.</li>
- <li><p>If <var title="">target</var>'s <a href=#browsing-context>browsing
- context</a> had the <a href=#sandboxed-automatic-features-browsing-context-flag>sandboxed automatic features browsing
- context flag</a> set when <var title="">target</var> was
- created, abort these steps.</li>
+ <li><p>If <var title="">target</var>'s <a href=#active-sandboxing-flag-set>active sandboxing
+ flag set</a> has the <a href=#sandboxed-automatic-features-browsing-context-flag>sandboxed automatic features
+ browsing context flag</a>, abort these steps.</li>
<li><p>If <var title="">target</var>'s <a href=#origin>origin</a> is not
the <a href=#same-origin title="same origin">same</a> as the
@@ -54100,9 +54009,9 @@
<li id=sandboxSubmitBlocked><p>If <var title="">form
document</var> has no associated <a href=#browsing-context>browsing context</a> or
- its <a href=#browsing-context>browsing context</a> had its <a href=#sandboxed-forms-browsing-context-flag>sandboxed forms
- browsing context flag</a> set when the <code><a href=#document>Document</a></code> was
- created, then abort these steps without doing anything.</li>
+ its <a href=#active-sandboxing-flag-set>active sandboxing flag set</a> has its
+ <a href=#sandboxed-forms-browsing-context-flag>sandboxed forms browsing context flag</a> set, then abort
+ these steps without doing anything.</li>
<li><p>Let <var title="">form browsing context</var> be the
<a href=#browsing-context>browsing context</a> of <var title="">form
@@ -64164,9 +64073,10 @@
— it is determined by the rules given for the first
applicable option from the following list:</p>
- <dl class=switch><dt id=sandboxWindowOpen>If the current browsing context had
- the <a href=#sandboxed-navigation-browsing-context-flag>sandboxed navigation browsing context flag</a> set
- when its <a href=#active-document>active document</a> was created.</dt>
+ <dl class=switch><dt id=sandboxWindowOpen>If the current browsing context's
+ <a href=#active-document>active document</a>'s <a href=#active-sandboxing-flag-set>active sandboxing flag
+ set</a> has the <a href=#sandboxed-navigation-browsing-context-flag>sandboxed navigation browsing context
+ flag</a> set.</dt>
<dd><p>The user agent may offer to create a new <a href=#top-level-browsing-context>top-level
browsing context</a> or reuse an existing <a href=#top-level-browsing-context>top-level
@@ -65141,10 +65051,9 @@
<dd>
- <dl class=switch><dt id=sandboxOrigin>If a <code><a href=#document>Document</a></code> is in a
- <a href=#browsing-context>browsing context</a> whose <a href=#sandboxed-origin-browsing-context-flag>sandboxed origin
- browsing context flag</a> was set when the
- <code><a href=#document>Document</a></code> was created</dt>
+ <dl class=switch><dt id=sandboxOrigin>If a <code><a href=#document>Document</a></code>'s <a href=#active-sandboxing-flag-set>active
+ sandboxing flag set</a> has its <a href=#sandboxed-origin-browsing-context-flag>sandboxed origin
+ browsing context flag</a> set</dt>
<dd>The <a href=#origin>origin</a> is a globally unique identifier
assigned when the <code><a href=#document>Document</a></code> is created.</dd>
@@ -65517,10 +65426,145 @@
<!--TOPIC:HTML-->
- <h3 id=history><span class=secno>6.4 </span>Session history and navigation</h3>
- <h4 id=the-session-history-of-browsing-contexts><span class=secno>6.4.1 </span>The session history of browsing contexts</h4>
+ <h3 id=sandboxing><span class=secno>6.4 </span>Sandboxing</h3>
+
+ <p>A <dfn id=sandboxing-flag-set>sandboxing flag set</dfn> is a set of zero or more of the
+ following flags, which are used to restrict the abilities that
+ potentially untrusted resources have:</p>
+
+ <dl><dt>The <dfn id=sandboxed-navigation-browsing-context-flag>sandboxed navigation browsing context flag</dfn></dt>
+
+ <dd>
+
+ <p>This flag <a href=#sandboxLinks>prevents content from
+ navigating browsing contexts other than the sandboxed browsing
+ context itself</a> (or browsing contexts further nested inside
+ it), and the <a href=#top-level-browsing-context>top-level browsing context</a> (which is
+ protected by the <a href=#sandboxed-top-level-navigation-browsing-context-flag>sandboxed top-level navigation browsing
+ context flag</a> defined next).</p>
+
+ <p>This flag also <a href=#sandboxWindowOpen>prevents content
+ from creating new auxiliary browsing contexts</a>, e.g. using the
+ <code title=attr-hyperlink-target><a href=#attr-hyperlink-target>target</a></code> attribute, the
+ <code title=dom-open><a href=#dom-open>window.open()</a></code> method, or the <code title=dom-showModalDialog><a href=#dom-showmodaldialog>showModalDialog()</a></code> method.</p>
+
+ </dd>
+
+
+ <dt>The <dfn id=sandboxed-top-level-navigation-browsing-context-flag>sandboxed top-level navigation browsing context
+ flag</dfn></dt>
+
+ <dd>
+
+ <p>This flag <a href=#sandboxLinks>prevents content from
+ navigating their <span>top-level browsing context</span></a>.</p>
+
+ <p>When the <code title=attr-iframe-sandbox-allow-top-navigation><a href=#attr-iframe-sandbox-allow-top-navigation>allow-top-navigation</a></code>
+ is set, content can navigate its <a href=#top-level-browsing-context>top-level browsing
+ context</a>, but other <a href=#browsing-context title="browsing context">browsing
+ contexts</a> are still protected by the <a href=#sandboxed-navigation-browsing-context-flag>sandboxed
+ navigation browsing context flag</a> defined above.</p>
+
+ </dd>
+
+
+ <dt>The <dfn id=sandboxed-plugins-browsing-context-flag>sandboxed plugins browsing context flag</dfn></dt>
+
+ <dd>
+
+ <p>This flag prevents content from instantiating <a href=#plugin title=plugin>plugins</a>, whether using <a href=#sandboxPluginEmbed>the <code>embed</code> element</a>, <a href=#sandboxPluginObject>the <code>object</code> element</a>,
+ <a href=#sandboxPluginApplet>the <code>applet</code>
+ element</a>, or through <a href=#sandboxPluginNavigate>navigation</a> of a <a href=#nested-browsing-context>nested
+ browsing context</a>, unless those <a href=#plugin title=plugin>plugins</a> can be <a href=#concept-plugin-secure title=concept-plugin-secure>secured</a>.</p>
+
+ </dd>
+
+
+ <dt>The <dfn id=sandboxed-seamless-iframes-flag>sandboxed seamless iframes flag</dfn></dt>
+
+ <dd>
+
+ <p>This flag prevents content from using the <code title=attr-iframe-seamless><a href=#attr-iframe-seamless>seamless</a></code> attribute on
+ descendant <code><a href=#the-iframe-element>iframe</a></code> elements.</p>
+
+ <p class=note>This prevents a page inserted using the <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code>
+ keyword from using a CSS-selector-based method of probing the DOM
+ of other pages on the same site (in particular, pages that contain
+ user-sensitive information).</p>
+
+ <!-- http://lists.w3.org/Archives/Public/public-web-security/2009Dec/thread.html#msg51 -->
+
+ </dd>
+
+
+ <dt>The <dfn id=sandboxed-origin-browsing-context-flag>sandboxed origin browsing context flag</dfn></dt>
+
+ <dd>
+
+ <p>This flag <a href=#sandboxOrigin>forces content into a unique
+ origin</a>, thus preventing it from accessing other content from
+ the same <a href=#origin>origin</a>.</p>
+
+ <p>This flag also <a href=#sandboxCookies>prevents script from
+ reading from or writing to the <code title=dom-document-cookie>document.cookie</code> IDL
+ attribute</a>, and blocks access to <code title=dom-localStorage><a href=#dom-localstorage>localStorage</a></code>.
+ </p>
+
+ </dd>
+
+
+ <dt>The <dfn id=sandboxed-forms-browsing-context-flag>sandboxed forms browsing context flag</dfn></dt>
+
+ <dd>
+
+ <p>This flag <a href=#sandboxSubmitBlocked>blocks form
+ submission</a>.</p>
+
+ </dd>
+
+
+ <dt>The <dfn id=sandboxed-scripts-browsing-context-flag>sandboxed scripts browsing context flag</dfn></dt>
+
+ <dd>
+
+ <p>This flag <a href=#sandboxScriptBlocked>blocks script
+ execution</a>.</p>
+
+ </dd>
+
+
+ <dt>The <dfn id=sandboxed-automatic-features-browsing-context-flag>sandboxed automatic features browsing context
+ flag</dfn></dt>
+
+ <dd>
+
+ <p>This flag blocks features that trigger automatically, such as
+ <a href=#attr-media-autoplay title=attr-media-autoplay>automatically playing a
+ video</a> or <a href=#attr-fe-autofocus title=attr-fe-autofocus>automatically
+ focusing a form control</a>.</p>
+
+ </dd>
+
+ </dl><p>Every <a href=#nested-browsing-context>nested browsing context</a> has an
+ <dfn id=iframe-sandboxing-flag-set><code>iframe</code> sandboxing flag set</dfn>, which is a
+ <a href=#sandboxing-flag-set>sandboxing flag set</a>. Which flags in a <a href=#nested-browsing-context>nested
+ browsing context</a>'s <a href=#iframe-sandboxing-flag-set><code>iframe</code> sandboxing flag
+ set</a> are set at any particular time is determined by the
+ <code><a href=#the-iframe-element>iframe</a></code> element's <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute.</p>
+
+ <p>Every <code><a href=#document>Document</a></code> has an <dfn id=active-sandboxing-flag-set>active sandboxing flag
+ set</dfn>, which is a <a href=#sandboxing-flag-set>sandboxing flag set</a>. When the
+ <code><a href=#document>Document</a></code> is created, its <a href=#active-sandboxing-flag-set>active sandboxing flag
+ set</a> must be empty. It is populated by the <a href=#navigate title=navigate>navigation algorithm</a>.</p>
+
+
+
+ <h3 id=history><span class=secno>6.5 </span>Session history and navigation</h3>
+
+ <h4 id=the-session-history-of-browsing-contexts><span class=secno>6.5.1 </span>The session history of browsing contexts</h4>
+
<p>The sequence of <code><a href=#document>Document</a></code>s in a <a href=#browsing-context>browsing
context</a> is its <dfn id=session-history>session history</dfn>.</p>
@@ -65667,7 +65711,7 @@
<!--TOPIC:DOM APIs-->
- <h4 id=the-history-interface><span class=secno>6.4.2 </span>The <code><a href=#history-0>History</a></code> interface</h4>
+ <h4 id=the-history-interface><span class=secno>6.5.2 </span>The <code><a href=#history-0>History</a></code> interface</h4>
<pre class=idl>interface <dfn id=history-0>History</dfn> {
readonly attribute long <a href=#dom-history-length title=dom-history-length>length</a>;
@@ -66087,7 +66131,7 @@
- <h4 id=the-location-interface><span class=secno>6.4.3 </span>The <code><a href=#location>Location</a></code> interface</h4>
+ <h4 id=the-location-interface><span class=secno>6.5.3 </span>The <code><a href=#location>Location</a></code> interface</h4>
<p>Each <code><a href=#document>Document</a></code> object in a <a href=#browsing-context>browsing
context</a>'s session history is associated with a unique
@@ -66287,7 +66331,7 @@
<!--ADD-TOPIC:Security-->
<div class=impl>
- <h5 id=security-location><span class=secno>6.4.3.1 </span>Security</h5>
+ <h5 id=security-location><span class=secno>6.5.3.1 </span>Security</h5>
<p id=security-3>User agents must throw a
<code><a href=#securityerror>SecurityError</a></code> exception whenever any of the members of a
@@ -66313,7 +66357,7 @@
<div class=impl>
- <h4 id=history-notes><span class=secno>6.4.4 </span>Implementation notes for session history</h4>
+ <h4 id=history-notes><span class=secno>6.5.4 </span>Implementation notes for session history</h4>
<!-- don't change the ID without updating multiple internal links -->
<p><i>This section is non-normative.</i></p>
@@ -66354,11 +66398,11 @@
</div>
- <h3 id=browsing-the-web><span class=secno>6.5 </span>Browsing the Web</h3>
+ <h3 id=browsing-the-web><span class=secno>6.6 </span>Browsing the Web</h3>
<div class=impl>
- <h4 id=navigating-across-documents><span class=secno>6.5.1 </span>Navigating across documents</h4>
+ <h4 id=navigating-across-documents><span class=secno>6.6.1 </span>Navigating across documents</h4>
<p>Certain actions cause the <a href=#browsing-context>browsing context</a> to
<i><a href=#navigate>navigate</a></i> to a new resource. Navigation always involves
@@ -66387,22 +66431,23 @@
the <a href=#browsing-context>browsing context</a> being navigated, and the
<a href=#source-browsing-context>source browsing context</a> is not one of the <a href=#ancestor-browsing-context title="ancestor browsing context">ancestor browsing
contexts</a> of the <a href=#browsing-context>browsing context</a> being
- navigated, and the <a href=#browsing-context>browsing context</a> being navigated is
- not both a <a href=#top-level-browsing-context>top-level browsing context</a> and one of the
- <a href=#ancestor-browsing-context title="ancestor browsing context">ancestor browsing
+ navigated, and the <a href=#browsing-context>browsing context</a> being navigated
+ is not both a <a href=#top-level-browsing-context>top-level browsing context</a> and one of
+ the <a href=#ancestor-browsing-context title="ancestor browsing context">ancestor browsing
contexts</a> of the <a href=#source-browsing-context>source browsing context</a>, and
- the <a href=#source-browsing-context>source browsing context</a> had its <a href=#sandboxed-navigation-browsing-context-flag>sandboxed
- navigation browsing context flag</a> set when its <a href=#active-document>active
- document</a> was created, then abort these steps.</p>
+ the <a href=#source-browsing-context>source browsing context</a>'s <a href=#active-document>active
+ document</a>'s <a href=#active-sandboxing-flag-set>active sandboxing flag set</a> has its
+ <a href=#sandboxed-navigation-browsing-context-flag>sandboxed navigation browsing context flag</a> set, then
+ abort these steps.</p>
<p>Otherwise, if the <a href=#browsing-context>browsing context</a> being navigated
is a <a href=#top-level-browsing-context>top-level browsing context</a>, and is one of the
<a href=#ancestor-browsing-context title="ancestor browsing context">ancestor browsing
contexts</a> of the <a href=#source-browsing-context>source browsing context</a>, and
- the <a href=#source-browsing-context>source browsing context</a> had its <a href=#sandboxed-top-level-navigation-browsing-context-flag>sandboxed
- top-level navigation browsing context flag</a> set when its
- <a href=#active-document>active document</a> was created, then abort these
- steps.</p>
+ the <a href=#source-browsing-context>source browsing context</a>'s <code><a href=#document>Document</a></code>'s
+ <a href=#active-sandboxing-flag-set>active sandboxing flag set</a> has its <a href=#sandboxed-top-level-navigation-browsing-context-flag>sandboxed
+ top-level navigation browsing context flag</a> set, then abort
+ these steps.</p>
<p>In both cases, the user agent may additionally offer to open
the new resource in a new <a href=#top-level-browsing-context>top-level browsing context</a>
@@ -66769,20 +66814,54 @@
<code>javascript:</code> URL</a>.</p>
<p><dfn id=create-a-document-object title="create a Document object">Creating a new
- <code>Document</code> object</dfn>: When a <code><a href=#document>Document</a></code>
- is created as part of the above steps, a new <code><a href=#window>Window</a></code>
- object must be created and associated with the
- <code><a href=#document>Document</a></code>, with one exception: if the <a href=#browsing-context>browsing
- context</a>'s only entry in its <a href=#session-history>session history</a> is
- the <code><a href=#about:blank>about:blank</a></code> <code><a href=#document>Document</a></code> that was added
- when the <a href=#browsing-context>browsing context</a> was created, and navigation
- is occurring with <a href=#replacement-enabled>replacement enabled</a>, and that
- <code><a href=#document>Document</a></code> has the <a href=#same-origin>same origin</a> as the new
- <code><a href=#document>Document</a></code>, then the <code><a href=#window>Window</a></code> object of that
- <code><a href=#document>Document</a></code> must be used instead, and the <code title=dom-document><a href=#dom-document-0>document</a></code> attribute of the
+ <code>Document</code> object</dfn>: when a <code><a href=#document>Document</a></code>
+ is created as part of the above steps, the user agent has a couple
+ of additional requirements to follow as part of creating the new
+ object:</p>
+
+ <p>First, a new <code><a href=#window>Window</a></code> object must be created and
+ associated with the <code><a href=#document>Document</a></code>, with one exception: if
+ the <a href=#browsing-context>browsing context</a>'s only entry in its
+ <a href=#session-history>session history</a> is the <code><a href=#about:blank>about:blank</a></code>
+ <code><a href=#document>Document</a></code> that was added when the <a href=#browsing-context>browsing
+ context</a> was created, and navigation is occurring with
+ <a href=#replacement-enabled>replacement enabled</a>, and that <code><a href=#document>Document</a></code>
+ has the <a href=#same-origin>same origin</a> as the new <code><a href=#document>Document</a></code>,
+ then the <code><a href=#window>Window</a></code> object of that <code><a href=#document>Document</a></code>
+ must be used instead, and the <code title=dom-document><a href=#dom-document-0>document</a></code> attribute of the
<code><a href=#window>Window</a></code> object must be changed to point to the new
<code><a href=#document>Document</a></code> instead.</p>
+ <p>Second, the <code><a href=#document>Document</a></code>'s <a href=#active-sandboxing-flag-set>active sandboxing
+ flag set</a> must be populated with the union of the flags that
+ are present in the following <a href=#sandboxing-flag-set title="sandboxing flag
+ set">sandboxing flag sets</a> at the time the
+ <code><a href=#document>Document</a></code> object is created:</p>
+
+ <ul><li><p>If the <code><a href=#document>Document</a></code>'s <a href=#browsing-context>browsing
+ context</a> is a <a href=#nested-browsing-context>nested browsing context</a>, then:
+ the flags set on the <a href=#browsing-context>browsing context</a>'s
+ <a href=#iframe-sandboxing-flag-set><code>iframe</code> sandboxing flag set</a>.</li>
+
+ <li><p>If the <code><a href=#document>Document</a></code>'s <a href=#browsing-context>browsing
+ context</a> is a <a href=#nested-browsing-context>nested browsing context</a>, then:
+ the flags set on the <a href=#browsing-context>browsing context</a>'s <a href=#parent-browsing-context>parent
+ browsing context</a>'s <a href=#active-document>active document</a>'s
+ <a href=#active-sandboxing-flag-set>active sandboxing flag set</a>.</li>
+
+ <li><p>The flags set on the resource's <a href=#forced-sandboxing-flag-set>forced sandboxing
+ flag set</a>.</li>
+
+ </ul><p>Each resource obtained by this <a href=#navigate title=navigate>navigation algorithm</a> has a <dfn id=forced-sandboxing-flag-set> forced
+ sandboxing flag set</dfn>, which is a <a href=#sandboxing-flag-set>sandboxing flag
+ set</a>. A resource by default has no flags set in its
+ <a href=#forced-sandboxing-flag-set>forced sandboxing flag set</a>, but other specifications
+ can define that certain flags are set.</p>
+
+ <p class=note>In particular, the <a href=#forced-sandboxing-flag-set>forced sandboxing flag
+ set</a> is used by the Content Security Policy specification.
+ <a href=#refsCSP>[CSP]</a></p>
+
</li>
<li id=navigate-non-Document>
@@ -66906,7 +66985,7 @@
source</a>.</p>
- <h4 id=read-html><span class=secno>6.5.2 </span><dfn title=navigate-html>Page load processing model for HTML files</dfn></h4>
+ <h4 id=read-html><span class=secno>6.6.2 </span><dfn title=navigate-html>Page load processing model for HTML files</dfn></h4>
<p>When an HTML document is to be loaded in a <a href=#browsing-context>browsing
context</a>, the user agent must <a href=#queue-a-task>queue a task</a> to
@@ -66945,7 +67024,7 @@
- <h4 id=read-xml><span class=secno>6.5.3 </span><dfn title=navigate-xml>Page load processing model for XML files</dfn></h4>
+ <h4 id=read-xml><span class=secno>6.6.3 </span><dfn title=navigate-xml>Page load processing model for XML files</dfn></h4>
<p>When faced with displaying an XML file inline, user agents must
first <a href=#create-a-document-object>create a <code>Document</code> object</a>, following
@@ -67004,7 +67083,7 @@
<code><a href=#document>Document</a></code>.</p>
- <h4 id=read-text><span class=secno>6.5.4 </span><dfn title=navigate-text>Page load processing model for text files</dfn></h4>
+ <h4 id=read-text><span class=secno>6.6.4 </span><dfn title=navigate-text>Page load processing model for text files</dfn></h4>
<p>When a plain text document is to be loaded in a <a href=#browsing-context>browsing
context</a>, the user agent must <a href=#queue-a-task>queue a task</a> to
@@ -67063,7 +67142,7 @@
section must be the <a href=#networking-task-source>networking task source</a>.</p>
- <h4 id=read-multipart-x-mixed-replace><span class=secno>6.5.5 </span><dfn title=navigate-multipart-x-mixed-replace>Page load processing model for <code>multipart/x-mixed-replace</code> resources</dfn></h4>
+ <h4 id=read-multipart-x-mixed-replace><span class=secno>6.6.5 </span><dfn title=navigate-multipart-x-mixed-replace>Page load processing model for <code>multipart/x-mixed-replace</code> resources</dfn></h4>
<p>When a resource with the type
<code><a href=#multipart/x-mixed-replace>multipart/x-mixed-replace</a></code> is to be loaded in a
@@ -67090,7 +67169,7 @@
events) do fire for each body part loaded.</p>
- <h4 id=read-media><span class=secno>6.5.6 </span><dfn title=navigate-media>Page load processing model for media</dfn></h4>
+ <h4 id=read-media><span class=secno>6.6.6 </span><dfn title=navigate-media>Page load processing model for media</dfn></h4>
<p>When an image, video, or audio resource is to be loaded in a
<a href=#browsing-context>browsing context</a>, the user agent should <a href=#create-a-document-object>create a
@@ -67142,7 +67221,7 @@
<code><a href=#the-title-element>title</a></code>, to make the media <a href=#attr-media-autoplay title=attr-media-autoplay>autoplay</a>, etc.</p>
- <h4 id=read-plugin><span class=secno>6.5.7 </span><dfn title=navigate-plugin>Page load processing model for content that uses plugins</dfn></h4>
+ <h4 id=read-plugin><span class=secno>6.6.7 </span><dfn title=navigate-plugin>Page load processing model for content that uses plugins</dfn></h4>
<p>When a resource that requires an external resource to be rendered
is to be loaded in a <a href=#browsing-context>browsing context</a>, the user agent
@@ -67178,14 +67257,14 @@
element, e.g. to link to a style sheet or an XBL binding, or to give
the document a <code><a href=#the-title-element>title</a></code>.</p>
- <p class=note id=sandboxPluginNavigate>If the <a href=#sandboxed-plugins-browsing-context-flag>sandboxed
- plugins browsing context flag</a> was set on the <a href=#browsing-context>browsing
- context</a> when the <code><a href=#document>Document</a></code> was created, the
+ <p class=note id=sandboxPluginNavigate>If the
+ <code><a href=#document>Document</a></code>'s <a href=#active-sandboxing-flag-set>active sandboxing flag set</a> has
+ its <a href=#sandboxed-plugins-browsing-context-flag>sandboxed plugins browsing context flag</a> set, the
synthesized <code><a href=#the-embed-element>embed</a></code> element will <a href=#sandboxPluginEmbed>fail to render the content</a> if the
relevant <a href=#plugin>plugin</a> cannot be <a href=#concept-plugin-secure title=concept-plugin-secure>secured</a>.</p>
- <h4 id=read-ua-inline><span class=secno>6.5.8 </span><dfn title=navigate-ua-inline>Page load processing model for inline content that doesn't have a DOM</dfn></h4>
+ <h4 id=read-ua-inline><span class=secno>6.6.8 </span><dfn title=navigate-ua-inline>Page load processing model for inline content that doesn't have a DOM</dfn></h4>
<p>When the user agent is to display a user agent page inline in a
<a href=#browsing-context>browsing context</a>, the user agent should <a href=#create-a-document-object>create a
@@ -67212,7 +67291,7 @@
- <h4 id=scroll-to-fragid><span class=secno>6.5.9 </span><dfn title=navigate-fragid>Navigating to a fragment identifier</dfn></h4>
+ <h4 id=scroll-to-fragid><span class=secno>6.6.9 </span><dfn title=navigate-fragid>Navigating to a fragment identifier</dfn></h4>
<p>When a user agent is supposed to navigate to a fragment
identifier, then the user agent must <a href=#queue-a-task>queue a task</a> to
@@ -67314,7 +67393,7 @@
- <h4 id=history-traversal><span class=secno>6.5.10 </span>History traversal</h4> <!-- session history -->
+ <h4 id=history-traversal><span class=secno>6.6.10 </span>History traversal</h4> <!-- session history -->
<div class=impl>
@@ -67494,7 +67573,7 @@
<a href=#dom-manipulation-task-source>DOM manipulation task source</a>.</p>
- <h5 id=event-definitions-0><span class=secno>6.5.10.1 </span>Event definitions</h5>
+ <h5 id=event-definitions-0><span class=secno>6.6.10.1 </span>Event definitions</h5>
</div>
@@ -67618,7 +67697,7 @@
- <h4 id=unloading-documents><span class=secno>6.5.11 </span>Unloading documents</h4>
+ <h4 id=unloading-documents><span class=secno>6.6.11 </span>Unloading documents</h4>
<div class=impl>
@@ -67807,7 +67886,7 @@
false, empty the <code><a href=#document>Document</a></code>'s <code><a href=#window>Window</a></code>'s
<a href=#list-of-active-timers>list of active timers</a>.</li>
- </ol><h5 id=event-definition><span class=secno>6.5.11.1 </span>Event definition</h5>
+ </ol><h5 id=event-definition><span class=secno>6.6.11.1 </span>Event definition</h5>
</div>
@@ -67841,7 +67920,7 @@
<div class=impl>
- <h4 id=aborting-a-document-load><span class=secno>6.5.12 </span>Aborting a document load</h4>
+ <h4 id=aborting-a-document-load><span class=secno>6.6.12 </span>Aborting a document load</h4>
<p>If a <code><a href=#document>Document</a></code> is <dfn id=abort-a-document title="abort a
document">aborted</dfn>, the user agent must run the following
@@ -67880,7 +67959,7 @@
<!--TOPIC:Offline Web Applications-->
- <h3 id=offline><span class=secno>6.6 </span>Offline Web applications</h3>
+ <h3 id=offline><span class=secno>6.7 </span>Offline Web applications</h3>
<!-- v2 ideas for appcache:
@@ -67928,7 +68007,7 @@
-->
- <h4 id=introduction-5><span class=secno>6.6.1 </span>Introduction</h4>
+ <h4 id=introduction-5><span class=secno>6.7.1 </span>Introduction</h4>
<p><i>This section is non-normative.</i></p>
@@ -68015,7 +68094,7 @@
- <h5 id=appcacheevents><span class=secno>6.6.1.1 </span>Event summary</h5>
+ <h5 id=appcacheevents><span class=secno>6.7.1.1 </span>Event summary</h5>
<p><i>This section is non-normative.</i></p>
@@ -68072,7 +68151,7 @@
<td> The user agent will try fetching the files again momentarily.
</table><div class=impl>
- <h4 id=appcache><span class=secno>6.6.2 </span>Application caches</h4>
+ <h4 id=appcache><span class=secno>6.7.2 </span>Application caches</h4>
<p>An <dfn id=application-cache>application cache</dfn> is a set of cached resources
consisting of:</p>
@@ -68266,10 +68345,10 @@
- <h4 id=manifests><span class=secno>6.6.3 </span>The cache manifest syntax</h4>
+ <h4 id=manifests><span class=secno>6.7.3 </span>The cache manifest syntax</h4>
- <h5 id=some-sample-manifests><span class=secno>6.6.3.1 </span>Some sample manifests</h5>
+ <h5 id=some-sample-manifests><span class=secno>6.7.3.1 </span>Some sample manifests</h5>
<p><i>This section is non-normative.</i></p>
@@ -68365,7 +68444,7 @@
- <h5 id=writing-cache-manifests><span class=secno>6.6.3.2 </span>Writing cache manifests</h5>
+ <h5 id=writing-cache-manifests><span class=secno>6.7.3.2 </span>Writing cache manifests</h5>
<p>Manifests must be served using the
<code><a href=#text/cache-manifest>text/cache-manifest</a></code> <a href=#mime-type>MIME type</a>. All
@@ -68517,7 +68596,7 @@
<div class=impl>
- <h5 id=parsing-cache-manifests><span class=secno>6.6.3.3 </span>Parsing cache manifests</h5>
+ <h5 id=parsing-cache-manifests><span class=secno>6.7.3.3 </span>Parsing cache manifests</h5>
<p>When a user agent is to <dfn id=parse-a-manifest>parse a manifest</dfn>, it means
that the user agent must run the following steps:</p>
@@ -68790,7 +68869,7 @@
</div>
- <h4 id=downloading-or-updating-an-application-cache><span class=secno>6.6.4 </span>Downloading or updating an application cache</h4>
+ <h4 id=downloading-or-updating-an-application-cache><span class=secno>6.7.4 </span>Downloading or updating an application cache</h4>
<p>When the user agent is required (by other parts of this
specification) to start the <dfn id=application-cache-download-process>application cache download
@@ -69577,7 +69656,7 @@
- <h4 id=the-application-cache-selection-algorithm><span class=secno>6.6.5 </span>The application cache selection algorithm</h4>
+ <h4 id=the-application-cache-selection-algorithm><span class=secno>6.7.5 </span>The application cache selection algorithm</h4>
<p>When the <dfn id=concept-appcache-init title=concept-appcache-init>application cache
selection algorithm</dfn> algorithm is invoked with a
@@ -69665,7 +69744,7 @@
</dd>
- </dl><h4 id=changesToNetworkingModel><span class=secno>6.6.6 </span>Changes to the networking model</h4>
+ </dl><h4 id=changesToNetworkingModel><span class=secno>6.7.6 </span>Changes to the networking model</h4>
<p>When a <a href=#cache-host>cache host</a> is associated with an
<a href=#application-cache>application cache</a> whose <a href=#concept-appcache-completeness title=concept-appcache-completeness>completeness flag</a> is
@@ -69734,7 +69813,7 @@
<div class=impl>
- <h4 id=expiring-application-caches><span class=secno>6.6.7 </span>Expiring application caches</h4>
+ <h4 id=expiring-application-caches><span class=secno>6.7.7 </span>Expiring application caches</h4>
<p>As a general rule, user agents should not expire application
caches, except on request from the user, or after having been left
@@ -69758,7 +69837,7 @@
<div class=impl>
- <h4 id=disk-space><span class=secno>6.6.8 </span>Disk space</h4>
+ <h4 id=disk-space><span class=secno>6.7.8 </span>Disk space</h4>
<p>User agents should consider applying constraints on disk usage of
<a href=#application-cache title="application cache">application caches</a>, and care
@@ -69781,7 +69860,7 @@
- <h4 id=application-cache-api><span class=secno>6.6.9 </span>Application cache API</h4>
+ <h4 id=application-cache-api><span class=secno>6.7.9 </span>Application cache API</h4>
<pre class=idl>interface <dfn id=applicationcache>ApplicationCache</dfn> : <a href=#eventtarget>EventTarget</a> {
@@ -70039,7 +70118,7 @@
</table></div>
- <h4 id=browser-state><span class=secno>6.6.10 </span>Browser state</h4>
+ <h4 id=browser-state><span class=secno>6.7.10 </span>Browser state</h4>
<pre class=idl>[NoInterfaceObject]
interface <dfn id=navigatoronline>NavigatorOnLine</dfn> {
@@ -70151,10 +70230,10 @@
the option to disable scripting globally, or in a finer-grained
manner, e.g. on a per-origin basis.)</li>
- <li id=sandboxScriptBlocked>The <a href=#browsing-context>browsing context</a> did
- not have the <a href=#sandboxed-scripts-browsing-context-flag>sandboxed scripts browsing context flag</a>
- set when the <a href=#browsing-context>browsing context</a>'s <a href=#active-document>active
- document</a> was created.</li>
+ <li id=sandboxScriptBlocked>The <a href=#browsing-context>browsing context</a>'s
+ <a href=#active-document>active document</a>'s <a href=#active-sandboxing-flag-set>active sandboxing flag
+ set</a> does not have its <a href=#sandboxed-scripts-browsing-context-flag>sandboxed scripts browsing
+ context flag</a> set.</li>
</ul><p><dfn id=concept-bc-noscript title=concept-bc-noscript>Scripting is disabled</dfn> in a
<a href=#browsing-context>browsing context</a> when any of the above conditions are
@@ -72397,10 +72476,10 @@
<li>
- <p>If the current browsing context had the <a href=#sandboxed-navigation-browsing-context-flag>sandboxed
- navigation browsing context flag</a> set when its <a href=#active-document>active
- document</a> was created, then return the empty string and
- abort these steps.</p>
+ <p>If the current browsing context's <a href=#active-document>active
+ document</a>'s <a href=#active-sandboxing-flag-set>active sandboxing flag set</a> has its
+ <a href=#sandboxed-navigation-browsing-context-flag>sandboxed navigation browsing context flag</a> set, then
+ return the empty string and abort these steps.</p>
</li>
@@ -95618,15 +95697,14 @@
or <a href=#xml-parser>XML parser</a>, and when the element is not <a href=#in-a-document>in a
<code>Document</code></a>, and when the element's document is not
<a href=#fully-active>fully active</a>, and when the element's
- <code><a href=#document>Document</a></code>'s <a href=#browsing-context>browsing context</a> had its
- <a href=#sandboxed-plugins-browsing-context-flag>sandboxed plugins browsing context flag</a> when that
- <code><a href=#document>Document</a></code> was created, and when the element has an
- ancestor <a href=#media-element>media element</a>, and when the element has an
- ancestor <code><a href=#the-object-element>object</a></code> element that is <em>not</em> showing
- its <a href=#fallback-content>fallback content</a>, and when no Java Language runtime
- <a href=#plugin>plugin</a> is available, and when one <em>is</em> available
- but it is disabled, the element <a href=#represents>represents</a> its
- contents.</p>
+ <code><a href=#document>Document</a></code>'s <a href=#active-sandboxing-flag-set>active sandboxing flag set</a> has
+ its <a href=#sandboxed-plugins-browsing-context-flag>sandboxed plugins browsing context flag</a> set, and
+ when the element has an ancestor <a href=#media-element>media element</a>, and
+ when the element has an ancestor <code><a href=#the-object-element>object</a></code> element that is
+ <em>not</em> showing its <a href=#fallback-content>fallback content</a>, and when no
+ Java Language runtime <a href=#plugin>plugin</a> is available, and when one
+ <em>is</em> available but it is disabled, the element
+ <a href=#represents>represents</a> its contents.</p>
<!-- we assume here that the Java plugin can't be <span
title="concept-plugin-secure">secured</span>; if anyone does end up
@@ -100660,6 +100738,9 @@
such, but there's a western bias to these references for
consistency. sorry. -->
+ <dt id=refsCSP>[CSS]</dt>
+ <dd>(Non-normative) <cite><a href=http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html>Content Security Policy</a></cite>, B. Sterne, A. Barth. W3C.</dd>
+
<dt id=refsCSS>[CSS]</dt>
<dd><cite><a href=http://www.w3.org/TR/CSS/>Cascading Style Sheets Level 2
Revision 1</a></cite>, B. Bos, T. Çelik, I.
Modified: index
===================================================================
--- index 2012-04-11 23:22:15 UTC (rev 7051)
+++ index 2012-04-13 22:55:46 UTC (rev 7052)
@@ -240,7 +240,7 @@
<header class=head id=head><p><a class=logo href=http://www.whatwg.org/><img alt=WHATWG height=101 src=/images/logo width=101></a></p>
<hgroup><h1 class=allcaps>HTML</h1>
- <h2 class="no-num no-toc">Living Standard — Last Updated 11 April 2012</h2>
+ <h2 class="no-num no-toc">Living Standard — Last Updated 13 April 2012</h2>
</hgroup><dl><dt><strong>Web developer edition:</strong></dt>
<dd><strong><a href=http://developers.whatwg.org/>http://developers.whatwg.org/</a></strong></dd>
<dt>Multiple-page version:</dt>
@@ -868,50 +868,51 @@
<li><a href=#origin-0><span class=secno>6.3 </span>Origin</a>
<ol>
<li><a href=#relaxing-the-same-origin-restriction><span class=secno>6.3.1 </span>Relaxing the same-origin restriction</a></ol></li>
- <li><a href=#history><span class=secno>6.4 </span>Session history and navigation</a>
+ <li><a href=#sandboxing><span class=secno>6.4 </span>Sandboxing</a></li>
+ <li><a href=#history><span class=secno>6.5 </span>Session history and navigation</a>
<ol>
- <li><a href=#the-session-history-of-browsing-contexts><span class=secno>6.4.1 </span>The session history of browsing contexts</a></li>
- <li><a href=#the-history-interface><span class=secno>6.4.2 </span>The <code>History</code> interface</a></li>
- <li><a href=#the-location-interface><span class=secno>6.4.3 </span>The <code>Location</code> interface</a>
+ <li><a href=#the-session-history-of-browsing-contexts><span class=secno>6.5.1 </span>The session history of browsing contexts</a></li>
+ <li><a href=#the-history-interface><span class=secno>6.5.2 </span>The <code>History</code> interface</a></li>
+ <li><a href=#the-location-interface><span class=secno>6.5.3 </span>The <code>Location</code> interface</a>
<ol>
- <li><a href=#security-location><span class=secno>6.4.3.1 </span>Security</a></ol></li>
- <li><a href=#history-notes><span class=secno>6.4.4 </span>Implementation notes for session history</a></ol></li>
- <li><a href=#browsing-the-web><span class=secno>6.5 </span>Browsing the Web</a>
+ <li><a href=#security-location><span class=secno>6.5.3.1 </span>Security</a></ol></li>
+ <li><a href=#history-notes><span class=secno>6.5.4 </span>Implementation notes for session history</a></ol></li>
+ <li><a href=#browsing-the-web><span class=secno>6.6 </span>Browsing the Web</a>
<ol>
- <li><a href=#navigating-across-documents><span class=secno>6.5.1 </span>Navigating across documents</a></li>
- <li><a href=#read-html><span class=secno>6.5.2 </span>Page load processing model for HTML files</a></li>
- <li><a href=#read-xml><span class=secno>6.5.3 </span>Page load processing model for XML files</a></li>
- <li><a href=#read-text><span class=secno>6.5.4 </span>Page load processing model for text files</a></li>
- <li><a href=#read-multipart-x-mixed-replace><span class=secno>6.5.5 </span>Page load processing model for <code>multipart/x-mixed-replace</code> resources</a></li>
- <li><a href=#read-media><span class=secno>6.5.6 </span>Page load processing model for media</a></li>
- <li><a href=#read-plugin><span class=secno>6.5.7 </span>Page load processing model for content that uses plugins</a></li>
- <li><a href=#read-ua-inline><span class=secno>6.5.8 </span>Page load processing model for inline content that doesn't have a DOM</a></li>
- <li><a href=#scroll-to-fragid><span class=secno>6.5.9 </span>Navigating to a fragment identifier</a></li>
- <li><a href=#history-traversal><span class=secno>6.5.10 </span>History traversal</a>
+ <li><a href=#navigating-across-documents><span class=secno>6.6.1 </span>Navigating across documents</a></li>
+ <li><a href=#read-html><span class=secno>6.6.2 </span>Page load processing model for HTML files</a></li>
+ <li><a href=#read-xml><span class=secno>6.6.3 </span>Page load processing model for XML files</a></li>
+ <li><a href=#read-text><span class=secno>6.6.4 </span>Page load processing model for text files</a></li>
+ <li><a href=#read-multipart-x-mixed-replace><span class=secno>6.6.5 </span>Page load processing model for <code>multipart/x-mixed-replace</code> resources</a></li>
+ <li><a href=#read-media><span class=secno>6.6.6 </span>Page load processing model for media</a></li>
+ <li><a href=#read-plugin><span class=secno>6.6.7 </span>Page load processing model for content that uses plugins</a></li>
+ <li><a href=#read-ua-inline><span class=secno>6.6.8 </span>Page load processing model for inline content that doesn't have a DOM</a></li>
+ <li><a href=#scroll-to-fragid><span class=secno>6.6.9 </span>Navigating to a fragment identifier</a></li>
+ <li><a href=#history-traversal><span class=secno>6.6.10 </span>History traversal</a>
<ol>
- <li><a href=#event-definitions-0><span class=secno>6.5.10.1 </span>Event definitions</a></ol></li>
- <li><a href=#unloading-documents><span class=secno>6.5.11 </span>Unloading documents</a>
+ <li><a href=#event-definitions-0><span class=secno>6.6.10.1 </span>Event definitions</a></ol></li>
+ <li><a href=#unloading-documents><span class=secno>6.6.11 </span>Unloading documents</a>
<ol>
- <li><a href=#event-definition><span class=secno>6.5.11.1 </span>Event definition</a></ol></li>
- <li><a href=#aborting-a-document-load><span class=secno>6.5.12 </span>Aborting a document load</a></ol></li>
- <li><a href=#offline><span class=secno>6.6 </span>Offline Web applications</a>
+ <li><a href=#event-definition><span class=secno>6.6.11.1 </span>Event definition</a></ol></li>
+ <li><a href=#aborting-a-document-load><span class=secno>6.6.12 </span>Aborting a document load</a></ol></li>
+ <li><a href=#offline><span class=secno>6.7 </span>Offline Web applications</a>
<ol>
- <li><a href=#introduction-5><span class=secno>6.6.1 </span>Introduction</a>
+ <li><a href=#introduction-5><span class=secno>6.7.1 </span>Introduction</a>
<ol>
- <li><a href=#appcacheevents><span class=secno>6.6.1.1 </span>Event summary</a></ol></li>
- <li><a href=#appcache><span class=secno>6.6.2 </span>Application caches</a></li>
- <li><a href=#manifests><span class=secno>6.6.3 </span>The cache manifest syntax</a>
+ <li><a href=#appcacheevents><span class=secno>6.7.1.1 </span>Event summary</a></ol></li>
+ <li><a href=#appcache><span class=secno>6.7.2 </span>Application caches</a></li>
+ <li><a href=#manifests><span class=secno>6.7.3 </span>The cache manifest syntax</a>
<ol>
- <li><a href=#some-sample-manifests><span class=secno>6.6.3.1 </span>Some sample manifests</a></li>
- <li><a href=#writing-cache-manifests><span class=secno>6.6.3.2 </span>Writing cache manifests</a></li>
- <li><a href=#parsing-cache-manifests><span class=secno>6.6.3.3 </span>Parsing cache manifests</a></ol></li>
- <li><a href=#downloading-or-updating-an-application-cache><span class=secno>6.6.4 </span>Downloading or updating an application cache</a></li>
- <li><a href=#the-application-cache-selection-algorithm><span class=secno>6.6.5 </span>The application cache selection algorithm</a></li>
- <li><a href=#changesToNetworkingModel><span class=secno>6.6.6 </span>Changes to the networking model</a></li>
- <li><a href=#expiring-application-caches><span class=secno>6.6.7 </span>Expiring application caches</a></li>
- <li><a href=#disk-space><span class=secno>6.6.8 </span>Disk space</a></li>
- <li><a href=#application-cache-api><span class=secno>6.6.9 </span>Application cache API</a></li>
- <li><a href=#browser-state><span class=secno>6.6.10 </span>Browser state</a></ol></ol></li>
+ <li><a href=#some-sample-manifests><span class=secno>6.7.3.1 </span>Some sample manifests</a></li>
+ <li><a href=#writing-cache-manifests><span class=secno>6.7.3.2 </span>Writing cache manifests</a></li>
+ <li><a href=#parsing-cache-manifests><span class=secno>6.7.3.3 </span>Parsing cache manifests</a></ol></li>
+ <li><a href=#downloading-or-updating-an-application-cache><span class=secno>6.7.4 </span>Downloading or updating an application cache</a></li>
+ <li><a href=#the-application-cache-selection-algorithm><span class=secno>6.7.5 </span>The application cache selection algorithm</a></li>
+ <li><a href=#changesToNetworkingModel><span class=secno>6.7.6 </span>Changes to the networking model</a></li>
+ <li><a href=#expiring-application-caches><span class=secno>6.7.7 </span>Expiring application caches</a></li>
+ <li><a href=#disk-space><span class=secno>6.7.8 </span>Disk space</a></li>
+ <li><a href=#application-cache-api><span class=secno>6.7.9 </span>Application cache API</a></li>
+ <li><a href=#browser-state><span class=secno>6.7.10 </span>Browser state</a></ol></ol></li>
<li><a href=#webappapis><span class=secno>7 </span>Web application APIs</a>
<ol>
<li><a href=#scripting><span class=secno>7.1 </span>Scripting</a>
@@ -10031,7 +10032,7 @@
<p>Can be set, to add a new cookie to the element's set of HTTP
cookies.</p>
<p>If the contents are <a href=#sandboxed-origin-browsing-context-flag title="sandboxed origin browsing
- context flag">sandboxed into a unique origin</a> (in an
+ context flag">sandboxed into a unique origin</a> (e.g. in an
<code><a href=#the-iframe-element>iframe</a></code> with the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute), a
<code><a href=#securityerror>SecurityError</a></code> exception will be thrown on getting and
setting.</p>
@@ -15425,9 +15426,9 @@
<p>After the refresh has come due (as defined below), if the
user has not canceled the redirect and if the
<code><a href=#the-meta-element>meta</a></code> element's <code><a href=#document>Document</a></code>'s
- <a href=#browsing-context>browsing context</a> did not have the <a href=#sandboxed-automatic-features-browsing-context-flag>sandboxed
- automatic features browsing context flag</a> set when the
- <code><a href=#document>Document</a></code> was created, <a href=#navigate title=navigate>navigate</a><!--DONAV meta refresh--> the
+ <a href=#active-sandboxing-flag-set>active sandboxing flag set</a> does not have the
+ <a href=#sandboxed-automatic-features-browsing-context-flag>sandboxed automatic features browsing context
+ flag</a> set, <a href=#navigate title=navigate>navigate</a><!--DONAV meta refresh--> the
<code><a href=#document>Document</a></code>'s <a href=#browsing-context>browsing context</a> to <var title="">url</var>, with <a href=#replacement-enabled>replacement enabled</a>, and
with the <code><a href=#document>Document</a></code>'s <a href=#browsing-context>browsing context</a>
as the <a href=#source-browsing-context>source browsing context</a>.</p>
@@ -25359,102 +25360,34 @@
<p>While the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code>
attribute is specified, the <code><a href=#the-iframe-element>iframe</a></code> element's
- <a href=#nested-browsing-context>nested browsing context</a> must have the flags given in
- the following list set. In addition, any browsing contexts <a href=#nested-browsing-context title="nested browsing context">nested</a> within an
- <code><a href=#the-iframe-element>iframe</a></code>, either directly or indirectly, must have all
- the flags set on them as were set on the <code><a href=#the-iframe-element>iframe</a></code>'s
- <code><a href=#document>Document</a></code>'s <a href=#browsing-context>browsing context</a> when the
- <code><a href=#the-iframe-element>iframe</a></code>'s <code><a href=#document>Document</a></code> was created.</p>
+ <a href=#nested-browsing-context>nested browsing context</a>'s <a href=#iframe-sandboxing-flag-set><code>iframe</code>
+ sandboxing flag set</a> must have the flags given in the
+ following list set.</p>
- <dl><dt>The <dfn id=sandboxed-navigation-browsing-context-flag>sandboxed navigation browsing context flag</dfn></dt>
+ <ul><li><p>The <a href=#sandboxed-navigation-browsing-context-flag>sandboxed navigation browsing context flag</a></li>
- <dd>
-
- <p>This flag <a href=#sandboxLinks>prevents content from
- navigating browsing contexts other than the sandboxed browsing
- context itself</a> (or browsing contexts further nested inside
- it), and the <a href=#top-level-browsing-context>top-level browsing context</a> (which is
- protected by the <a href=#sandboxed-top-level-navigation-browsing-context-flag>sandboxed top-level navigation browsing
- context flag</a> defined next).</p>
-
- <p>This flag also <a href=#sandboxWindowOpen>prevents content
- from creating new auxiliary browsing contexts</a>, e.g. using the
- <code title=attr-hyperlink-target><a href=#attr-hyperlink-target>target</a></code> attribute, the
- <code title=dom-open><a href=#dom-open>window.open()</a></code> method, or the <code title=dom-showModalDialog><a href=#dom-showmodaldialog>showModalDialog()</a></code> method.</p>
-
- </dd>
-
-
- <dt>The <dfn id=sandboxed-top-level-navigation-browsing-context-flag>sandboxed top-level navigation browsing context
- flag</dfn>, unless the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute's value, when
+ <li><p>The <a href=#sandboxed-top-level-navigation-browsing-context-flag>sandboxed top-level navigation browsing context
+ flag</a>, unless the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute's value, when
<a href=#split-a-string-on-spaces title="split a string on spaces">split on spaces</a>, is
found to have the <dfn id=attr-iframe-sandbox-allow-top-navigation title=attr-iframe-sandbox-allow-top-navigation><code>allow-top-navigation</code></dfn>
- keyword set</dt>
+ keyword set</li>
- <dd>
+ <li><p>The <a href=#sandboxed-plugins-browsing-context-flag>sandboxed plugins browsing context flag</a></li>
- <p>This flag <a href=#sandboxLinks>prevents content from
- navigating their <span>top-level browsing context</span></a>.</p>
+ <li><p>The <a href=#sandboxed-seamless-iframes-flag>sandboxed seamless iframes flag</a></li>
- <p>When the <code title=attr-iframe-sandbox-allow-top-navigation><a href=#attr-iframe-sandbox-allow-top-navigation>allow-top-navigation</a></code>
- is set, content can navigate its <a href=#top-level-browsing-context>top-level browsing
- context</a>, but other <a href=#browsing-context title="browsing context">browsing
- contexts</a> are still protected by the <a href=#sandboxed-navigation-browsing-context-flag>sandboxed
- navigation browsing context flag</a> defined above.</p>
+ <li>
- </dd>
+ <p>The <a href=#sandboxed-origin-browsing-context-flag>sandboxed origin browsing context flag</a>, unless
+ the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute's
+ value, when <a href=#split-a-string-on-spaces title="split a string on spaces">split on
+ spaces</a>, is found to have the <dfn id=attr-iframe-sandbox-allow-same-origin title=attr-iframe-sandbox-allow-same-origin><code>allow-same-origin</code></dfn>
+ keyword set</p>
-
- <dt>The <dfn id=sandboxed-plugins-browsing-context-flag>sandboxed plugins browsing context flag</dfn></dt>
-
- <dd>
-
- <p>This flag prevents content from instantiating <a href=#plugin title=plugin>plugins</a>, whether using <a href=#sandboxPluginEmbed>the <code>embed</code> element</a>, <a href=#sandboxPluginObject>the <code>object</code> element</a>,
- <a href=#sandboxPluginApplet>the <code>applet</code>
- element</a>, or through <a href=#sandboxPluginNavigate>navigation</a> of a <a href=#nested-browsing-context>nested
- browsing context</a>, unless those <a href=#plugin title=plugin>plugins</a> can be <a href=#concept-plugin-secure title=concept-plugin-secure>secured</a>.</p>
-
- </dd>
-
-
- <dt>The <dfn id=sandboxed-seamless-iframes-flag>sandboxed seamless iframes flag</dfn></dt>
-
- <dd>
-
- <p>This flag prevents content from using the <code title=attr-iframe-seamless><a href=#attr-iframe-seamless>seamless</a></code> attribute on
- descendant <code><a href=#the-iframe-element>iframe</a></code> elements.</p>
-
- <p class=note>This prevents a page inserted using the <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code>
- keyword from using a CSS-selector-based method of probing the DOM
- of other pages on the same site (in particular, pages that contain
- user-sensitive information).</p>
-
- <!-- http://lists.w3.org/Archives/Public/public-web-security/2009Dec/thread.html#msg51 -->
-
- </dd>
-
-
- <dt>The <dfn id=sandboxed-origin-browsing-context-flag>sandboxed origin browsing context flag</dfn>, unless
- the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute's
- value, when <a href=#split-a-string-on-spaces title="split a string on spaces">split on
- spaces</a>, is found to have the <dfn id=attr-iframe-sandbox-allow-same-origin title=attr-iframe-sandbox-allow-same-origin><code>allow-same-origin</code></dfn>
- keyword set</dt>
-
- <dd>
-
- <p>This flag <a href=#sandboxOrigin>forces content into a unique
- origin</a>, thus preventing it from accessing other content from
- the same <a href=#origin>origin</a>.</p>
-
- <p>This flag also <a href=#sandboxCookies>prevents script from
- reading from or writing to the <code title=dom-document-cookie>document.cookie</code> IDL
- attribute</a>, and blocks access to <code title=dom-localStorage><a href=#dom-localstorage>localStorage</a></code>.
- </p>
-
<div class=note>
<p>The <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code>
- attribute is intended for two cases.</p>
+ keyword is intended for two cases.</p>
<p>First, it can be used to allow content from the same site to
be sandboxed to disable scripting, while still allowing access to
@@ -25468,57 +25401,37 @@
</div>
- </dd>
+ </li>
-
- <dt>The <dfn id=sandboxed-forms-browsing-context-flag>sandboxed forms browsing context flag</dfn>, unless
+ <li><p>The <a href=#sandboxed-forms-browsing-context-flag>sandboxed forms browsing context flag</a>, unless
the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute's
value, when <a href=#split-a-string-on-spaces title="split a string on spaces">split on
spaces</a>, is found to have the <dfn id=attr-iframe-sandbox-allow-forms title=attr-iframe-sandbox-allow-forms><code>allow-forms</code></dfn>
- keyword set</dt>
+ keyword set</li>
- <dd>
-
- <p>This flag <a href=#sandboxSubmitBlocked>blocks form
- submission</a>.</p>
-
- </dd>
-
-
- <dt>The <dfn id=sandboxed-scripts-browsing-context-flag>sandboxed scripts browsing context flag</dfn>, unless
+ <li><p>The <a href=#sandboxed-scripts-browsing-context-flag>sandboxed scripts browsing context flag</a>, unless
the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute's
value, when <a href=#split-a-string-on-spaces title="split a string on spaces">split on
spaces</a>, is found to have the <dfn id=attr-iframe-sandbox-allow-scripts title=attr-iframe-sandbox-allow-scripts><code>allow-scripts</code></dfn>
- keyword set</dt>
+ keyword set</li>
- <dd>
+ <li>
- <p>This flag <a href=#sandboxScriptBlocked>blocks script
- execution</a>.</p>
+ <p>The <a href=#sandboxed-automatic-features-browsing-context-flag>sandboxed automatic features browsing context
+ flag</a>, unless the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute's value, when
+ <a href=#split-a-string-on-spaces title="split a string on spaces">split on spaces</a>, is
+ found to have the <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code>
+ keyword (defined above) set</p>
- </dd>
-
-
- <dt>The <dfn id=sandboxed-automatic-features-browsing-context-flag>sandboxed automatic features browsing context
- flag</dfn>, unless the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute's value, when
- <a href=#split-a-string-on-spaces title="split a string on spaces">split on spaces</a>, is
- found to have the <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code>
- keyword (defined above) set</dt>
-
- <dd>
-
- <p>This flag blocks features that trigger automatically, such as
- <a href=#attr-media-autoplay title=attr-media-autoplay>automatically playing a
- video</a> or <a href=#attr-fe-autofocus title=attr-fe-autofocus>automatically
- focusing a form control</a>. It is relaxed by the same flag as
+ <p class=note>This flag is relaxed by the same flag as
scripts, because when scripts are enabled these features are
trivially possible anyway, and it would be unfortunate to force
authors to use script to do them when sandboxed rather than
allowing them to use the declarative features.</p>
- </dd>
+ </li>
- </dl><p>These flags must not be set unless the conditions listed above
+ </ul><p>These flags must not be set unless the conditions listed above
define them as being set.</p>
<p class=warning>These flags only take effect when the
@@ -25628,18 +25541,17 @@
be part of the containing document (seamlessly included in the
parent document). <span class=impl>Specifically, when the
attribute is set on an <code><a href=#the-iframe-element>iframe</a></code> element whose owner
- <code><a href=#document>Document</a></code>'s <a href=#browsing-context>browsing context</a> did not have
- the <a href=#sandboxed-seamless-iframes-flag>sandboxed seamless iframes flag</a> set when that
- <code><a href=#document>Document</a></code> was created, and while either the
- <a href=#browsing-context>browsing context</a>'s <a href=#active-document>active document</a> has the
- <a href=#same-origin>same origin</a> as the <code><a href=#the-iframe-element>iframe</a></code> element's
- document, or the <a href=#browsing-context>browsing context</a>'s <a href=#active-document>active
- document</a>'s <em><a href="#the-document's-address" title="the document's
- address">address</a></em> has the <a href=#same-origin>same origin</a> as the
+ <code><a href=#document>Document</a></code>'s <a href=#active-sandboxing-flag-set>active sandboxing flag set</a> does
+ not have the <a href=#sandboxed-seamless-iframes-flag>sandboxed seamless iframes flag</a> set, and
+ while either the <a href=#browsing-context>browsing context</a>'s <a href=#active-document>active
+ document</a> has the <a href=#same-origin>same origin</a> as the
<code><a href=#the-iframe-element>iframe</a></code> element's document, or the <a href=#browsing-context>browsing
- context</a>'s <a href=#active-document>active document</a> is <a href=#an-iframe-srcdoc-document>an
- <code>iframe</code> <code title=attr-iframe-srcdoc>srcdoc</code>
- document</a>, the following requirements apply:</span></p>
+ context</a>'s <a href=#active-document>active document</a>'s <em><a href="#the-document's-address" title="the
+ document's address">address</a></em> has the <a href=#same-origin>same
+ origin</a> as the <code><a href=#the-iframe-element>iframe</a></code> element's document, or the
+ <a href=#browsing-context>browsing context</a>'s <a href=#active-document>active document</a> is
+ <a href=#an-iframe-srcdoc-document>an <code>iframe</code> <code title=attr-iframe-srcdoc>srcdoc</code> document</a>, the
+ following requirements apply:</span></p>
<div class=impl>
@@ -25961,10 +25873,9 @@
<p id=sandboxPluginEmbed>When a <a href=#plugin>plugin</a> is to be
instantiated but it cannot be <a href=#concept-plugin-secure title=concept-plugin-secure>secured</a> and the <a href=#sandboxed-plugins-browsing-context-flag>sandboxed
- plugins browsing context flag</a> was set on the <a href=#browsing-context>browsing
- context</a> for which the <code><a href=#the-embed-element>embed</a></code> element's
- <code><a href=#document>Document</a></code> is the <a href=#active-document>active document</a> when that
- <code><a href=#document>Document</a></code> was created, then the user agent must not
+ plugins browsing context flag</a> is set on the
+ <code><a href=#the-embed-element>embed</a></code> element's <code><a href=#document>Document</a></code>'s <a href=#active-sandboxing-flag-set>active
+ sandboxing flag set</a>, then the user agent must not
instantiate the <a href=#plugin>plugin</a>, and must instead render the
<code><a href=#the-embed-element>embed</a></code> element in a manner that conveys that the
<a href=#plugin>plugin</a> was disabled. The user agent may offer the user
@@ -26771,9 +26682,9 @@
<p id=sandboxPluginObject>Plugins are considered sandboxed for the
purpose of an <code><a href=#the-object-element>object</a></code> element if the <a href=#sandboxed-plugins-browsing-context-flag>sandboxed
- plugins browsing context flag</a> was set on the
- <code><a href=#the-object-element>object</a></code> element's <code><a href=#document>Document</a></code>'s <a href=#browsing-context>browsing
- context</a> when the <code><a href=#document>Document</a></code> was created.</p>
+ plugins browsing context flag</a> is set on the
+ <code><a href=#the-object-element>object</a></code> element's <code><a href=#document>Document</a></code>'s <a href=#active-sandboxing-flag-set>active
+ sandboxing flag set</a>.</p>
<p class=note>The above algorithm is independent of CSS properties
(including 'display', 'overflow', and 'visibility'). For example, it
@@ -29867,16 +29778,15 @@
<a href=#queue-a-task>queue a task</a> to <a href=#fire-a-simple-event>fire a simple event</a>
named <code title=event-media-playing><a href=#event-media-playing>playing</a></code>.</p>
- <p>If the <a href=#autoplaying-flag>autoplaying flag</a> is true, and the <code title=dom-media-paused><a href=#dom-media-paused>paused</a></code> attribute is true, and the
- <a href=#media-element>media element</a> has an <code title=attr-media-autoplay><a href=#attr-media-autoplay>autoplay</a></code> attribute specified,
+ <p>If the <a href=#autoplaying-flag>autoplaying flag</a> is true, and the <code title=dom-media-paused><a href=#dom-media-paused>paused</a></code> attribute is true, and
+ the <a href=#media-element>media element</a> has an <code title=attr-media-autoplay><a href=#attr-media-autoplay>autoplay</a></code> attribute specified,
and the <a href=#media-element>media element</a>'s <code><a href=#document>Document</a></code>'s
- <a href=#browsing-context>browsing context</a> did not have the <a href=#sandboxed-automatic-features-browsing-context-flag>sandboxed
- automatic features browsing context flag</a> set when the
- <code><a href=#document>Document</a></code> was created, then the user agent may also
- set the <code title=dom-media-paused><a href=#dom-media-paused>paused</a></code> attribute to
- false, <a href=#queue-a-task>queue a task</a> to <a href=#fire-a-simple-event>fire a simple
- event</a> named <code title=event-media-play><a href=#event-media-play>play</a></code>, and
+ <a href=#active-sandboxing-flag-set>active sandboxing flag set</a> does not have the
+ <a href=#sandboxed-automatic-features-browsing-context-flag>sandboxed automatic features browsing context flag</a>
+ set, then the user agent may also set the <code title=dom-media-paused><a href=#dom-media-paused>paused</a></code> attribute to false,
<a href=#queue-a-task>queue a task</a> to <a href=#fire-a-simple-event>fire a simple event</a>
+ named <code title=event-media-play><a href=#event-media-play>play</a></code>, and
+ <a href=#queue-a-task>queue a task</a> to <a href=#fire-a-simple-event>fire a simple event</a>
named <code title=event-media-playing><a href=#event-media-playing>playing</a></code>.</p>
<p class=note>User agents do not need to support autoplay,
@@ -53106,10 +53016,9 @@
it is a <a href=#nested-browsing-context>nested browsing context</a> with no <a href=#parent-browsing-context>parent
browsing context</a>), abort these steps.</li>
- <li><p>If <var title="">target</var>'s <a href=#browsing-context>browsing
- context</a> had the <a href=#sandboxed-automatic-features-browsing-context-flag>sandboxed automatic features browsing
- context flag</a> set when <var title="">target</var> was
- created, abort these steps.</li>
+ <li><p>If <var title="">target</var>'s <a href=#active-sandboxing-flag-set>active sandboxing
+ flag set</a> has the <a href=#sandboxed-automatic-features-browsing-context-flag>sandboxed automatic features
+ browsing context flag</a>, abort these steps.</li>
<li><p>If <var title="">target</var>'s <a href=#origin>origin</a> is not
the <a href=#same-origin title="same origin">same</a> as the
@@ -54100,9 +54009,9 @@
<li id=sandboxSubmitBlocked><p>If <var title="">form
document</var> has no associated <a href=#browsing-context>browsing context</a> or
- its <a href=#browsing-context>browsing context</a> had its <a href=#sandboxed-forms-browsing-context-flag>sandboxed forms
- browsing context flag</a> set when the <code><a href=#document>Document</a></code> was
- created, then abort these steps without doing anything.</li>
+ its <a href=#active-sandboxing-flag-set>active sandboxing flag set</a> has its
+ <a href=#sandboxed-forms-browsing-context-flag>sandboxed forms browsing context flag</a> set, then abort
+ these steps without doing anything.</li>
<li><p>Let <var title="">form browsing context</var> be the
<a href=#browsing-context>browsing context</a> of <var title="">form
@@ -64164,9 +64073,10 @@
— it is determined by the rules given for the first
applicable option from the following list:</p>
- <dl class=switch><dt id=sandboxWindowOpen>If the current browsing context had
- the <a href=#sandboxed-navigation-browsing-context-flag>sandboxed navigation browsing context flag</a> set
- when its <a href=#active-document>active document</a> was created.</dt>
+ <dl class=switch><dt id=sandboxWindowOpen>If the current browsing context's
+ <a href=#active-document>active document</a>'s <a href=#active-sandboxing-flag-set>active sandboxing flag
+ set</a> has the <a href=#sandboxed-navigation-browsing-context-flag>sandboxed navigation browsing context
+ flag</a> set.</dt>
<dd><p>The user agent may offer to create a new <a href=#top-level-browsing-context>top-level
browsing context</a> or reuse an existing <a href=#top-level-browsing-context>top-level
@@ -65141,10 +65051,9 @@
<dd>
- <dl class=switch><dt id=sandboxOrigin>If a <code><a href=#document>Document</a></code> is in a
- <a href=#browsing-context>browsing context</a> whose <a href=#sandboxed-origin-browsing-context-flag>sandboxed origin
- browsing context flag</a> was set when the
- <code><a href=#document>Document</a></code> was created</dt>
+ <dl class=switch><dt id=sandboxOrigin>If a <code><a href=#document>Document</a></code>'s <a href=#active-sandboxing-flag-set>active
+ sandboxing flag set</a> has its <a href=#sandboxed-origin-browsing-context-flag>sandboxed origin
+ browsing context flag</a> set</dt>
<dd>The <a href=#origin>origin</a> is a globally unique identifier
assigned when the <code><a href=#document>Document</a></code> is created.</dd>
@@ -65517,10 +65426,145 @@
<!--TOPIC:HTML-->
- <h3 id=history><span class=secno>6.4 </span>Session history and navigation</h3>
- <h4 id=the-session-history-of-browsing-contexts><span class=secno>6.4.1 </span>The session history of browsing contexts</h4>
+ <h3 id=sandboxing><span class=secno>6.4 </span>Sandboxing</h3>
+
+ <p>A <dfn id=sandboxing-flag-set>sandboxing flag set</dfn> is a set of zero or more of the
+ following flags, which are used to restrict the abilities that
+ potentially untrusted resources have:</p>
+
+ <dl><dt>The <dfn id=sandboxed-navigation-browsing-context-flag>sandboxed navigation browsing context flag</dfn></dt>
+
+ <dd>
+
+ <p>This flag <a href=#sandboxLinks>prevents content from
+ navigating browsing contexts other than the sandboxed browsing
+ context itself</a> (or browsing contexts further nested inside
+ it), and the <a href=#top-level-browsing-context>top-level browsing context</a> (which is
+ protected by the <a href=#sandboxed-top-level-navigation-browsing-context-flag>sandboxed top-level navigation browsing
+ context flag</a> defined next).</p>
+
+ <p>This flag also <a href=#sandboxWindowOpen>prevents content
+ from creating new auxiliary browsing contexts</a>, e.g. using the
+ <code title=attr-hyperlink-target><a href=#attr-hyperlink-target>target</a></code> attribute, the
+ <code title=dom-open><a href=#dom-open>window.open()</a></code> method, or the <code title=dom-showModalDialog><a href=#dom-showmodaldialog>showModalDialog()</a></code> method.</p>
+
+ </dd>
+
+
+ <dt>The <dfn id=sandboxed-top-level-navigation-browsing-context-flag>sandboxed top-level navigation browsing context
+ flag</dfn></dt>
+
+ <dd>
+
+ <p>This flag <a href=#sandboxLinks>prevents content from
+ navigating their <span>top-level browsing context</span></a>.</p>
+
+ <p>When the <code title=attr-iframe-sandbox-allow-top-navigation><a href=#attr-iframe-sandbox-allow-top-navigation>allow-top-navigation</a></code>
+ is set, content can navigate its <a href=#top-level-browsing-context>top-level browsing
+ context</a>, but other <a href=#browsing-context title="browsing context">browsing
+ contexts</a> are still protected by the <a href=#sandboxed-navigation-browsing-context-flag>sandboxed
+ navigation browsing context flag</a> defined above.</p>
+
+ </dd>
+
+
+ <dt>The <dfn id=sandboxed-plugins-browsing-context-flag>sandboxed plugins browsing context flag</dfn></dt>
+
+ <dd>
+
+ <p>This flag prevents content from instantiating <a href=#plugin title=plugin>plugins</a>, whether using <a href=#sandboxPluginEmbed>the <code>embed</code> element</a>, <a href=#sandboxPluginObject>the <code>object</code> element</a>,
+ <a href=#sandboxPluginApplet>the <code>applet</code>
+ element</a>, or through <a href=#sandboxPluginNavigate>navigation</a> of a <a href=#nested-browsing-context>nested
+ browsing context</a>, unless those <a href=#plugin title=plugin>plugins</a> can be <a href=#concept-plugin-secure title=concept-plugin-secure>secured</a>.</p>
+
+ </dd>
+
+
+ <dt>The <dfn id=sandboxed-seamless-iframes-flag>sandboxed seamless iframes flag</dfn></dt>
+
+ <dd>
+
+ <p>This flag prevents content from using the <code title=attr-iframe-seamless><a href=#attr-iframe-seamless>seamless</a></code> attribute on
+ descendant <code><a href=#the-iframe-element>iframe</a></code> elements.</p>
+
+ <p class=note>This prevents a page inserted using the <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code>
+ keyword from using a CSS-selector-based method of probing the DOM
+ of other pages on the same site (in particular, pages that contain
+ user-sensitive information).</p>
+
+ <!-- http://lists.w3.org/Archives/Public/public-web-security/2009Dec/thread.html#msg51 -->
+
+ </dd>
+
+
+ <dt>The <dfn id=sandboxed-origin-browsing-context-flag>sandboxed origin browsing context flag</dfn></dt>
+
+ <dd>
+
+ <p>This flag <a href=#sandboxOrigin>forces content into a unique
+ origin</a>, thus preventing it from accessing other content from
+ the same <a href=#origin>origin</a>.</p>
+
+ <p>This flag also <a href=#sandboxCookies>prevents script from
+ reading from or writing to the <code title=dom-document-cookie>document.cookie</code> IDL
+ attribute</a>, and blocks access to <code title=dom-localStorage><a href=#dom-localstorage>localStorage</a></code>.
+ </p>
+
+ </dd>
+
+
+ <dt>The <dfn id=sandboxed-forms-browsing-context-flag>sandboxed forms browsing context flag</dfn></dt>
+
+ <dd>
+
+ <p>This flag <a href=#sandboxSubmitBlocked>blocks form
+ submission</a>.</p>
+
+ </dd>
+
+
+ <dt>The <dfn id=sandboxed-scripts-browsing-context-flag>sandboxed scripts browsing context flag</dfn></dt>
+
+ <dd>
+
+ <p>This flag <a href=#sandboxScriptBlocked>blocks script
+ execution</a>.</p>
+
+ </dd>
+
+
+ <dt>The <dfn id=sandboxed-automatic-features-browsing-context-flag>sandboxed automatic features browsing context
+ flag</dfn></dt>
+
+ <dd>
+
+ <p>This flag blocks features that trigger automatically, such as
+ <a href=#attr-media-autoplay title=attr-media-autoplay>automatically playing a
+ video</a> or <a href=#attr-fe-autofocus title=attr-fe-autofocus>automatically
+ focusing a form control</a>.</p>
+
+ </dd>
+
+ </dl><p>Every <a href=#nested-browsing-context>nested browsing context</a> has an
+ <dfn id=iframe-sandboxing-flag-set><code>iframe</code> sandboxing flag set</dfn>, which is a
+ <a href=#sandboxing-flag-set>sandboxing flag set</a>. Which flags in a <a href=#nested-browsing-context>nested
+ browsing context</a>'s <a href=#iframe-sandboxing-flag-set><code>iframe</code> sandboxing flag
+ set</a> are set at any particular time is determined by the
+ <code><a href=#the-iframe-element>iframe</a></code> element's <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute.</p>
+
+ <p>Every <code><a href=#document>Document</a></code> has an <dfn id=active-sandboxing-flag-set>active sandboxing flag
+ set</dfn>, which is a <a href=#sandboxing-flag-set>sandboxing flag set</a>. When the
+ <code><a href=#document>Document</a></code> is created, its <a href=#active-sandboxing-flag-set>active sandboxing flag
+ set</a> must be empty. It is populated by the <a href=#navigate title=navigate>navigation algorithm</a>.</p>
+
+
+
+ <h3 id=history><span class=secno>6.5 </span>Session history and navigation</h3>
+
+ <h4 id=the-session-history-of-browsing-contexts><span class=secno>6.5.1 </span>The session history of browsing contexts</h4>
+
<p>The sequence of <code><a href=#document>Document</a></code>s in a <a href=#browsing-context>browsing
context</a> is its <dfn id=session-history>session history</dfn>.</p>
@@ -65667,7 +65711,7 @@
<!--TOPIC:DOM APIs-->
- <h4 id=the-history-interface><span class=secno>6.4.2 </span>The <code><a href=#history-0>History</a></code> interface</h4>
+ <h4 id=the-history-interface><span class=secno>6.5.2 </span>The <code><a href=#history-0>History</a></code> interface</h4>
<pre class=idl>interface <dfn id=history-0>History</dfn> {
readonly attribute long <a href=#dom-history-length title=dom-history-length>length</a>;
@@ -66087,7 +66131,7 @@
- <h4 id=the-location-interface><span class=secno>6.4.3 </span>The <code><a href=#location>Location</a></code> interface</h4>
+ <h4 id=the-location-interface><span class=secno>6.5.3 </span>The <code><a href=#location>Location</a></code> interface</h4>
<p>Each <code><a href=#document>Document</a></code> object in a <a href=#browsing-context>browsing
context</a>'s session history is associated with a unique
@@ -66287,7 +66331,7 @@
<!--ADD-TOPIC:Security-->
<div class=impl>
- <h5 id=security-location><span class=secno>6.4.3.1 </span>Security</h5>
+ <h5 id=security-location><span class=secno>6.5.3.1 </span>Security</h5>
<p id=security-3>User agents must throw a
<code><a href=#securityerror>SecurityError</a></code> exception whenever any of the members of a
@@ -66313,7 +66357,7 @@
<div class=impl>
- <h4 id=history-notes><span class=secno>6.4.4 </span>Implementation notes for session history</h4>
+ <h4 id=history-notes><span class=secno>6.5.4 </span>Implementation notes for session history</h4>
<!-- don't change the ID without updating multiple internal links -->
<p><i>This section is non-normative.</i></p>
@@ -66354,11 +66398,11 @@
</div>
- <h3 id=browsing-the-web><span class=secno>6.5 </span>Browsing the Web</h3>
+ <h3 id=browsing-the-web><span class=secno>6.6 </span>Browsing the Web</h3>
<div class=impl>
- <h4 id=navigating-across-documents><span class=secno>6.5.1 </span>Navigating across documents</h4>
+ <h4 id=navigating-across-documents><span class=secno>6.6.1 </span>Navigating across documents</h4>
<p>Certain actions cause the <a href=#browsing-context>browsing context</a> to
<i><a href=#navigate>navigate</a></i> to a new resource. Navigation always involves
@@ -66387,22 +66431,23 @@
the <a href=#browsing-context>browsing context</a> being navigated, and the
<a href=#source-browsing-context>source browsing context</a> is not one of the <a href=#ancestor-browsing-context title="ancestor browsing context">ancestor browsing
contexts</a> of the <a href=#browsing-context>browsing context</a> being
- navigated, and the <a href=#browsing-context>browsing context</a> being navigated is
- not both a <a href=#top-level-browsing-context>top-level browsing context</a> and one of the
- <a href=#ancestor-browsing-context title="ancestor browsing context">ancestor browsing
+ navigated, and the <a href=#browsing-context>browsing context</a> being navigated
+ is not both a <a href=#top-level-browsing-context>top-level browsing context</a> and one of
+ the <a href=#ancestor-browsing-context title="ancestor browsing context">ancestor browsing
contexts</a> of the <a href=#source-browsing-context>source browsing context</a>, and
- the <a href=#source-browsing-context>source browsing context</a> had its <a href=#sandboxed-navigation-browsing-context-flag>sandboxed
- navigation browsing context flag</a> set when its <a href=#active-document>active
- document</a> was created, then abort these steps.</p>
+ the <a href=#source-browsing-context>source browsing context</a>'s <a href=#active-document>active
+ document</a>'s <a href=#active-sandboxing-flag-set>active sandboxing flag set</a> has its
+ <a href=#sandboxed-navigation-browsing-context-flag>sandboxed navigation browsing context flag</a> set, then
+ abort these steps.</p>
<p>Otherwise, if the <a href=#browsing-context>browsing context</a> being navigated
is a <a href=#top-level-browsing-context>top-level browsing context</a>, and is one of the
<a href=#ancestor-browsing-context title="ancestor browsing context">ancestor browsing
contexts</a> of the <a href=#source-browsing-context>source browsing context</a>, and
- the <a href=#source-browsing-context>source browsing context</a> had its <a href=#sandboxed-top-level-navigation-browsing-context-flag>sandboxed
- top-level navigation browsing context flag</a> set when its
- <a href=#active-document>active document</a> was created, then abort these
- steps.</p>
+ the <a href=#source-browsing-context>source browsing context</a>'s <code><a href=#document>Document</a></code>'s
+ <a href=#active-sandboxing-flag-set>active sandboxing flag set</a> has its <a href=#sandboxed-top-level-navigation-browsing-context-flag>sandboxed
+ top-level navigation browsing context flag</a> set, then abort
+ these steps.</p>
<p>In both cases, the user agent may additionally offer to open
the new resource in a new <a href=#top-level-browsing-context>top-level browsing context</a>
@@ -66769,20 +66814,54 @@
<code>javascript:</code> URL</a>.</p>
<p><dfn id=create-a-document-object title="create a Document object">Creating a new
- <code>Document</code> object</dfn>: When a <code><a href=#document>Document</a></code>
- is created as part of the above steps, a new <code><a href=#window>Window</a></code>
- object must be created and associated with the
- <code><a href=#document>Document</a></code>, with one exception: if the <a href=#browsing-context>browsing
- context</a>'s only entry in its <a href=#session-history>session history</a> is
- the <code><a href=#about:blank>about:blank</a></code> <code><a href=#document>Document</a></code> that was added
- when the <a href=#browsing-context>browsing context</a> was created, and navigation
- is occurring with <a href=#replacement-enabled>replacement enabled</a>, and that
- <code><a href=#document>Document</a></code> has the <a href=#same-origin>same origin</a> as the new
- <code><a href=#document>Document</a></code>, then the <code><a href=#window>Window</a></code> object of that
- <code><a href=#document>Document</a></code> must be used instead, and the <code title=dom-document><a href=#dom-document-0>document</a></code> attribute of the
+ <code>Document</code> object</dfn>: when a <code><a href=#document>Document</a></code>
+ is created as part of the above steps, the user agent has a couple
+ of additional requirements to follow as part of creating the new
+ object:</p>
+
+ <p>First, a new <code><a href=#window>Window</a></code> object must be created and
+ associated with the <code><a href=#document>Document</a></code>, with one exception: if
+ the <a href=#browsing-context>browsing context</a>'s only entry in its
+ <a href=#session-history>session history</a> is the <code><a href=#about:blank>about:blank</a></code>
+ <code><a href=#document>Document</a></code> that was added when the <a href=#browsing-context>browsing
+ context</a> was created, and navigation is occurring with
+ <a href=#replacement-enabled>replacement enabled</a>, and that <code><a href=#document>Document</a></code>
+ has the <a href=#same-origin>same origin</a> as the new <code><a href=#document>Document</a></code>,
+ then the <code><a href=#window>Window</a></code> object of that <code><a href=#document>Document</a></code>
+ must be used instead, and the <code title=dom-document><a href=#dom-document-0>document</a></code> attribute of the
<code><a href=#window>Window</a></code> object must be changed to point to the new
<code><a href=#document>Document</a></code> instead.</p>
+ <p>Second, the <code><a href=#document>Document</a></code>'s <a href=#active-sandboxing-flag-set>active sandboxing
+ flag set</a> must be populated with the union of the flags that
+ are present in the following <a href=#sandboxing-flag-set title="sandboxing flag
+ set">sandboxing flag sets</a> at the time the
+ <code><a href=#document>Document</a></code> object is created:</p>
+
+ <ul><li><p>If the <code><a href=#document>Document</a></code>'s <a href=#browsing-context>browsing
+ context</a> is a <a href=#nested-browsing-context>nested browsing context</a>, then:
+ the flags set on the <a href=#browsing-context>browsing context</a>'s
+ <a href=#iframe-sandboxing-flag-set><code>iframe</code> sandboxing flag set</a>.</li>
+
+ <li><p>If the <code><a href=#document>Document</a></code>'s <a href=#browsing-context>browsing
+ context</a> is a <a href=#nested-browsing-context>nested browsing context</a>, then:
+ the flags set on the <a href=#browsing-context>browsing context</a>'s <a href=#parent-browsing-context>parent
+ browsing context</a>'s <a href=#active-document>active document</a>'s
+ <a href=#active-sandboxing-flag-set>active sandboxing flag set</a>.</li>
+
+ <li><p>The flags set on the resource's <a href=#forced-sandboxing-flag-set>forced sandboxing
+ flag set</a>.</li>
+
+ </ul><p>Each resource obtained by this <a href=#navigate title=navigate>navigation algorithm</a> has a <dfn id=forced-sandboxing-flag-set> forced
+ sandboxing flag set</dfn>, which is a <a href=#sandboxing-flag-set>sandboxing flag
+ set</a>. A resource by default has no flags set in its
+ <a href=#forced-sandboxing-flag-set>forced sandboxing flag set</a>, but other specifications
+ can define that certain flags are set.</p>
+
+ <p class=note>In particular, the <a href=#forced-sandboxing-flag-set>forced sandboxing flag
+ set</a> is used by the Content Security Policy specification.
+ <a href=#refsCSP>[CSP]</a></p>
+
</li>
<li id=navigate-non-Document>
@@ -66906,7 +66985,7 @@
source</a>.</p>
- <h4 id=read-html><span class=secno>6.5.2 </span><dfn title=navigate-html>Page load processing model for HTML files</dfn></h4>
+ <h4 id=read-html><span class=secno>6.6.2 </span><dfn title=navigate-html>Page load processing model for HTML files</dfn></h4>
<p>When an HTML document is to be loaded in a <a href=#browsing-context>browsing
context</a>, the user agent must <a href=#queue-a-task>queue a task</a> to
@@ -66945,7 +67024,7 @@
- <h4 id=read-xml><span class=secno>6.5.3 </span><dfn title=navigate-xml>Page load processing model for XML files</dfn></h4>
+ <h4 id=read-xml><span class=secno>6.6.3 </span><dfn title=navigate-xml>Page load processing model for XML files</dfn></h4>
<p>When faced with displaying an XML file inline, user agents must
first <a href=#create-a-document-object>create a <code>Document</code> object</a>, following
@@ -67004,7 +67083,7 @@
<code><a href=#document>Document</a></code>.</p>
- <h4 id=read-text><span class=secno>6.5.4 </span><dfn title=navigate-text>Page load processing model for text files</dfn></h4>
+ <h4 id=read-text><span class=secno>6.6.4 </span><dfn title=navigate-text>Page load processing model for text files</dfn></h4>
<p>When a plain text document is to be loaded in a <a href=#browsing-context>browsing
context</a>, the user agent must <a href=#queue-a-task>queue a task</a> to
@@ -67063,7 +67142,7 @@
section must be the <a href=#networking-task-source>networking task source</a>.</p>
- <h4 id=read-multipart-x-mixed-replace><span class=secno>6.5.5 </span><dfn title=navigate-multipart-x-mixed-replace>Page load processing model for <code>multipart/x-mixed-replace</code> resources</dfn></h4>
+ <h4 id=read-multipart-x-mixed-replace><span class=secno>6.6.5 </span><dfn title=navigate-multipart-x-mixed-replace>Page load processing model for <code>multipart/x-mixed-replace</code> resources</dfn></h4>
<p>When a resource with the type
<code><a href=#multipart/x-mixed-replace>multipart/x-mixed-replace</a></code> is to be loaded in a
@@ -67090,7 +67169,7 @@
events) do fire for each body part loaded.</p>
- <h4 id=read-media><span class=secno>6.5.6 </span><dfn title=navigate-media>Page load processing model for media</dfn></h4>
+ <h4 id=read-media><span class=secno>6.6.6 </span><dfn title=navigate-media>Page load processing model for media</dfn></h4>
<p>When an image, video, or audio resource is to be loaded in a
<a href=#browsing-context>browsing context</a>, the user agent should <a href=#create-a-document-object>create a
@@ -67142,7 +67221,7 @@
<code><a href=#the-title-element>title</a></code>, to make the media <a href=#attr-media-autoplay title=attr-media-autoplay>autoplay</a>, etc.</p>
- <h4 id=read-plugin><span class=secno>6.5.7 </span><dfn title=navigate-plugin>Page load processing model for content that uses plugins</dfn></h4>
+ <h4 id=read-plugin><span class=secno>6.6.7 </span><dfn title=navigate-plugin>Page load processing model for content that uses plugins</dfn></h4>
<p>When a resource that requires an external resource to be rendered
is to be loaded in a <a href=#browsing-context>browsing context</a>, the user agent
@@ -67178,14 +67257,14 @@
element, e.g. to link to a style sheet or an XBL binding, or to give
the document a <code><a href=#the-title-element>title</a></code>.</p>
- <p class=note id=sandboxPluginNavigate>If the <a href=#sandboxed-plugins-browsing-context-flag>sandboxed
- plugins browsing context flag</a> was set on the <a href=#browsing-context>browsing
- context</a> when the <code><a href=#document>Document</a></code> was created, the
+ <p class=note id=sandboxPluginNavigate>If the
+ <code><a href=#document>Document</a></code>'s <a href=#active-sandboxing-flag-set>active sandboxing flag set</a> has
+ its <a href=#sandboxed-plugins-browsing-context-flag>sandboxed plugins browsing context flag</a> set, the
synthesized <code><a href=#the-embed-element>embed</a></code> element will <a href=#sandboxPluginEmbed>fail to render the content</a> if the
relevant <a href=#plugin>plugin</a> cannot be <a href=#concept-plugin-secure title=concept-plugin-secure>secured</a>.</p>
- <h4 id=read-ua-inline><span class=secno>6.5.8 </span><dfn title=navigate-ua-inline>Page load processing model for inline content that doesn't have a DOM</dfn></h4>
+ <h4 id=read-ua-inline><span class=secno>6.6.8 </span><dfn title=navigate-ua-inline>Page load processing model for inline content that doesn't have a DOM</dfn></h4>
<p>When the user agent is to display a user agent page inline in a
<a href=#browsing-context>browsing context</a>, the user agent should <a href=#create-a-document-object>create a
@@ -67212,7 +67291,7 @@
- <h4 id=scroll-to-fragid><span class=secno>6.5.9 </span><dfn title=navigate-fragid>Navigating to a fragment identifier</dfn></h4>
+ <h4 id=scroll-to-fragid><span class=secno>6.6.9 </span><dfn title=navigate-fragid>Navigating to a fragment identifier</dfn></h4>
<p>When a user agent is supposed to navigate to a fragment
identifier, then the user agent must <a href=#queue-a-task>queue a task</a> to
@@ -67314,7 +67393,7 @@
- <h4 id=history-traversal><span class=secno>6.5.10 </span>History traversal</h4> <!-- session history -->
+ <h4 id=history-traversal><span class=secno>6.6.10 </span>History traversal</h4> <!-- session history -->
<div class=impl>
@@ -67494,7 +67573,7 @@
<a href=#dom-manipulation-task-source>DOM manipulation task source</a>.</p>
- <h5 id=event-definitions-0><span class=secno>6.5.10.1 </span>Event definitions</h5>
+ <h5 id=event-definitions-0><span class=secno>6.6.10.1 </span>Event definitions</h5>
</div>
@@ -67618,7 +67697,7 @@
- <h4 id=unloading-documents><span class=secno>6.5.11 </span>Unloading documents</h4>
+ <h4 id=unloading-documents><span class=secno>6.6.11 </span>Unloading documents</h4>
<div class=impl>
@@ -67807,7 +67886,7 @@
false, empty the <code><a href=#document>Document</a></code>'s <code><a href=#window>Window</a></code>'s
<a href=#list-of-active-timers>list of active timers</a>.</li>
- </ol><h5 id=event-definition><span class=secno>6.5.11.1 </span>Event definition</h5>
+ </ol><h5 id=event-definition><span class=secno>6.6.11.1 </span>Event definition</h5>
</div>
@@ -67841,7 +67920,7 @@
<div class=impl>
- <h4 id=aborting-a-document-load><span class=secno>6.5.12 </span>Aborting a document load</h4>
+ <h4 id=aborting-a-document-load><span class=secno>6.6.12 </span>Aborting a document load</h4>
<p>If a <code><a href=#document>Document</a></code> is <dfn id=abort-a-document title="abort a
document">aborted</dfn>, the user agent must run the following
@@ -67880,7 +67959,7 @@
<!--TOPIC:Offline Web Applications-->
- <h3 id=offline><span class=secno>6.6 </span>Offline Web applications</h3>
+ <h3 id=offline><span class=secno>6.7 </span>Offline Web applications</h3>
<!-- v2 ideas for appcache:
@@ -67928,7 +68007,7 @@
-->
- <h4 id=introduction-5><span class=secno>6.6.1 </span>Introduction</h4>
+ <h4 id=introduction-5><span class=secno>6.7.1 </span>Introduction</h4>
<p><i>This section is non-normative.</i></p>
@@ -68015,7 +68094,7 @@
- <h5 id=appcacheevents><span class=secno>6.6.1.1 </span>Event summary</h5>
+ <h5 id=appcacheevents><span class=secno>6.7.1.1 </span>Event summary</h5>
<p><i>This section is non-normative.</i></p>
@@ -68072,7 +68151,7 @@
<td> The user agent will try fetching the files again momentarily.
</table><div class=impl>
- <h4 id=appcache><span class=secno>6.6.2 </span>Application caches</h4>
+ <h4 id=appcache><span class=secno>6.7.2 </span>Application caches</h4>
<p>An <dfn id=application-cache>application cache</dfn> is a set of cached resources
consisting of:</p>
@@ -68266,10 +68345,10 @@
- <h4 id=manifests><span class=secno>6.6.3 </span>The cache manifest syntax</h4>
+ <h4 id=manifests><span class=secno>6.7.3 </span>The cache manifest syntax</h4>
- <h5 id=some-sample-manifests><span class=secno>6.6.3.1 </span>Some sample manifests</h5>
+ <h5 id=some-sample-manifests><span class=secno>6.7.3.1 </span>Some sample manifests</h5>
<p><i>This section is non-normative.</i></p>
@@ -68365,7 +68444,7 @@
- <h5 id=writing-cache-manifests><span class=secno>6.6.3.2 </span>Writing cache manifests</h5>
+ <h5 id=writing-cache-manifests><span class=secno>6.7.3.2 </span>Writing cache manifests</h5>
<p>Manifests must be served using the
<code><a href=#text/cache-manifest>text/cache-manifest</a></code> <a href=#mime-type>MIME type</a>. All
@@ -68517,7 +68596,7 @@
<div class=impl>
- <h5 id=parsing-cache-manifests><span class=secno>6.6.3.3 </span>Parsing cache manifests</h5>
+ <h5 id=parsing-cache-manifests><span class=secno>6.7.3.3 </span>Parsing cache manifests</h5>
<p>When a user agent is to <dfn id=parse-a-manifest>parse a manifest</dfn>, it means
that the user agent must run the following steps:</p>
@@ -68790,7 +68869,7 @@
</div>
- <h4 id=downloading-or-updating-an-application-cache><span class=secno>6.6.4 </span>Downloading or updating an application cache</h4>
+ <h4 id=downloading-or-updating-an-application-cache><span class=secno>6.7.4 </span>Downloading or updating an application cache</h4>
<p>When the user agent is required (by other parts of this
specification) to start the <dfn id=application-cache-download-process>application cache download
@@ -69577,7 +69656,7 @@
- <h4 id=the-application-cache-selection-algorithm><span class=secno>6.6.5 </span>The application cache selection algorithm</h4>
+ <h4 id=the-application-cache-selection-algorithm><span class=secno>6.7.5 </span>The application cache selection algorithm</h4>
<p>When the <dfn id=concept-appcache-init title=concept-appcache-init>application cache
selection algorithm</dfn> algorithm is invoked with a
@@ -69665,7 +69744,7 @@
</dd>
- </dl><h4 id=changesToNetworkingModel><span class=secno>6.6.6 </span>Changes to the networking model</h4>
+ </dl><h4 id=changesToNetworkingModel><span class=secno>6.7.6 </span>Changes to the networking model</h4>
<p>When a <a href=#cache-host>cache host</a> is associated with an
<a href=#application-cache>application cache</a> whose <a href=#concept-appcache-completeness title=concept-appcache-completeness>completeness flag</a> is
@@ -69734,7 +69813,7 @@
<div class=impl>
- <h4 id=expiring-application-caches><span class=secno>6.6.7 </span>Expiring application caches</h4>
+ <h4 id=expiring-application-caches><span class=secno>6.7.7 </span>Expiring application caches</h4>
<p>As a general rule, user agents should not expire application
caches, except on request from the user, or after having been left
@@ -69758,7 +69837,7 @@
<div class=impl>
- <h4 id=disk-space><span class=secno>6.6.8 </span>Disk space</h4>
+ <h4 id=disk-space><span class=secno>6.7.8 </span>Disk space</h4>
<p>User agents should consider applying constraints on disk usage of
<a href=#application-cache title="application cache">application caches</a>, and care
@@ -69781,7 +69860,7 @@
- <h4 id=application-cache-api><span class=secno>6.6.9 </span>Application cache API</h4>
+ <h4 id=application-cache-api><span class=secno>6.7.9 </span>Application cache API</h4>
<pre class=idl>interface <dfn id=applicationcache>ApplicationCache</dfn> : <a href=#eventtarget>EventTarget</a> {
@@ -70039,7 +70118,7 @@
</table></div>
- <h4 id=browser-state><span class=secno>6.6.10 </span>Browser state</h4>
+ <h4 id=browser-state><span class=secno>6.7.10 </span>Browser state</h4>
<pre class=idl>[NoInterfaceObject]
interface <dfn id=navigatoronline>NavigatorOnLine</dfn> {
@@ -70151,10 +70230,10 @@
the option to disable scripting globally, or in a finer-grained
manner, e.g. on a per-origin basis.)</li>
- <li id=sandboxScriptBlocked>The <a href=#browsing-context>browsing context</a> did
- not have the <a href=#sandboxed-scripts-browsing-context-flag>sandboxed scripts browsing context flag</a>
- set when the <a href=#browsing-context>browsing context</a>'s <a href=#active-document>active
- document</a> was created.</li>
+ <li id=sandboxScriptBlocked>The <a href=#browsing-context>browsing context</a>'s
+ <a href=#active-document>active document</a>'s <a href=#active-sandboxing-flag-set>active sandboxing flag
+ set</a> does not have its <a href=#sandboxed-scripts-browsing-context-flag>sandboxed scripts browsing
+ context flag</a> set.</li>
</ul><p><dfn id=concept-bc-noscript title=concept-bc-noscript>Scripting is disabled</dfn> in a
<a href=#browsing-context>browsing context</a> when any of the above conditions are
@@ -72397,10 +72476,10 @@
<li>
- <p>If the current browsing context had the <a href=#sandboxed-navigation-browsing-context-flag>sandboxed
- navigation browsing context flag</a> set when its <a href=#active-document>active
- document</a> was created, then return the empty string and
- abort these steps.</p>
+ <p>If the current browsing context's <a href=#active-document>active
+ document</a>'s <a href=#active-sandboxing-flag-set>active sandboxing flag set</a> has its
+ <a href=#sandboxed-navigation-browsing-context-flag>sandboxed navigation browsing context flag</a> set, then
+ return the empty string and abort these steps.</p>
</li>
@@ -95618,15 +95697,14 @@
or <a href=#xml-parser>XML parser</a>, and when the element is not <a href=#in-a-document>in a
<code>Document</code></a>, and when the element's document is not
<a href=#fully-active>fully active</a>, and when the element's
- <code><a href=#document>Document</a></code>'s <a href=#browsing-context>browsing context</a> had its
- <a href=#sandboxed-plugins-browsing-context-flag>sandboxed plugins browsing context flag</a> when that
- <code><a href=#document>Document</a></code> was created, and when the element has an
- ancestor <a href=#media-element>media element</a>, and when the element has an
- ancestor <code><a href=#the-object-element>object</a></code> element that is <em>not</em> showing
- its <a href=#fallback-content>fallback content</a>, and when no Java Language runtime
- <a href=#plugin>plugin</a> is available, and when one <em>is</em> available
- but it is disabled, the element <a href=#represents>represents</a> its
- contents.</p>
+ <code><a href=#document>Document</a></code>'s <a href=#active-sandboxing-flag-set>active sandboxing flag set</a> has
+ its <a href=#sandboxed-plugins-browsing-context-flag>sandboxed plugins browsing context flag</a> set, and
+ when the element has an ancestor <a href=#media-element>media element</a>, and
+ when the element has an ancestor <code><a href=#the-object-element>object</a></code> element that is
+ <em>not</em> showing its <a href=#fallback-content>fallback content</a>, and when no
+ Java Language runtime <a href=#plugin>plugin</a> is available, and when one
+ <em>is</em> available but it is disabled, the element
+ <a href=#represents>represents</a> its contents.</p>
<!-- we assume here that the Java plugin can't be <span
title="concept-plugin-secure">secured</span>; if anyone does end up
@@ -100660,6 +100738,9 @@
such, but there's a western bias to these references for
consistency. sorry. -->
+ <dt id=refsCSP>[CSS]</dt>
+ <dd>(Non-normative) <cite><a href=http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html>Content Security Policy</a></cite>, B. Sterne, A. Barth. W3C.</dd>
+
<dt id=refsCSS>[CSS]</dt>
<dd><cite><a href=http://www.w3.org/TR/CSS/>Cascading Style Sheets Level 2
Revision 1</a></cite>, B. Bos, T. Çelik, I.
Modified: source
===================================================================
--- source 2012-04-11 23:22:15 UTC (rev 7051)
+++ source 2012-04-13 22:55:46 UTC (rev 7052)
@@ -10237,7 +10237,7 @@
<p>Can be set, to add a new cookie to the element's set of HTTP
cookies.</p>
<p>If the contents are <span title="sandboxed origin browsing
- context flag">sandboxed into a unique origin</span> (in an
+ context flag">sandboxed into a unique origin</span> (e.g. in an
<code>iframe</code> with the <code
title="attr-iframe-sandbox">sandbox</code> attribute), a
<code>SecurityError</code> exception will be thrown on getting and
@@ -16429,9 +16429,9 @@
<p>After the refresh has come due (as defined below), if the
user has not canceled the redirect and if the
<code>meta</code> element's <code>Document</code>'s
- <span>browsing context</span> did not have the <span>sandboxed
- automatic features browsing context flag</span> set when the
- <code>Document</code> was created, <span
+ <span>active sandboxing flag set</span> does not have the
+ <span>sandboxed automatic features browsing context
+ flag</span> set, <span
title="navigate">navigate</span><!--DONAV meta refresh--> the
<code>Document</code>'s <span>browsing context</span> to <var
title="">url</var>, with <span>replacement enabled</span>, and
@@ -27245,124 +27245,40 @@
<p>While the <code title="attr-iframe-sandbox">sandbox</code>
attribute is specified, the <code>iframe</code> element's
- <span>nested browsing context</span> must have the flags given in
- the following list set. In addition, any browsing contexts <span
- title="nested browsing context">nested</span> within an
- <code>iframe</code>, either directly or indirectly, must have all
- the flags set on them as were set on the <code>iframe</code>'s
- <code>Document</code>'s <span>browsing context</span> when the
- <code>iframe</code>'s <code>Document</code> was created.</p>
+ <span>nested browsing context</span>'s <span><code>iframe</code>
+ sandboxing flag set</span> must have the flags given in the
+ following list set.</p>
- <dl>
+ <ul>
- <dt>The <dfn>sandboxed navigation browsing context flag</dfn></dt>
+ <li><p>The <span>sandboxed navigation browsing context flag</span></p></li>
- <dd>
-
- <p>This flag <a href="#sandboxLinks">prevents content from
- navigating browsing contexts other than the sandboxed browsing
- context itself</a> (or browsing contexts further nested inside
- it), and the <span>top-level browsing context</span> (which is
- protected by the <span>sandboxed top-level navigation browsing
- context flag</span> defined next).</p>
-
- <p>This flag also <a href="#sandboxWindowOpen">prevents content
- from creating new auxiliary browsing contexts</a>, e.g. using the
- <code title="attr-hyperlink-target">target</code> attribute, the
- <code title="dom-open">window.open()</code> method, or the <code
- title="dom-showModalDialog">showModalDialog()</code> method.</p>
-
- </dd>
-
-
- <dt>The <dfn>sandboxed top-level navigation browsing context
- flag</dfn>, unless the <code
+ <li><p>The <span>sandboxed top-level navigation browsing context
+ flag</span>, unless the <code
title="attr-iframe-sandbox">sandbox</code> attribute's value, when
<span title="split a string on spaces">split on spaces</span>, is
found to have the <dfn
title="attr-iframe-sandbox-allow-top-navigation"><code>allow-top-navigation</code></dfn>
- keyword set</dt>
+ keyword set</p></li>
- <dd>
+ <li><p>The <span>sandboxed plugins browsing context flag</span></p></li>
- <p>This flag <a href="#sandboxLinks">prevents content from
- navigating their <span>top-level browsing context</span></a>.</p>
+ <li><p>The <span>sandboxed seamless iframes flag</span></p></li>
- <p>When the <code
- title="attr-iframe-sandbox-allow-top-navigation">allow-top-navigation</code>
- is set, content can navigate its <span>top-level browsing
- context</span>, but other <span title="browsing context">browsing
- contexts</span> are still protected by the <span>sandboxed
- navigation browsing context flag</span> defined above.</p>
+ <li>
- </dd>
+ <p>The <span>sandboxed origin browsing context flag</span>, unless
+ the <code title="attr-iframe-sandbox">sandbox</code> attribute's
+ value, when <span title="split a string on spaces">split on
+ spaces</span>, is found to have the <dfn
+ title="attr-iframe-sandbox-allow-same-origin"><code>allow-same-origin</code></dfn>
+ keyword set</p>
-
- <dt>The <dfn>sandboxed plugins browsing context flag</dfn></dt>
-
- <dd>
-
- <p>This flag prevents content from instantiating <span
- title="plugin">plugins</span>, whether using <a
- href="#sandboxPluginEmbed">the <code>embed</code> element</a>, <a
- href="#sandboxPluginObject">the <code>object</code> element</a>,
- <a href="#sandboxPluginApplet">the <code>applet</code>
- element</a>, or through <a
- href="#sandboxPluginNavigate">navigation</a> of a <span>nested
- browsing context</span>, unless those <span
- title="plugin">plugins</span> can be <span
- title="concept-plugin-secure">secured</span>.</p>
-
- </dd>
-
-
- <dt>The <dfn>sandboxed seamless iframes flag</dfn></dt>
-
- <dd>
-
- <p>This flag prevents content from using the <code
- title="attr-iframe-seamless">seamless</code> attribute on
- descendant <code>iframe</code> elements.</p>
-
- <p class="note">This prevents a page inserted using the <code
- title="attr-iframe-sandbox-allow-same-origin">allow-same-origin</code>
- keyword from using a CSS-selector-based method of probing the DOM
- of other pages on the same site (in particular, pages that contain
- user-sensitive information).</p>
-
- <!-- http://lists.w3.org/Archives/Public/public-web-security/2009Dec/thread.html#msg51 -->
-
- </dd>
-
-
- <dt>The <dfn>sandboxed origin browsing context flag</dfn>, unless
- the <code title="attr-iframe-sandbox">sandbox</code> attribute's
- value, when <span title="split a string on spaces">split on
- spaces</span>, is found to have the <dfn
- title="attr-iframe-sandbox-allow-same-origin"><code>allow-same-origin</code></dfn>
- keyword set</dt>
-
- <dd>
-
- <p>This flag <a href="#sandboxOrigin">forces content into a unique
- origin</a>, thus preventing it from accessing other content from
- the same <span>origin</span>.</p>
-
- <p>This flag also <a href="#sandboxCookies">prevents script from
- reading from or writing to the <code
- title="dom-document-cookie">document.cookie</code> IDL
- attribute</a>, and blocks access to <code
- title="dom-localStorage">localStorage</code>.
- <!--END complete-->
- <a href="#refsWEBSTORAGE">[WEBSTORAGE]</a>
- <!--START complete-->
- </p>
-
<div class="note">
<p>The <code
title="attr-iframe-sandbox-allow-same-origin">allow-same-origin</code>
- attribute is intended for two cases.</p>
+ keyword is intended for two cases.</p>
<p>First, it can be used to allow content from the same site to
be sandboxed to disable scripting, while still allowing access to
@@ -27376,61 +27292,41 @@
</div>
- </dd>
+ </li>
-
- <dt>The <dfn>sandboxed forms browsing context flag</dfn>, unless
+ <li><p>The <span>sandboxed forms browsing context flag</span>, unless
the <code title="attr-iframe-sandbox">sandbox</code> attribute's
value, when <span title="split a string on spaces">split on
spaces</span>, is found to have the <dfn
title="attr-iframe-sandbox-allow-forms"><code>allow-forms</code></dfn>
- keyword set</dt>
+ keyword set</p></li>
- <dd>
-
- <p>This flag <a href="#sandboxSubmitBlocked">blocks form
- submission</a>.</p>
-
- </dd>
-
-
- <dt>The <dfn>sandboxed scripts browsing context flag</dfn>, unless
+ <li><p>The <span>sandboxed scripts browsing context flag</span>, unless
the <code title="attr-iframe-sandbox">sandbox</code> attribute's
value, when <span title="split a string on spaces">split on
spaces</span>, is found to have the <dfn
title="attr-iframe-sandbox-allow-scripts"><code>allow-scripts</code></dfn>
- keyword set</dt>
+ keyword set</p></li>
- <dd>
+ <li>
- <p>This flag <a href="#sandboxScriptBlocked">blocks script
- execution</a>.</p>
+ <p>The <span>sandboxed automatic features browsing context
+ flag</span>, unless the <code
+ title="attr-iframe-sandbox">sandbox</code> attribute's value, when
+ <span title="split a string on spaces">split on spaces</span>, is
+ found to have the <code
+ title="attr-iframe-sandbox-allow-scripts">allow-scripts</code>
+ keyword (defined above) set</p>
- </dd>
-
-
- <dt>The <dfn>sandboxed automatic features browsing context
- flag</dfn>, unless the <code
- title="attr-iframe-sandbox">sandbox</code> attribute's value, when
- <span title="split a string on spaces">split on spaces</span>, is
- found to have the <code
- title="attr-iframe-sandbox-allow-scripts">allow-scripts</code>
- keyword (defined above) set</dt>
-
- <dd>
-
- <p>This flag blocks features that trigger automatically, such as
- <span title="attr-media-autoplay">automatically playing a
- video</span> or <span title="attr-fe-autofocus">automatically
- focusing a form control</span>. It is relaxed by the same flag as
+ <p class="note">This flag is relaxed by the same flag as
scripts, because when scripts are enabled these features are
trivially possible anyway, and it would be unfortunate to force
authors to use script to do them when sandboxed rather than
allowing them to use the declarative features.</p>
- </dd>
+ </li>
- </dl>
+ </ul>
<p>These flags must not be set unless the conditions listed above
define them as being set.</p>
@@ -27557,18 +27453,18 @@
be part of the containing document (seamlessly included in the
parent document). <span class="impl">Specifically, when the
attribute is set on an <code>iframe</code> element whose owner
- <code>Document</code>'s <span>browsing context</span> did not have
- the <span>sandboxed seamless iframes flag</span> set when that
- <code>Document</code> was created, and while either the
- <span>browsing context</span>'s <span>active document</span> has the
- <span>same origin</span> as the <code>iframe</code> element's
- document, or the <span>browsing context</span>'s <span>active
- document</span>'s <em><span title="the document's
- address">address</span></em> has the <span>same origin</span> as the
+ <code>Document</code>'s <span>active sandboxing flag set</span> does
+ not have the <span>sandboxed seamless iframes flag</span> set, and
+ while either the <span>browsing context</span>'s <span>active
+ document</span> has the <span>same origin</span> as the
<code>iframe</code> element's document, or the <span>browsing
- context</span>'s <span>active document</span> is <span>an
- <code>iframe</code> <code title="attr-iframe-srcdoc">srcdoc</code>
- document</span>, the following requirements apply:</span></p>
+ context</span>'s <span>active document</span>'s <em><span title="the
+ document's address">address</span></em> has the <span>same
+ origin</span> as the <code>iframe</code> element's document, or the
+ <span>browsing context</span>'s <span>active document</span> is
+ <span>an <code>iframe</code> <code
+ title="attr-iframe-srcdoc">srcdoc</code> document</span>, the
+ following requirements apply:</span></p>
<div class="impl">
@@ -27933,10 +27829,9 @@
<p id="sandboxPluginEmbed">When a <span>plugin</span> is to be
instantiated but it cannot be <span
title="concept-plugin-secure">secured</span> and the <span>sandboxed
- plugins browsing context flag</span> was set on the <span>browsing
- context</span> for which the <code>embed</code> element's
- <code>Document</code> is the <span>active document</span> when that
- <code>Document</code> was created, then the user agent must not
+ plugins browsing context flag</span> is set on the
+ <code>embed</code> element's <code>Document</code>'s <span>active
+ sandboxing flag set</span>, then the user agent must not
instantiate the <span>plugin</span>, and must instead render the
<code>embed</code> element in a manner that conveys that the
<span>plugin</span> was disabled. The user agent may offer the user
@@ -28836,9 +28731,9 @@
<p id="sandboxPluginObject">Plugins are considered sandboxed for the
purpose of an <code>object</code> element if the <span>sandboxed
- plugins browsing context flag</span> was set on the
- <code>object</code> element's <code>Document</code>'s <span>browsing
- context</span> when the <code>Document</code> was created.</p>
+ plugins browsing context flag</span> is set on the
+ <code>object</code> element's <code>Document</code>'s <span>active
+ sandboxing flag set</span>.</p>
<p class="note">The above algorithm is independent of CSS properties
(including 'display', 'overflow', and 'visibility'). For example, it
@@ -32461,17 +32356,17 @@
named <code title="event-media-playing">playing</code>.</p>
<p>If the <span>autoplaying flag</span> is true, and the <code
- title="dom-media-paused">paused</code> attribute is true, and the
- <span>media element</span> has an <code
+ title="dom-media-paused">paused</code> attribute is true, and
+ the <span>media element</span> has an <code
title="attr-media-autoplay">autoplay</code> attribute specified,
and the <span>media element</span>'s <code>Document</code>'s
- <span>browsing context</span> did not have the <span>sandboxed
- automatic features browsing context flag</span> set when the
- <code>Document</code> was created, then the user agent may also
- set the <code title="dom-media-paused">paused</code> attribute to
- false, <span>queue a task</span> to <span>fire a simple
- event</span> named <code title="event-media-play">play</code>, and
+ <span>active sandboxing flag set</span> does not have the
+ <span>sandboxed automatic features browsing context flag</span>
+ set, then the user agent may also set the <code
+ title="dom-media-paused">paused</code> attribute to false,
<span>queue a task</span> to <span>fire a simple event</span>
+ named <code title="event-media-play">play</code>, and
+ <span>queue a task</span> to <span>fire a simple event</span>
named <code title="event-media-playing">playing</code>.</p>
<p class="note">User agents do not need to support autoplay,
@@ -61911,10 +61806,9 @@
it is a <span>nested browsing context</span> with no <span>parent
browsing context</span>), abort these steps.</p></li>
- <li><p>If <var title="">target</var>'s <span>browsing
- context</span> had the <span>sandboxed automatic features browsing
- context flag</span> set when <var title="">target</var> was
- created, abort these steps.</p></li>
+ <li><p>If <var title="">target</var>'s <span>active sandboxing
+ flag set</span> has the <span>sandboxed automatic features
+ browsing context flag</span>, abort these steps.</p></li>
<li><p>If <var title="">target</var>'s <span>origin</span> is not
the <span title="same origin">same</span> as the
@@ -63077,9 +62971,9 @@
<li id="sandboxSubmitBlocked"><p>If <var title="">form
document</var> has no associated <span>browsing context</span> or
- its <span>browsing context</span> had its <span>sandboxed forms
- browsing context flag</span> set when the <code>Document</code> was
- created, then abort these steps without doing anything.</p></li>
+ its <span>active sandboxing flag set</span> has its
+ <span>sandboxed forms browsing context flag</span> set, then abort
+ these steps without doing anything.</p></li>
<li><p>Let <var title="">form browsing context</var> be the
<span>browsing context</span> of <var title="">form
@@ -75149,9 +75043,10 @@
<dl class="switch">
- <dt id="sandboxWindowOpen">If the current browsing context had
- the <span>sandboxed navigation browsing context flag</span> set
- when its <span>active document</span> was created.</dt>
+ <dt id="sandboxWindowOpen">If the current browsing context's
+ <span>active document</span>'s <span>active sandboxing flag
+ set</span> has the <span>sandboxed navigation browsing context
+ flag</span> set.</dt>
<dd><p>The user agent may offer to create a new <span>top-level
browsing context</span> or reuse an existing <span>top-level
@@ -76253,10 +76148,9 @@
<dl class="switch">
- <dt id="sandboxOrigin">If a <code>Document</code> is in a
- <span>browsing context</span> whose <span>sandboxed origin
- browsing context flag</span> was set when the
- <code>Document</code> was created</dt>
+ <dt id="sandboxOrigin">If a <code>Document</code>'s <span>active
+ sandboxing flag set</span> has its <span>sandboxed origin
+ browsing context flag</span> set</dt>
<dd>The <span>origin</span> is a globally unique identifier
assigned when the <code>Document</code> is created.</dd>
@@ -76693,6 +76587,162 @@
<!--TOPIC:HTML-->
+
+
+ <h3>Sandboxing</h3>
+
+ <p>A <dfn>sandboxing flag set</dfn> is a set of zero or more of the
+ following flags, which are used to restrict the abilities that
+ potentially untrusted resources have:</p>
+
+ <dl>
+
+ <dt>The <dfn>sandboxed navigation browsing context flag</dfn></dt>
+
+ <dd>
+
+ <p>This flag <a href="#sandboxLinks">prevents content from
+ navigating browsing contexts other than the sandboxed browsing
+ context itself</a> (or browsing contexts further nested inside
+ it), and the <span>top-level browsing context</span> (which is
+ protected by the <span>sandboxed top-level navigation browsing
+ context flag</span> defined next).</p>
+
+ <p>This flag also <a href="#sandboxWindowOpen">prevents content
+ from creating new auxiliary browsing contexts</a>, e.g. using the
+ <code title="attr-hyperlink-target">target</code> attribute, the
+ <code title="dom-open">window.open()</code> method, or the <code
+ title="dom-showModalDialog">showModalDialog()</code> method.</p>
+
+ </dd>
+
+
+ <dt>The <dfn>sandboxed top-level navigation browsing context
+ flag</dfn></dt>
+
+ <dd>
+
+ <p>This flag <a href="#sandboxLinks">prevents content from
+ navigating their <span>top-level browsing context</span></a>.</p>
+
+ <p>When the <code
+ title="attr-iframe-sandbox-allow-top-navigation">allow-top-navigation</code>
+ is set, content can navigate its <span>top-level browsing
+ context</span>, but other <span title="browsing context">browsing
+ contexts</span> are still protected by the <span>sandboxed
+ navigation browsing context flag</span> defined above.</p>
+
+ </dd>
+
+
+ <dt>The <dfn>sandboxed plugins browsing context flag</dfn></dt>
+
+ <dd>
+
+ <p>This flag prevents content from instantiating <span
+ title="plugin">plugins</span>, whether using <a
+ href="#sandboxPluginEmbed">the <code>embed</code> element</a>, <a
+ href="#sandboxPluginObject">the <code>object</code> element</a>,
+ <a href="#sandboxPluginApplet">the <code>applet</code>
+ element</a>, or through <a
+ href="#sandboxPluginNavigate">navigation</a> of a <span>nested
+ browsing context</span>, unless those <span
+ title="plugin">plugins</span> can be <span
+ title="concept-plugin-secure">secured</span>.</p>
+
+ </dd>
+
+
+ <dt>The <dfn>sandboxed seamless iframes flag</dfn></dt>
+
+ <dd>
+
+ <p>This flag prevents content from using the <code
+ title="attr-iframe-seamless">seamless</code> attribute on
+ descendant <code>iframe</code> elements.</p>
+
+ <p class="note">This prevents a page inserted using the <code
+ title="attr-iframe-sandbox-allow-same-origin">allow-same-origin</code>
+ keyword from using a CSS-selector-based method of probing the DOM
+ of other pages on the same site (in particular, pages that contain
+ user-sensitive information).</p>
+
+ <!-- http://lists.w3.org/Archives/Public/public-web-security/2009Dec/thread.html#msg51 -->
+
+ </dd>
+
+
+ <dt>The <dfn>sandboxed origin browsing context flag</dfn></dt>
+
+ <dd>
+
+ <p>This flag <a href="#sandboxOrigin">forces content into a unique
+ origin</a>, thus preventing it from accessing other content from
+ the same <span>origin</span>.</p>
+
+ <p>This flag also <a href="#sandboxCookies">prevents script from
+ reading from or writing to the <code
+ title="dom-document-cookie">document.cookie</code> IDL
+ attribute</a>, and blocks access to <code
+ title="dom-localStorage">localStorage</code>.
+ <!--END complete-->
+ <a href="#refsWEBSTORAGE">[WEBSTORAGE]</a>
+ <!--START complete-->
+ </p>
+
+ </dd>
+
+
+ <dt>The <dfn>sandboxed forms browsing context flag</dfn></dt>
+
+ <dd>
+
+ <p>This flag <a href="#sandboxSubmitBlocked">blocks form
+ submission</a>.</p>
+
+ </dd>
+
+
+ <dt>The <dfn>sandboxed scripts browsing context flag</dfn></dt>
+
+ <dd>
+
+ <p>This flag <a href="#sandboxScriptBlocked">blocks script
+ execution</a>.</p>
+
+ </dd>
+
+
+ <dt>The <dfn>sandboxed automatic features browsing context
+ flag</dfn></dt>
+
+ <dd>
+
+ <p>This flag blocks features that trigger automatically, such as
+ <span title="attr-media-autoplay">automatically playing a
+ video</span> or <span title="attr-fe-autofocus">automatically
+ focusing a form control</span>.</p>
+
+ </dd>
+
+ </dl>
+
+ <p>Every <span>nested browsing context</span> has an
+ <dfn><code>iframe</code> sandboxing flag set</dfn>, which is a
+ <span>sandboxing flag set</span>. Which flags in a <span>nested
+ browsing context</span>'s <span><code>iframe</code> sandboxing flag
+ set</span> are set at any particular time is determined by the
+ <code>iframe</code> element's <code
+ title="attr-iframe-sandbox">sandbox</code> attribute.</p>
+
+ <p>Every <code>Document</code> has an <dfn>active sandboxing flag
+ set</dfn>, which is a <span>sandboxing flag set</span>. When the
+ <code>Document</code> is created, its <span>active sandboxing flag
+ set</span> must be empty. It is populated by the <span
+ title="navigate">navigation algorithm</span>.</p>
+
+
+
<h3 id="history">Session history and navigation</h3>
<h4>The session history of browsing contexts</h4>
@@ -77679,22 +77729,23 @@
<span>source browsing context</span> is not one of the <span
title="ancestor browsing context">ancestor browsing
contexts</span> of the <span>browsing context</span> being
- navigated, and the <span>browsing context</span> being navigated is
- not both a <span>top-level browsing context</span> and one of the
- <span title="ancestor browsing context">ancestor browsing
+ navigated, and the <span>browsing context</span> being navigated
+ is not both a <span>top-level browsing context</span> and one of
+ the <span title="ancestor browsing context">ancestor browsing
contexts</span> of the <span>source browsing context</span>, and
- the <span>source browsing context</span> had its <span>sandboxed
- navigation browsing context flag</span> set when its <span>active
- document</span> was created, then abort these steps.</p>
+ the <span>source browsing context</span>'s <span>active
+ document</span>'s <span>active sandboxing flag set</span> has its
+ <span>sandboxed navigation browsing context flag</span> set, then
+ abort these steps.</p>
<p>Otherwise, if the <span>browsing context</span> being navigated
is a <span>top-level browsing context</span>, and is one of the
<span title="ancestor browsing context">ancestor browsing
contexts</span> of the <span>source browsing context</span>, and
- the <span>source browsing context</span> had its <span>sandboxed
- top-level navigation browsing context flag</span> set when its
- <span>active document</span> was created, then abort these
- steps.</p>
+ the <span>source browsing context</span>'s <code>Document</code>'s
+ <Span>active sandboxing flag set</span> has its <span>sandboxed
+ top-level navigation browsing context flag</span> set, then abort
+ these steps.</p>
<p>In both cases, the user agent may additionally offer to open
the new resource in a new <span>top-level browsing context</span>
@@ -78098,21 +78149,60 @@
<code>javascript:</code> URL</span>.</p>
<p><dfn title="create a Document object">Creating a new
- <code>Document</code> object</dfn>: When a <code>Document</code>
- is created as part of the above steps, a new <code>Window</code>
- object must be created and associated with the
- <code>Document</code>, with one exception: if the <span>browsing
- context</span>'s only entry in its <span>session history</span> is
- the <code>about:blank</code> <code>Document</code> that was added
- when the <span>browsing context</span> was created, and navigation
- is occurring with <span>replacement enabled</span>, and that
- <code>Document</code> has the <span>same origin</span> as the new
- <code>Document</code>, then the <code>Window</code> object of that
- <code>Document</code> must be used instead, and the <code
+ <code>Document</code> object</dfn>: when a <code>Document</code>
+ is created as part of the above steps, the user agent has a couple
+ of additional requirements to follow as part of creating the new
+ object:</p>
+
+ <p>First, a new <code>Window</code> object must be created and
+ associated with the <code>Document</code>, with one exception: if
+ the <span>browsing context</span>'s only entry in its
+ <span>session history</span> is the <code>about:blank</code>
+ <code>Document</code> that was added when the <span>browsing
+ context</span> was created, and navigation is occurring with
+ <span>replacement enabled</span>, and that <code>Document</code>
+ has the <span>same origin</span> as the new <code>Document</code>,
+ then the <code>Window</code> object of that <code>Document</code>
+ must be used instead, and the <code
title="dom-document">document</code> attribute of the
<code>Window</code> object must be changed to point to the new
<code>Document</code> instead.</p>
+ <p>Second, the <code>Document</code>'s <span>active sandboxing
+ flag set</span> must be populated with the union of the flags that
+ are present in the following <span title="sandboxing flag
+ set">sandboxing flag sets</span> at the time the
+ <code>Document</code> object is created:</p>
+
+ <ul>
+
+ <li><p>If the <code>Document</code>'s <span>browsing
+ context</span> is a <span>nested browsing context</span>, then:
+ the flags set on the <span>browsing context</span>'s
+ <span><code>iframe</code> sandboxing flag set</span>.</p></li>
+
+ <li><p>If the <code>Document</code>'s <span>browsing
+ context</span> is a <span>nested browsing context</span>, then:
+ the flags set on the <span>browsing context</span>'s <span>parent
+ browsing context</span>'s <span>active document</span>'s
+ <span>active sandboxing flag set</span>.</p></li>
+
+ <li><p>The flags set on the resource's <span>forced sandboxing
+ flag set</span>.</p></li>
+
+ </ul>
+
+ <p>Each resource obtained by this <span
+ title="navigate">navigation algorithm</span> has a <dfn> forced
+ sandboxing flag set</dfn>, which is a <span>sandboxing flag
+ set</span>. A resource by default has no flags set in its
+ <span>forced sandboxing flag set</span>, but other specifications
+ can define that certain flags are set.</p>
+
+ <p class="note">In particular, the <span>forced sandboxing flag
+ set</span> is used by the Content Security Policy specification.
+ <a href="#refsCSP">[CSP]</a></p>
+
</li>
<li id="navigate-non-Document">
@@ -78561,9 +78651,9 @@
element, e.g. to link to a style sheet or an XBL binding, or to give
the document a <code>title</code>.</p>
- <p class="note" id="sandboxPluginNavigate">If the <span>sandboxed
- plugins browsing context flag</span> was set on the <span>browsing
- context</span> when the <code>Document</code> was created, the
+ <p class="note" id="sandboxPluginNavigate">If the
+ <code>Document</code>'s <span>active sandboxing flag set</span> has
+ its <span>sandboxed plugins browsing context flag</span> set, the
synthesized <code>embed</code> element will <a
href="#sandboxPluginEmbed">fail to render the content</a> if the
relevant <span>plugin</span> cannot be <span
@@ -82048,10 +82138,10 @@
the option to disable scripting globally, or in a finer-grained
manner, e.g. on a per-origin basis.)</li>
- <li id="sandboxScriptBlocked">The <span>browsing context</span> did
- not have the <span>sandboxed scripts browsing context flag</span>
- set when the <span>browsing context</span>'s <span>active
- document</span> was created.</li>
+ <li id="sandboxScriptBlocked">The <span>browsing context</span>'s
+ <span>active document</span>'s <span>active sandboxing flag
+ set</span> does not have its <span>sandboxed scripts browsing
+ context flag</span> set.</li>
</ul>
@@ -84686,10 +84776,10 @@
<li>
- <p>If the current browsing context had the <span>sandboxed
- navigation browsing context flag</span> set when its <span>active
- document</span> was created, then return the empty string and
- abort these steps.</p>
+ <p>If the current browsing context's <span>active
+ document</span>'s <span>active sandboxing flag set</span> has its
+ <span>sandboxed navigation browsing context flag</span> set, then
+ return the empty string and abort these steps.</p>
</li>
@@ -111527,15 +111617,14 @@
or <span>XML parser</span>, and when the element is not <span>in a
<code>Document</code></span>, and when the element's document is not
<span>fully active</span>, and when the element's
- <code>Document</code>'s <span>browsing context</span> had its
- <span>sandboxed plugins browsing context flag</span> when that
- <code>Document</code> was created, and when the element has an
- ancestor <span>media element</span>, and when the element has an
- ancestor <code>object</code> element that is <em>not</em> showing
- its <span>fallback content</span>, and when no Java Language runtime
- <span>plugin</span> is available, and when one <em>is</em> available
- but it is disabled, the element <span>represents</span> its
- contents.</p>
+ <code>Document</code>'s <span>active sandboxing flag set</span> has
+ its <span>sandboxed plugins browsing context flag</span> set, and
+ when the element has an ancestor <span>media element</span>, and
+ when the element has an ancestor <code>object</code> element that is
+ <em>not</em> showing its <span>fallback content</span>, and when no
+ Java Language runtime <span>plugin</span> is available, and when one
+ <em>is</em> available but it is disabled, the element
+ <span>represents</span> its contents.</p>
<!-- we assume here that the Java plugin can't be <span
title="concept-plugin-secure">secured</span>; if anyone does end up
@@ -117907,6 +117996,9 @@
such, but there's a western bias to these references for
consistency. sorry. -->
+ <dt id="refsCSP">[CSS]</dt>
+ <dd>(Non-normative) <cite><a href="http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html">Content Security Policy</a></cite>, B. Sterne, A. Barth. W3C.</dd>
+
<dt id="refsCSS">[CSS]</dt>
<dd><cite><a href="http://www.w3.org/TR/CSS/">Cascading Style Sheets Level 2
Revision 1</a></cite>, B. Bos, T. Çelik, I.
More information about the Commit-Watchers
mailing list