[html5] r7406 - [e] (0) Bit of editorial cleanup for <iframe>. Should have no normative effect. [...]
whatwg at whatwg.org
Tue Sep 25 20:27:08 PDT 2012
Author: ianh
Date: 2012-09-25 20:27:07 -0700 (Tue, 25 Sep 2012)
New Revision: 7406
Modified:
complete.html
index
source
Log:
[e] (0) Bit of editorial cleanup for <iframe>. Should have no normative effect.
Affected topics: HTML
Modified: complete.html
===================================================================
--- complete.html 2012-09-26 00:22:32 UTC (rev 7405)
+++ complete.html 2012-09-26 03:27:07 UTC (rev 7406)
@@ -1471,12 +1471,7 @@
publication policies</a>.</li>
-->
- <li>The W3C HTML specification omits an example that references the
- schema.org microdata vocabulary as part of a compromise intended to
- resolve larger issues of divergence between the specifications.
- (Many other examples that reference schema.org and microdata are
- included apparently without issue, however.)</li><!-- "I put a bike
- bell on his bike." -->
+ <li>The W3C HTML specification omits mentions of microdata.</li>
<li>The W3C HTML specification defines conformance for documents in
a more traditional (version-orientated) way, because of <a href=http://lists.w3.org/Archives/Public/public-html/2011Mar/0574.html>a
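Review bot: The replacement list item "The W3C HTML specification omits mentions of microdata." is unrelated to the log message, which describes only editorial cleanup for <iframe>, and it changes what the differences list asserts. The removed text described one omitted example that references schema.org and noted that many other such examples are included; the new text says mentions of microdata are omitted altogether. Suggest moving this to its own revision, or at least naming it in the log, so the change in the stated divergence can be found from the history.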
@@ -26582,112 +26577,134 @@
readonly attribute <a href=#windowproxy>WindowProxy</a>? <a href=#dom-iframe-contentwindow title=dom-iframe-contentWindow>contentWindow</a>;
};</pre>
</dd>
- </dl><!--TOPIC:HTML--><p>The <code><a href=#the-iframe-element>iframe</a></code> element <a href=#represents>represents</a> a
- <a href=#nested-browsing-context>nested browsing context</a>.</p>
+ </dl><!--TOPIC:HTML--><!-- INTRO --><p>The <code><a href=#the-iframe-element>iframe</a></code> element <a href=#represents>represents</a> a <a href=#nested-browsing-context>nested browsing
+ context</a>.</p>
- <p>The <dfn id=attr-iframe-src title=attr-iframe-src><code>src</code></dfn> attribute
- gives the address of a page that the <a href=#nested-browsing-context>nested browsing
- context</a> is to contain. The attribute, if present, must be a
- <a href=#valid-non-empty-url-potentially-surrounded-by-spaces>valid non-empty URL potentially surrounded by
- spaces</a>.</p>
-<!--MD-->
- <p>If the <code title=attr-itemprop><a href=#names:-the-itemprop-attribute>itemprop</a></code> is specified
- on an <code><a href=#the-iframe-element>iframe</a></code> element, then the <code title=attr-iframe-src><a href=#attr-iframe-src>src</a></code> attribute must also be
- specified.</p>
-<!--MD-->
+ <!-- SRC/SRCDOC -->
- <p>The <dfn id=attr-iframe-srcdoc title=attr-iframe-srcdoc><code>srcdoc</code></dfn>
- attribute gives the content of the page that the <a href=#nested-browsing-context>nested
- browsing context</a> is to contain. The value of the attribute is
- the source of <dfn id=an-iframe-srcdoc-document>an <code>iframe</code> <code title=attr-iframe-srcdoc>srcdoc</code> document</dfn>.</p>
+ <p>The <dfn id=attr-iframe-src title=attr-iframe-src><code>src</code></dfn> attribute gives the address of a page
+ that the <a href=#nested-browsing-context>nested browsing context</a> is to contain. The attribute, if present, must be a
+ <a href=#valid-non-empty-url-potentially-surrounded-by-spaces>valid non-empty URL potentially surrounded by spaces</a>. If the <code title=attr-itemprop><a href=#names:-the-itemprop-attribute>itemprop</a></code> is specified on an <code><a href=#the-iframe-element>iframe</a></code> element, then the
+ <code title=attr-iframe-src><a href=#attr-iframe-src>src</a></code> attribute must also be specified.</p>
- <p>For <code><a href=#the-iframe-element>iframe</a></code> elements in <a href=#html-documents>HTML documents</a>,
- the attribute, if present, must have a value using <a href=#syntax>the HTML
- syntax</a> that consists of the following syntactic components,
- in the given order:</p>
+ <p>The <dfn id=attr-iframe-srcdoc title=attr-iframe-srcdoc><code>srcdoc</code></dfn> attribute gives the content of
+ the page that the <a href=#nested-browsing-context>nested browsing context</a> is to contain. The value of the attribute
+ is the source of <dfn id=an-iframe-srcdoc-document>an <code>iframe</code> <code title=attr-iframe-srcdoc>srcdoc</code>
+ document</dfn>.</p>
- <ol><li>Any number of <a href=#syntax-comments title=syntax-comments>comments</a> and
- <a href=#space-character title="space character">space characters</a>.</li>
+ <p>For <code><a href=#the-iframe-element>iframe</a></code> elements in <a href=#html-documents>HTML documents</a>, the <code title=attr-iframe-srcdoc><a href=#attr-iframe-srcdoc>srcdoc</a></code> attribute, if present, must have a value using <a href=#syntax>the
+ HTML syntax</a> that consists of the following syntactic components, in the given order:</p>
+ <ol><li>Any number of <a href=#syntax-comments title=syntax-comments>comments</a> and <a href=#space-character title="space
+ character">space characters</a>.</li>
+
<li>Optionally, a <a href=#syntax-doctype title=syntax-doctype>DOCTYPE</a>.
- <li>Any number of <a href=#syntax-comments title=syntax-comments>comments</a> and
- <a href=#space-character title="space character">space characters</a>.</li>
+ <li>Any number of <a href=#syntax-comments title=syntax-comments>comments</a> and <a href=#space-character title="space
+ character">space characters</a>.</li>
<li>The root element, in the form of an <code><a href=#the-html-element>html</a></code> <a href=#syntax-elements title=syntax-elements>element</a>.</li>
- <li>Any number of <a href=#syntax-comments title=syntax-comments>comments</a> and
- <a href=#space-character title="space character">space characters</a>.</li>
+ <li>Any number of <a href=#syntax-comments title=syntax-comments>comments</a> and <a href=#space-character title="space
+ character">space characters</a>.</li>
- </ol><p>For <code><a href=#the-iframe-element>iframe</a></code> elements in <a href=#xml-documents>XML documents</a>,
- the attribute, if present, must have a value that matches the
- production labeled <code title="">document</code> in the XML
- specification. <a href=#refsXML>[XML]</a></p>
+ </ol><p>For <code><a href=#the-iframe-element>iframe</a></code> elements in <a href=#xml-documents>XML documents</a>, the <code title=attr-iframe-srcdoc><a href=#attr-iframe-srcdoc>srcdoc</a></code> attribute, if present, must have a value that matches the
+ production labeled <code title="">document</code> in the XML specification. <a href=#refsXML>[XML]</a></p>
- <p>If the <code title=attr-iframe-src><a href=#attr-iframe-src>src</a></code> attribute and the
- <code title=attr-iframe-srcdoc><a href=#attr-iframe-srcdoc>srcdoc</a></code> attribute are both
- specified together, the <code title=attr-iframe-srcdoc><a href=#attr-iframe-srcdoc>srcdoc</a></code>
- attribute takes priority. This allows authors to provide a fallback
- <a href=#url>URL</a> for legacy user agents that do not support the
- <code title=attr-iframe-srcdoc><a href=#attr-iframe-srcdoc>srcdoc</a></code> attribute.</p>
+ <div class=example>
+ <p>Here a blog uses the <code title=attr-iframe-srcdoc><a href=#attr-iframe-srcdoc>srcdoc</a></code> attribute in conjunction
+ with the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> and <code title=attr-iframe-seamless><a href=#attr-iframe-seamless>seamless</a></code> attributes described below to provide users of user
+ agents that support this feature with an extra layer of protection from script injection in the
+ blog post comments:</p>
+
+ <pre><article>
+ <h1>I got my own magazine!</h1>
+ <p>After much effort, I've finally found a publisher, and so now I
+ have my own magazine! Isn't that awesome?! The first issue will come
+ out in September, and we have articles about getting food, and about
+ getting in boxes, it's going to be great!</p>
+ <footer>
+ <p>Written by <a href="/users/cap">cap</a>, 1 hour ago.
+ </footer>
+ <article>
+ <footer> Thirteen minutes ago, <a href="/users/ch">ch</a> wrote: </footer>
+ <iframe seamless sandbox srcdoc="<p>did you get a cover picture yet?"></iframe>
+ </article>
+ <article>
+ <footer> Nine minutes ago, <a href="/users/cap">cap</a> wrote: </footer>
+ <iframe seamless sandbox srcdoc="<p>Yeah, you can see it <a href="/gallery?mode=cover&amp;page=1">in my gallery</a>."></iframe>
+ </article>
+ <article>
+ <footer> Five minutes ago, <a href="/users/ch">ch</a> wrote: </footer>
+ <iframe seamless sandbox srcdoc="<p>hey that's earl's table.
+<p>you should get earl&amp;me on the next cover."></iframe>
+ </article></pre>
+
+ <p>Notice the way that quotes have to be escaped (otherwise the <code title=attr-iframe-srcdoc><a href=#attr-iframe-srcdoc>srcdoc</a></code> attribute would end prematurely), and the way raw
+ ampersands (e.g. in URLs or in prose) mentioned in the sandboxed content have to be
+ <em>doubly</em> escaped — once so that the ampersand is preserved when originally parsing
+ the <code title=attr-iframe-srcdoc><a href=#attr-iframe-srcdoc>srcdoc</a></code> attribute, and once more to prevent the
+ ampersand from being misinterpreted when parsing the sandboxed content.</p>
+
+ </div>
+
+ <p class=note>In <a href=#syntax>the HTML syntax</a>, authors need only remember to use U+0022
+ QUOTATION MARK characters (") to wrap the attribute contents and then to escape all U+0022
+ QUOTATION MARK (") and U+0026 AMPERSAND (&) characters, and to specify the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute, to ensure safe embedding of content.</p>
+
+ <p class=note>Due to restrictions of <a href=#the-xhtml-syntax>the XHTML syntax</a>, in XML the U+003C LESS-THAN
+ SIGN character (<) needs to be escaped as well. In order to prevent <a href=http://www.w3.org/TR/REC-xml/#AVNormalize>attribute-value normalization</a>, some of XML's
+ whitespace characters — specifically U+0009 CHARACTER TABULATION (tab), U+000A LINE FEED
+ (LF), and U+000D CARRIAGE RETURN (CR) — also need to be escaped. <a href=#refsXML>[XML]</a></p>
+
+ <p class=note>If the <code title=attr-iframe-src><a href=#attr-iframe-src>src</a></code> attribute and the <code title=attr-iframe-srcdoc><a href=#attr-iframe-srcdoc>srcdoc</a></code> attribute are both specified together, the <code title=attr-iframe-srcdoc><a href=#attr-iframe-srcdoc>srcdoc</a></code> attribute takes priority. This allows authors to provide
+ a fallback <a href=#url>URL</a> for legacy user agents that do not support the <code title=attr-iframe-srcdoc><a href=#attr-iframe-srcdoc>srcdoc</a></code> attribute.</p>
+
+
<div class=impl>
- <p>When an <code><a href=#the-iframe-element>iframe</a></code> element is <a href=#insert-an-element-into-a-document title="insert an
- element into a document">inserted into a document</a>, the user
- agent must create a <a href=#nested-browsing-context>nested browsing context</a>, and then
- <a href=#process-the-iframe-attributes>process the <code>iframe</code> attributes</a> for the
- first time.</p>
+ <hr><!-- SRC/SRCDOC PROCESSING MODEL --><p>When an <code><a href=#the-iframe-element>iframe</a></code> element is <a href=#insert-an-element-into-a-document title="insert an element into a document">inserted
+ into a document</a>, the user agent must create a <a href=#nested-browsing-context>nested browsing context</a>, and
+ then <a href=#process-the-iframe-attributes>process the <code>iframe</code> attributes</a> for the first time.</p>
- <p>When an <code><a href=#the-iframe-element>iframe</a></code> element is <a href=#remove-an-element-from-a-document title="remove an
- element from a document">removed from a document</a>, the user
- agent must <a href=#a-browsing-context-is-discarded title="a browsing context is
- discarded">discard</a> the <a href=#nested-browsing-context>nested browsing
- context</a>.</p>
+ <p>When an <code><a href=#the-iframe-element>iframe</a></code> element is <a href=#remove-an-element-from-a-document title="remove an element from a document">removed
+ from a document</a>, the user agent must <a href=#a-browsing-context-is-discarded title="a browsing context is
+ discarded">discard</a> the <a href=#nested-browsing-context>nested browsing context</a>.</p>
- <p class=note>This happens without any <code title=event-unload>unload</code> events firing (the <a href=#nested-browsing-context>nested
- browsing context</a> and its <code><a href=#document>Document</a></code> are <em title="a browsing context is discarded">discarded</em>, not <em title="unload a document">unloaded</em>).</p>
+ <p class=note>This happens without any <code title=event-unload>unload</code> events firing
+ (the <a href=#nested-browsing-context>nested browsing context</a> and its <code><a href=#document>Document</a></code> are <em title="a browsing
+ context is discarded">discarded</em>, not <em title="unload a document">unloaded</em>).</p>
<!-- START of section that's very similar to <frame> -->
- <p>Whenever an <code><a href=#the-iframe-element>iframe</a></code> element with a <a href=#nested-browsing-context>nested
- browsing context</a> has its <code title=attr-iframe-srcdoc><a href=#attr-iframe-srcdoc>srcdoc</a></code> attribute set, changed, or
- removed, the user agent must <a href=#process-the-iframe-attributes>process the <code>iframe</code>
- attributes</a>.</p>
+ <p>Whenever an <code><a href=#the-iframe-element>iframe</a></code> element with a <a href=#nested-browsing-context>nested browsing context</a> has its
+ <code title=attr-iframe-srcdoc><a href=#attr-iframe-srcdoc>srcdoc</a></code> attribute set, changed, or removed, the user agent
+ must <a href=#process-the-iframe-attributes>process the <code>iframe</code> attributes</a>.</p>
- <p>Similarly, whenever an <code><a href=#the-iframe-element>iframe</a></code> element with a
- <a href=#nested-browsing-context>nested browsing context</a> but with no <code title=attr-iframe-srcdoc><a href=#attr-iframe-srcdoc>srcdoc</a></code> attribute specified has its
- <code title=attr-iframe-src><a href=#attr-iframe-src>src</a></code> attribute set, changed, or
- removed, the user agent must <a href=#process-the-iframe-attributes>process the <code>iframe</code>
- attributes</a>.</p> <!-- It doesn't happen when the base URL is
- changed, though. -->
+ <p>Similarly, whenever an <code><a href=#the-iframe-element>iframe</a></code> element with a <a href=#nested-browsing-context>nested browsing context</a>
+ but with no <code title=attr-iframe-srcdoc><a href=#attr-iframe-srcdoc>srcdoc</a></code> attribute specified has its <code title=attr-iframe-src><a href=#attr-iframe-src>src</a></code> attribute set, changed, or removed, the user agent must
+ <a href=#process-the-iframe-attributes>process the <code>iframe</code> attributes</a>.</p> <!-- It doesn't happen when the base
+ URL is changed, though. -->
- <p>When the user agent is to <dfn id=process-the-iframe-attributes>process the <code>iframe</code>
- attributes</dfn>, it must run the first appropriate steps from the
- following list:</p>
+ <p>When the user agent is to <dfn id=process-the-iframe-attributes>process the <code>iframe</code> attributes</dfn>, it must run
+ the first appropriate steps from the following list:</p>
- <dl class=switch><dt>If the <code title=attr-iframe-srcdoc><a href=#attr-iframe-srcdoc>srcdoc</a></code> attribute
- is specified</dt>
+ <dl class=switch><dt>If the <code title=attr-iframe-srcdoc><a href=#attr-iframe-srcdoc>srcdoc</a></code> attribute is specified</dt>
- <dd><p><a href=#navigate>Navigate</a><!--DONAV iframe--> the element's
- <a href=#child-browsing-context>child browsing context</a> to a resource whose
- <a href=#content-type>Content-Type</a> is <code><a href=#text/html>text/html</a></code>, whose
- <a href=#url>URL</a> is <code><a href=#about:srcdoc>about:srcdoc</a></code>, and whose data
- consists of the value of the attribute. The resulting
- <code><a href=#document>Document</a></code> must be considered <a href=#an-iframe-srcdoc-document>an
- <code>iframe</code> <code title=attr-iframe-srcdoc>srcdoc</code>
- document</a>.</dd>
+ <dd><p><a href=#navigate>Navigate</a><!--DONAV iframe--> the element's <a href=#child-browsing-context>child browsing context</a>
+ to a resource whose <a href=#content-type>Content-Type</a> is <code><a href=#text/html>text/html</a></code>, whose <a href=#url>URL</a>
+ is <code><a href=#about:srcdoc>about:srcdoc</a></code>, and whose data consists of the value of the attribute. The
+ resulting <code><a href=#document>Document</a></code> must be considered <a href=#an-iframe-srcdoc-document>an <code>iframe</code> <code title=attr-iframe-srcdoc>srcdoc</code> document</a>.</dd>
- <dt>Otherwise, if the element has no <code title=attr-iframe-src><a href=#attr-iframe-src>src</a></code> attribute specified, and the
- user agent is processing the <code><a href=#the-iframe-element>iframe</a></code>'s attributes for
- the first time</dt>
+ <dt>Otherwise, if the element has no <code title=attr-iframe-src><a href=#attr-iframe-src>src</a></code> attribute
+ specified, and the user agent is processing the <code><a href=#the-iframe-element>iframe</a></code>'s attributes for the first
+ time</dt>
<dd>
- <p><a href=#queue-a-task>Queue a task</a> to <a href=#fire-a-simple-event>fire a simple event</a>
- named <code title=event-load>load</code> at the
- <code><a href=#the-iframe-element>iframe</a></code> element.</p>
+ <p><a href=#queue-a-task>Queue a task</a> to <a href=#fire-a-simple-event>fire a simple event</a> named <code title=event-load>load</code> at the <code><a href=#the-iframe-element>iframe</a></code> element.</p>
</dd>
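Review bot: The paragraph stating that srcdoc takes priority over src changes from a plain <p> to <p class=note> when it moves below the example, which is a change of status that the "Should have no normative effect" log line ought to justify. It looks safe only because the "process the iframe attributes" switch later in this hunk lists "If the srcdoc attribute is specified" as its first case, so the priority is still required there; suggest saying so in the log. Separately, the itemprop sentence is folded into the src paragraph and both <!--MD--> markers that surrounded it are removed; if anything keys on those markers to locate microdata text, it will no longer find this sentence, so either keep the sentence in its own marked paragraph or confirm the markers are unused.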
@@ -26697,207 +26714,118 @@
<ol><li>
- <p>If the value of the <code title=attr-iframe-src><a href=#attr-iframe-src>src</a></code>
- attribute is the empty string, let <var title="">url</var> be
- the string "<code><a href=#about:blank>about:blank</a></code>".</p>
+ <p>If the value of the <code title=attr-iframe-src><a href=#attr-iframe-src>src</a></code> attribute is the empty string,
+ let <var title="">url</var> be the string "<code><a href=#about:blank>about:blank</a></code>".</p>
- <p>Otherwise, <a href=#resolve-a-url title="resolve a url">resolve</a> the
- value of the <code title=attr-iframe-src><a href=#attr-iframe-src>src</a></code> attribute,
- relative to the <code><a href=#the-iframe-element>iframe</a></code> element.</p>
+ <p>Otherwise, <a href=#resolve-a-url title="resolve a url">resolve</a> the value of the <code title=attr-iframe-src><a href=#attr-iframe-src>src</a></code> attribute, relative to the <code><a href=#the-iframe-element>iframe</a></code> element.</p>
- <p>If that is not successful, then let <var title="">url</var>
- be the string "<code><a href=#about:blank>about:blank</a></code>". Otherwise, let <var title="">url</var> be the resulting <a href=#absolute-url>absolute
- URL</a>.</p>
+ <p>If that is not successful, then let <var title="">url</var> be the string
+ "<code><a href=#about:blank>about:blank</a></code>". Otherwise, let <var title="">url</var> be the resulting
+ <a href=#absolute-url>absolute URL</a>.</p>
</li>
<li>
- <p><a href=#navigate>Navigate</a><!--DONAV iframe--> the element's
- <a href=#child-browsing-context>child browsing context</a> to <var title="">url</var>.</p>
+ <p><a href=#navigate>Navigate</a><!--DONAV iframe--> the element's <a href=#child-browsing-context>child browsing context</a>
+ to <var title="">url</var>.</p>
</li>
</ol></dd>
- </dl><p>Any <a href=#navigate title=navigate>navigation</a> required of the user
- agent in the <a href=#process-the-iframe-attributes>process the <code>iframe</code> attributes</a>
- algorithm must be completed as an <a href=#explicit-self-navigation-override>explicit self-navigation
- override</a> and with the <code><a href=#the-iframe-element>iframe</a></code> element's
- document's <a href=#browsing-context>browsing context</a> as the <a href=#source-browsing-context>source
- browsing context</a>.</p>
+ </dl><p>Any <a href=#navigate title=navigate>navigation</a> required of the user agent in the <a href=#process-the-iframe-attributes>process
+ the <code>iframe</code> attributes</a> algorithm must be completed as an <a href=#explicit-self-navigation-override>explicit
+ self-navigation override</a> and with the <code><a href=#the-iframe-element>iframe</a></code> element's document's
+ <a href=#browsing-context>browsing context</a> as the <a href=#source-browsing-context>source browsing context</a>.</p>
- <p>Furthermore, if the <a href=#active-document>active document</a> of the element's
- <a href=#child-browsing-context>child browsing context</a> before such a <a href=#navigate title=navigate>navigation</a> was not <a href=#completely-loaded>completely
- loaded</a> at the time of the new <a href=#navigate title=navigate>navigation</a>, then the <a href=#navigate title=navigate>navigation</a> must be completed with
- <a href=#replacement-enabled>replacement enabled</a>.</p>
+ <p>Furthermore, if the <a href=#active-document>active document</a> of the element's <a href=#child-browsing-context>child browsing
+ context</a> before such a <a href=#navigate title=navigate>navigation</a> was not <a href=#completely-loaded>completely
+ loaded</a> at the time of the new <a href=#navigate title=navigate>navigation</a>, then the <a href=#navigate title=navigate>navigation</a> must be completed with <a href=#replacement-enabled>replacement enabled</a>.</p>
- <p>Similarly, if the <a href=#child-browsing-context>child browsing context</a>'s
- <a href=#session-history>session history</a> contained only one
- <code><a href=#document>Document</a></code> when the <a href=#process-the-iframe-attributes>process the <code>iframe</code>
- attributes</a> algorithm was invoked, and that was the
- <code><a href=#about:blank>about:blank</a></code> <code><a href=#document>Document</a></code> created when the
- <a href=#child-browsing-context>child browsing context</a> was created, then any <a href=#navigate title=navigate>navigation</a> required of the user agent in
- that algorithm must be completed with <a href=#replacement-enabled>replacement
- enabled</a>.</p> <!-- see also the note near similar text for the
+ <p>Similarly, if the <a href=#child-browsing-context>child browsing context</a>'s <a href=#session-history>session history</a> contained
+ only one <code><a href=#document>Document</a></code> when the <a href=#process-the-iframe-attributes>process the <code>iframe</code> attributes</a>
+ algorithm was invoked, and that was the <code><a href=#about:blank>about:blank</a></code> <code><a href=#document>Document</a></code> created
+ when the <a href=#child-browsing-context>child browsing context</a> was created, then any <a href=#navigate title=navigate>navigation</a> required of the user agent in that algorithm must be completed
+ with <a href=#replacement-enabled>replacement enabled</a>.</p> <!-- see also the note near similar text for the
location.assign() method -->
- </div>
+ <p>When content loads in an <code><a href=#the-iframe-element>iframe</a></code>, after any <code title=event-load>load</code>
+ events are fired within the content itself, <!-- XXX bug 16829 --> the user agent must <a href=#queue-a-task>queue
+ a task</a> to <a href=#fire-a-simple-event>fire a simple event</a> named <code title=event-load>load</code> at
+ the <code><a href=#the-iframe-element>iframe</a></code> element. When content whose <a href=#url>URL</a> has the <a href=#same-origin>same
+ origin</a> as the <code><a href=#the-iframe-element>iframe</a></code> element's <code><a href=#document>Document</a></code> fails to load (e.g. due
+ to a DNS error, network error, or if the server returned a 4xx or 5xx status code <a href=#concept-http-equivalent-codes title=concept-http-equivalent-codes>or equivalent</a>), then the user agent must <a href=#queue-a-task>queue
+ a task</a> to <a href=#fire-a-simple-event>fire a simple event</a> named <code title=event-error>error</code> at
+ the element instead. (This event does not fire for <a href=#parse-error title="parse error">parse errors</a>,
+ script errors, or any errors for cross-origin resources.)</p>
- <!-- END of section that's very similar to <frame> -->
+ <p>The <a href=#task-source>task source</a> for these <a href=#concept-task title=concept-task>tasks</a> is the <a href=#dom-manipulation-task-source>DOM
+ manipulation task source</a>.</p>
- <p class=note>If, when the element is created, the <code title=attr-iframe-srcdoc><a href=#attr-iframe-srcdoc>srcdoc</a></code> attribute is not set, and
- the <code title=attr-iframe-src><a href=#attr-iframe-src>src</a></code> attribute is either
- also not set or set but its value cannot be <a href=#resolve-a-url title="resolve a
- url">resolved</a>, the browsing context will remain at the
- initial <code><a href=#about:blank>about:blank</a></code> page.</p>
+ <p class=note>A <code title=event-load>load</code> event is also fired at the
+ <code><a href=#the-iframe-element>iframe</a></code> element when it is created if no other data is loaded in it.</p>
- <p class=note>If the user <a href=#navigate title=navigate>navigates</a>
- away from this page, the <code><a href=#the-iframe-element>iframe</a></code>'s corresponding
- <code><a href=#windowproxy>WindowProxy</a></code> object will proxy new <code><a href=#window>Window</a></code>
- objects for new <code><a href=#document>Document</a></code> objects, but the <code title=attr-iframe-src><a href=#attr-iframe-src>src</a></code> attribute will not change.</p>
+ <p>When the <code><a href=#the-iframe-element>iframe</a></code>'s <a href=#active-document>active document</a> is not <a href=#ready-for-post-load-tasks>ready for post-load
+ tasks</a>, and when anything in the <code><a href=#the-iframe-element>iframe</a></code> is <a href=#delay-the-load-event title="delay the load
+ event">delaying the load event</a> of the <code><a href=#the-iframe-element>iframe</a></code>'s <a href=#browsing-context>browsing context</a>'s
+ <a href=#active-document>active document</a>, the <code><a href=#the-iframe-element>iframe</a></code> must <a href=#delay-the-load-event>delay the load event</a> of
+ its document.</p>
- <div class=example>
+ <p class=note>If, during the handling of the <code title=event-load>load</code> event, the
+ <a href=#browsing-context>browsing context</a> in the <code><a href=#the-iframe-element>iframe</a></code> is again <a href=#navigate title=navigate>navigated</a>, that will further <a href=#delay-the-load-event>delay the load event</a>.</p>
- <p>Here a blog uses the <code title=attr-iframe-srcdoc><a href=#attr-iframe-srcdoc>srcdoc</a></code> attribute in conjunction
- with the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> and <code title=attr-iframe-seamless><a href=#attr-iframe-seamless>seamless</a></code> attributes described
- below to provide users of user agents that support this feature
- with an extra layer of protection from script injection in the blog
- post comments:</p>
+ </div>
- <pre><article>
- <h1>I got my own magazine!</h1>
- <p>After much effort, I've finally found a publisher, and so now I
- have my own magazine! Isn't that awesome?! The first issue will come
- out in September, and we have articles about getting food, and about
- getting in boxes, it's going to be great!</p>
- <footer>
- <p>Written by <a href="/users/cap">cap</a>, 1 hour ago.
- </footer>
- <article>
- <footer> Thirteen minutes ago, <a href="/users/ch">ch</a> wrote: </footer>
- <iframe seamless sandbox srcdoc="<p>did you get a cover picture yet?"></iframe>
- </article>
- <article>
- <footer> Nine minutes ago, <a href="/users/cap">cap</a> wrote: </footer>
- <iframe seamless sandbox srcdoc="<p>Yeah, you can see it <a href="/gallery?mode=cover&amp;page=1">in my gallery</a>."></iframe>
- </article>
- <article>
- <footer> Five minutes ago, <a href="/users/ch">ch</a> wrote: </footer>
- <iframe seamless sandbox srcdoc="<p>hey that's earl's table.
-<p>you should get earl&amp;me on the next cover."></iframe>
- </article></pre>
+ <!-- END of section that's very similar to <frame> -->
- <p>Notice the way that quotes have to be escaped (otherwise the
- <code title=attr-iframe-srcdoc><a href=#attr-iframe-srcdoc>srcdoc</a></code> attribute would end
- prematurely), and the way raw ampersands (e.g. in URLs or in prose)
- mentioned in the sandboxed content have to be <em>doubly</em>
- escaped — once so that the ampersand is preserved when
- originally parsing the <code title=attr-iframe-srcdoc><a href=#attr-iframe-srcdoc>srcdoc</a></code> attribute, and once more
- to prevent the ampersand from being misinterpreted when parsing the
- sandboxed content.</p>
+ <p class=note>If, when the element is created, the <code title=attr-iframe-srcdoc><a href=#attr-iframe-srcdoc>srcdoc</a></code> attribute is not set, and the <code title=attr-iframe-src><a href=#attr-iframe-src>src</a></code> attribute is either also not set or set but its value cannot be
+ <a href=#resolve-a-url title="resolve a url">resolved</a>, the browsing context will remain at the initial
+ <code><a href=#about:blank>about:blank</a></code> page.</p>
- </div>
+ <p class=note>If the user <a href=#navigate title=navigate>navigates</a> away from this page, the
+ <code><a href=#the-iframe-element>iframe</a></code>'s corresponding <code><a href=#windowproxy>WindowProxy</a></code> object will proxy new
+ <code><a href=#window>Window</a></code> objects for new <code><a href=#document>Document</a></code> objects, but the <code title=attr-iframe-src><a href=#attr-iframe-src>src</a></code> attribute will not change.</p>
- <p class=note>In <a href=#syntax>the HTML syntax</a>, authors need only
- remember to use U+0022 QUOTATION MARK characters (") to wrap the
- attribute contents and then to escape all U+0022 QUOTATION MARK (")
- and U+0026 AMPERSAND (&) characters, and to specify the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute, to ensure safe
- embedding of content.</p>
- <p class=note>Due to restrictions of <a href=#the-xhtml-syntax>the XHTML
- syntax</a>, in XML the U+003C LESS-THAN SIGN character (<)
- needs to be escaped as well. In order to prevent <a href=http://www.w3.org/TR/REC-xml/#AVNormalize>attribute-value
- normalization</a>, some of XML's whitespace characters —
- specifically U+0009 CHARACTER TABULATION (tab), U+000A LINE FEED
- (LF), and U+000D CARRIAGE RETURN (CR) — also need to be
- escaped. <a href=#refsXML>[XML]</a></p>
+ <hr><!-- NAME --><p>The <dfn id=attr-iframe-name title=attr-iframe-name><code>name</code></dfn> attribute, if present, must be a
+ <a href=#valid-browsing-context-name>valid browsing context name</a>. The given value is used to name the <a href=#nested-browsing-context>nested
+ browsing context</a>. <span class=impl>When the browsing context is created, if the attribute
+ is present, the <a href=#browsing-context-name>browsing context name</a> must be set to the value of this attribute;
+ otherwise, the <a href=#browsing-context-name>browsing context name</a> must be set to the empty string.</span></p>
- <hr><p>The <dfn id=attr-iframe-name title=attr-iframe-name><code>name</code></dfn>
- attribute, if present, must be a <a href=#valid-browsing-context-name>valid browsing context
- name</a>. The given value is used to name the <a href=#nested-browsing-context>nested
- browsing context</a>. <span class=impl>When the browsing
- context is created, if the attribute is present, the <a href=#browsing-context-name>browsing
- context name</a> must be set to the value of this attribute;
- otherwise, the <a href=#browsing-context-name>browsing context name</a> must be set to the
- empty string.</span></p>
-
<div class=impl>
- <p>Whenever the <code title=attr-iframe-name><a href=#attr-iframe-name>name</a></code> attribute
- is set, the nested <a href=#browsing-context>browsing context</a>'s <a href=#browsing-context-name title="browsing context name">name</a> must be changed to the new
- value. If the attribute is removed, the <a href=#browsing-context-name>browsing context
- name</a> must be set to the empty string.</p>
+ <p>Whenever the <code title=attr-iframe-name><a href=#attr-iframe-name>name</a></code> attribute is set, the nested
+ <a href=#browsing-context>browsing context</a>'s <a href=#browsing-context-name title="browsing context name">name</a> must be changed to
+ the new value. If the attribute is removed, the <a href=#browsing-context-name>browsing context name</a> must be set to
+ the empty string.</p>
- <p>When content loads in an <code><a href=#the-iframe-element>iframe</a></code>, after any <code title=event-load>load</code> events are fired within the content
- itself, the user agent must <a href=#queue-a-task>queue a task</a> to <a href=#fire-a-simple-event>fire
- a simple event</a> named <code title=event-load>load</code> at
- the <code><a href=#the-iframe-element>iframe</a></code> element. When content whose <a href=#url>URL</a>
- has the <a href=#same-origin>same origin</a> as the <code><a href=#the-iframe-element>iframe</a></code>
- element's <code><a href=#document>Document</a></code> fails to load (e.g. due to a DNS
- error, network error, or if the server returned a 4xx or 5xx status
- code <a href=#concept-http-equivalent-codes title=concept-http-equivalent-codes>or
- equivalent</a>), then the user agent must <a href=#queue-a-task>queue a
- task</a> to <a href=#fire-a-simple-event>fire a simple event</a> named <code title=event-error>error</code> at the element instead. (This event
- does not fire for <a href=#parse-error title="parse error">parse errors</a>,
- script errors, or any errors for cross-origin resources.)</p>
-
- <p>The <a href=#task-source>task source</a> for these <a href=#concept-task title=concept-task>tasks</a> is the <a href=#dom-manipulation-task-source>DOM manipulation
- task source</a>.</p>
-
- <p class=note>A <code title=event-load>load</code> event is also
- fired at the <code><a href=#the-iframe-element>iframe</a></code> element when it is created if no
- other data is loaded in it.</p>
-
- <p>When the <code><a href=#the-iframe-element>iframe</a></code>'s <a href=#active-document>active document</a> is
- not <a href=#ready-for-post-load-tasks>ready for post-load tasks</a>, and when anything in the
- <code><a href=#the-iframe-element>iframe</a></code> is <a href=#delay-the-load-event title="delay the load event">delaying
- the load event</a> of the <code><a href=#the-iframe-element>iframe</a></code>'s <a href=#browsing-context>browsing
- context</a>'s <a href=#active-document>active document</a>, the
- <code><a href=#the-iframe-element>iframe</a></code> must <a href=#delay-the-load-event>delay the load event</a> of its
- document.</p>
-
- <p class=note>If, during the handling of the <code title=event-load>load</code> event, the <a href=#browsing-context>browsing
- context</a> in the <code><a href=#the-iframe-element>iframe</a></code> is again <a href=#navigate title=navigate>navigated</a>, that will further <a href=#delay-the-load-event>delay the
- load event</a>.</p>
-
</div>
- <hr><p>The <dfn id=attr-iframe-sandbox title=attr-iframe-sandbox><code>sandbox</code></dfn>
- attribute, when specified, enables a set of extra restrictions on
- any content hosted by the <code><a href=#the-iframe-element>iframe</a></code>. Its value must be an
- <a href=#unordered-set-of-unique-space-separated-tokens>unordered set of unique space-separated tokens</a> that are
- <a href=#ascii-case-insensitive>ASCII case-insensitive</a>. The allowed values are
- <code title=attr-iframe-sandbox-allow-forms><a href=#attr-iframe-sandbox-allow-forms>allow-forms</a></code>,
- <code title=attr-iframe-sandbox-allow-popups><a href=#attr-iframe-sandbox-allow-popups>allow-popups</a></code>,
- <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code>,
- <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code>, and
- <code title=attr-iframe-sandbox-allow-top-navigation><a href=#attr-iframe-sandbox-allow-top-navigation>allow-top-navigation</a></code>.
- When the attribute is set, the content is treated as being from a
- unique <a href=#origin>origin</a>, forms and scripts are disabled, links
- are prevented from targeting other <a href=#browsing-context title="browsing
- context">browsing contexts</a>, and plugins are secured. The
- <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code>
- keyword allows the content to be treated as being from the same
- origin instead of forcing it into a unique origin, the <code title=attr-iframe-sandbox-allow-top-navigation><a href=#attr-iframe-sandbox-allow-top-navigation>allow-top-navigation</a></code>
- keyword allows the content to <a href=#navigate>navigate</a> its
- <a href=#top-level-browsing-context>top-level browsing context</a>, and the <code title=attr-iframe-sandbox-allow-forms><a href=#attr-iframe-sandbox-allow-forms>allow-forms</a></code>, <code title=attr-iframe-sandbox-allow-popups><a href=#attr-iframe-sandbox-allow-popups>allow-popups</a></code> and <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code>
- keywords re-enable forms, popups, and scripts respectively.</p>
+ <hr><!-- SANDBOX --><p>The <dfn id=attr-iframe-sandbox title=attr-iframe-sandbox><code>sandbox</code></dfn> attribute, when specified,
+ enables a set of extra restrictions on any content hosted by the <code><a href=#the-iframe-element>iframe</a></code>. Its value
+ must be an <a href=#unordered-set-of-unique-space-separated-tokens>unordered set of unique space-separated tokens</a> that are <a href=#ascii-case-insensitive>ASCII
+ case-insensitive</a>. The allowed values are <code title=attr-iframe-sandbox-allow-forms><a href=#attr-iframe-sandbox-allow-forms>allow-forms</a></code>, <code title=attr-iframe-sandbox-allow-popups><a href=#attr-iframe-sandbox-allow-popups>allow-popups</a></code>, <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code>, <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code>, and <code title=attr-iframe-sandbox-allow-top-navigation><a href=#attr-iframe-sandbox-allow-top-navigation>allow-top-navigation</a></code>.</p>
- <p class=warning>Setting both the
- <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code> and
- <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code>
- keywords together when the embedded page has the <a href=#same-origin>same
- origin</a> as the page containing the <code><a href=#the-iframe-element>iframe</a></code> allows
- the embedded page to simply remove the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute.</p>
+ <p>When the attribute is set, the content is treated as being from a unique <a href=#origin>origin</a>,
+ forms and scripts are disabled, links are prevented from targeting other <a href=#browsing-context title="browsing
+ context">browsing contexts</a>, and plugins are secured. The <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code> keyword allows the content
+ to be treated as being from the same origin instead of forcing it into a unique origin, the <code title=attr-iframe-sandbox-allow-top-navigation><a href=#attr-iframe-sandbox-allow-top-navigation>allow-top-navigation</a></code> keyword allows the
+ content to <a href=#navigate>navigate</a> its <a href=#top-level-browsing-context>top-level browsing context</a>, and the <code title=attr-iframe-sandbox-allow-forms><a href=#attr-iframe-sandbox-allow-forms>allow-forms</a></code>, <code title=attr-iframe-sandbox-allow-popups><a href=#attr-iframe-sandbox-allow-popups>allow-popups</a></code> and <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code> keywords re-enable forms, popups,
+ and scripts respectively.</p>
- <p class=warning>Sandboxing hostile content is of minimal help if
- an attacker can convince the user to just visit the hostile content
- directly, rather than in the <code><a href=#the-iframe-element>iframe</a></code>. To limit the
- damage that can be caused by hostile HTML content, it should be
- served from a separate dedicated domain.</p>
+ <p class=warning>Setting both the <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code> and <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code> keywords together when the
+ embedded page has the <a href=#same-origin>same origin</a> as the page containing the <code><a href=#the-iframe-element>iframe</a></code>
+ allows the embedded page to simply remove the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code>
+ attribute.</p>
+ <p class=warning>Sandboxing hostile content is of minimal help if an attacker can convince the
+ user to just visit the hostile content directly, rather than in the <code><a href=#the-iframe-element>iframe</a></code>. To limit
+ the damage that can be caused by hostile HTML content, it should be served from a separate
+ dedicated domain.</p>
+
<div class=impl>
<!-- v2: Add a new attribute that enables new restrictions, e.g.:
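Review bot: The load and error event requirements removed from the impl div after the name paragraph (from "When content loads in an iframe" through the note on re-navigation during load handling) have no matching added lines in the part of this hunk shown here. Since the log message says the change has no normative effect, please confirm that all five paragraphs reappear elsewhere in the revision with their wording intact, in particular the parenthetical that the error event does not fire for parse errors, script errors, or any errors for cross-origin resources, and the sentence naming the DOM manipulation task source. The split of the sandbox paragraph into a keyword list and a separate paragraph on effects reads well. The warning on combining allow-scripts with allow-same-origin added here says nearly the same thing as the warning reflowed further down the patch, so consider keeping one and cross-referencing it.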
@@ -26907,50 +26835,42 @@
- block access to 'parent.frames' from sandbox
-->
- <p>While the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code>
- attribute is set or changed, the user agent must <a href=#parse-a-sandboxing-directive title="parse
- a sandboxing directive">parse the sandboxing directive</a> using
- the attribute's value as the <var title="">input</var> and the
- <code><a href=#the-iframe-element>iframe</a></code> element's <a href=#nested-browsing-context>nested browsing context</a>'s
- <a href=#iframe-sandboxing-flag-set><code>iframe</code> sandboxing flag set</a> as the
+ <p>While the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute is set or changed, the
+ user agent must <a href=#parse-a-sandboxing-directive title="parse a sandboxing directive">parse the sandboxing directive</a>
+ using the attribute's value as the <var title="">input</var> and the <code><a href=#the-iframe-element>iframe</a></code> element's
+ <a href=#nested-browsing-context>nested browsing context</a>'s <a href=#iframe-sandboxing-flag-set><code>iframe</code> sandboxing flag set</a> as the
output.</p>
- <p class=warning>These flags only take effect when the
- <a href=#nested-browsing-context>nested browsing context</a> of the <code><a href=#the-iframe-element>iframe</a></code> is
- <a href=#navigate title=navigate>navigated</a>. Removing them, or removing
- the entire <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code>
- attribute, has no effect on an already-loaded page.</p>
+ <p class=warning>These flags only take effect when the <a href=#nested-browsing-context>nested browsing context</a> of
+ the <code><a href=#the-iframe-element>iframe</a></code> is <a href=#navigate title=navigate>navigated</a>. Removing them, or removing the
+ entire <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute, has no effect on an
+ already-loaded page.</p>
</div>
<div class=example>
- <p>In this example, some completely-unknown, potentially hostile,
- user-provided HTML content is embedded in a page. Because it is
- served from a separate domain, it is affected by all the normal
- cross-site restrictions. In addition, the embedded page has
- scripting disabled, plugins disabled, forms disabled, and it cannot
- navigate any frames or windows other than itself (or any frames or
+ <p>In this example, some completely-unknown, potentially hostile, user-provided HTML content is
+ embedded in a page. Because it is served from a separate domain, it is affected by all the normal
+ cross-site restrictions. In addition, the embedded page has scripting disabled, plugins disabled,
+ forms disabled, and it cannot navigate any frames or windows other than itself (or any frames or
windows it itself embeds).</p>
<pre><p>We're not scared of you! Here is your content, unedited:</p>
<iframe sandbox src="http://usercontent.example.net/getusercontent.cgi?id=12193"></iframe></pre>
- <p class=warning>It is important to use a separate domain so that
- if the attacker convinces the user to visit that page directly, the
- page doesn't run in the context of the site's origin, which would
- make the user vulnerable to any attack found in the page.</p>
+ <p class=warning>It is important to use a separate domain so that if the attacker convinces the
+ user to visit that page directly, the page doesn't run in the context of the site's origin, which
+ would make the user vulnerable to any attack found in the page.</p>
</div>
<div class=example>
- <p>In this example, a gadget from another site is embedded. The
- gadget has scripting and forms enabled, and the origin sandbox
- restrictions are lifted, allowing the gadget to communicate with
- its originating server. The sandbox is still useful, however, as it
- disables plugins and popups, thus reducing the risk of the user
- being exposed to malware and other annoyances.</p>
+ <p>In this example, a gadget from another site is embedded. The gadget has scripting and forms
+ enabled, and the origin sandbox restrictions are lifted, allowing the gadget to communicate with
+ its originating server. The sandbox is still useful, however, as it disables plugins and popups,
+ thus reducing the risk of the user being exposed to malware and other annoyances.</p>
<pre><iframe sandbox="allow-same-origin allow-forms allow-scripts"
src="http://maps.example.com/embedded.html"></iframe></pre>
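Review bot: The gadget example at the end of this hunk sets both allow-same-origin and allow-scripts, but its prose does not say that this is acceptable only because maps.example.com is a different origin from the embedding page. The warning earlier in the patch states that this pair lets a same-origin embedded page remove the sandbox attribute, so a reader copying the markup for same-origin content gets no protection. While these paragraphs are being reflowed, consider adding a sentence to the example stating that the gadget is cross-origin and pointing at that warning. Separately, "While the sandbox attribute is set or changed" in the impl paragraph reads as a duration; "When" would match the "Whenever the name attribute is set" wording used for the name attribute.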
@@ -26971,270 +26891,218 @@
<pre><a href=D>Link</a></pre>
- <p>For this example, suppose all the files were served as
- <code><a href=#text/html>text/html</a></code>.</p>
+ <p>For this example, suppose all the files were served as <code><a href=#text/html>text/html</a></code>.</p>
- <p>Page C in this scenario has all the sandboxing flags
- set. Scripts are disabled, because the <code><a href=#the-iframe-element>iframe</a></code> in A has
- scripts disabled, and this overrides the <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code>
- keyword set on the <code><a href=#the-iframe-element>iframe</a></code> in B. Forms are also
- disabled, because the inner <code><a href=#the-iframe-element>iframe</a></code> (in B) does not
- have the <code title=attr-iframe-sandbox-allow-forms><a href=#attr-iframe-sandbox-allow-forms>allow-forms</a></code> keyword
+ <p>Page C in this scenario has all the sandboxing flags set. Scripts are disabled, because the
+ <code><a href=#the-iframe-element>iframe</a></code> in A has scripts disabled, and this overrides the <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code> keyword set on the
+ <code><a href=#the-iframe-element>iframe</a></code> in B. Forms are also disabled, because the inner <code><a href=#the-iframe-element>iframe</a></code> (in B)
+ does not have the <code title=attr-iframe-sandbox-allow-forms><a href=#attr-iframe-sandbox-allow-forms>allow-forms</a></code> keyword
set.</p>
- <p>Suppose now that a script in A removes all the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attributes in A
- <!--grammar-check-override--> and B. This would change nothing
- immediately. If the user clicked the link in C, loading page D into
- the <code><a href=#the-iframe-element>iframe</a></code> in B, page D would now act as if the
- <code><a href=#the-iframe-element>iframe</a></code> in B had the <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code>
- and <code title=attr-iframe-sandbox-allow-forms><a href=#attr-iframe-sandbox-allow-forms>allow-forms</a></code> keywords
- set, because that was the state of the <a href=#nested-browsing-context>nested browsing
- context</a> in the <code><a href=#the-iframe-element>iframe</a></code> in A when page B was
+ <p>Suppose now that a script in A removes all the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attributes in A <!--grammar-check-override--> and B.
+ This would change nothing immediately. If the user clicked the link in C, loading page D into the
+ <code><a href=#the-iframe-element>iframe</a></code> in B, page D would now act as if the <code><a href=#the-iframe-element>iframe</a></code> in B had the <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code> and <code title=attr-iframe-sandbox-allow-forms><a href=#attr-iframe-sandbox-allow-forms>allow-forms</a></code> keywords set, because that was the
+ state of the <a href=#nested-browsing-context>nested browsing context</a> in the <code><a href=#the-iframe-element>iframe</a></code> in A when page B was
loaded.</p>
- <p>Generally speaking, dynamically removing or changing the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute is
- ill-advised, because it can make it quite hard to reason about what
- will be allowed and what will not.</p>
+ <p>Generally speaking, dynamically removing or changing the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute is ill-advised, because it can make it quite
+ hard to reason about what will be allowed and what will not.</p>
</div>
- <p class=note>Potentially hostile files should not be served from
- the same server as the file containing the <code><a href=#the-iframe-element>iframe</a></code>
- element. Using a different domain ensures that scripts in the files
- are unable to attack the site, even if the user is tricked into
- visiting those pages directly, without the protection of the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute.</p>
+ <p class=note>Potentially hostile files should not be served from the same server as the file
+ containing the <code><a href=#the-iframe-element>iframe</a></code> element. Using a different domain ensures that scripts in the
+ files are unable to attack the site, even if the user is tricked into visiting those pages
+ directly, without the protection of the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code>
+ attribute.</p>
<p class=warning>If the <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code>
- keyword is set along with <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code>
- keyword, and the file is from the <a href=#same-origin>same origin</a> as the
- <code><a href=#the-iframe-element>iframe</a></code>'s <code><a href=#document>Document</a></code>, then a script in the
- "sandboxed" iframe could just reach out, remove the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute, and then
- reload itself, effectively breaking out of the sandbox
- altogether.</p>
+ keyword is set along with <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code> keyword, and the file is
+ from the <a href=#same-origin>same origin</a> as the <code><a href=#the-iframe-element>iframe</a></code>'s <code><a href=#document>Document</a></code>, then a
+ script in the "sandboxed" iframe could just reach out, remove the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute, and then reload itself, effectively breaking
+ out of the sandbox altogether.</p>
- <hr><!-- v2: Might be interesting to have a value on seamless that
- allowed event propagation of some sort, maybe based on the WICD
- work: http://www.w3.org/TR/WICD/ --><p>The <dfn id=attr-iframe-seamless title=attr-iframe-seamless><code>seamless</code></dfn>
- attribute is a <a href=#boolean-attribute>boolean attribute</a>. When specified, it
- indicates that the <code><a href=#the-iframe-element>iframe</a></code> element's <a href=#browsing-context>browsing
- context</a> is to be rendered in a manner that makes it appear to
- be part of the containing document (seamlessly included in the
- parent document).</p>
+ <hr><!-- SEAMLESS --><!-- v2: Might be interesting to have a value on seamless that allowed event propagation of some
+ sort, maybe based on the WICD work: http://www.w3.org/TR/WICD/ --><p>The <dfn id=attr-iframe-seamless title=attr-iframe-seamless><code>seamless</code></dfn> attribute is a <a href=#boolean-attribute>boolean
+ attribute</a>. When specified, it indicates that the <code><a href=#the-iframe-element>iframe</a></code> element's
+ <a href=#browsing-context>browsing context</a> is to be rendered in a manner that makes it appear to be part of the
+ containing document (seamlessly included in the parent document).</p>
<div class=impl>
- <p>An <code><a href=#the-iframe-element>iframe</a></code> element is said to be <dfn id=in-seamless-mode>in seamless
- mode</dfn> when all of the following conditions are met:</p>
+ <p>An <code><a href=#the-iframe-element>iframe</a></code> element is said to be <dfn id=in-seamless-mode>in seamless mode</dfn> when all of the
+ following conditions are met:</p>
- <ul><li>The <code title=attr-iframe-seamless><a href=#attr-iframe-seamless>seamless</a></code>
- attribute is set on the <code><a href=#the-iframe-element>iframe</a></code> element, and
+ <ul><li>The <code title=attr-iframe-seamless><a href=#attr-iframe-seamless>seamless</a></code> attribute is set on the
+ <code><a href=#the-iframe-element>iframe</a></code> element, and
- <li>The <code><a href=#the-iframe-element>iframe</a></code> element's owner <code><a href=#document>Document</a></code>'s
- <a href=#active-sandboxing-flag-set>active sandboxing flag set</a> does not have the
- <a href=#sandboxed-seamless-iframes-flag>sandboxed seamless iframes flag</a> set, and
+ <li>The <code><a href=#the-iframe-element>iframe</a></code> element's owner <code><a href=#document>Document</a></code>'s <a href=#active-sandboxing-flag-set>active sandboxing flag
+ set</a> does not have the <a href=#sandboxed-seamless-iframes-flag>sandboxed seamless iframes flag</a> set, and
<li>Either:
- <ul><li>The <a href=#browsing-context>browsing context</a>'s <a href=#active-document>active
- document</a> has the <a href=#same-origin>same origin</a> as the
+ <ul><li>The <a href=#browsing-context>browsing context</a>'s <a href=#active-document>active document</a> has the <a href=#same-origin>same
+ origin</a> as the <code><a href=#the-iframe-element>iframe</a></code> element's <code><a href=#document>Document</a></code>, or
+
+ <li>The <a href=#browsing-context>browsing context</a>'s <a href=#active-document>active document</a>'s <em><a href="#the-document's-address" title="the
+ document's address">address</a></em> has the <a href=#same-origin>same origin</a> as the
<code><a href=#the-iframe-element>iframe</a></code> element's <code><a href=#document>Document</a></code>, or
- <li>The <a href=#browsing-context>browsing context</a>'s <a href=#active-document>active
- document</a>'s <em><a href="#the-document's-address" title="the document's
- address">address</a></em> has the <a href=#same-origin>same origin</a> as
- the <code><a href=#the-iframe-element>iframe</a></code> element's <code><a href=#document>Document</a></code>, or
+ <li>The <a href=#browsing-context>browsing context</a>'s <a href=#active-document>active document</a> is <a href=#an-iframe-srcdoc-document>an
+ <code>iframe</code> <code title=attr-iframe-srcdoc>srcdoc</code> document</a>.
- <li>The <a href=#browsing-context>browsing context</a>'s <a href=#active-document>active
- document</a> is <a href=#an-iframe-srcdoc-document>an <code>iframe</code> <code title=attr-iframe-srcdoc>srcdoc</code> document</a>.
-
</ul></li>
- </ul><p>When an <code><a href=#the-iframe-element>iframe</a></code> element is <a href=#in-seamless-mode>in seamless
- mode</a>, the following requirements apply:</p>
+ </ul><p>When an <code><a href=#the-iframe-element>iframe</a></code> element is <a href=#in-seamless-mode>in seamless mode</a>, the following
+ requirements apply:</p>
- <ul><li><p>The user agent must set the <dfn id=seamless-browsing-context-flag>seamless browsing context
- flag</dfn> to true for that <a href=#browsing-context>browsing context</a>. This
- will <a href=#seamlessLinks>cause links to open in the parent
- browsing context</a> unless an <a href=#explicit-self-navigation-override>explicit self-navigation
- override</a> is used (<code title="">target="_self"</code>).</li>
+ <ul><li><p>The user agent must set the <dfn id=seamless-browsing-context-flag>seamless browsing context flag</dfn> to true for that
+ <a href=#browsing-context>browsing context</a>. This will <a href=#seamlessLinks>cause links to open in the
+ parent browsing context</a> unless an <a href=#explicit-self-navigation-override>explicit self-navigation override</a> is used
+ (<code title="">target="_self"</code>).</li>
- <li><p>Media queries in the context of the <code><a href=#the-iframe-element>iframe</a></code>'s
- <a href=#browsing-context>browsing context</a> (e.g. on <code title=attr-style-media><a href=#attr-style-media>media</a></code> attributes of
- <code><a href=#the-style-element>style</a></code> elements in <code><a href=#document>Document</a></code>s in that
- <code><a href=#the-iframe-element>iframe</a></code>) must be evaluated with respect to the nearest
- <a href=#ancestor-browsing-context>ancestor browsing context</a> that is not itself being
- <a href=#browsing-context-nested-through title="browsing context nested through">nested through</a>
- an <code><a href=#the-iframe-element>iframe</a></code> that is <a href=#in-seamless-mode>in seamless
+ <li><p>Media queries in the context of the <code><a href=#the-iframe-element>iframe</a></code>'s <a href=#browsing-context>browsing context</a>
+ (e.g. on <code title=attr-style-media><a href=#attr-style-media>media</a></code> attributes of <code><a href=#the-style-element>style</a></code> elements in
+ <code><a href=#document>Document</a></code>s in that <code><a href=#the-iframe-element>iframe</a></code>) must be evaluated with respect to the nearest
+ <a href=#ancestor-browsing-context>ancestor browsing context</a> that is not itself being <a href=#browsing-context-nested-through title="browsing context
+ nested through">nested through</a> an <code><a href=#the-iframe-element>iframe</a></code> that is <a href=#in-seamless-mode>in seamless
mode</a>. <a href=#refsMQ>[MQ]</a></li>
- <li><p>In a CSS-supporting user agent: the user agent must add all
- the style sheets that apply to the <code><a href=#the-iframe-element>iframe</a></code> element to
- the cascade of the <a href=#active-document>active document</a> of the
- <code><a href=#the-iframe-element>iframe</a></code> element's <a href=#nested-browsing-context>nested browsing context</a>,
- at the appropriate cascade levels, before any style sheets
- specified by the document itself.</li>
+ <li><p>In a CSS-supporting user agent: the user agent must add all the style sheets that apply to
+ the <code><a href=#the-iframe-element>iframe</a></code> element to the cascade of the <a href=#active-document>active document</a> of the
+ <code><a href=#the-iframe-element>iframe</a></code> element's <a href=#nested-browsing-context>nested browsing context</a>, at the appropriate cascade
+ levels, before any style sheets specified by the document itself.</li>
- <li><p>In a CSS-supporting user agent: the user agent must, for the
- purpose of CSS property inheritance only, treat the root element of
- the <a href=#active-document>active document</a> of the <code><a href=#the-iframe-element>iframe</a></code>
- element's <a href=#nested-browsing-context>nested browsing context</a> as being a child of
- the <code><a href=#the-iframe-element>iframe</a></code> element. (Thus inherited properties on the
- root element of the document in the <code><a href=#the-iframe-element>iframe</a></code> will
- inherit the computed values of those properties on the
- <code><a href=#the-iframe-element>iframe</a></code> element instead of taking their initial
- values.)</li>
+ <li><p>In a CSS-supporting user agent: the user agent must, for the purpose of CSS property
+ inheritance only, treat the root element of the <a href=#active-document>active document</a> of the
+ <code><a href=#the-iframe-element>iframe</a></code> element's <a href=#nested-browsing-context>nested browsing context</a> as being a child of the
+ <code><a href=#the-iframe-element>iframe</a></code> element. (Thus inherited properties on the root element of the document in
+ the <code><a href=#the-iframe-element>iframe</a></code> will inherit the computed values of those properties on the
+ <code><a href=#the-iframe-element>iframe</a></code> element instead of taking their initial values.)</li>
- <li><p>In visual media, in a CSS-supporting user agent: the user
- agent should set the intrinsic width of the <code><a href=#the-iframe-element>iframe</a></code> to
- the width that the element would have if it was a non-replaced
- block-level element with 'width: auto', unless that width would be
- zero (e.g. if the element is floating or absolutely positioned), in
- which case the user agent should set the intrinsic width of the
- <code><a href=#the-iframe-element>iframe</a></code> to the shrink-to-fit width of the root element
- (if any) of the content rendered in the
- <code><a href=#the-iframe-element>iframe</a></code>.</li>
+ <li><p>In visual media, in a CSS-supporting user agent: the user agent should set the intrinsic
+ width of the <code><a href=#the-iframe-element>iframe</a></code> to the width that the element would have if it was a
+ non-replaced block-level element with 'width: auto', unless that width would be zero (e.g. if the
+ element is floating or absolutely positioned), in which case the user agent should set the
+ intrinsic width of the <code><a href=#the-iframe-element>iframe</a></code> to the shrink-to-fit width of the root element (if
+ any) of the content rendered in the <code><a href=#the-iframe-element>iframe</a></code>.</li>
- <li><p>In visual media, in a CSS-supporting user agent: the user
- agent should set the intrinsic height of the <code><a href=#the-iframe-element>iframe</a></code> to
- the shortest height that would make the content rendered in the
- <code><a href=#the-iframe-element>iframe</a></code> at its current width (as given in the previous
- bullet point) have no scrollable overflow at its bottom edge<!--,
- if the scrolling position was such that the top of the viewport for
- the content rendered in the <code>iframe</code> was aligned with
- the origin of that content's canvas-->. Scrollable overflow is any
- overflow that would increase the range to which a scrollbar or
- other scrolling mechanism can scroll.</li>
+ <li><p>In visual media, in a CSS-supporting user agent: the user agent should set the intrinsic
+ height of the <code><a href=#the-iframe-element>iframe</a></code> to the shortest height that would make the content rendered in
+ the <code><a href=#the-iframe-element>iframe</a></code> at its current width (as given in the previous bullet point) have no
+ scrollable overflow at its bottom edge<!--, if the scrolling position was such that the top of
+ the viewport for the content rendered in the <code>iframe</code> was aligned with the origin of
+ that content's canvas-->. Scrollable overflow is any overflow that would increase the range to
+ which a scrollbar or other scrolling mechanism can scroll.</li>
<li>
- <p>In visual media, in a CSS-supporting user agent: the user agent
- must force the height of the initial containing block of the
- <a href=#active-document>active document</a> of the <a href=#nested-browsing-context>nested browsing
+ <p>In visual media, in a CSS-supporting user agent: the user agent must force the height of the
+ initial containing block of the <a href=#active-document>active document</a> of the <a href=#nested-browsing-context>nested browsing
context</a> of the <code><a href=#the-iframe-element>iframe</a></code> to zero.</p>
- <p class=note>This is intended to get around the otherwise
- circular dependency of percentage dimensions that depend on the
- height of the containing block, thus affecting the height of the
- document's bounding box, thus affecting the height of the
- viewport, thus affecting the size of the initial containing
- block.</p>
+ <p class=note>This is intended to get around the otherwise circular dependency of percentage
+ dimensions that depend on the height of the containing block, thus affecting the height of the
+ document's bounding box, thus affecting the height of the viewport, thus affecting the size of
+ the initial containing block.</p>
</li>
- <li><p>In speech media, the user agent should render the <a href=#nested-browsing-context>nested
- browsing context</a> without announcing that it is a separate
- document.</li>
+ <li><p>In speech media, the user agent should render the <a href=#nested-browsing-context>nested browsing context</a>
+ without announcing that it is a separate document.</li>
<li>
- <p>User agents should, in general, act as if the <a href=#active-document>active
- document</a> of the <code><a href=#the-iframe-element>iframe</a></code>'s <a href=#nested-browsing-context>nested browsing
- context</a> was part of the document that the
+ <p>User agents should, in general, act as if the <a href=#active-document>active document</a> of the
+ <code><a href=#the-iframe-element>iframe</a></code>'s <a href=#nested-browsing-context>nested browsing context</a> was part of the document that the
<code><a href=#the-iframe-element>iframe</a></code> is in, if any.</p>
- <p class=example>For example if the user agent supports listing
- all the links in a document, links in "seamlessly" nested
- documents would be included in that list without being
+ <p class=example>For example if the user agent supports listing all the links in a document,
+ links in "seamlessly" nested documents would be included in that list without being
significantly distinguished from links in the document itself.</p>
</li>
- </ul><p>If the attribute is not specified, or if the <a href=#origin>origin</a>
- conditions listed above are not met, then the user agent should
- render the <a href=#nested-browsing-context>nested browsing context</a> in a manner that is
- clearly distinguishable as a separate <a href=#browsing-context>browsing context</a>,
- and the <a href=#seamless-browsing-context-flag>seamless browsing context flag</a> must be set to
- false for that <a href=#browsing-context>browsing context</a>.</p>
+ </ul><p>If the attribute is not specified, or if the <a href=#origin>origin</a> conditions listed above are
+ not met, then the user agent should render the <a href=#nested-browsing-context>nested browsing context</a> in a manner
+ that is clearly distinguishable as a separate <a href=#browsing-context>browsing context</a>, and the
+ <a href=#seamless-browsing-context-flag>seamless browsing context flag</a> must be set to false for that <a href=#browsing-context>browsing
+ context</a>.</p>
- <p class=warning>It is important that user agents recheck the
- above conditions whenever the <a href=#active-document>active document</a> of the
- <a href=#nested-browsing-context>nested browsing context</a> of the <code><a href=#the-iframe-element>iframe</a></code>
- changes, such that the <a href=#seamless-browsing-context-flag>seamless browsing context flag</a>
- gets unset if the <a href=#nested-browsing-context>nested browsing context</a> is <a href=#navigate title=navigate>navigated</a> to another origin.</p>
+ <p class=warning>It is important that user agents recheck the above conditions whenever the
+ <a href=#active-document>active document</a> of the <a href=#nested-browsing-context>nested browsing context</a> of the
+ <code><a href=#the-iframe-element>iframe</a></code> changes, such that the <a href=#seamless-browsing-context-flag>seamless browsing context flag</a> gets unset
+ if the <a href=#nested-browsing-context>nested browsing context</a> is <a href=#navigate title=navigate>navigated</a> to another
+ origin.</p>
</div>
- <p class=note>The attribute can be set or removed dynamically,
- with the rendering updating in tandem.</p>
+ <p class=note>The attribute can be set or removed dynamically, with the rendering updating in
+ tandem.</p>
<div class=example>
- <p>In this example, the site's navigation is embedded using a
- client-side include using an <code><a href=#the-iframe-element>iframe</a></code>. Any links in the
- <code><a href=#the-iframe-element>iframe</a></code> will, in new user agents, be automatically
- opened in the <code><a href=#the-iframe-element>iframe</a></code>'s parent browsing context; for
- legacy user agents, the site could also include a <code><a href=#the-base-element>base</a></code>
- element with a <code title=attr-base-target><a href=#attr-base-target>target</a></code>
- attribute with the value <code title="">_parent</code>. Similarly,
- in new user agents the styles of the parent page will be
- automatically applied to the contents of the frame, but to support
- legacy user agents authors might wish to include the styles
+ <p>In this example, the site's navigation is embedded using a client-side include using an
+ <code><a href=#the-iframe-element>iframe</a></code>. Any links in the <code><a href=#the-iframe-element>iframe</a></code> will, in new user agents, be
+ automatically opened in the <code><a href=#the-iframe-element>iframe</a></code>'s parent browsing context; for legacy user
+ agents, the site could also include a <code><a href=#the-base-element>base</a></code> element with a <code title=attr-base-target><a href=#attr-base-target>target</a></code> attribute with the value <code title="">_parent</code>.
+ Similarly, in new user agents the styles of the parent page will be automatically applied to the
+ contents of the frame, but to support legacy user agents authors might wish to include the styles
explicitly.</p>
<pre><nav><iframe seamless src="nav.include.html"></iframe></nav></pre>
</div>
- <p class=note>The <code title=attr-contenteditable><a href=#attr-contenteditable>contenteditable</a></code> attribute does
- not propagate into <code title=attr-iframe-seamless><a href=#attr-iframe-seamless>seamless</a></code>
- <code><a href=#the-iframe-element>iframe</a></code>s.</p>
+ <p class=note>The <code title=attr-contenteditable><a href=#attr-contenteditable>contenteditable</a></code> attribute does not
+ propagate into <code title=attr-iframe-seamless><a href=#attr-iframe-seamless>seamless</a></code> <code><a href=#the-iframe-element>iframe</a></code>s.</p>
- <hr><p>The <code><a href=#the-iframe-element>iframe</a></code> element supports <a href=#dimension-attributes>dimension
- attributes</a> for cases where the embedded content has specific
- dimensions (e.g. ad units have well-defined dimensions).</p>
- <p>An <code><a href=#the-iframe-element>iframe</a></code> element never has <a href=#fallback-content>fallback
- content</a>, as it will always create a nested <a href=#browsing-context>browsing
- context</a>, regardless of whether the specified initial contents
- are successfully used.</p>
+ <hr><!-- DIM ATTRIBUTES --><p>The <code><a href=#the-iframe-element>iframe</a></code> element supports <a href=#dimension-attributes>dimension attributes</a> for cases where the
+ embedded content has specific dimensions (e.g. ad units have well-defined dimensions).</p>
- <p>Descendants of <code><a href=#the-iframe-element>iframe</a></code> elements represent
- nothing. (In legacy user agents that do not support
- <code><a href=#the-iframe-element>iframe</a></code> elements, the contents would be parsed as markup
- that could act as fallback content.)</p>
+ <p>An <code><a href=#the-iframe-element>iframe</a></code> element never has <a href=#fallback-content>fallback content</a>, as it will always
+ create a nested <a href=#browsing-context>browsing context</a>, regardless of whether the specified initial
+ contents are successfully used.</p>
- <p id=iframe-content-model>When used in <a href=#html-documents>HTML
- documents</a>, the allowed content model of <code><a href=#the-iframe-element>iframe</a></code>
- elements is text, except that invoking the <a href=#html-fragment-parsing-algorithm>HTML fragment
- parsing algorithm</a> with the <code><a href=#the-iframe-element>iframe</a></code> element as the
- <var title=concept-frag-parse-context><a href=#concept-frag-parse-context>context</a></var> element and
- the text contents as the <var title="">input</var> must result in a
- list of nodes that are all <a href=#phrasing-content>phrasing content</a>, with no
- <a href=#parse-error title="parse error">parse errors</a> having occurred, with
- no <code><a href=#the-script-element>script</a></code> elements being anywhere in the list or as
- descendants of elements in the list, and with all the elements in
- the list (including their descendants) being themselves
- conforming.</p>
- <p>The <code><a href=#the-iframe-element>iframe</a></code> element must be empty in <a href=#xml-documents>XML
- documents</a>.</p>
+ <hr><!-- FALLBACK --><p>Descendants of <code><a href=#the-iframe-element>iframe</a></code> elements represent nothing. (In legacy user agents that do
+ not support <code><a href=#the-iframe-element>iframe</a></code> elements, the contents would be parsed as markup that could act as
+ fallback content.)</p>
- <p class=note>The <a href=#html-parser>HTML parser</a> treats markup inside
- <code><a href=#the-iframe-element>iframe</a></code> elements as text.</p>
+ <p id=iframe-content-model>When used in <a href=#html-documents>HTML documents</a>, the allowed content model
+ of <code><a href=#the-iframe-element>iframe</a></code> elements is text, except that invoking the <a href=#html-fragment-parsing-algorithm>HTML fragment parsing
+ algorithm</a> with the <code><a href=#the-iframe-element>iframe</a></code> element as the <var title=concept-frag-parse-context><a href=#concept-frag-parse-context>context</a></var> element and the text contents as the <var title="">input</var> must result in a list of nodes that are all <a href=#phrasing-content>phrasing content</a>,
+ with no <a href=#parse-error title="parse error">parse errors</a> having occurred, with no <code><a href=#the-script-element>script</a></code>
+ elements being anywhere in the list or as descendants of elements in the list, and with all the
+ elements in the list (including their descendants) being themselves conforming.</p>
+ <p>The <code><a href=#the-iframe-element>iframe</a></code> element must be empty in <a href=#xml-documents>XML documents</a>.</p>
+
+ <p class=note>The <a href=#html-parser>HTML parser</a> treats markup inside <code><a href=#the-iframe-element>iframe</a></code> elements as
+ text.</p>
+
+
<div class=impl>
- <p>The IDL attributes <dfn id=dom-iframe-src title=dom-iframe-src><code>src</code></dfn>, <dfn id=dom-iframe-srcdoc title=dom-iframe-srcdoc><code>srcdoc</code></dfn>, <dfn id=dom-iframe-name title=dom-iframe-name><code>name</code></dfn>, <dfn id=dom-iframe-sandbox title=dom-iframe-sandbox><code>sandbox</code></dfn>, and <dfn id=dom-iframe-seamless title=dom-iframe-seamless><code>seamless</code></dfn> must
- <a href=#reflect>reflect</a> the respective content attributes of the same
- name.</p>
+ <hr><!-- DOM --><p>The IDL attributes <dfn id=dom-iframe-src title=dom-iframe-src><code>src</code></dfn>, <dfn id=dom-iframe-srcdoc title=dom-iframe-srcdoc><code>srcdoc</code></dfn>, <dfn id=dom-iframe-name title=dom-iframe-name><code>name</code></dfn>, <dfn id=dom-iframe-sandbox title=dom-iframe-sandbox><code>sandbox</code></dfn>, and <dfn id=dom-iframe-seamless title=dom-iframe-seamless><code>seamless</code></dfn> must <a href=#reflect>reflect</a> the respective
+ content attributes of the same name.</p>
- <p>The <dfn id=dom-iframe-contentdocument title=dom-iframe-contentDocument><code>contentDocument</code></dfn>
- IDL attribute must return the <code><a href=#document>Document</a></code> object of the
- <a href=#active-document>active document</a> of the <code><a href=#the-iframe-element>iframe</a></code> element's
- <a href=#nested-browsing-context>nested browsing context</a>, if any, or null otherwise.</p>
+ <p>The <dfn id=dom-iframe-contentdocument title=dom-iframe-contentDocument><code>contentDocument</code></dfn> IDL attribute
+ must return the <code><a href=#document>Document</a></code> object of the <a href=#active-document>active document</a> of the
+ <code><a href=#the-iframe-element>iframe</a></code> element's <a href=#nested-browsing-context>nested browsing context</a>, if any, or null otherwise.</p>
- <p>The <dfn id=dom-iframe-contentwindow title=dom-iframe-contentWindow><code>contentWindow</code></dfn>
- IDL attribute must return the <code><a href=#windowproxy>WindowProxy</a></code> object of the
- <code><a href=#the-iframe-element>iframe</a></code> element's <a href=#nested-browsing-context>nested browsing
- context</a>, if any, or null otherwise.</p>
+ <p>The <dfn id=dom-iframe-contentwindow title=dom-iframe-contentWindow><code>contentWindow</code></dfn> IDL attribute must
+ return the <code><a href=#windowproxy>WindowProxy</a></code> object of the <code><a href=#the-iframe-element>iframe</a></code> element's <a href=#nested-browsing-context>nested
+ browsing context</a>, if any, or null otherwise.</p>
</div>
<div class=example>
- <p>Here is an example of a page using an <code><a href=#the-iframe-element>iframe</a></code> to
- include advertising from an advertising broker:</p>
+ <p>Here is an example of a page using an <code><a href=#the-iframe-element>iframe</a></code> to include advertising from an
+ advertising broker:</p>
<pre><iframe src="http://ads.example.com/?customerid=923513721&format=banner"
width="468" height="60"></iframe></pre>
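Review bot: The new `<hr><!-- FALLBACK -->` separator lands one paragraph too late. It is placed before "Descendants of iframe elements represent nothing", so the paragraph "An iframe element never has fallback content" now sits between the DIM ATTRIBUTES marker and the FALLBACK marker and reads as part of the dimension-attributes block. Suggest moving the `<hr><!-- FALLBACK -->` up so that it precedes the "never has fallback content" paragraph, keeping both fallback statements in one section.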
Modified: index
===================================================================
--- index 2012-09-26 00:22:32 UTC (rev 7405)
+++ index 2012-09-26 03:27:07 UTC (rev 7406)
@@ -1471,12 +1471,7 @@
publication policies</a>.</li>
-->
- <li>The W3C HTML specification omits an example that references the
- schema.org microdata vocabulary as part of a compromise intended to
- resolve larger issues of divergence between the specifications.
- (Many other examples that reference schema.org and microdata are
- included apparently without issue, however.)</li><!-- "I put a bike
- bell on his bike." -->
+ <li>The W3C HTML specification omits mentions of microdata.</li>
<li>The W3C HTML specification defines conformance for documents in
a more traditional (version-orientated) way, because of <a href=http://lists.w3.org/Archives/Public/public-html/2011Mar/0574.html>a
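Review bot: This change to the list of differences from the W3C specification is not covered by the log message, which describes only editorial cleanup for <iframe>. The replacement sentence is also a broader statement than the one it removes: the old text said one example referencing schema.org was omitted, while the new text says mentions of microdata are omitted. It would be easier to review and to trace later as its own commit, or at least named in the log.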
@@ -26582,112 +26577,134 @@
readonly attribute <a href=#windowproxy>WindowProxy</a>? <a href=#dom-iframe-contentwindow title=dom-iframe-contentWindow>contentWindow</a>;
};</pre>
</dd>
- </dl><!--TOPIC:HTML--><p>The <code><a href=#the-iframe-element>iframe</a></code> element <a href=#represents>represents</a> a
- <a href=#nested-browsing-context>nested browsing context</a>.</p>
+ </dl><!--TOPIC:HTML--><!-- INTRO --><p>The <code><a href=#the-iframe-element>iframe</a></code> element <a href=#represents>represents</a> a <a href=#nested-browsing-context>nested browsing
+ context</a>.</p>
- <p>The <dfn id=attr-iframe-src title=attr-iframe-src><code>src</code></dfn> attribute
- gives the address of a page that the <a href=#nested-browsing-context>nested browsing
- context</a> is to contain. The attribute, if present, must be a
- <a href=#valid-non-empty-url-potentially-surrounded-by-spaces>valid non-empty URL potentially surrounded by
- spaces</a>.</p>
-<!--MD-->
- <p>If the <code title=attr-itemprop><a href=#names:-the-itemprop-attribute>itemprop</a></code> is specified
- on an <code><a href=#the-iframe-element>iframe</a></code> element, then the <code title=attr-iframe-src><a href=#attr-iframe-src>src</a></code> attribute must also be
- specified.</p>
-<!--MD-->
+ <!-- SRC/SRCDOC -->
- <p>The <dfn id=attr-iframe-srcdoc title=attr-iframe-srcdoc><code>srcdoc</code></dfn>
- attribute gives the content of the page that the <a href=#nested-browsing-context>nested
- browsing context</a> is to contain. The value of the attribute is
- the source of <dfn id=an-iframe-srcdoc-document>an <code>iframe</code> <code title=attr-iframe-srcdoc>srcdoc</code> document</dfn>.</p>
+ <p>The <dfn id=attr-iframe-src title=attr-iframe-src><code>src</code></dfn> attribute gives the address of a page
+ that the <a href=#nested-browsing-context>nested browsing context</a> is to contain. The attribute, if present, must be a
+ <a href=#valid-non-empty-url-potentially-surrounded-by-spaces>valid non-empty URL potentially surrounded by spaces</a>. If the <code title=attr-itemprop><a href=#names:-the-itemprop-attribute>itemprop</a></code> is specified on an <code><a href=#the-iframe-element>iframe</a></code> element, then the
+ <code title=attr-iframe-src><a href=#attr-iframe-src>src</a></code> attribute must also be specified.</p>
- <p>For <code><a href=#the-iframe-element>iframe</a></code> elements in <a href=#html-documents>HTML documents</a>,
- the attribute, if present, must have a value using <a href=#syntax>the HTML
- syntax</a> that consists of the following syntactic components,
- in the given order:</p>
+ <p>The <dfn id=attr-iframe-srcdoc title=attr-iframe-srcdoc><code>srcdoc</code></dfn> attribute gives the content of
+ the page that the <a href=#nested-browsing-context>nested browsing context</a> is to contain. The value of the attribute
+ is the source of <dfn id=an-iframe-srcdoc-document>an <code>iframe</code> <code title=attr-iframe-srcdoc>srcdoc</code>
+ document</dfn>.</p>
- <ol><li>Any number of <a href=#syntax-comments title=syntax-comments>comments</a> and
- <a href=#space-character title="space character">space characters</a>.</li>
+ <p>For <code><a href=#the-iframe-element>iframe</a></code> elements in <a href=#html-documents>HTML documents</a>, the <code title=attr-iframe-srcdoc><a href=#attr-iframe-srcdoc>srcdoc</a></code> attribute, if present, must have a value using <a href=#syntax>the
+ HTML syntax</a> that consists of the following syntactic components, in the given order:</p>
+ <ol><li>Any number of <a href=#syntax-comments title=syntax-comments>comments</a> and <a href=#space-character title="space
+ character">space characters</a>.</li>
+
<li>Optionally, a <a href=#syntax-doctype title=syntax-doctype>DOCTYPE</a>.
- <li>Any number of <a href=#syntax-comments title=syntax-comments>comments</a> and
- <a href=#space-character title="space character">space characters</a>.</li>
+ <li>Any number of <a href=#syntax-comments title=syntax-comments>comments</a> and <a href=#space-character title="space
+ character">space characters</a>.</li>
<li>The root element, in the form of an <code><a href=#the-html-element>html</a></code> <a href=#syntax-elements title=syntax-elements>element</a>.</li>
- <li>Any number of <a href=#syntax-comments title=syntax-comments>comments</a> and
- <a href=#space-character title="space character">space characters</a>.</li>
+ <li>Any number of <a href=#syntax-comments title=syntax-comments>comments</a> and <a href=#space-character title="space
+ character">space characters</a>.</li>
- </ol><p>For <code><a href=#the-iframe-element>iframe</a></code> elements in <a href=#xml-documents>XML documents</a>,
- the attribute, if present, must have a value that matches the
- production labeled <code title="">document</code> in the XML
- specification. <a href=#refsXML>[XML]</a></p>
+ </ol><p>For <code><a href=#the-iframe-element>iframe</a></code> elements in <a href=#xml-documents>XML documents</a>, the <code title=attr-iframe-srcdoc><a href=#attr-iframe-srcdoc>srcdoc</a></code> attribute, if present, must have a value that matches the
+ production labeled <code title="">document</code> in the XML specification. <a href=#refsXML>[XML]</a></p>
- <p>If the <code title=attr-iframe-src><a href=#attr-iframe-src>src</a></code> attribute and the
- <code title=attr-iframe-srcdoc><a href=#attr-iframe-srcdoc>srcdoc</a></code> attribute are both
- specified together, the <code title=attr-iframe-srcdoc><a href=#attr-iframe-srcdoc>srcdoc</a></code>
- attribute takes priority. This allows authors to provide a fallback
- <a href=#url>URL</a> for legacy user agents that do not support the
- <code title=attr-iframe-srcdoc><a href=#attr-iframe-srcdoc>srcdoc</a></code> attribute.</p>
+ <div class=example>
+ <p>Here a blog uses the <code title=attr-iframe-srcdoc><a href=#attr-iframe-srcdoc>srcdoc</a></code> attribute in conjunction
+ with the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> and <code title=attr-iframe-seamless><a href=#attr-iframe-seamless>seamless</a></code> attributes described below to provide users of user
+ agents that support this feature with an extra layer of protection from script injection in the
+ blog post comments:</p>
+
+ <pre><article>
+ <h1>I got my own magazine!</h1>
+ <p>After much effort, I've finally found a publisher, and so now I
+ have my own magazine! Isn't that awesome?! The first issue will come
+ out in September, and we have articles about getting food, and about
+ getting in boxes, it's going to be great!</p>
+ <footer>
+ <p>Written by <a href="/users/cap">cap</a>, 1 hour ago.
+ </footer>
+ <article>
+ <footer> Thirteen minutes ago, <a href="/users/ch">ch</a> wrote: </footer>
+ <iframe seamless sandbox srcdoc="<p>did you get a cover picture yet?"></iframe>
+ </article>
+ <article>
+ <footer> Nine minutes ago, <a href="/users/cap">cap</a> wrote: </footer>
+ <iframe seamless sandbox srcdoc="<p>Yeah, you can see it <a href="/gallery?mode=cover&amp;page=1">in my gallery</a>."></iframe>
+ </article>
+ <article>
+ <footer> Five minutes ago, <a href="/users/ch">ch</a> wrote: </footer>
+ <iframe seamless sandbox srcdoc="<p>hey that's earl's table.
+<p>you should get earl&amp;me on the next cover."></iframe>
+ </article></pre>
+
+ <p>Notice the way that quotes have to be escaped (otherwise the <code title=attr-iframe-srcdoc><a href=#attr-iframe-srcdoc>srcdoc</a></code> attribute would end prematurely), and the way raw
+ ampersands (e.g. in URLs or in prose) mentioned in the sandboxed content have to be
+ <em>doubly</em> escaped — once so that the ampersand is preserved when originally parsing
+ the <code title=attr-iframe-srcdoc><a href=#attr-iframe-srcdoc>srcdoc</a></code> attribute, and once more to prevent the
+ ampersand from being misinterpreted when parsing the sandboxed content.</p>
+
+ </div>
+
+ <p class=note>In <a href=#syntax>the HTML syntax</a>, authors need only remember to use U+0022
+ QUOTATION MARK characters (") to wrap the attribute contents and then to escape all U+0022
+ QUOTATION MARK (") and U+0026 AMPERSAND (&) characters, and to specify the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute, to ensure safe embedding of content.</p>
+
+ <p class=note>Due to restrictions of <a href=#the-xhtml-syntax>the XHTML syntax</a>, in XML the U+003C LESS-THAN
+ SIGN character (<) needs to be escaped as well. In order to prevent <a href=http://www.w3.org/TR/REC-xml/#AVNormalize>attribute-value normalization</a>, some of XML's
+ whitespace characters — specifically U+0009 CHARACTER TABULATION (tab), U+000A LINE FEED
+ (LF), and U+000D CARRIAGE RETURN (CR) — also need to be escaped. <a href=#refsXML>[XML]</a></p>
+
+ <p class=note>If the <code title=attr-iframe-src><a href=#attr-iframe-src>src</a></code> attribute and the <code title=attr-iframe-srcdoc><a href=#attr-iframe-srcdoc>srcdoc</a></code> attribute are both specified together, the <code title=attr-iframe-srcdoc><a href=#attr-iframe-srcdoc>srcdoc</a></code> attribute takes priority. This allows authors to provide
+ a fallback <a href=#url>URL</a> for legacy user agents that do not support the <code title=attr-iframe-srcdoc><a href=#attr-iframe-srcdoc>srcdoc</a></code> attribute.</p>
+
+
<div class=impl>
- <p>When an <code><a href=#the-iframe-element>iframe</a></code> element is <a href=#insert-an-element-into-a-document title="insert an
- element into a document">inserted into a document</a>, the user
- agent must create a <a href=#nested-browsing-context>nested browsing context</a>, and then
- <a href=#process-the-iframe-attributes>process the <code>iframe</code> attributes</a> for the
- first time.</p>
+ <hr><!-- SRC/SRCDOC PROCESSING MODEL --><p>When an <code><a href=#the-iframe-element>iframe</a></code> element is <a href=#insert-an-element-into-a-document title="insert an element into a document">inserted
+ into a document</a>, the user agent must create a <a href=#nested-browsing-context>nested browsing context</a>, and
+ then <a href=#process-the-iframe-attributes>process the <code>iframe</code> attributes</a> for the first time.</p>
- <p>When an <code><a href=#the-iframe-element>iframe</a></code> element is <a href=#remove-an-element-from-a-document title="remove an
- element from a document">removed from a document</a>, the user
- agent must <a href=#a-browsing-context-is-discarded title="a browsing context is
- discarded">discard</a> the <a href=#nested-browsing-context>nested browsing
- context</a>.</p>
+ <p>When an <code><a href=#the-iframe-element>iframe</a></code> element is <a href=#remove-an-element-from-a-document title="remove an element from a document">removed
+ from a document</a>, the user agent must <a href=#a-browsing-context-is-discarded title="a browsing context is
+ discarded">discard</a> the <a href=#nested-browsing-context>nested browsing context</a>.</p>
- <p class=note>This happens without any <code title=event-unload>unload</code> events firing (the <a href=#nested-browsing-context>nested
- browsing context</a> and its <code><a href=#document>Document</a></code> are <em title="a browsing context is discarded">discarded</em>, not <em title="unload a document">unloaded</em>).</p>
+ <p class=note>This happens without any <code title=event-unload>unload</code> events firing
+ (the <a href=#nested-browsing-context>nested browsing context</a> and its <code><a href=#document>Document</a></code> are <em title="a browsing
+ context is discarded">discarded</em>, not <em title="unload a document">unloaded</em>).</p>
<!-- START of section that's very similar to <frame> -->
- <p>Whenever an <code><a href=#the-iframe-element>iframe</a></code> element with a <a href=#nested-browsing-context>nested
- browsing context</a> has its <code title=attr-iframe-srcdoc><a href=#attr-iframe-srcdoc>srcdoc</a></code> attribute set, changed, or
- removed, the user agent must <a href=#process-the-iframe-attributes>process the <code>iframe</code>
- attributes</a>.</p>
+ <p>Whenever an <code><a href=#the-iframe-element>iframe</a></code> element with a <a href=#nested-browsing-context>nested browsing context</a> has its
+ <code title=attr-iframe-srcdoc><a href=#attr-iframe-srcdoc>srcdoc</a></code> attribute set, changed, or removed, the user agent
+ must <a href=#process-the-iframe-attributes>process the <code>iframe</code> attributes</a>.</p>
- <p>Similarly, whenever an <code><a href=#the-iframe-element>iframe</a></code> element with a
- <a href=#nested-browsing-context>nested browsing context</a> but with no <code title=attr-iframe-srcdoc><a href=#attr-iframe-srcdoc>srcdoc</a></code> attribute specified has its
- <code title=attr-iframe-src><a href=#attr-iframe-src>src</a></code> attribute set, changed, or
- removed, the user agent must <a href=#process-the-iframe-attributes>process the <code>iframe</code>
- attributes</a>.</p> <!-- It doesn't happen when the base URL is
- changed, though. -->
+ <p>Similarly, whenever an <code><a href=#the-iframe-element>iframe</a></code> element with a <a href=#nested-browsing-context>nested browsing context</a>
+ but with no <code title=attr-iframe-srcdoc><a href=#attr-iframe-srcdoc>srcdoc</a></code> attribute specified has its <code title=attr-iframe-src><a href=#attr-iframe-src>src</a></code> attribute set, changed, or removed, the user agent must
+ <a href=#process-the-iframe-attributes>process the <code>iframe</code> attributes</a>.</p> <!-- It doesn't happen when the base
+ URL is changed, though. -->
- <p>When the user agent is to <dfn id=process-the-iframe-attributes>process the <code>iframe</code>
- attributes</dfn>, it must run the first appropriate steps from the
- following list:</p>
+ <p>When the user agent is to <dfn id=process-the-iframe-attributes>process the <code>iframe</code> attributes</dfn>, it must run
+ the first appropriate steps from the following list:</p>
- <dl class=switch><dt>If the <code title=attr-iframe-srcdoc><a href=#attr-iframe-srcdoc>srcdoc</a></code> attribute
- is specified</dt>
+ <dl class=switch><dt>If the <code title=attr-iframe-srcdoc><a href=#attr-iframe-srcdoc>srcdoc</a></code> attribute is specified</dt>
- <dd><p><a href=#navigate>Navigate</a><!--DONAV iframe--> the element's
- <a href=#child-browsing-context>child browsing context</a> to a resource whose
- <a href=#content-type>Content-Type</a> is <code><a href=#text/html>text/html</a></code>, whose
- <a href=#url>URL</a> is <code><a href=#about:srcdoc>about:srcdoc</a></code>, and whose data
- consists of the value of the attribute. The resulting
- <code><a href=#document>Document</a></code> must be considered <a href=#an-iframe-srcdoc-document>an
- <code>iframe</code> <code title=attr-iframe-srcdoc>srcdoc</code>
- document</a>.</dd>
+ <dd><p><a href=#navigate>Navigate</a><!--DONAV iframe--> the element's <a href=#child-browsing-context>child browsing context</a>
+ to a resource whose <a href=#content-type>Content-Type</a> is <code><a href=#text/html>text/html</a></code>, whose <a href=#url>URL</a>
+ is <code><a href=#about:srcdoc>about:srcdoc</a></code>, and whose data consists of the value of the attribute. The
+ resulting <code><a href=#document>Document</a></code> must be considered <a href=#an-iframe-srcdoc-document>an <code>iframe</code> <code title=attr-iframe-srcdoc>srcdoc</code> document</a>.</dd>
- <dt>Otherwise, if the element has no <code title=attr-iframe-src><a href=#attr-iframe-src>src</a></code> attribute specified, and the
- user agent is processing the <code><a href=#the-iframe-element>iframe</a></code>'s attributes for
- the first time</dt>
+ <dt>Otherwise, if the element has no <code title=attr-iframe-src><a href=#attr-iframe-src>src</a></code> attribute
+ specified, and the user agent is processing the <code><a href=#the-iframe-element>iframe</a></code>'s attributes for the first
+ time</dt>
<dd>
- <p><a href=#queue-a-task>Queue a task</a> to <a href=#fire-a-simple-event>fire a simple event</a>
- named <code title=event-load>load</code> at the
- <code><a href=#the-iframe-element>iframe</a></code> element.</p>
+ <p><a href=#queue-a-task>Queue a task</a> to <a href=#fire-a-simple-event>fire a simple event</a> named <code title=event-load>load</code> at the <code><a href=#the-iframe-element>iframe</a></code> element.</p>
</dd>
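Review bot: The paragraph stating that srcdoc takes priority when src and srcdoc are both specified changes from a plain `<p>` to `<p class=note>`, which is more than a reflow in a commit described as having no normative effect. The precedence still follows from the processing model later in this hunk, where "If the srcdoc attribute is specified" is the first branch of the switch and the user agent runs the first appropriate steps, but the demotion deserves a mention in the log because the paragraph is what tells authors they can pair srcdoc with a fallback src. The same hunk also drops the `<!--MD-->` markers around the itemprop sentence when folding it into the src paragraph; please confirm nothing in the build depends on those markers.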
@@ -26697,207 +26714,118 @@
<ol><li>
- <p>If the value of the <code title=attr-iframe-src><a href=#attr-iframe-src>src</a></code>
- attribute is the empty string, let <var title="">url</var> be
- the string "<code><a href=#about:blank>about:blank</a></code>".</p>
+ <p>If the value of the <code title=attr-iframe-src><a href=#attr-iframe-src>src</a></code> attribute is the empty string,
+ let <var title="">url</var> be the string "<code><a href=#about:blank>about:blank</a></code>".</p>
- <p>Otherwise, <a href=#resolve-a-url title="resolve a url">resolve</a> the
- value of the <code title=attr-iframe-src><a href=#attr-iframe-src>src</a></code> attribute,
- relative to the <code><a href=#the-iframe-element>iframe</a></code> element.</p>
+ <p>Otherwise, <a href=#resolve-a-url title="resolve a url">resolve</a> the value of the <code title=attr-iframe-src><a href=#attr-iframe-src>src</a></code> attribute, relative to the <code><a href=#the-iframe-element>iframe</a></code> element.</p>
- <p>If that is not successful, then let <var title="">url</var>
- be the string "<code><a href=#about:blank>about:blank</a></code>". Otherwise, let <var title="">url</var> be the resulting <a href=#absolute-url>absolute
- URL</a>.</p>
+ <p>If that is not successful, then let <var title="">url</var> be the string
+ "<code><a href=#about:blank>about:blank</a></code>". Otherwise, let <var title="">url</var> be the resulting
+ <a href=#absolute-url>absolute URL</a>.</p>
</li>
<li>
- <p><a href=#navigate>Navigate</a><!--DONAV iframe--> the element's
- <a href=#child-browsing-context>child browsing context</a> to <var title="">url</var>.</p>
+ <p><a href=#navigate>Navigate</a><!--DONAV iframe--> the element's <a href=#child-browsing-context>child browsing context</a>
+ to <var title="">url</var>.</p>
</li>
</ol></dd>
- </dl><p>Any <a href=#navigate title=navigate>navigation</a> required of the user
- agent in the <a href=#process-the-iframe-attributes>process the <code>iframe</code> attributes</a>
- algorithm must be completed as an <a href=#explicit-self-navigation-override>explicit self-navigation
- override</a> and with the <code><a href=#the-iframe-element>iframe</a></code> element's
- document's <a href=#browsing-context>browsing context</a> as the <a href=#source-browsing-context>source
- browsing context</a>.</p>
+ </dl><p>Any <a href=#navigate title=navigate>navigation</a> required of the user agent in the <a href=#process-the-iframe-attributes>process
+ the <code>iframe</code> attributes</a> algorithm must be completed as an <a href=#explicit-self-navigation-override>explicit
+ self-navigation override</a> and with the <code><a href=#the-iframe-element>iframe</a></code> element's document's
+ <a href=#browsing-context>browsing context</a> as the <a href=#source-browsing-context>source browsing context</a>.</p>
- <p>Furthermore, if the <a href=#active-document>active document</a> of the element's
- <a href=#child-browsing-context>child browsing context</a> before such a <a href=#navigate title=navigate>navigation</a> was not <a href=#completely-loaded>completely
- loaded</a> at the time of the new <a href=#navigate title=navigate>navigation</a>, then the <a href=#navigate title=navigate>navigation</a> must be completed with
- <a href=#replacement-enabled>replacement enabled</a>.</p>
+ <p>Furthermore, if the <a href=#active-document>active document</a> of the element's <a href=#child-browsing-context>child browsing
+ context</a> before such a <a href=#navigate title=navigate>navigation</a> was not <a href=#completely-loaded>completely
+ loaded</a> at the time of the new <a href=#navigate title=navigate>navigation</a>, then the <a href=#navigate title=navigate>navigation</a> must be completed with <a href=#replacement-enabled>replacement enabled</a>.</p>
- <p>Similarly, if the <a href=#child-browsing-context>child browsing context</a>'s
- <a href=#session-history>session history</a> contained only one
- <code><a href=#document>Document</a></code> when the <a href=#process-the-iframe-attributes>process the <code>iframe</code>
- attributes</a> algorithm was invoked, and that was the
- <code><a href=#about:blank>about:blank</a></code> <code><a href=#document>Document</a></code> created when the
- <a href=#child-browsing-context>child browsing context</a> was created, then any <a href=#navigate title=navigate>navigation</a> required of the user agent in
- that algorithm must be completed with <a href=#replacement-enabled>replacement
- enabled</a>.</p> <!-- see also the note near similar text for the
+ <p>Similarly, if the <a href=#child-browsing-context>child browsing context</a>'s <a href=#session-history>session history</a> contained
+ only one <code><a href=#document>Document</a></code> when the <a href=#process-the-iframe-attributes>process the <code>iframe</code> attributes</a>
+ algorithm was invoked, and that was the <code><a href=#about:blank>about:blank</a></code> <code><a href=#document>Document</a></code> created
+ when the <a href=#child-browsing-context>child browsing context</a> was created, then any <a href=#navigate title=navigate>navigation</a> required of the user agent in that algorithm must be completed
+ with <a href=#replacement-enabled>replacement enabled</a>.</p> <!-- see also the note near similar text for the
location.assign() method -->
- </div>
+ <p>When content loads in an <code><a href=#the-iframe-element>iframe</a></code>, after any <code title=event-load>load</code>
+ events are fired within the content itself, <!-- XXX bug 16829 --> the user agent must <a href=#queue-a-task>queue
+ a task</a> to <a href=#fire-a-simple-event>fire a simple event</a> named <code title=event-load>load</code> at
+ the <code><a href=#the-iframe-element>iframe</a></code> element. When content whose <a href=#url>URL</a> has the <a href=#same-origin>same
+ origin</a> as the <code><a href=#the-iframe-element>iframe</a></code> element's <code><a href=#document>Document</a></code> fails to load (e.g. due
+ to a DNS error, network error, or if the server returned a 4xx or 5xx status code <a href=#concept-http-equivalent-codes title=concept-http-equivalent-codes>or equivalent</a>), then the user agent must <a href=#queue-a-task>queue
+ a task</a> to <a href=#fire-a-simple-event>fire a simple event</a> named <code title=event-error>error</code> at
+ the element instead. (This event does not fire for <a href=#parse-error title="parse error">parse errors</a>,
+ script errors, or any errors for cross-origin resources.)</p>
- <!-- END of section that's very similar to <frame> -->
+ <p>The <a href=#task-source>task source</a> for these <a href=#concept-task title=concept-task>tasks</a> is the <a href=#dom-manipulation-task-source>DOM
+ manipulation task source</a>.</p>
- <p class=note>If, when the element is created, the <code title=attr-iframe-srcdoc><a href=#attr-iframe-srcdoc>srcdoc</a></code> attribute is not set, and
- the <code title=attr-iframe-src><a href=#attr-iframe-src>src</a></code> attribute is either
- also not set or set but its value cannot be <a href=#resolve-a-url title="resolve a
- url">resolved</a>, the browsing context will remain at the
- initial <code><a href=#about:blank>about:blank</a></code> page.</p>
+ <p class=note>A <code title=event-load>load</code> event is also fired at the
+ <code><a href=#the-iframe-element>iframe</a></code> element when it is created if no other data is loaded in it.</p>
- <p class=note>If the user <a href=#navigate title=navigate>navigates</a>
- away from this page, the <code><a href=#the-iframe-element>iframe</a></code>'s corresponding
- <code><a href=#windowproxy>WindowProxy</a></code> object will proxy new <code><a href=#window>Window</a></code>
- objects for new <code><a href=#document>Document</a></code> objects, but the <code title=attr-iframe-src><a href=#attr-iframe-src>src</a></code> attribute will not change.</p>
+ <p>When the <code><a href=#the-iframe-element>iframe</a></code>'s <a href=#active-document>active document</a> is not <a href=#ready-for-post-load-tasks>ready for post-load
+ tasks</a>, and when anything in the <code><a href=#the-iframe-element>iframe</a></code> is <a href=#delay-the-load-event title="delay the load
+ event">delaying the load event</a> of the <code><a href=#the-iframe-element>iframe</a></code>'s <a href=#browsing-context>browsing context</a>'s
+ <a href=#active-document>active document</a>, the <code><a href=#the-iframe-element>iframe</a></code> must <a href=#delay-the-load-event>delay the load event</a> of
+ its document.</p>
- <div class=example>
+ <p class=note>If, during the handling of the <code title=event-load>load</code> event, the
+ <a href=#browsing-context>browsing context</a> in the <code><a href=#the-iframe-element>iframe</a></code> is again <a href=#navigate title=navigate>navigated</a>, that will further <a href=#delay-the-load-event>delay the load event</a>.</p>
- <p>Here a blog uses the <code title=attr-iframe-srcdoc><a href=#attr-iframe-srcdoc>srcdoc</a></code> attribute in conjunction
- with the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> and <code title=attr-iframe-seamless><a href=#attr-iframe-seamless>seamless</a></code> attributes described
- below to provide users of user agents that support this feature
- with an extra layer of protection from script injection in the blog
- post comments:</p>
+ </div>
- <pre><article>
- <h1>I got my own magazine!</h1>
- <p>After much effort, I've finally found a publisher, and so now I
- have my own magazine! Isn't that awesome?! The first issue will come
- out in September, and we have articles about getting food, and about
- getting in boxes, it's going to be great!</p>
- <footer>
- <p>Written by <a href="/users/cap">cap</a>, 1 hour ago.
- </footer>
- <article>
- <footer> Thirteen minutes ago, <a href="/users/ch">ch</a> wrote: </footer>
- <iframe seamless sandbox srcdoc="<p>did you get a cover picture yet?"></iframe>
- </article>
- <article>
- <footer> Nine minutes ago, <a href="/users/cap">cap</a> wrote: </footer>
- <iframe seamless sandbox srcdoc="<p>Yeah, you can see it <a href="/gallery?mode=cover&amp;page=1">in my gallery</a>."></iframe>
- </article>
- <article>
- <footer> Five minutes ago, <a href="/users/ch">ch</a> wrote: </footer>
- <iframe seamless sandbox srcdoc="<p>hey that's earl's table.
-<p>you should get earl&amp;me on the next cover."></iframe>
- </article></pre>
+ <!-- END of section that's very similar to <frame> -->
- <p>Notice the way that quotes have to be escaped (otherwise the
- <code title=attr-iframe-srcdoc><a href=#attr-iframe-srcdoc>srcdoc</a></code> attribute would end
- prematurely), and the way raw ampersands (e.g. in URLs or in prose)
- mentioned in the sandboxed content have to be <em>doubly</em>
- escaped — once so that the ampersand is preserved when
- originally parsing the <code title=attr-iframe-srcdoc><a href=#attr-iframe-srcdoc>srcdoc</a></code> attribute, and once more
- to prevent the ampersand from being misinterpreted when parsing the
- sandboxed content.</p>
+ <p class=note>If, when the element is created, the <code title=attr-iframe-srcdoc><a href=#attr-iframe-srcdoc>srcdoc</a></code> attribute is not set, and the <code title=attr-iframe-src><a href=#attr-iframe-src>src</a></code> attribute is either also not set or set but its value cannot be
+ <a href=#resolve-a-url title="resolve a url">resolved</a>, the browsing context will remain at the initial
+ <code><a href=#about:blank>about:blank</a></code> page.</p>
- </div>
+ <p class=note>If the user <a href=#navigate title=navigate>navigates</a> away from this page, the
+ <code><a href=#the-iframe-element>iframe</a></code>'s corresponding <code><a href=#windowproxy>WindowProxy</a></code> object will proxy new
+ <code><a href=#window>Window</a></code> objects for new <code><a href=#document>Document</a></code> objects, but the <code title=attr-iframe-src><a href=#attr-iframe-src>src</a></code> attribute will not change.</p>
- <p class=note>In <a href=#syntax>the HTML syntax</a>, authors need only
- remember to use U+0022 QUOTATION MARK characters (") to wrap the
- attribute contents and then to escape all U+0022 QUOTATION MARK (")
- and U+0026 AMPERSAND (&) characters, and to specify the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute, to ensure safe
- embedding of content.</p>
- <p class=note>Due to restrictions of <a href=#the-xhtml-syntax>the XHTML
- syntax</a>, in XML the U+003C LESS-THAN SIGN character (<)
- needs to be escaped as well. In order to prevent <a href=http://www.w3.org/TR/REC-xml/#AVNormalize>attribute-value
- normalization</a>, some of XML's whitespace characters —
- specifically U+0009 CHARACTER TABULATION (tab), U+000A LINE FEED
- (LF), and U+000D CARRIAGE RETURN (CR) — also need to be
- escaped. <a href=#refsXML>[XML]</a></p>
+ <hr><!-- NAME --><p>The <dfn id=attr-iframe-name title=attr-iframe-name><code>name</code></dfn> attribute, if present, must be a
+ <a href=#valid-browsing-context-name>valid browsing context name</a>. The given value is used to name the <a href=#nested-browsing-context>nested
+ browsing context</a>. <span class=impl>When the browsing context is created, if the attribute
+ is present, the <a href=#browsing-context-name>browsing context name</a> must be set to the value of this attribute;
+ otherwise, the <a href=#browsing-context-name>browsing context name</a> must be set to the empty string.</span></p>
- <hr><p>The <dfn id=attr-iframe-name title=attr-iframe-name><code>name</code></dfn>
- attribute, if present, must be a <a href=#valid-browsing-context-name>valid browsing context
- name</a>. The given value is used to name the <a href=#nested-browsing-context>nested
- browsing context</a>. <span class=impl>When the browsing
- context is created, if the attribute is present, the <a href=#browsing-context-name>browsing
- context name</a> must be set to the value of this attribute;
- otherwise, the <a href=#browsing-context-name>browsing context name</a> must be set to the
- empty string.</span></p>
-
<div class=impl>
- <p>Whenever the <code title=attr-iframe-name><a href=#attr-iframe-name>name</a></code> attribute
- is set, the nested <a href=#browsing-context>browsing context</a>'s <a href=#browsing-context-name title="browsing context name">name</a> must be changed to the new
- value. If the attribute is removed, the <a href=#browsing-context-name>browsing context
- name</a> must be set to the empty string.</p>
+ <p>Whenever the <code title=attr-iframe-name><a href=#attr-iframe-name>name</a></code> attribute is set, the nested
+ <a href=#browsing-context>browsing context</a>'s <a href=#browsing-context-name title="browsing context name">name</a> must be changed to
+ the new value. If the attribute is removed, the <a href=#browsing-context-name>browsing context name</a> must be set to
+ the empty string.</p>
- <p>When content loads in an <code><a href=#the-iframe-element>iframe</a></code>, after any <code title=event-load>load</code> events are fired within the content
- itself, the user agent must <a href=#queue-a-task>queue a task</a> to <a href=#fire-a-simple-event>fire
- a simple event</a> named <code title=event-load>load</code> at
- the <code><a href=#the-iframe-element>iframe</a></code> element. When content whose <a href=#url>URL</a>
- has the <a href=#same-origin>same origin</a> as the <code><a href=#the-iframe-element>iframe</a></code>
- element's <code><a href=#document>Document</a></code> fails to load (e.g. due to a DNS
- error, network error, or if the server returned a 4xx or 5xx status
- code <a href=#concept-http-equivalent-codes title=concept-http-equivalent-codes>or
- equivalent</a>), then the user agent must <a href=#queue-a-task>queue a
- task</a> to <a href=#fire-a-simple-event>fire a simple event</a> named <code title=event-error>error</code> at the element instead. (This event
- does not fire for <a href=#parse-error title="parse error">parse errors</a>,
- script errors, or any errors for cross-origin resources.)</p>
-
- <p>The <a href=#task-source>task source</a> for these <a href=#concept-task title=concept-task>tasks</a> is the <a href=#dom-manipulation-task-source>DOM manipulation
- task source</a>.</p>
-
- <p class=note>A <code title=event-load>load</code> event is also
- fired at the <code><a href=#the-iframe-element>iframe</a></code> element when it is created if no
- other data is loaded in it.</p>
-
- <p>When the <code><a href=#the-iframe-element>iframe</a></code>'s <a href=#active-document>active document</a> is
- not <a href=#ready-for-post-load-tasks>ready for post-load tasks</a>, and when anything in the
- <code><a href=#the-iframe-element>iframe</a></code> is <a href=#delay-the-load-event title="delay the load event">delaying
- the load event</a> of the <code><a href=#the-iframe-element>iframe</a></code>'s <a href=#browsing-context>browsing
- context</a>'s <a href=#active-document>active document</a>, the
- <code><a href=#the-iframe-element>iframe</a></code> must <a href=#delay-the-load-event>delay the load event</a> of its
- document.</p>
-
- <p class=note>If, during the handling of the <code title=event-load>load</code> event, the <a href=#browsing-context>browsing
- context</a> in the <code><a href=#the-iframe-element>iframe</a></code> is again <a href=#navigate title=navigate>navigated</a>, that will further <a href=#delay-the-load-event>delay the
- load event</a>.</p>
-
</div>
- <hr><p>The <dfn id=attr-iframe-sandbox title=attr-iframe-sandbox><code>sandbox</code></dfn>
- attribute, when specified, enables a set of extra restrictions on
- any content hosted by the <code><a href=#the-iframe-element>iframe</a></code>. Its value must be an
- <a href=#unordered-set-of-unique-space-separated-tokens>unordered set of unique space-separated tokens</a> that are
- <a href=#ascii-case-insensitive>ASCII case-insensitive</a>. The allowed values are
- <code title=attr-iframe-sandbox-allow-forms><a href=#attr-iframe-sandbox-allow-forms>allow-forms</a></code>,
- <code title=attr-iframe-sandbox-allow-popups><a href=#attr-iframe-sandbox-allow-popups>allow-popups</a></code>,
- <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code>,
- <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code>, and
- <code title=attr-iframe-sandbox-allow-top-navigation><a href=#attr-iframe-sandbox-allow-top-navigation>allow-top-navigation</a></code>.
- When the attribute is set, the content is treated as being from a
- unique <a href=#origin>origin</a>, forms and scripts are disabled, links
- are prevented from targeting other <a href=#browsing-context title="browsing
- context">browsing contexts</a>, and plugins are secured. The
- <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code>
- keyword allows the content to be treated as being from the same
- origin instead of forcing it into a unique origin, the <code title=attr-iframe-sandbox-allow-top-navigation><a href=#attr-iframe-sandbox-allow-top-navigation>allow-top-navigation</a></code>
- keyword allows the content to <a href=#navigate>navigate</a> its
- <a href=#top-level-browsing-context>top-level browsing context</a>, and the <code title=attr-iframe-sandbox-allow-forms><a href=#attr-iframe-sandbox-allow-forms>allow-forms</a></code>, <code title=attr-iframe-sandbox-allow-popups><a href=#attr-iframe-sandbox-allow-popups>allow-popups</a></code> and <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code>
- keywords re-enable forms, popups, and scripts respectively.</p>
+ <hr><!-- SANDBOX --><p>The <dfn id=attr-iframe-sandbox title=attr-iframe-sandbox><code>sandbox</code></dfn> attribute, when specified,
+ enables a set of extra restrictions on any content hosted by the <code><a href=#the-iframe-element>iframe</a></code>. Its value
+ must be an <a href=#unordered-set-of-unique-space-separated-tokens>unordered set of unique space-separated tokens</a> that are <a href=#ascii-case-insensitive>ASCII
+ case-insensitive</a>. The allowed values are <code title=attr-iframe-sandbox-allow-forms><a href=#attr-iframe-sandbox-allow-forms>allow-forms</a></code>, <code title=attr-iframe-sandbox-allow-popups><a href=#attr-iframe-sandbox-allow-popups>allow-popups</a></code>, <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code>, <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code>, and <code title=attr-iframe-sandbox-allow-top-navigation><a href=#attr-iframe-sandbox-allow-top-navigation>allow-top-navigation</a></code>.</p>
- <p class=warning>Setting both the
- <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code> and
- <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code>
- keywords together when the embedded page has the <a href=#same-origin>same
- origin</a> as the page containing the <code><a href=#the-iframe-element>iframe</a></code> allows
- the embedded page to simply remove the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute.</p>
+ <p>When the attribute is set, the content is treated as being from a unique <a href=#origin>origin</a>,
+ forms and scripts are disabled, links are prevented from targeting other <a href=#browsing-context title="browsing
+ context">browsing contexts</a>, and plugins are secured. The <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code> keyword allows the content
+ to be treated as being from the same origin instead of forcing it into a unique origin, the <code title=attr-iframe-sandbox-allow-top-navigation><a href=#attr-iframe-sandbox-allow-top-navigation>allow-top-navigation</a></code> keyword allows the
+ content to <a href=#navigate>navigate</a> its <a href=#top-level-browsing-context>top-level browsing context</a>, and the <code title=attr-iframe-sandbox-allow-forms><a href=#attr-iframe-sandbox-allow-forms>allow-forms</a></code>, <code title=attr-iframe-sandbox-allow-popups><a href=#attr-iframe-sandbox-allow-popups>allow-popups</a></code> and <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code> keywords re-enable forms, popups,
+ and scripts respectively.</p>
- <p class=warning>Sandboxing hostile content is of minimal help if
- an attacker can convince the user to just visit the hostile content
- directly, rather than in the <code><a href=#the-iframe-element>iframe</a></code>. To limit the
- damage that can be caused by hostile HTML content, it should be
- served from a separate dedicated domain.</p>
+ <p class=warning>Setting both the <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code> and <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code> keywords together when the
+ embedded page has the <a href=#same-origin>same origin</a> as the page containing the <code><a href=#the-iframe-element>iframe</a></code>
+ allows the embedded page to simply remove the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code>
+ attribute.</p>
+ <p class=warning>Sandboxing hostile content is of minimal help if an attacker can convince the
+ user to just visit the hostile content directly, rather than in the <code><a href=#the-iframe-element>iframe</a></code>. To limit
+ the damage that can be caused by hostile HTML content, it should be served from a separate
+ dedicated domain.</p>
+
<div class=impl>
<!-- v2: Add a new attribute that enables new restrictions, e.g.:
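Review bot: The block removed in the middle of this hunk (the srcdoc blog-comment example, the paragraph explaining that quotes must be escaped and ampersands doubly escaped, and the two notes covering U+0022, U+0026 and, for XML, U+003C plus tab, LF and CR) has no matching "+" lines anywhere in this hunk. The load/error event paragraphs, by contrast, are removed after the name section and re-added before the closing "</div>" of the attribute-processing section. Since the log says the change should have no normative effect, and those notes carry the guidance on embedding content safely through srcdoc (escape the quotation marks and ampersands, and specify the sandbox attribute), please confirm they are re-added in another hunk rather than dropped. Separately, the moved load paragraph gains an inline "<!-- XXX bug 16829 -->" marker in mid-sentence; a few words on what is still open there would help the next editor.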
@@ -26907,50 +26835,42 @@
- block access to 'parent.frames' from sandbox
-->
- <p>While the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code>
- attribute is set or changed, the user agent must <a href=#parse-a-sandboxing-directive title="parse
- a sandboxing directive">parse the sandboxing directive</a> using
- the attribute's value as the <var title="">input</var> and the
- <code><a href=#the-iframe-element>iframe</a></code> element's <a href=#nested-browsing-context>nested browsing context</a>'s
- <a href=#iframe-sandboxing-flag-set><code>iframe</code> sandboxing flag set</a> as the
+ <p>While the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute is set or changed, the
+ user agent must <a href=#parse-a-sandboxing-directive title="parse a sandboxing directive">parse the sandboxing directive</a>
+ using the attribute's value as the <var title="">input</var> and the <code><a href=#the-iframe-element>iframe</a></code> element's
+ <a href=#nested-browsing-context>nested browsing context</a>'s <a href=#iframe-sandboxing-flag-set><code>iframe</code> sandboxing flag set</a> as the
output.</p>
- <p class=warning>These flags only take effect when the
- <a href=#nested-browsing-context>nested browsing context</a> of the <code><a href=#the-iframe-element>iframe</a></code> is
- <a href=#navigate title=navigate>navigated</a>. Removing them, or removing
- the entire <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code>
- attribute, has no effect on an already-loaded page.</p>
+ <p class=warning>These flags only take effect when the <a href=#nested-browsing-context>nested browsing context</a> of
+ the <code><a href=#the-iframe-element>iframe</a></code> is <a href=#navigate title=navigate>navigated</a>. Removing them, or removing the
+ entire <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute, has no effect on an
+ already-loaded page.</p>
</div>
<div class=example>
- <p>In this example, some completely-unknown, potentially hostile,
- user-provided HTML content is embedded in a page. Because it is
- served from a separate domain, it is affected by all the normal
- cross-site restrictions. In addition, the embedded page has
- scripting disabled, plugins disabled, forms disabled, and it cannot
- navigate any frames or windows other than itself (or any frames or
+ <p>In this example, some completely-unknown, potentially hostile, user-provided HTML content is
+ embedded in a page. Because it is served from a separate domain, it is affected by all the normal
+ cross-site restrictions. In addition, the embedded page has scripting disabled, plugins disabled,
+ forms disabled, and it cannot navigate any frames or windows other than itself (or any frames or
windows it itself embeds).</p>
<pre><p>We're not scared of you! Here is your content, unedited:</p>
<iframe sandbox src="http://usercontent.example.net/getusercontent.cgi?id=12193"></iframe></pre>
- <p class=warning>It is important to use a separate domain so that
- if the attacker convinces the user to visit that page directly, the
- page doesn't run in the context of the site's origin, which would
- make the user vulnerable to any attack found in the page.</p>
+ <p class=warning>It is important to use a separate domain so that if the attacker convinces the
+ user to visit that page directly, the page doesn't run in the context of the site's origin, which
+ would make the user vulnerable to any attack found in the page.</p>
</div>
<div class=example>
- <p>In this example, a gadget from another site is embedded. The
- gadget has scripting and forms enabled, and the origin sandbox
- restrictions are lifted, allowing the gadget to communicate with
- its originating server. The sandbox is still useful, however, as it
- disables plugins and popups, thus reducing the risk of the user
- being exposed to malware and other annoyances.</p>
+ <p>In this example, a gadget from another site is embedded. The gadget has scripting and forms
+ enabled, and the origin sandbox restrictions are lifted, allowing the gadget to communicate with
+ its originating server. The sandbox is still useful, however, as it disables plugins and popups,
+ thus reducing the risk of the user being exposed to malware and other annoyances.</p>
<pre><iframe sandbox="allow-same-origin allow-forms allow-scripts"
src="http://maps.example.com/embedded.html"></iframe></pre>
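Review bot: In the re-wrapped paragraph that begins "While the sandbox attribute is set or changed", the word "While" leaves the trigger ambiguous: it reads as a continuous condition rather than as the events (attribute set, attribute changed) on which the sandboxing directive is parsed. As the paragraph is being touched anyway, "When the sandbox attribute is set or changed" would read as an event and would match the "Whenever the name attribute is set" wording used for the name attribute. Also, the gadget example keeps sandbox="allow-same-origin allow-forms allow-scripts" and says the gadget is from another site, but does not say that this combination is acceptable only for that reason; a pointer to the warning about setting allow-scripts and allow-same-origin together on same-origin content would stop readers copying the attribute value for content served from their own origin.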
@@ -26971,270 +26891,218 @@
<pre><a href=D>Link</a></pre>
- <p>For this example, suppose all the files were served as
- <code><a href=#text/html>text/html</a></code>.</p>
+ <p>For this example, suppose all the files were served as <code><a href=#text/html>text/html</a></code>.</p>
- <p>Page C in this scenario has all the sandboxing flags
- set. Scripts are disabled, because the <code><a href=#the-iframe-element>iframe</a></code> in A has
- scripts disabled, and this overrides the <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code>
- keyword set on the <code><a href=#the-iframe-element>iframe</a></code> in B. Forms are also
- disabled, because the inner <code><a href=#the-iframe-element>iframe</a></code> (in B) does not
- have the <code title=attr-iframe-sandbox-allow-forms><a href=#attr-iframe-sandbox-allow-forms>allow-forms</a></code> keyword
+ <p>Page C in this scenario has all the sandboxing flags set. Scripts are disabled, because the
+ <code><a href=#the-iframe-element>iframe</a></code> in A has scripts disabled, and this overrides the <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code> keyword set on the
+ <code><a href=#the-iframe-element>iframe</a></code> in B. Forms are also disabled, because the inner <code><a href=#the-iframe-element>iframe</a></code> (in B)
+ does not have the <code title=attr-iframe-sandbox-allow-forms><a href=#attr-iframe-sandbox-allow-forms>allow-forms</a></code> keyword
set.</p>
- <p>Suppose now that a script in A removes all the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attributes in A
- <!--grammar-check-override--> and B. This would change nothing
- immediately. If the user clicked the link in C, loading page D into
- the <code><a href=#the-iframe-element>iframe</a></code> in B, page D would now act as if the
- <code><a href=#the-iframe-element>iframe</a></code> in B had the <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code>
- and <code title=attr-iframe-sandbox-allow-forms><a href=#attr-iframe-sandbox-allow-forms>allow-forms</a></code> keywords
- set, because that was the state of the <a href=#nested-browsing-context>nested browsing
- context</a> in the <code><a href=#the-iframe-element>iframe</a></code> in A when page B was
+ <p>Suppose now that a script in A removes all the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attributes in A <!--grammar-check-override--> and B.
+ This would change nothing immediately. If the user clicked the link in C, loading page D into the
+ <code><a href=#the-iframe-element>iframe</a></code> in B, page D would now act as if the <code><a href=#the-iframe-element>iframe</a></code> in B had the <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code> and <code title=attr-iframe-sandbox-allow-forms><a href=#attr-iframe-sandbox-allow-forms>allow-forms</a></code> keywords set, because that was the
+ state of the <a href=#nested-browsing-context>nested browsing context</a> in the <code><a href=#the-iframe-element>iframe</a></code> in A when page B was
loaded.</p>
- <p>Generally speaking, dynamically removing or changing the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute is
- ill-advised, because it can make it quite hard to reason about what
- will be allowed and what will not.</p>
+ <p>Generally speaking, dynamically removing or changing the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute is ill-advised, because it can make it quite
+ hard to reason about what will be allowed and what will not.</p>
</div>
- <p class=note>Potentially hostile files should not be served from
- the same server as the file containing the <code><a href=#the-iframe-element>iframe</a></code>
- element. Using a different domain ensures that scripts in the files
- are unable to attack the site, even if the user is tricked into
- visiting those pages directly, without the protection of the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute.</p>
+ <p class=note>Potentially hostile files should not be served from the same server as the file
+ containing the <code><a href=#the-iframe-element>iframe</a></code> element. Using a different domain ensures that scripts in the
+ files are unable to attack the site, even if the user is tricked into visiting those pages
+ directly, without the protection of the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code>
+ attribute.</p>
<p class=warning>If the <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code>
- keyword is set along with <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code>
- keyword, and the file is from the <a href=#same-origin>same origin</a> as the
- <code><a href=#the-iframe-element>iframe</a></code>'s <code><a href=#document>Document</a></code>, then a script in the
- "sandboxed" iframe could just reach out, remove the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute, and then
- reload itself, effectively breaking out of the sandbox
- altogether.</p>
+ keyword is set along with <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code> keyword, and the file is
+ from the <a href=#same-origin>same origin</a> as the <code><a href=#the-iframe-element>iframe</a></code>'s <code><a href=#document>Document</a></code>, then a
+ script in the "sandboxed" iframe could just reach out, remove the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute, and then reload itself, effectively breaking
+ out of the sandbox altogether.</p>
- <hr><!-- v2: Might be interesting to have a value on seamless that
- allowed event propagation of some sort, maybe based on the WICD
- work: http://www.w3.org/TR/WICD/ --><p>The <dfn id=attr-iframe-seamless title=attr-iframe-seamless><code>seamless</code></dfn>
- attribute is a <a href=#boolean-attribute>boolean attribute</a>. When specified, it
- indicates that the <code><a href=#the-iframe-element>iframe</a></code> element's <a href=#browsing-context>browsing
- context</a> is to be rendered in a manner that makes it appear to
- be part of the containing document (seamlessly included in the
- parent document).</p>
+ <hr><!-- SEAMLESS --><!-- v2: Might be interesting to have a value on seamless that allowed event propagation of some
+ sort, maybe based on the WICD work: http://www.w3.org/TR/WICD/ --><p>The <dfn id=attr-iframe-seamless title=attr-iframe-seamless><code>seamless</code></dfn> attribute is a <a href=#boolean-attribute>boolean
+ attribute</a>. When specified, it indicates that the <code><a href=#the-iframe-element>iframe</a></code> element's
+ <a href=#browsing-context>browsing context</a> is to be rendered in a manner that makes it appear to be part of the
+ containing document (seamlessly included in the parent document).</p>
<div class=impl>
- <p>An <code><a href=#the-iframe-element>iframe</a></code> element is said to be <dfn id=in-seamless-mode>in seamless
- mode</dfn> when all of the following conditions are met:</p>
+ <p>An <code><a href=#the-iframe-element>iframe</a></code> element is said to be <dfn id=in-seamless-mode>in seamless mode</dfn> when all of the
+ following conditions are met:</p>
- <ul><li>The <code title=attr-iframe-seamless><a href=#attr-iframe-seamless>seamless</a></code>
- attribute is set on the <code><a href=#the-iframe-element>iframe</a></code> element, and
+ <ul><li>The <code title=attr-iframe-seamless><a href=#attr-iframe-seamless>seamless</a></code> attribute is set on the
+ <code><a href=#the-iframe-element>iframe</a></code> element, and
- <li>The <code><a href=#the-iframe-element>iframe</a></code> element's owner <code><a href=#document>Document</a></code>'s
- <a href=#active-sandboxing-flag-set>active sandboxing flag set</a> does not have the
- <a href=#sandboxed-seamless-iframes-flag>sandboxed seamless iframes flag</a> set, and
+ <li>The <code><a href=#the-iframe-element>iframe</a></code> element's owner <code><a href=#document>Document</a></code>'s <a href=#active-sandboxing-flag-set>active sandboxing flag
+ set</a> does not have the <a href=#sandboxed-seamless-iframes-flag>sandboxed seamless iframes flag</a> set, and
<li>Either:
- <ul><li>The <a href=#browsing-context>browsing context</a>'s <a href=#active-document>active
- document</a> has the <a href=#same-origin>same origin</a> as the
+ <ul><li>The <a href=#browsing-context>browsing context</a>'s <a href=#active-document>active document</a> has the <a href=#same-origin>same
+ origin</a> as the <code><a href=#the-iframe-element>iframe</a></code> element's <code><a href=#document>Document</a></code>, or
+
+ <li>The <a href=#browsing-context>browsing context</a>'s <a href=#active-document>active document</a>'s <em><a href="#the-document's-address" title="the
+ document's address">address</a></em> has the <a href=#same-origin>same origin</a> as the
<code><a href=#the-iframe-element>iframe</a></code> element's <code><a href=#document>Document</a></code>, or
- <li>The <a href=#browsing-context>browsing context</a>'s <a href=#active-document>active
- document</a>'s <em><a href="#the-document's-address" title="the document's
- address">address</a></em> has the <a href=#same-origin>same origin</a> as
- the <code><a href=#the-iframe-element>iframe</a></code> element's <code><a href=#document>Document</a></code>, or
+ <li>The <a href=#browsing-context>browsing context</a>'s <a href=#active-document>active document</a> is <a href=#an-iframe-srcdoc-document>an
+ <code>iframe</code> <code title=attr-iframe-srcdoc>srcdoc</code> document</a>.
- <li>The <a href=#browsing-context>browsing context</a>'s <a href=#active-document>active
- document</a> is <a href=#an-iframe-srcdoc-document>an <code>iframe</code> <code title=attr-iframe-srcdoc>srcdoc</code> document</a>.
-
</ul></li>
- </ul><p>When an <code><a href=#the-iframe-element>iframe</a></code> element is <a href=#in-seamless-mode>in seamless
- mode</a>, the following requirements apply:</p>
+ </ul><p>When an <code><a href=#the-iframe-element>iframe</a></code> element is <a href=#in-seamless-mode>in seamless mode</a>, the following
+ requirements apply:</p>
- <ul><li><p>The user agent must set the <dfn id=seamless-browsing-context-flag>seamless browsing context
- flag</dfn> to true for that <a href=#browsing-context>browsing context</a>. This
- will <a href=#seamlessLinks>cause links to open in the parent
- browsing context</a> unless an <a href=#explicit-self-navigation-override>explicit self-navigation
- override</a> is used (<code title="">target="_self"</code>).</li>
+ <ul><li><p>The user agent must set the <dfn id=seamless-browsing-context-flag>seamless browsing context flag</dfn> to true for that
+ <a href=#browsing-context>browsing context</a>. This will <a href=#seamlessLinks>cause links to open in the
+ parent browsing context</a> unless an <a href=#explicit-self-navigation-override>explicit self-navigation override</a> is used
+ (<code title="">target="_self"</code>).</li>
- <li><p>Media queries in the context of the <code><a href=#the-iframe-element>iframe</a></code>'s
- <a href=#browsing-context>browsing context</a> (e.g. on <code title=attr-style-media><a href=#attr-style-media>media</a></code> attributes of
- <code><a href=#the-style-element>style</a></code> elements in <code><a href=#document>Document</a></code>s in that
- <code><a href=#the-iframe-element>iframe</a></code>) must be evaluated with respect to the nearest
- <a href=#ancestor-browsing-context>ancestor browsing context</a> that is not itself being
- <a href=#browsing-context-nested-through title="browsing context nested through">nested through</a>
- an <code><a href=#the-iframe-element>iframe</a></code> that is <a href=#in-seamless-mode>in seamless
+ <li><p>Media queries in the context of the <code><a href=#the-iframe-element>iframe</a></code>'s <a href=#browsing-context>browsing context</a>
+ (e.g. on <code title=attr-style-media><a href=#attr-style-media>media</a></code> attributes of <code><a href=#the-style-element>style</a></code> elements in
+ <code><a href=#document>Document</a></code>s in that <code><a href=#the-iframe-element>iframe</a></code>) must be evaluated with respect to the nearest
+ <a href=#ancestor-browsing-context>ancestor browsing context</a> that is not itself being <a href=#browsing-context-nested-through title="browsing context
+ nested through">nested through</a> an <code><a href=#the-iframe-element>iframe</a></code> that is <a href=#in-seamless-mode>in seamless
mode</a>. <a href=#refsMQ>[MQ]</a></li>
- <li><p>In a CSS-supporting user agent: the user agent must add all
- the style sheets that apply to the <code><a href=#the-iframe-element>iframe</a></code> element to
- the cascade of the <a href=#active-document>active document</a> of the
- <code><a href=#the-iframe-element>iframe</a></code> element's <a href=#nested-browsing-context>nested browsing context</a>,
- at the appropriate cascade levels, before any style sheets
- specified by the document itself.</li>
+ <li><p>In a CSS-supporting user agent: the user agent must add all the style sheets that apply to
+ the <code><a href=#the-iframe-element>iframe</a></code> element to the cascade of the <a href=#active-document>active document</a> of the
+ <code><a href=#the-iframe-element>iframe</a></code> element's <a href=#nested-browsing-context>nested browsing context</a>, at the appropriate cascade
+ levels, before any style sheets specified by the document itself.</li>
- <li><p>In a CSS-supporting user agent: the user agent must, for the
- purpose of CSS property inheritance only, treat the root element of
- the <a href=#active-document>active document</a> of the <code><a href=#the-iframe-element>iframe</a></code>
- element's <a href=#nested-browsing-context>nested browsing context</a> as being a child of
- the <code><a href=#the-iframe-element>iframe</a></code> element. (Thus inherited properties on the
- root element of the document in the <code><a href=#the-iframe-element>iframe</a></code> will
- inherit the computed values of those properties on the
- <code><a href=#the-iframe-element>iframe</a></code> element instead of taking their initial
- values.)</li>
+ <li><p>In a CSS-supporting user agent: the user agent must, for the purpose of CSS property
+ inheritance only, treat the root element of the <a href=#active-document>active document</a> of the
+ <code><a href=#the-iframe-element>iframe</a></code> element's <a href=#nested-browsing-context>nested browsing context</a> as being a child of the
+ <code><a href=#the-iframe-element>iframe</a></code> element. (Thus inherited properties on the root element of the document in
+ the <code><a href=#the-iframe-element>iframe</a></code> will inherit the computed values of those properties on the
+ <code><a href=#the-iframe-element>iframe</a></code> element instead of taking their initial values.)</li>
- <li><p>In visual media, in a CSS-supporting user agent: the user
- agent should set the intrinsic width of the <code><a href=#the-iframe-element>iframe</a></code> to
- the width that the element would have if it was a non-replaced
- block-level element with 'width: auto', unless that width would be
- zero (e.g. if the element is floating or absolutely positioned), in
- which case the user agent should set the intrinsic width of the
- <code><a href=#the-iframe-element>iframe</a></code> to the shrink-to-fit width of the root element
- (if any) of the content rendered in the
- <code><a href=#the-iframe-element>iframe</a></code>.</li>
+ <li><p>In visual media, in a CSS-supporting user agent: the user agent should set the intrinsic
+ width of the <code><a href=#the-iframe-element>iframe</a></code> to the width that the element would have if it was a
+ non-replaced block-level element with 'width: auto', unless that width would be zero (e.g. if the
+ element is floating or absolutely positioned), in which case the user agent should set the
+ intrinsic width of the <code><a href=#the-iframe-element>iframe</a></code> to the shrink-to-fit width of the root element (if
+ any) of the content rendered in the <code><a href=#the-iframe-element>iframe</a></code>.</li>
- <li><p>In visual media, in a CSS-supporting user agent: the user
- agent should set the intrinsic height of the <code><a href=#the-iframe-element>iframe</a></code> to
- the shortest height that would make the content rendered in the
- <code><a href=#the-iframe-element>iframe</a></code> at its current width (as given in the previous
- bullet point) have no scrollable overflow at its bottom edge<!--,
- if the scrolling position was such that the top of the viewport for
- the content rendered in the <code>iframe</code> was aligned with
- the origin of that content's canvas-->. Scrollable overflow is any
- overflow that would increase the range to which a scrollbar or
- other scrolling mechanism can scroll.</li>
+ <li><p>In visual media, in a CSS-supporting user agent: the user agent should set the intrinsic
+ height of the <code><a href=#the-iframe-element>iframe</a></code> to the shortest height that would make the content rendered in
+ the <code><a href=#the-iframe-element>iframe</a></code> at its current width (as given in the previous bullet point) have no
+ scrollable overflow at its bottom edge<!--, if the scrolling position was such that the top of
+ the viewport for the content rendered in the <code>iframe</code> was aligned with the origin of
+ that content's canvas-->. Scrollable overflow is any overflow that would increase the range to
+ which a scrollbar or other scrolling mechanism can scroll.</li>
<li>
- <p>In visual media, in a CSS-supporting user agent: the user agent
- must force the height of the initial containing block of the
- <a href=#active-document>active document</a> of the <a href=#nested-browsing-context>nested browsing
+ <p>In visual media, in a CSS-supporting user agent: the user agent must force the height of the
+ initial containing block of the <a href=#active-document>active document</a> of the <a href=#nested-browsing-context>nested browsing
context</a> of the <code><a href=#the-iframe-element>iframe</a></code> to zero.</p>
- <p class=note>This is intended to get around the otherwise
- circular dependency of percentage dimensions that depend on the
- height of the containing block, thus affecting the height of the
- document's bounding box, thus affecting the height of the
- viewport, thus affecting the size of the initial containing
- block.</p>
+ <p class=note>This is intended to get around the otherwise circular dependency of percentage
+ dimensions that depend on the height of the containing block, thus affecting the height of the
+ document's bounding box, thus affecting the height of the viewport, thus affecting the size of
+ the initial containing block.</p>
</li>
- <li><p>In speech media, the user agent should render the <a href=#nested-browsing-context>nested
- browsing context</a> without announcing that it is a separate
- document.</li>
+ <li><p>In speech media, the user agent should render the <a href=#nested-browsing-context>nested browsing context</a>
+ without announcing that it is a separate document.</li>
<li>
- <p>User agents should, in general, act as if the <a href=#active-document>active
- document</a> of the <code><a href=#the-iframe-element>iframe</a></code>'s <a href=#nested-browsing-context>nested browsing
- context</a> was part of the document that the
+ <p>User agents should, in general, act as if the <a href=#active-document>active document</a> of the
+ <code><a href=#the-iframe-element>iframe</a></code>'s <a href=#nested-browsing-context>nested browsing context</a> was part of the document that the
<code><a href=#the-iframe-element>iframe</a></code> is in, if any.</p>
- <p class=example>For example if the user agent supports listing
- all the links in a document, links in "seamlessly" nested
- documents would be included in that list without being
+ <p class=example>For example if the user agent supports listing all the links in a document,
+ links in "seamlessly" nested documents would be included in that list without being
significantly distinguished from links in the document itself.</p>
</li>
- </ul><p>If the attribute is not specified, or if the <a href=#origin>origin</a>
- conditions listed above are not met, then the user agent should
- render the <a href=#nested-browsing-context>nested browsing context</a> in a manner that is
- clearly distinguishable as a separate <a href=#browsing-context>browsing context</a>,
- and the <a href=#seamless-browsing-context-flag>seamless browsing context flag</a> must be set to
- false for that <a href=#browsing-context>browsing context</a>.</p>
+ </ul><p>If the attribute is not specified, or if the <a href=#origin>origin</a> conditions listed above are
+ not met, then the user agent should render the <a href=#nested-browsing-context>nested browsing context</a> in a manner
+ that is clearly distinguishable as a separate <a href=#browsing-context>browsing context</a>, and the
+ <a href=#seamless-browsing-context-flag>seamless browsing context flag</a> must be set to false for that <a href=#browsing-context>browsing
+ context</a>.</p>
- <p class=warning>It is important that user agents recheck the
- above conditions whenever the <a href=#active-document>active document</a> of the
- <a href=#nested-browsing-context>nested browsing context</a> of the <code><a href=#the-iframe-element>iframe</a></code>
- changes, such that the <a href=#seamless-browsing-context-flag>seamless browsing context flag</a>
- gets unset if the <a href=#nested-browsing-context>nested browsing context</a> is <a href=#navigate title=navigate>navigated</a> to another origin.</p>
+ <p class=warning>It is important that user agents recheck the above conditions whenever the
+ <a href=#active-document>active document</a> of the <a href=#nested-browsing-context>nested browsing context</a> of the
+ <code><a href=#the-iframe-element>iframe</a></code> changes, such that the <a href=#seamless-browsing-context-flag>seamless browsing context flag</a> gets unset
+ if the <a href=#nested-browsing-context>nested browsing context</a> is <a href=#navigate title=navigate>navigated</a> to another
+ origin.</p>
</div>
- <p class=note>The attribute can be set or removed dynamically,
- with the rendering updating in tandem.</p>
+ <p class=note>The attribute can be set or removed dynamically, with the rendering updating in
+ tandem.</p>
<div class=example>
- <p>In this example, the site's navigation is embedded using a
- client-side include using an <code><a href=#the-iframe-element>iframe</a></code>. Any links in the
- <code><a href=#the-iframe-element>iframe</a></code> will, in new user agents, be automatically
- opened in the <code><a href=#the-iframe-element>iframe</a></code>'s parent browsing context; for
- legacy user agents, the site could also include a <code><a href=#the-base-element>base</a></code>
- element with a <code title=attr-base-target><a href=#attr-base-target>target</a></code>
- attribute with the value <code title="">_parent</code>. Similarly,
- in new user agents the styles of the parent page will be
- automatically applied to the contents of the frame, but to support
- legacy user agents authors might wish to include the styles
+ <p>In this example, the site's navigation is embedded using a client-side include using an
+ <code><a href=#the-iframe-element>iframe</a></code>. Any links in the <code><a href=#the-iframe-element>iframe</a></code> will, in new user agents, be
+ automatically opened in the <code><a href=#the-iframe-element>iframe</a></code>'s parent browsing context; for legacy user
+ agents, the site could also include a <code><a href=#the-base-element>base</a></code> element with a <code title=attr-base-target><a href=#attr-base-target>target</a></code> attribute with the value <code title="">_parent</code>.
+ Similarly, in new user agents the styles of the parent page will be automatically applied to the
+ contents of the frame, but to support legacy user agents authors might wish to include the styles
explicitly.</p>
<pre><nav><iframe seamless src="nav.include.html"></iframe></nav></pre>
</div>
- <p class=note>The <code title=attr-contenteditable><a href=#attr-contenteditable>contenteditable</a></code> attribute does
- not propagate into <code title=attr-iframe-seamless><a href=#attr-iframe-seamless>seamless</a></code>
- <code><a href=#the-iframe-element>iframe</a></code>s.</p>
+ <p class=note>The <code title=attr-contenteditable><a href=#attr-contenteditable>contenteditable</a></code> attribute does not
+ propagate into <code title=attr-iframe-seamless><a href=#attr-iframe-seamless>seamless</a></code> <code><a href=#the-iframe-element>iframe</a></code>s.</p>
- <hr><p>The <code><a href=#the-iframe-element>iframe</a></code> element supports <a href=#dimension-attributes>dimension
- attributes</a> for cases where the embedded content has specific
- dimensions (e.g. ad units have well-defined dimensions).</p>
- <p>An <code><a href=#the-iframe-element>iframe</a></code> element never has <a href=#fallback-content>fallback
- content</a>, as it will always create a nested <a href=#browsing-context>browsing
- context</a>, regardless of whether the specified initial contents
- are successfully used.</p>
+ <hr><!-- DIM ATTRIBUTES --><p>The <code><a href=#the-iframe-element>iframe</a></code> element supports <a href=#dimension-attributes>dimension attributes</a> for cases where the
+ embedded content has specific dimensions (e.g. ad units have well-defined dimensions).</p>
- <p>Descendants of <code><a href=#the-iframe-element>iframe</a></code> elements represent
- nothing. (In legacy user agents that do not support
- <code><a href=#the-iframe-element>iframe</a></code> elements, the contents would be parsed as markup
- that could act as fallback content.)</p>
+ <p>An <code><a href=#the-iframe-element>iframe</a></code> element never has <a href=#fallback-content>fallback content</a>, as it will always
+ create a nested <a href=#browsing-context>browsing context</a>, regardless of whether the specified initial
+ contents are successfully used.</p>
- <p id=iframe-content-model>When used in <a href=#html-documents>HTML
- documents</a>, the allowed content model of <code><a href=#the-iframe-element>iframe</a></code>
- elements is text, except that invoking the <a href=#html-fragment-parsing-algorithm>HTML fragment
- parsing algorithm</a> with the <code><a href=#the-iframe-element>iframe</a></code> element as the
- <var title=concept-frag-parse-context><a href=#concept-frag-parse-context>context</a></var> element and
- the text contents as the <var title="">input</var> must result in a
- list of nodes that are all <a href=#phrasing-content>phrasing content</a>, with no
- <a href=#parse-error title="parse error">parse errors</a> having occurred, with
- no <code><a href=#the-script-element>script</a></code> elements being anywhere in the list or as
- descendants of elements in the list, and with all the elements in
- the list (including their descendants) being themselves
- conforming.</p>
- <p>The <code><a href=#the-iframe-element>iframe</a></code> element must be empty in <a href=#xml-documents>XML
- documents</a>.</p>
+ <hr><!-- FALLBACK --><p>Descendants of <code><a href=#the-iframe-element>iframe</a></code> elements represent nothing. (In legacy user agents that do
+ not support <code><a href=#the-iframe-element>iframe</a></code> elements, the contents would be parsed as markup that could act as
+ fallback content.)</p>
- <p class=note>The <a href=#html-parser>HTML parser</a> treats markup inside
- <code><a href=#the-iframe-element>iframe</a></code> elements as text.</p>
+ <p id=iframe-content-model>When used in <a href=#html-documents>HTML documents</a>, the allowed content model
+ of <code><a href=#the-iframe-element>iframe</a></code> elements is text, except that invoking the <a href=#html-fragment-parsing-algorithm>HTML fragment parsing
+ algorithm</a> with the <code><a href=#the-iframe-element>iframe</a></code> element as the <var title=concept-frag-parse-context><a href=#concept-frag-parse-context>context</a></var> element and the text contents as the <var title="">input</var> must result in a list of nodes that are all <a href=#phrasing-content>phrasing content</a>,
+ with no <a href=#parse-error title="parse error">parse errors</a> having occurred, with no <code><a href=#the-script-element>script</a></code>
+ elements being anywhere in the list or as descendants of elements in the list, and with all the
+ elements in the list (including their descendants) being themselves conforming.</p>
+ <p>The <code><a href=#the-iframe-element>iframe</a></code> element must be empty in <a href=#xml-documents>XML documents</a>.</p>
+
+ <p class=note>The <a href=#html-parser>HTML parser</a> treats markup inside <code><a href=#the-iframe-element>iframe</a></code> elements as
+ text.</p>
+
+
<div class=impl>
- <p>The IDL attributes <dfn id=dom-iframe-src title=dom-iframe-src><code>src</code></dfn>, <dfn id=dom-iframe-srcdoc title=dom-iframe-srcdoc><code>srcdoc</code></dfn>, <dfn id=dom-iframe-name title=dom-iframe-name><code>name</code></dfn>, <dfn id=dom-iframe-sandbox title=dom-iframe-sandbox><code>sandbox</code></dfn>, and <dfn id=dom-iframe-seamless title=dom-iframe-seamless><code>seamless</code></dfn> must
- <a href=#reflect>reflect</a> the respective content attributes of the same
- name.</p>
+ <hr><!-- DOM --><p>The IDL attributes <dfn id=dom-iframe-src title=dom-iframe-src><code>src</code></dfn>, <dfn id=dom-iframe-srcdoc title=dom-iframe-srcdoc><code>srcdoc</code></dfn>, <dfn id=dom-iframe-name title=dom-iframe-name><code>name</code></dfn>, <dfn id=dom-iframe-sandbox title=dom-iframe-sandbox><code>sandbox</code></dfn>, and <dfn id=dom-iframe-seamless title=dom-iframe-seamless><code>seamless</code></dfn> must <a href=#reflect>reflect</a> the respective
+ content attributes of the same name.</p>
- <p>The <dfn id=dom-iframe-contentdocument title=dom-iframe-contentDocument><code>contentDocument</code></dfn>
- IDL attribute must return the <code><a href=#document>Document</a></code> object of the
- <a href=#active-document>active document</a> of the <code><a href=#the-iframe-element>iframe</a></code> element's
- <a href=#nested-browsing-context>nested browsing context</a>, if any, or null otherwise.</p>
+ <p>The <dfn id=dom-iframe-contentdocument title=dom-iframe-contentDocument><code>contentDocument</code></dfn> IDL attribute
+ must return the <code><a href=#document>Document</a></code> object of the <a href=#active-document>active document</a> of the
+ <code><a href=#the-iframe-element>iframe</a></code> element's <a href=#nested-browsing-context>nested browsing context</a>, if any, or null otherwise.</p>
- <p>The <dfn id=dom-iframe-contentwindow title=dom-iframe-contentWindow><code>contentWindow</code></dfn>
- IDL attribute must return the <code><a href=#windowproxy>WindowProxy</a></code> object of the
- <code><a href=#the-iframe-element>iframe</a></code> element's <a href=#nested-browsing-context>nested browsing
- context</a>, if any, or null otherwise.</p>
+ <p>The <dfn id=dom-iframe-contentwindow title=dom-iframe-contentWindow><code>contentWindow</code></dfn> IDL attribute must
+ return the <code><a href=#windowproxy>WindowProxy</a></code> object of the <code><a href=#the-iframe-element>iframe</a></code> element's <a href=#nested-browsing-context>nested
+ browsing context</a>, if any, or null otherwise.</p>
</div>
<div class=example>
- <p>Here is an example of a page using an <code><a href=#the-iframe-element>iframe</a></code> to
- include advertising from an advertising broker:</p>
+ <p>Here is an example of a page using an <code><a href=#the-iframe-element>iframe</a></code> to include advertising from an
+ advertising broker:</p>
<pre><iframe src="http://ads.example.com/?customerid=923513721&format=banner"
width="468" height="60"></iframe></pre>
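Review bot: the new <hr><!-- FALLBACK --> separator lands one paragraph too late. The paragraph "An iframe element never has fallback content, as it will always create a nested browsing context ..." stays above it, directly after the dimension-attributes paragraph under <!-- DIM ATTRIBUTES -->, so the fallback discussion is split across the rule. Suggest moving the <hr><!-- FALLBACK --> up so that it precedes that paragraph. While the sandbox warning is being rewrapped anyway, "is set along with allow-same-origin keyword" could also gain its missing article ("along with the ... keyword"); the wording is carried over unchanged from the old text.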
Modified: source
===================================================================
--- source 2012-09-26 00:22:32 UTC (rev 7405)
+++ source 2012-09-26 03:27:07 UTC (rev 7406)
@@ -167,12 +167,7 @@
publication policies</a>.</li>
-->
- <li>The W3C HTML specification omits an example that references the
- schema.org microdata vocabulary as part of a compromise intended to
- resolve larger issues of divergence between the specifications.
- (Many other examples that reference schema.org and microdata are
- included apparently without issue, however.)</li><!-- "I put a bike
- bell on his bike." -->
+ <li>The W3C HTML specification omits mentions of microdata.</li>
<li>The W3C HTML specification defines conformance for documents in
a more traditional (version-orientated) way, because of <a
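Review bot: the replacement list item "The W3C HTML specification omits mentions of microdata." changes what the list of differences claims (previously only one omitted schema.org example, with its rationale), and the log message describes the commit only as editorial cleanup for <iframe>. Suggest either mentioning this change in the log or committing it separately. The new wording also has to hold against the next hunk: there the itemprop sentence for iframe loses its <!--END w3c-html--><!--MD--> and <!--START w3c-html--><!--MD--> wrapper and is folded into the src paragraph, and the added lines as shown carry no exclusion markers, so it is worth confirming that the W3C build still drops that sentence.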
@@ -28639,127 +28634,160 @@
</dd>
</dl><!--TOPIC:HTML-->
- <p>The <code>iframe</code> element <span>represents</span> a
- <span>nested browsing context</span>.</p>
+ <!-- INTRO -->
- <p>The <dfn title="attr-iframe-src"><code>src</code></dfn> attribute
- gives the address of a page that the <span>nested browsing
- context</span> is to contain. The attribute, if present, must be a
- <span>valid non-empty URL potentially surrounded by
- spaces</span>.</p>
+ <p>The <code>iframe</code> element <span>represents</span> a <span>nested browsing
+ context</span>.</p>
-<!--END w3c-html--><!--MD-->
- <p>If the <code title="attr-itemprop">itemprop</code> is specified
- on an <code>iframe</code> element, then the <code
- title="attr-iframe-src">src</code> attribute must also be
- specified.</p>
-<!--START w3c-html--><!--MD-->
- <p>The <dfn title="attr-iframe-srcdoc"><code>srcdoc</code></dfn>
- attribute gives the content of the page that the <span>nested
- browsing context</span> is to contain. The value of the attribute is
- the source of <dfn>an <code>iframe</code> <code
- title="attr-iframe-srcdoc">srcdoc</code> document</dfn>.</p>
+ <!-- SRC/SRCDOC -->
- <p>For <code>iframe</code> elements in <span>HTML documents</span>,
- the attribute, if present, must have a value using <span>the HTML
- syntax</span> that consists of the following syntactic components,
- in the given order:</p>
+ <p>The <dfn title="attr-iframe-src"><code>src</code></dfn> attribute gives the address of a page
+ that the <span>nested browsing context</span> is to contain. The attribute, if present, must be a
+ <span>valid non-empty URL potentially surrounded by spaces</span>. If the <code
+ title="attr-itemprop">itemprop</code> is specified on an <code>iframe</code> element, then the
+ <code title="attr-iframe-src">src</code> attribute must also be specified.</p>
+ <p>The <dfn title="attr-iframe-srcdoc"><code>srcdoc</code></dfn> attribute gives the content of
+ the page that the <span>nested browsing context</span> is to contain. The value of the attribute
+ is the source of <dfn>an <code>iframe</code> <code title="attr-iframe-srcdoc">srcdoc</code>
+ document</dfn>.</p>
+
+ <p>For <code>iframe</code> elements in <span>HTML documents</span>, the <code
+ title="attr-iframe-srcdoc">srcdoc</code> attribute, if present, must have a value using <span>the
+ HTML syntax</span> that consists of the following syntactic components, in the given order:</p>
+
<ol>
- <li>Any number of <span title="syntax-comments">comments</span> and
- <span title="space character">space characters</span>.</li>
+ <li>Any number of <span title="syntax-comments">comments</span> and <span title="space
+ character">space characters</span>.</li>
<li>Optionally, a <span title="syntax-doctype">DOCTYPE</span>.
- <li>Any number of <span title="syntax-comments">comments</span> and
- <span title="space character">space characters</span>.</li>
+ <li>Any number of <span title="syntax-comments">comments</span> and <span title="space
+ character">space characters</span>.</li>
<li>The root element, in the form of an <code>html</code> <span
title="syntax-elements">element</span>.</li>
- <li>Any number of <span title="syntax-comments">comments</span> and
- <span title="space character">space characters</span>.</li>
+ <li>Any number of <span title="syntax-comments">comments</span> and <span title="space
+ character">space characters</span>.</li>
</ol>
- <p>For <code>iframe</code> elements in <span>XML documents</span>,
- the attribute, if present, must have a value that matches the
- production labeled <code title="">document</code> in the XML
- specification. <a href="#refsXML">[XML]</a></p>
+ <p>For <code>iframe</code> elements in <span>XML documents</span>, the <code
+ title="attr-iframe-srcdoc">srcdoc</code> attribute, if present, must have a value that matches the
+ production labeled <code title="">document</code> in the XML specification. <a
+ href="#refsXML">[XML]</a></p>
- <p>If the <code title="attr-iframe-src">src</code> attribute and the
- <code title="attr-iframe-srcdoc">srcdoc</code> attribute are both
- specified together, the <code title="attr-iframe-srcdoc">srcdoc</code>
- attribute takes priority. This allows authors to provide a fallback
- <span>URL</span> for legacy user agents that do not support the
- <code title="attr-iframe-srcdoc">srcdoc</code> attribute.</p>
+ <div class="example">
+ <p>Here a blog uses the <code title="attr-iframe-srcdoc">srcdoc</code> attribute in conjunction
+ with the <code title="attr-iframe-sandbox">sandbox</code> and <code
+ title="attr-iframe-seamless">seamless</code> attributes described below to provide users of user
+ agents that support this feature with an extra layer of protection from script injection in the
+ blog post comments:</p>
+
+ <pre><article>
+ <h1>I got my own magazine!</h1>
+ <p>After much effort, I've finally found a publisher, and so now I
+ have my own magazine! Isn't that awesome?! The first issue will come
+ out in September, and we have articles about getting food, and about
+ getting in boxes, it's going to be great!</p>
+ <footer>
+ <p>Written by <a href="/users/cap">cap</a>, 1 hour ago.
+ </footer>
+ <article>
+ <footer> Thirteen minutes ago, <a href="/users/ch">ch</a> wrote: </footer>
+ <iframe seamless sandbox srcdoc="<p>did you get a cover picture yet?"></iframe>
+ </article>
+ <article>
+ <footer> Nine minutes ago, <a href="/users/cap">cap</a> wrote: </footer>
+ <iframe seamless sandbox srcdoc="<p>Yeah, you can see it <a href="/gallery?mode=cover&amp;page=1">in my gallery</a>."></iframe>
+ </article>
+ <article>
+ <footer> Five minutes ago, <a href="/users/ch">ch</a> wrote: </footer>
+ <iframe seamless sandbox srcdoc="<p>hey that's earl's table.
+<p>you should get earl&amp;me on the next cover."></iframe>
+ </article></pre>
+
+ <p>Notice the way that quotes have to be escaped (otherwise the <code
+ title="attr-iframe-srcdoc">srcdoc</code> attribute would end prematurely), and the way raw
+ ampersands (e.g. in URLs or in prose) mentioned in the sandboxed content have to be
+ <em>doubly</em> escaped — once so that the ampersand is preserved when originally parsing
+ the <code title="attr-iframe-srcdoc">srcdoc</code> attribute, and once more to prevent the
+ ampersand from being misinterpreted when parsing the sandboxed content.</p>
+
+ </div>
+
+ <p class="note">In <span>the HTML syntax</span>, authors need only remember to use U+0022
+ QUOTATION MARK characters (") to wrap the attribute contents and then to escape all U+0022
+ QUOTATION MARK (") and U+0026 AMPERSAND (&) characters, and to specify the <code
+ title="attr-iframe-sandbox">sandbox</code> attribute, to ensure safe embedding of content.</p>
+
+ <p class="note">Due to restrictions of <span>the XHTML syntax</span>, in XML the U+003C LESS-THAN
+ SIGN character (<) needs to be escaped as well. In order to prevent <a
+ href="http://www.w3.org/TR/REC-xml/#AVNormalize">attribute-value normalization</a>, some of XML's
+ whitespace characters — specifically U+0009 CHARACTER TABULATION (tab), U+000A LINE FEED
+ (LF), and U+000D CARRIAGE RETURN (CR) — also need to be escaped. <a
+ href="#refsXML">[XML]</a></p>
+
+ <p class="note">If the <code title="attr-iframe-src">src</code> attribute and the <code
+ title="attr-iframe-srcdoc">srcdoc</code> attribute are both specified together, the <code
+ title="attr-iframe-srcdoc">srcdoc</code> attribute takes priority. This allows authors to provide
+ a fallback <span>URL</span> for legacy user agents that do not support the <code
+ title="attr-iframe-srcdoc">srcdoc</code> attribute.</p>
+
+
<div class="impl">
- <p>When an <code>iframe</code> element is <span title="insert an
- element into a document">inserted into a document</span>, the user
- agent must create a <span>nested browsing context</span>, and then
- <span>process the <code>iframe</code> attributes</span> for the
- first time.</p>
+ <hr> <!-- SRC/SRCDOC PROCESSING MODEL -->
- <p>When an <code>iframe</code> element is <span title="remove an
- element from a document">removed from a document</span>, the user
- agent must <span title="a browsing context is
- discarded">discard</span> the <span>nested browsing
- context</span>.</p>
+ <p>When an <code>iframe</code> element is <span title="insert an element into a document">inserted
+ into a document</span>, the user agent must create a <span>nested browsing context</span>, and
+ then <span>process the <code>iframe</code> attributes</span> for the first time.</p>
- <p class="note">This happens without any <code
- title="event-unload">unload</code> events firing (the <span>nested
- browsing context</span> and its <code>Document</code> are <em
- title="a browsing context is discarded">discarded</em>, not <em
- title="unload a document">unloaded</em>).</p>
+ <p>When an <code>iframe</code> element is <span title="remove an element from a document">removed
+ from a document</span>, the user agent must <span title="a browsing context is
+ discarded">discard</span> the <span>nested browsing context</span>.</p>
+ <p class="note">This happens without any <code title="event-unload">unload</code> events firing
+ (the <span>nested browsing context</span> and its <code>Document</code> are <em title="a browsing
+ context is discarded">discarded</em>, not <em title="unload a document">unloaded</em>).</p>
+
<!-- START of section that's very similar to <frame> -->
- <p>Whenever an <code>iframe</code> element with a <span>nested
- browsing context</span> has its <code
- title="attr-iframe-srcdoc">srcdoc</code> attribute set, changed, or
- removed, the user agent must <span>process the <code>iframe</code>
- attributes</span>.</p>
+ <p>Whenever an <code>iframe</code> element with a <span>nested browsing context</span> has its
+ <code title="attr-iframe-srcdoc">srcdoc</code> attribute set, changed, or removed, the user agent
+ must <span>process the <code>iframe</code> attributes</span>.</p>
- <p>Similarly, whenever an <code>iframe</code> element with a
- <span>nested browsing context</span> but with no <code
- title="attr-iframe-srcdoc">srcdoc</code> attribute specified has its
- <code title="attr-iframe-src">src</code> attribute set, changed, or
- removed, the user agent must <span>process the <code>iframe</code>
- attributes</span>.</p> <!-- It doesn't happen when the base URL is
- changed, though. -->
+ <p>Similarly, whenever an <code>iframe</code> element with a <span>nested browsing context</span>
+ but with no <code title="attr-iframe-srcdoc">srcdoc</code> attribute specified has its <code
+ title="attr-iframe-src">src</code> attribute set, changed, or removed, the user agent must
+ <span>process the <code>iframe</code> attributes</span>.</p> <!-- It doesn't happen when the base
+ URL is changed, though. -->
- <p>When the user agent is to <dfn>process the <code>iframe</code>
- attributes</dfn>, it must run the first appropriate steps from the
- following list:</p>
+ <p>When the user agent is to <dfn>process the <code>iframe</code> attributes</dfn>, it must run
+ the first appropriate steps from the following list:</p>
<dl class="switch">
- <dt>If the <code title="attr-iframe-srcdoc">srcdoc</code> attribute
- is specified</dt>
+ <dt>If the <code title="attr-iframe-srcdoc">srcdoc</code> attribute is specified</dt>
- <dd><p><span>Navigate</span><!--DONAV iframe--> the element's
- <span>child browsing context</span> to a resource whose
- <span>Content-Type</span> is <code>text/html</code>, whose
- <span>URL</span> is <code>about:srcdoc</code>, and whose data
- consists of the value of the attribute. The resulting
- <code>Document</code> must be considered <span>an
- <code>iframe</code> <code title="attr-iframe-srcdoc">srcdoc</code>
- document</span>.</p></dd>
+ <dd><p><span>Navigate</span><!--DONAV iframe--> the element's <span>child browsing context</span>
+ to a resource whose <span>Content-Type</span> is <code>text/html</code>, whose <span>URL</span>
+ is <code>about:srcdoc</code>, and whose data consists of the value of the attribute. The
+ resulting <code>Document</code> must be considered <span>an <code>iframe</code> <code
+ title="attr-iframe-srcdoc">srcdoc</code> document</span>.</p></dd>
- <dt>Otherwise, if the element has no <code
- title="attr-iframe-src">src</code> attribute specified, and the
- user agent is processing the <code>iframe</code>'s attributes for
- the first time</dt>
+ <dt>Otherwise, if the element has no <code title="attr-iframe-src">src</code> attribute
+ specified, and the user agent is processing the <code>iframe</code>'s attributes for the first
+ time</dt>
<dd>
- <p><span>Queue a task</span> to <span>fire a simple event</span>
- named <code title="event-load">load</code> at the
- <code>iframe</code> element.</p>
+ <p><span>Queue a task</span> to <span>fire a simple event</span> named <code
+ title="event-load">load</code> at the <code>iframe</code> element.</p>
</dd>
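Review bot: the paragraph on src and srcdoc being specified together goes from a plain <p> to <p class="note">, which is a change of status in a commit logged as having no normative effect. The precedence itself still follows from the "process the iframe attributes" switch, whose first case is "If the srcdoc attribute is specified", so the demotion looks safe, but the log should say so. Separately, the itemprop sentence loses its "<!--END w3c-html--><!--MD-->" / "<!--START w3c-html--><!--MD-->" wrapper when it is folded into the src paragraph; if those markers are what keeps the sentence out of the W3C copy, the merged paragraph needs an equivalent.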
@@ -28771,26 +28799,22 @@
<li>
- <p>If the value of the <code title="attr-iframe-src">src</code>
- attribute is the empty string, let <var title="">url</var> be
- the string "<code>about:blank</code>".</p>
+ <p>If the value of the <code title="attr-iframe-src">src</code> attribute is the empty string,
+ let <var title="">url</var> be the string "<code>about:blank</code>".</p>
- <p>Otherwise, <span title="resolve a url">resolve</span> the
- value of the <code title="attr-iframe-src">src</code> attribute,
- relative to the <code>iframe</code> element.</p>
+ <p>Otherwise, <span title="resolve a url">resolve</span> the value of the <code
+ title="attr-iframe-src">src</code> attribute, relative to the <code>iframe</code> element.</p>
- <p>If that is not successful, then let <var title="">url</var>
- be the string "<code>about:blank</code>". Otherwise, let <var
- title="">url</var> be the resulting <span>absolute
- URL</span>.</p>
+ <p>If that is not successful, then let <var title="">url</var> be the string
+ "<code>about:blank</code>". Otherwise, let <var title="">url</var> be the resulting
+ <span>absolute URL</span>.</p>
</li>
<li>
- <p><span>Navigate</span><!--DONAV iframe--> the element's
- <span>child browsing context</span> to <var
- title="">url</var>.</p>
+ <p><span>Navigate</span><!--DONAV iframe--> the element's <span>child browsing context</span>
+ to <var title="">url</var>.</p>
</li>
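Review bot: consider landing the pure re-wrap of these list items as its own revision, separate from the paragraph moves in the neighbouring hunks. Nothing in the url steps changes here except line breaks, and mixing that with relocated text makes the "no normative effect" claim harder to check line for line.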
@@ -28800,210 +28824,120 @@
</dl>
- <p>Any <span title="navigate">navigation</span> required of the user
- agent in the <span>process the <code>iframe</code> attributes</span>
- algorithm must be completed as an <span>explicit self-navigation
- override</span> and with the <code>iframe</code> element's
- document's <span>browsing context</span> as the <span>source
- browsing context</span>.</p>
+ <p>Any <span title="navigate">navigation</span> required of the user agent in the <span>process
+ the <code>iframe</code> attributes</span> algorithm must be completed as an <span>explicit
+ self-navigation override</span> and with the <code>iframe</code> element's document's
+ <span>browsing context</span> as the <span>source browsing context</span>.</p>
- <p>Furthermore, if the <span>active document</span> of the element's
- <span>child browsing context</span> before such a <span
- title="navigate">navigation</span> was not <span>completely
- loaded</span> at the time of the new <span
- title="navigate">navigation</span>, then the <span
- title="navigate">navigation</span> must be completed with
- <span>replacement enabled</span>.</p>
+ <p>Furthermore, if the <span>active document</span> of the element's <span>child browsing
+ context</span> before such a <span title="navigate">navigation</span> was not <span>completely
+ loaded</span> at the time of the new <span title="navigate">navigation</span>, then the <span
+ title="navigate">navigation</span> must be completed with <span>replacement enabled</span>.</p>
- <p>Similarly, if the <span>child browsing context</span>'s
- <span>session history</span> contained only one
- <code>Document</code> when the <span>process the <code>iframe</code>
- attributes</span> algorithm was invoked, and that was the
- <code>about:blank</code> <code>Document</code> created when the
- <span>child browsing context</span> was created, then any <span
- title="navigate">navigation</span> required of the user agent in
- that algorithm must be completed with <span>replacement
- enabled</span>.</p> <!-- see also the note near similar text for the
+ <p>Similarly, if the <span>child browsing context</span>'s <span>session history</span> contained
+ only one <code>Document</code> when the <span>process the <code>iframe</code> attributes</span>
+ algorithm was invoked, and that was the <code>about:blank</code> <code>Document</code> created
+ when the <span>child browsing context</span> was created, then any <span
+ title="navigate">navigation</span> required of the user agent in that algorithm must be completed
+ with <span>replacement enabled</span>.</p> <!-- see also the note near similar text for the
location.assign() method -->
- </div>
+ <p>When content loads in an <code>iframe</code>, after any <code title="event-load">load</code>
+ events are fired within the content itself, <!-- XXX bug 16829 --> the user agent must <span>queue
+ a task</span> to <span>fire a simple event</span> named <code title="event-load">load</code> at
+ the <code>iframe</code> element. When content whose <span>URL</span> has the <span>same
+ origin</span> as the <code>iframe</code> element's <code>Document</code> fails to load (e.g. due
+ to a DNS error, network error, or if the server returned a 4xx or 5xx status code <span
+ title="concept-http-equivalent-codes">or equivalent</span>), then the user agent must <span>queue
+ a task</span> to <span>fire a simple event</span> named <code title="event-error">error</code> at
+ the element instead. (This event does not fire for <span title="parse error">parse errors</span>,
+ script errors, or any errors for cross-origin resources.)</p>
- <!-- END of section that's very similar to <frame> -->
+ <p>The <span>task source</span> for these <span title="concept-task">tasks</span> is the <span>DOM
+ manipulation task source</span>.</p>
- <p class="note">If, when the element is created, the <code
- title="attr-iframe-srcdoc">srcdoc</code> attribute is not set, and
- the <code title="attr-iframe-src">src</code> attribute is either
- also not set or set but its value cannot be <span title="resolve a
- url">resolved</span>, the browsing context will remain at the
- initial <code>about:blank</code> page.</p>
+ <p class="note">A <code title="event-load">load</code> event is also fired at the
+ <code>iframe</code> element when it is created if no other data is loaded in it.</p>
- <p class="note">If the user <span title="navigate">navigates</span>
- away from this page, the <code>iframe</code>'s corresponding
- <code>WindowProxy</code> object will proxy new <code>Window</code>
- objects for new <code>Document</code> objects, but the <code
- title="attr-iframe-src">src</code> attribute will not change.</p>
+ <p>When the <code>iframe</code>'s <span>active document</span> is not <span>ready for post-load
+ tasks</span>, and when anything in the <code>iframe</code> is <span title="delay the load
+ event">delaying the load event</span> of the <code>iframe</code>'s <span>browsing context</span>'s
+ <span>active document</span>, the <code>iframe</code> must <span>delay the load event</span> of
+ its document.</p>
- <div class="example">
+ <p class="note">If, during the handling of the <code title="event-load">load</code> event, the
+ <span>browsing context</span> in the <code>iframe</code> is again <span
+ title="navigate">navigated</span>, that will further <span>delay the load event</span>.</p>
- <p>Here a blog uses the <code
- title="attr-iframe-srcdoc">srcdoc</code> attribute in conjunction
- with the <code title="attr-iframe-sandbox">sandbox</code> and <code
- title="attr-iframe-seamless">seamless</code> attributes described
- below to provide users of user agents that support this feature
- with an extra layer of protection from script injection in the blog
- post comments:</p>
+ </div>
- <pre><article>
- <h1>I got my own magazine!</h1>
- <p>After much effort, I've finally found a publisher, and so now I
- have my own magazine! Isn't that awesome?! The first issue will come
- out in September, and we have articles about getting food, and about
- getting in boxes, it's going to be great!</p>
- <footer>
- <p>Written by <a href="/users/cap">cap</a>, 1 hour ago.
- </footer>
- <article>
- <footer> Thirteen minutes ago, <a href="/users/ch">ch</a> wrote: </footer>
- <iframe seamless sandbox srcdoc="<p>did you get a cover picture yet?"></iframe>
- </article>
- <article>
- <footer> Nine minutes ago, <a href="/users/cap">cap</a> wrote: </footer>
- <iframe seamless sandbox srcdoc="<p>Yeah, you can see it <a href="/gallery?mode=cover&amp;page=1">in my gallery</a>."></iframe>
- </article>
- <article>
- <footer> Five minutes ago, <a href="/users/ch">ch</a> wrote: </footer>
- <iframe seamless sandbox srcdoc="<p>hey that's earl's table.
-<p>you should get earl&amp;me on the next cover."></iframe>
- </article></pre>
+ <!-- END of section that's very similar to <frame> -->
- <p>Notice the way that quotes have to be escaped (otherwise the
- <code title="attr-iframe-srcdoc">srcdoc</code> attribute would end
- prematurely), and the way raw ampersands (e.g. in URLs or in prose)
- mentioned in the sandboxed content have to be <em>doubly</em>
- escaped — once so that the ampersand is preserved when
- originally parsing the <code
- title="attr-iframe-srcdoc">srcdoc</code> attribute, and once more
- to prevent the ampersand from being misinterpreted when parsing the
- sandboxed content.</p>
+ <p class="note">If, when the element is created, the <code
+ title="attr-iframe-srcdoc">srcdoc</code> attribute is not set, and the <code
+ title="attr-iframe-src">src</code> attribute is either also not set or set but its value cannot be
+ <span title="resolve a url">resolved</span>, the browsing context will remain at the initial
+ <code>about:blank</code> page.</p>
- </div>
+ <p class="note">If the user <span title="navigate">navigates</span> away from this page, the
+ <code>iframe</code>'s corresponding <code>WindowProxy</code> object will proxy new
+ <code>Window</code> objects for new <code>Document</code> objects, but the <code
+ title="attr-iframe-src">src</code> attribute will not change.</p>
- <p class="note">In <span>the HTML syntax</span>, authors need only
- remember to use U+0022 QUOTATION MARK characters (") to wrap the
- attribute contents and then to escape all U+0022 QUOTATION MARK (")
- and U+0026 AMPERSAND (&) characters, and to specify the <code
- title="attr-iframe-sandbox">sandbox</code> attribute, to ensure safe
- embedding of content.</p>
- <p class="note">Due to restrictions of <span>the XHTML
- syntax</span>, in XML the U+003C LESS-THAN SIGN character (<)
- needs to be escaped as well. In order to prevent <a
- href="http://www.w3.org/TR/REC-xml/#AVNormalize">attribute-value
- normalization</a>, some of XML's whitespace characters —
- specifically U+0009 CHARACTER TABULATION (tab), U+000A LINE FEED
- (LF), and U+000D CARRIAGE RETURN (CR) — also need to be
- escaped. <a href="#refsXML">[XML]</a></p>
+ <hr> <!-- NAME -->
- <hr>
+ <p>The <dfn title="attr-iframe-name"><code>name</code></dfn> attribute, if present, must be a
+ <span>valid browsing context name</span>. The given value is used to name the <span>nested
+ browsing context</span>. <span class="impl">When the browsing context is created, if the attribute
+ is present, the <span>browsing context name</span> must be set to the value of this attribute;
+ otherwise, the <span>browsing context name</span> must be set to the empty string.</span></p>
- <p>The <dfn title="attr-iframe-name"><code>name</code></dfn>
- attribute, if present, must be a <span>valid browsing context
- name</span>. The given value is used to name the <span>nested
- browsing context</span>. <span class="impl">When the browsing
- context is created, if the attribute is present, the <span>browsing
- context name</span> must be set to the value of this attribute;
- otherwise, the <span>browsing context name</span> must be set to the
- empty string.</span></p>
-
<div class="impl">
- <p>Whenever the <code title="attr-iframe-name">name</code> attribute
- is set, the nested <span>browsing context</span>'s <span
- title="browsing context name">name</span> must be changed to the new
- value. If the attribute is removed, the <span>browsing context
- name</span> must be set to the empty string.</p>
+ <p>Whenever the <code title="attr-iframe-name">name</code> attribute is set, the nested
+ <span>browsing context</span>'s <span title="browsing context name">name</span> must be changed to
+ the new value. If the attribute is removed, the <span>browsing context name</span> must be set to
+ the empty string.</p>
- <p>When content loads in an <code>iframe</code>, after any <code
- title="event-load">load</code> events are fired within the content
- itself, the user agent must <span>queue a task</span> to <span>fire
- a simple event</span> named <code title="event-load">load</code> at
- the <code>iframe</code> element. When content whose <span>URL</span>
- has the <span>same origin</span> as the <code>iframe</code>
- element's <code>Document</code> fails to load (e.g. due to a DNS
- error, network error, or if the server returned a 4xx or 5xx status
- code <span title="concept-http-equivalent-codes">or
- equivalent</span>), then the user agent must <span>queue a
- task</span> to <span>fire a simple event</span> named <code
- title="event-error">error</code> at the element instead. (This event
- does not fire for <span title="parse error">parse errors</span>,
- script errors, or any errors for cross-origin resources.)</p>
-
- <p>The <span>task source</span> for these <span
- title="concept-task">tasks</span> is the <span>DOM manipulation
- task source</span>.</p>
-
- <p class="note">A <code title="event-load">load</code> event is also
- fired at the <code>iframe</code> element when it is created if no
- other data is loaded in it.</p>
-
- <p>When the <code>iframe</code>'s <span>active document</span> is
- not <span>ready for post-load tasks</span>, and when anything in the
- <code>iframe</code> is <span title="delay the load event">delaying
- the load event</span> of the <code>iframe</code>'s <span>browsing
- context</span>'s <span>active document</span>, the
- <code>iframe</code> must <span>delay the load event</span> of its
- document.</p>
-
- <p class="note">If, during the handling of the <code
- title="event-load">load</code> event, the <span>browsing
- context</span> in the <code>iframe</code> is again <span
- title="navigate">navigated</span>, that will further <span>delay the
- load event</span>.</p>
-
</div>
- <hr>
- <p>The <dfn title="attr-iframe-sandbox"><code>sandbox</code></dfn>
- attribute, when specified, enables a set of extra restrictions on
- any content hosted by the <code>iframe</code>. Its value must be an
- <span>unordered set of unique space-separated tokens</span> that are
- <span>ASCII case-insensitive</span>. The allowed values are
- <code title="attr-iframe-sandbox-allow-forms">allow-forms</code>,
- <code title="attr-iframe-sandbox-allow-popups">allow-popups</code>,
- <code title="attr-iframe-sandbox-allow-same-origin">allow-same-origin</code>,
- <code title="attr-iframe-sandbox-allow-scripts">allow-scripts</code>, and
- <code title="attr-iframe-sandbox-allow-top-navigation">allow-top-navigation</code>.
+ <hr> <!-- SANDBOX -->
- When the attribute is set, the content is treated as being from a
- unique <span>origin</span>, forms and scripts are disabled, links
- are prevented from targeting other <span title="browsing
- context">browsing contexts</span>, and plugins are secured. The
- <code
- title="attr-iframe-sandbox-allow-same-origin">allow-same-origin</code>
- keyword allows the content to be treated as being from the same
- origin instead of forcing it into a unique origin, the <code
- title="attr-iframe-sandbox-allow-top-navigation">allow-top-navigation</code>
- keyword allows the content to <span>navigate</span> its
- <span>top-level browsing context</span>, and the <code
+ <p>The <dfn title="attr-iframe-sandbox"><code>sandbox</code></dfn> attribute, when specified,
+ enables a set of extra restrictions on any content hosted by the <code>iframe</code>. Its value
+ must be an <span>unordered set of unique space-separated tokens</span> that are <span>ASCII
+ case-insensitive</span>. The allowed values are <code
title="attr-iframe-sandbox-allow-forms">allow-forms</code>, <code
+ title="attr-iframe-sandbox-allow-popups">allow-popups</code>, <code
+ title="attr-iframe-sandbox-allow-same-origin">allow-same-origin</code>, <code
+ title="attr-iframe-sandbox-allow-scripts">allow-scripts</code>, and <code
+ title="attr-iframe-sandbox-allow-top-navigation">allow-top-navigation</code>.</p>
+
+ <p>When the attribute is set, the content is treated as being from a unique <span>origin</span>,
+ forms and scripts are disabled, links are prevented from targeting other <span title="browsing
+ context">browsing contexts</span>, and plugins are secured. The <code
+ title="attr-iframe-sandbox-allow-same-origin">allow-same-origin</code> keyword allows the content
+ to be treated as being from the same origin instead of forcing it into a unique origin, the <code
+ title="attr-iframe-sandbox-allow-top-navigation">allow-top-navigation</code> keyword allows the
+ content to <span>navigate</span> its <span>top-level browsing context</span>, and the <code
+ title="attr-iframe-sandbox-allow-forms">allow-forms</code>, <code
title="attr-iframe-sandbox-allow-popups">allow-popups</code> and <code
- title="attr-iframe-sandbox-allow-scripts">allow-scripts</code>
- keywords re-enable forms, popups, and scripts respectively.</p>
+ title="attr-iframe-sandbox-allow-scripts">allow-scripts</code> keywords re-enable forms, popups,
+ and scripts respectively.</p>
- <p class="warning">Setting both the
- <code title="attr-iframe-sandbox-allow-scripts">allow-scripts</code> and
- <code title="attr-iframe-sandbox-allow-same-origin">allow-same-origin</code>
- keywords together when the embedded page has the <span>same
- origin</span> as the page containing the <code>iframe</code> allows
- the embedded page to simply remove the <code
- title="attr-iframe-sandbox">sandbox</code> attribute.</p>
+ <p class="warning">Setting both the <code
+ title="attr-iframe-sandbox-allow-scripts">allow-scripts</code> and <code
+ title="attr-iframe-sandbox-allow-same-origin">allow-same-origin</code> keywords together when the
+ embedded page has the <span>same origin</span> as the page containing the <code>iframe</code>
+ allows the embedded page to simply remove the <code title="attr-iframe-sandbox">sandbox</code>
+ attribute.</p>
- <p class="warning">Sandboxing hostile content is of minimal help if
- an attacker can convince the user to just visit the hostile content
- directly, rather than in the <code>iframe</code>. To limit the
- damage that can be caused by hostile HTML content, it should be
- served from a separate dedicated domain.</p>
+ <p class="warning">Sandboxing hostile content is of minimal help if an attacker can convince the
+ user to just visit the hostile content directly, rather than in the <code>iframe</code>. To limit
+ the damage that can be caused by hostile HTML content, it should be served from a separate
+ dedicated domain.</p>
<div class="impl">
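Review bot: the relocated load-event paragraph gains a new "<!-- XXX bug 16829 -->" marker in the middle of "after any load events are fired within the content itself, ... the user agent must queue a task", with no indication of what is unresolved. A few words in the comment saying which part of the ordering is in question would help, since an editorial commit is an unlikely place to look for an open issue. The move keeps the paragraph inside a class="impl" div and carries the parenthetical that limits the error event to same-origin content over unchanged, which is the part to protect: firing it for cross-origin failures would make those failures observable to the embedding page.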
@@ -29014,50 +28948,42 @@
- block access to 'parent.frames' from sandbox
-->
- <p>While the <code title="attr-iframe-sandbox">sandbox</code>
- attribute is set or changed, the user agent must <span title="parse
- a sandboxing directive">parse the sandboxing directive</span> using
- the attribute's value as the <var title="">input</var> and the
- <code>iframe</code> element's <span>nested browsing context</span>'s
- <span><code>iframe</code> sandboxing flag set</span> as the
+ <p>While the <code title="attr-iframe-sandbox">sandbox</code> attribute is set or changed, the
+ user agent must <span title="parse a sandboxing directive">parse the sandboxing directive</span>
+ using the attribute's value as the <var title="">input</var> and the <code>iframe</code> element's
+ <span>nested browsing context</span>'s <span><code>iframe</code> sandboxing flag set</span> as the
output.</p>
- <p class="warning">These flags only take effect when the
- <span>nested browsing context</span> of the <code>iframe</code> is
- <span title="navigate">navigated</span>. Removing them, or removing
- the entire <code title="attr-iframe-sandbox">sandbox</code>
- attribute, has no effect on an already-loaded page.</p>
+ <p class="warning">These flags only take effect when the <span>nested browsing context</span> of
+ the <code>iframe</code> is <span title="navigate">navigated</span>. Removing them, or removing the
+ entire <code title="attr-iframe-sandbox">sandbox</code> attribute, has no effect on an
+ already-loaded page.</p>
</div>
<div class="example">
- <p>In this example, some completely-unknown, potentially hostile,
- user-provided HTML content is embedded in a page. Because it is
- served from a separate domain, it is affected by all the normal
- cross-site restrictions. In addition, the embedded page has
- scripting disabled, plugins disabled, forms disabled, and it cannot
- navigate any frames or windows other than itself (or any frames or
+ <p>In this example, some completely-unknown, potentially hostile, user-provided HTML content is
+ embedded in a page. Because it is served from a separate domain, it is affected by all the normal
+ cross-site restrictions. In addition, the embedded page has scripting disabled, plugins disabled,
+ forms disabled, and it cannot navigate any frames or windows other than itself (or any frames or
windows it itself embeds).</p>
<pre><p>We're not scared of you! Here is your content, unedited:</p>
<iframe sandbox src="http://usercontent.example.net/getusercontent.cgi?id=12193"></iframe></pre>
- <p class="warning">It is important to use a separate domain so that
- if the attacker convinces the user to visit that page directly, the
- page doesn't run in the context of the site's origin, which would
- make the user vulnerable to any attack found in the page.</p>
+ <p class="warning">It is important to use a separate domain so that if the attacker convinces the
+ user to visit that page directly, the page doesn't run in the context of the site's origin, which
+ would make the user vulnerable to any attack found in the page.</p>
</div>
<div class="example">
- <p>In this example, a gadget from another site is embedded. The
- gadget has scripting and forms enabled, and the origin sandbox
- restrictions are lifted, allowing the gadget to communicate with
- its originating server. The sandbox is still useful, however, as it
- disables plugins and popups, thus reducing the risk of the user
- being exposed to malware and other annoyances.</p>
+ <p>In this example, a gadget from another site is embedded. The gadget has scripting and forms
+ enabled, and the origin sandbox restrictions are lifted, allowing the gadget to communicate with
+ its originating server. The sandbox is still useful, however, as it disables plugins and popups,
+ thus reducing the risk of the user being exposed to malware and other annoyances.</p>
<pre><iframe sandbox="allow-same-origin allow-forms allow-scripts"
src="http://maps.example.com/embedded.html"></iframe></pre>
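Review bot: The gadget example paragraph rewrapped at the end of this hunk relies on the words "from another site" to make sandbox="allow-same-origin allow-forms allow-scripts" acceptable, but never says that the cross-origin source is what keeps the sandbox meaningful. The warning later in this revision covers the same-origin case (a script "could just reach out, remove the sandbox attribute, and then reload itself"), so a short pointer to that warning in this paragraph would stop authors copying the attribute value onto same-origin content. That is a wording change rather than a rewrap, so it fits better in a follow-up than in a commit marked editorial.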
@@ -29078,313 +29004,254 @@
<pre><a href=D>Link</a></pre>
- <p>For this example, suppose all the files were served as
- <code>text/html</code>.</p>
+ <p>For this example, suppose all the files were served as <code>text/html</code>.</p>
- <p>Page C in this scenario has all the sandboxing flags
- set. Scripts are disabled, because the <code>iframe</code> in A has
- scripts disabled, and this overrides the <code
- title="attr-iframe-sandbox-allow-scripts">allow-scripts</code>
- keyword set on the <code>iframe</code> in B. Forms are also
- disabled, because the inner <code>iframe</code> (in B) does not
- have the <code
- title="attr-iframe-sandbox-allow-forms">allow-forms</code> keyword
+ <p>Page C in this scenario has all the sandboxing flags set. Scripts are disabled, because the
+ <code>iframe</code> in A has scripts disabled, and this overrides the <code
+ title="attr-iframe-sandbox-allow-scripts">allow-scripts</code> keyword set on the
+ <code>iframe</code> in B. Forms are also disabled, because the inner <code>iframe</code> (in B)
+ does not have the <code title="attr-iframe-sandbox-allow-forms">allow-forms</code> keyword
set.</p>
<p>Suppose now that a script in A removes all the <code
- title="attr-iframe-sandbox">sandbox</code> attributes in A
- <!--grammar-check-override--> and B. This would change nothing
- immediately. If the user clicked the link in C, loading page D into
- the <code>iframe</code> in B, page D would now act as if the
- <code>iframe</code> in B had the <code
- title="attr-iframe-sandbox-allow-same-origin">allow-same-origin</code>
- and <code
- title="attr-iframe-sandbox-allow-forms">allow-forms</code> keywords
- set, because that was the state of the <span>nested browsing
- context</span> in the <code>iframe</code> in A when page B was
+ title="attr-iframe-sandbox">sandbox</code> attributes in A <!--grammar-check-override--> and B.
+ This would change nothing immediately. If the user clicked the link in C, loading page D into the
+ <code>iframe</code> in B, page D would now act as if the <code>iframe</code> in B had the <code
+ title="attr-iframe-sandbox-allow-same-origin">allow-same-origin</code> and <code
+ title="attr-iframe-sandbox-allow-forms">allow-forms</code> keywords set, because that was the
+ state of the <span>nested browsing context</span> in the <code>iframe</code> in A when page B was
loaded.</p>
<p>Generally speaking, dynamically removing or changing the <code
- title="attr-iframe-sandbox">sandbox</code> attribute is
- ill-advised, because it can make it quite hard to reason about what
- will be allowed and what will not.</p>
+ title="attr-iframe-sandbox">sandbox</code> attribute is ill-advised, because it can make it quite
+ hard to reason about what will be allowed and what will not.</p>
</div>
- <p class="note">Potentially hostile files should not be served from
- the same server as the file containing the <code>iframe</code>
- element. Using a different domain ensures that scripts in the files
- are unable to attack the site, even if the user is tricked into
- visiting those pages directly, without the protection of the <code
- title="attr-iframe-sandbox">sandbox</code> attribute.</p>
+ <p class="note">Potentially hostile files should not be served from the same server as the file
+ containing the <code>iframe</code> element. Using a different domain ensures that scripts in the
+ files are unable to attack the site, even if the user is tricked into visiting those pages
+ directly, without the protection of the <code title="attr-iframe-sandbox">sandbox</code>
+ attribute.</p>
- <p class="warning">If the <code
- title="attr-iframe-sandbox-allow-scripts">allow-scripts</code>
+ <p class="warning">If the <code title="attr-iframe-sandbox-allow-scripts">allow-scripts</code>
keyword is set along with <code
- title="attr-iframe-sandbox-allow-same-origin">allow-same-origin</code>
- keyword, and the file is from the <span>same origin</span> as the
- <code>iframe</code>'s <code>Document</code>, then a script in the
- "sandboxed" iframe could just reach out, remove the <code
- title="attr-iframe-sandbox">sandbox</code> attribute, and then
- reload itself, effectively breaking out of the sandbox
- altogether.</p>
+ title="attr-iframe-sandbox-allow-same-origin">allow-same-origin</code> keyword, and the file is
+ from the <span>same origin</span> as the <code>iframe</code>'s <code>Document</code>, then a
+ script in the "sandboxed" iframe could just reach out, remove the <code
+ title="attr-iframe-sandbox">sandbox</code> attribute, and then reload itself, effectively breaking
+ out of the sandbox altogether.</p>
- <hr>
+ <hr> <!-- SEAMLESS -->
+ <!-- v2: Might be interesting to have a value on seamless that allowed event propagation of some
+ sort, maybe based on the WICD work: http://www.w3.org/TR/WICD/ -->
- <!-- v2: Might be interesting to have a value on seamless that
- allowed event propagation of some sort, maybe based on the WICD
- work: http://www.w3.org/TR/WICD/ -->
+ <p>The <dfn title="attr-iframe-seamless"><code>seamless</code></dfn> attribute is a <span>boolean
+ attribute</span>. When specified, it indicates that the <code>iframe</code> element's
+ <span>browsing context</span> is to be rendered in a manner that makes it appear to be part of the
+ containing document (seamlessly included in the parent document).</p>
- <p>The <dfn title="attr-iframe-seamless"><code>seamless</code></dfn>
- attribute is a <span>boolean attribute</span>. When specified, it
- indicates that the <code>iframe</code> element's <span>browsing
- context</span> is to be rendered in a manner that makes it appear to
- be part of the containing document (seamlessly included in the
- parent document).</p>
-
<div class="impl">
- <p>An <code>iframe</code> element is said to be <dfn>in seamless
- mode</dfn> when all of the following conditions are met:</p>
+ <p>An <code>iframe</code> element is said to be <dfn>in seamless mode</dfn> when all of the
+ following conditions are met:</p>
<ul>
- <li>The <code title="attr-iframe-seamless">seamless</code>
- attribute is set on the <code>iframe</code> element, and
+ <li>The <code title="attr-iframe-seamless">seamless</code> attribute is set on the
+ <code>iframe</code> element, and
- <li>The <code>iframe</code> element's owner <code>Document</code>'s
- <span>active sandboxing flag set</span> does not have the
- <span>sandboxed seamless iframes flag</span> set, and
+ <li>The <code>iframe</code> element's owner <code>Document</code>'s <span>active sandboxing flag
+ set</span> does not have the <span>sandboxed seamless iframes flag</span> set, and
<li>Either:
<ul>
- <li>The <span>browsing context</span>'s <span>active
- document</span> has the <span>same origin</span> as the
+ <li>The <span>browsing context</span>'s <span>active document</span> has the <span>same
+ origin</span> as the <code>iframe</code> element's <code>Document</code>, or
+
+ <li>The <span>browsing context</span>'s <span>active document</span>'s <em><span title="the
+ document's address">address</span></em> has the <span>same origin</span> as the
<code>iframe</code> element's <code>Document</code>, or
- <li>The <span>browsing context</span>'s <span>active
- document</span>'s <em><span title="the document's
- address">address</span></em> has the <span>same origin</span> as
- the <code>iframe</code> element's <code>Document</code>, or
+ <li>The <span>browsing context</span>'s <span>active document</span> is <span>an
+ <code>iframe</code> <code title="attr-iframe-srcdoc">srcdoc</code> document</span>.
- <li>The <span>browsing context</span>'s <span>active
- document</span> is <span>an <code>iframe</code> <code
- title="attr-iframe-srcdoc">srcdoc</code> document</span>.
-
</ul>
</li>
</ul>
- <p>When an <code>iframe</code> element is <span>in seamless
- mode</span>, the following requirements apply:</p>
+ <p>When an <code>iframe</code> element is <span>in seamless mode</span>, the following
+ requirements apply:</p>
<ul>
- <li><p>The user agent must set the <dfn>seamless browsing context
- flag</dfn> to true for that <span>browsing context</span>. This
- will <a href="#seamlessLinks">cause links to open in the parent
- browsing context</a> unless an <span>explicit self-navigation
- override</span> is used (<code
- title="">target="_self"</code>).</p></li>
+ <li><p>The user agent must set the <dfn>seamless browsing context flag</dfn> to true for that
+ <span>browsing context</span>. This will <a href="#seamlessLinks">cause links to open in the
+ parent browsing context</a> unless an <span>explicit self-navigation override</span> is used
+ (<code title="">target="_self"</code>).</p></li>
- <li><p>Media queries in the context of the <code>iframe</code>'s
- <span>browsing context</span> (e.g. on <code
- title="attr-style-media">media</code> attributes of
- <code>style</code> elements in <code>Document</code>s in that
- <code>iframe</code>) must be evaluated with respect to the nearest
- <span>ancestor browsing context</span> that is not itself being
- <span title="browsing context nested through">nested through</span>
- an <code>iframe</code> that is <span>in seamless
+ <li><p>Media queries in the context of the <code>iframe</code>'s <span>browsing context</span>
+ (e.g. on <code title="attr-style-media">media</code> attributes of <code>style</code> elements in
+ <code>Document</code>s in that <code>iframe</code>) must be evaluated with respect to the nearest
+ <span>ancestor browsing context</span> that is not itself being <span title="browsing context
+ nested through">nested through</span> an <code>iframe</code> that is <span>in seamless
mode</span>. <a href="#refsMQ">[MQ]</a></p></li>
- <li><p>In a CSS-supporting user agent: the user agent must add all
- the style sheets that apply to the <code>iframe</code> element to
- the cascade of the <span>active document</span> of the
- <code>iframe</code> element's <span>nested browsing context</span>,
- at the appropriate cascade levels, before any style sheets
- specified by the document itself.</p></li>
+ <li><p>In a CSS-supporting user agent: the user agent must add all the style sheets that apply to
+ the <code>iframe</code> element to the cascade of the <span>active document</span> of the
+ <code>iframe</code> element's <span>nested browsing context</span>, at the appropriate cascade
+ levels, before any style sheets specified by the document itself.</p></li>
- <li><p>In a CSS-supporting user agent: the user agent must, for the
- purpose of CSS property inheritance only, treat the root element of
- the <span>active document</span> of the <code>iframe</code>
- element's <span>nested browsing context</span> as being a child of
- the <code>iframe</code> element. (Thus inherited properties on the
- root element of the document in the <code>iframe</code> will
- inherit the computed values of those properties on the
- <code>iframe</code> element instead of taking their initial
- values.)</p></li>
+ <li><p>In a CSS-supporting user agent: the user agent must, for the purpose of CSS property
+ inheritance only, treat the root element of the <span>active document</span> of the
+ <code>iframe</code> element's <span>nested browsing context</span> as being a child of the
+ <code>iframe</code> element. (Thus inherited properties on the root element of the document in
+ the <code>iframe</code> will inherit the computed values of those properties on the
+ <code>iframe</code> element instead of taking their initial values.)</p></li>
- <li><p>In visual media, in a CSS-supporting user agent: the user
- agent should set the intrinsic width of the <code>iframe</code> to
- the width that the element would have if it was a non-replaced
- block-level element with 'width: auto', unless that width would be
- zero (e.g. if the element is floating or absolutely positioned), in
- which case the user agent should set the intrinsic width of the
- <code>iframe</code> to the shrink-to-fit width of the root element
- (if any) of the content rendered in the
- <code>iframe</code>.</p></li>
+ <li><p>In visual media, in a CSS-supporting user agent: the user agent should set the intrinsic
+ width of the <code>iframe</code> to the width that the element would have if it was a
+ non-replaced block-level element with 'width: auto', unless that width would be zero (e.g. if the
+ element is floating or absolutely positioned), in which case the user agent should set the
+ intrinsic width of the <code>iframe</code> to the shrink-to-fit width of the root element (if
+ any) of the content rendered in the <code>iframe</code>.</p></li>
- <li><p>In visual media, in a CSS-supporting user agent: the user
- agent should set the intrinsic height of the <code>iframe</code> to
- the shortest height that would make the content rendered in the
- <code>iframe</code> at its current width (as given in the previous
- bullet point) have no scrollable overflow at its bottom edge<!--,
- if the scrolling position was such that the top of the viewport for
- the content rendered in the <code>iframe</code> was aligned with
- the origin of that content's canvas-->. Scrollable overflow is any
- overflow that would increase the range to which a scrollbar or
- other scrolling mechanism can scroll.</p></li>
+ <li><p>In visual media, in a CSS-supporting user agent: the user agent should set the intrinsic
+ height of the <code>iframe</code> to the shortest height that would make the content rendered in
+ the <code>iframe</code> at its current width (as given in the previous bullet point) have no
+ scrollable overflow at its bottom edge<!--, if the scrolling position was such that the top of
+ the viewport for the content rendered in the <code>iframe</code> was aligned with the origin of
+ that content's canvas-->. Scrollable overflow is any overflow that would increase the range to
+ which a scrollbar or other scrolling mechanism can scroll.</p></li>
<li>
- <p>In visual media, in a CSS-supporting user agent: the user agent
- must force the height of the initial containing block of the
- <span>active document</span> of the <span>nested browsing
+ <p>In visual media, in a CSS-supporting user agent: the user agent must force the height of the
+ initial containing block of the <span>active document</span> of the <span>nested browsing
context</span> of the <code>iframe</code> to zero.</p>
- <p class="note">This is intended to get around the otherwise
- circular dependency of percentage dimensions that depend on the
- height of the containing block, thus affecting the height of the
- document's bounding box, thus affecting the height of the
- viewport, thus affecting the size of the initial containing
- block.</p>
+ <p class="note">This is intended to get around the otherwise circular dependency of percentage
+ dimensions that depend on the height of the containing block, thus affecting the height of the
+ document's bounding box, thus affecting the height of the viewport, thus affecting the size of
+ the initial containing block.</p>
</li>
- <li><p>In speech media, the user agent should render the <span>nested
- browsing context</span> without announcing that it is a separate
- document.</p></li>
+ <li><p>In speech media, the user agent should render the <span>nested browsing context</span>
+ without announcing that it is a separate document.</p></li>
<li>
- <p>User agents should, in general, act as if the <span>active
- document</span> of the <code>iframe</code>'s <span>nested browsing
- context</span> was part of the document that the
+ <p>User agents should, in general, act as if the <span>active document</span> of the
+ <code>iframe</code>'s <span>nested browsing context</span> was part of the document that the
<code>iframe</code> is in, if any.</p>
- <p class="example">For example if the user agent supports listing
- all the links in a document, links in "seamlessly" nested
- documents would be included in that list without being
+ <p class="example">For example if the user agent supports listing all the links in a document,
+ links in "seamlessly" nested documents would be included in that list without being
significantly distinguished from links in the document itself.</p>
</li>
</ul>
- <p>If the attribute is not specified, or if the <span>origin</span>
- conditions listed above are not met, then the user agent should
- render the <span>nested browsing context</span> in a manner that is
- clearly distinguishable as a separate <span>browsing context</span>,
- and the <span>seamless browsing context flag</span> must be set to
- false for that <span>browsing context</span>.</p>
+ <p>If the attribute is not specified, or if the <span>origin</span> conditions listed above are
+ not met, then the user agent should render the <span>nested browsing context</span> in a manner
+ that is clearly distinguishable as a separate <span>browsing context</span>, and the
+ <span>seamless browsing context flag</span> must be set to false for that <span>browsing
+ context</span>.</p>
- <p class="warning">It is important that user agents recheck the
- above conditions whenever the <span>active document</span> of the
- <span>nested browsing context</span> of the <code>iframe</code>
- changes, such that the <span>seamless browsing context flag</span>
- gets unset if the <span>nested browsing context</span> is <span
- title="navigate">navigated</span> to another origin.</p>
+ <p class="warning">It is important that user agents recheck the above conditions whenever the
+ <span>active document</span> of the <span>nested browsing context</span> of the
+ <code>iframe</code> changes, such that the <span>seamless browsing context flag</span> gets unset
+ if the <span>nested browsing context</span> is <span title="navigate">navigated</span> to another
+ origin.</p>
</div>
- <p class="note">The attribute can be set or removed dynamically,
- with the rendering updating in tandem.</p>
+ <p class="note">The attribute can be set or removed dynamically, with the rendering updating in
+ tandem.</p>
<div class="example">
- <p>In this example, the site's navigation is embedded using a
- client-side include using an <code>iframe</code>. Any links in the
- <code>iframe</code> will, in new user agents, be automatically
- opened in the <code>iframe</code>'s parent browsing context; for
- legacy user agents, the site could also include a <code>base</code>
- element with a <code title="attr-base-target">target</code>
- attribute with the value <code title="">_parent</code>. Similarly,
- in new user agents the styles of the parent page will be
- automatically applied to the contents of the frame, but to support
- legacy user agents authors might wish to include the styles
+ <p>In this example, the site's navigation is embedded using a client-side include using an
+ <code>iframe</code>. Any links in the <code>iframe</code> will, in new user agents, be
+ automatically opened in the <code>iframe</code>'s parent browsing context; for legacy user
+ agents, the site could also include a <code>base</code> element with a <code
+ title="attr-base-target">target</code> attribute with the value <code title="">_parent</code>.
+ Similarly, in new user agents the styles of the parent page will be automatically applied to the
+ contents of the frame, but to support legacy user agents authors might wish to include the styles
explicitly.</p>
<pre><nav><iframe seamless src="nav.include.html"></iframe></nav></pre>
</div>
- <p class="note">The <code
- title="attr-contenteditable">contenteditable</code> attribute does
- not propagate into <code
- title="attr-iframe-seamless">seamless</code>
- <code>iframe</code>s.</p>
+ <p class="note">The <code title="attr-contenteditable">contenteditable</code> attribute does not
+ propagate into <code title="attr-iframe-seamless">seamless</code> <code>iframe</code>s.</p>
- <hr>
+ <hr> <!-- DIM ATTRIBUTES -->
- <p>The <code>iframe</code> element supports <span>dimension
- attributes</span> for cases where the embedded content has specific
- dimensions (e.g. ad units have well-defined dimensions).</p>
+ <p>The <code>iframe</code> element supports <span>dimension attributes</span> for cases where the
+ embedded content has specific dimensions (e.g. ad units have well-defined dimensions).</p>
- <p>An <code>iframe</code> element never has <span>fallback
- content</span>, as it will always create a nested <span>browsing
- context</span>, regardless of whether the specified initial contents
- are successfully used.</p>
+ <p>An <code>iframe</code> element never has <span>fallback content</span>, as it will always
+ create a nested <span>browsing context</span>, regardless of whether the specified initial
+ contents are successfully used.</p>
- <p>Descendants of <code>iframe</code> elements represent
- nothing. (In legacy user agents that do not support
- <code>iframe</code> elements, the contents would be parsed as markup
- that could act as fallback content.)</p>
- <p id="iframe-content-model">When used in <span>HTML
- documents</span>, the allowed content model of <code>iframe</code>
- elements is text, except that invoking the <span>HTML fragment
- parsing algorithm</span> with the <code>iframe</code> element as the
- <var title="concept-frag-parse-context">context</var> element and
- the text contents as the <var title="">input</var> must result in a
- list of nodes that are all <span>phrasing content</span>, with no
- <span title="parse error">parse errors</span> having occurred, with
- no <code>script</code> elements being anywhere in the list or as
- descendants of elements in the list, and with all the elements in
- the list (including their descendants) being themselves
- conforming.</p>
+ <hr> <!-- FALLBACK -->
- <p>The <code>iframe</code> element must be empty in <span>XML
- documents</span>.</p>
+ <p>Descendants of <code>iframe</code> elements represent nothing. (In legacy user agents that do
+ not support <code>iframe</code> elements, the contents would be parsed as markup that could act as
+ fallback content.)</p>
- <p class="note">The <span>HTML parser</span> treats markup inside
- <code>iframe</code> elements as text.</p>
+ <p id="iframe-content-model">When used in <span>HTML documents</span>, the allowed content model
+ of <code>iframe</code> elements is text, except that invoking the <span>HTML fragment parsing
+ algorithm</span> with the <code>iframe</code> element as the <var
+ title="concept-frag-parse-context">context</var> element and the text contents as the <var
+ title="">input</var> must result in a list of nodes that are all <span>phrasing content</span>,
+ with no <span title="parse error">parse errors</span> having occurred, with no <code>script</code>
+ elements being anywhere in the list or as descendants of elements in the list, and with all the
+ elements in the list (including their descendants) being themselves conforming.</p>
+ <p>The <code>iframe</code> element must be empty in <span>XML documents</span>.</p>
+
+ <p class="note">The <span>HTML parser</span> treats markup inside <code>iframe</code> elements as
+ text.</p>
+
+
<div class="impl">
- <p>The IDL attributes <dfn
- title="dom-iframe-src"><code>src</code></dfn>, <dfn
+ <hr> <!-- DOM -->
+
+ <p>The IDL attributes <dfn title="dom-iframe-src"><code>src</code></dfn>, <dfn
title="dom-iframe-srcdoc"><code>srcdoc</code></dfn>, <dfn
title="dom-iframe-name"><code>name</code></dfn>, <dfn
title="dom-iframe-sandbox"><code>sandbox</code></dfn>, and <dfn
- title="dom-iframe-seamless"><code>seamless</code></dfn> must
- <span>reflect</span> the respective content attributes of the same
- name.</p>
+ title="dom-iframe-seamless"><code>seamless</code></dfn> must <span>reflect</span> the respective
+ content attributes of the same name.</p>
- <p>The <dfn
- title="dom-iframe-contentDocument"><code>contentDocument</code></dfn>
- IDL attribute must return the <code>Document</code> object of the
- <span>active document</span> of the <code>iframe</code> element's
- <span>nested browsing context</span>, if any, or null otherwise.</p>
+ <p>The <dfn title="dom-iframe-contentDocument"><code>contentDocument</code></dfn> IDL attribute
+ must return the <code>Document</code> object of the <span>active document</span> of the
+ <code>iframe</code> element's <span>nested browsing context</span>, if any, or null otherwise.</p>
- <p>The <dfn
- title="dom-iframe-contentWindow"><code>contentWindow</code></dfn>
- IDL attribute must return the <code>WindowProxy</code> object of the
- <code>iframe</code> element's <span>nested browsing
- context</span>, if any, or null otherwise.</p>
+ <p>The <dfn title="dom-iframe-contentWindow"><code>contentWindow</code></dfn> IDL attribute must
+ return the <code>WindowProxy</code> object of the <code>iframe</code> element's <span>nested
+ browsing context</span>, if any, or null otherwise.</p>
</div>
<div class="example">
- <p>Here is an example of a page using an <code>iframe</code> to
- include advertising from an advertising broker:</p>
+ <p>Here is an example of a page using an <code>iframe</code> to include advertising from an
+ advertising broker:</p>
<pre><iframe src="http://ads.example.com/?customerid=923513721&format=banner"
width="468" height="60"></iframe></pre>
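Review bot: The added separator "<hr> <!-- FALLBACK -->" sits one paragraph too low: "An iframe element never has fallback content ..." is left above it, grouped under "<!-- DIM ATTRIBUTES -->" with the dimension-attributes text, while "Descendants of iframe elements represent nothing" opens the FALLBACK group. Moving the separator up so that both fallback paragraphs follow it would make the section comments match the content they label. Also, since the allow-scripts warning is rewrapped in this hunk anyway, "is set along with allow-same-origin keyword" could pick up its missing "the" in the same pass.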