[html5] r7411 - [giow] (1) Also sandbox the initial about:blank document of an <iframe sandbox>. [...]
whatwg at whatwg.org
Wed Sep 26 14:58:21 PDT 2012
Author: ianh
Date: 2012-09-26 14:58:19 -0700 (Wed, 26 Sep 2012)
New Revision: 7411
Modified:
complete.html
index
source
Log:
[giow] (1) Also sandbox the initial about:blank document of an <iframe sandbox>. Also, much cleanup.
Affected topics: HTML
Modified: complete.html
===================================================================
--- complete.html 2012-09-26 18:10:58 UTC (rev 7410)
+++ complete.html 2012-09-26 21:58:19 UTC (rev 7411)
@@ -26819,13 +26819,22 @@
<p class=warning>Setting both the <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code> and <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code> keywords together when the
embedded page has the <a href=#same-origin>same origin</a> as the page containing the <code><a href=#the-iframe-element>iframe</a></code>
allows the embedded page to simply remove the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code>
- attribute.</p>
+ attribute and then reload itself, effectively breaking out of the sandbox altogether.</p>
- <p class=warning>Sandboxing hostile content is of minimal help if an attacker can convince the
- user to just visit the hostile content directly, rather than in the <code><a href=#the-iframe-element>iframe</a></code>. To limit
- the damage that can be caused by hostile HTML content, it should be served from a separate
- dedicated domain.</p>
+ <p class=warning>These flags only take effect when the <a href=#nested-browsing-context>nested browsing context</a> of
+ the <code><a href=#the-iframe-element>iframe</a></code> is <a href=#navigate title=navigate>navigated</a>. Removing them, or removing the
+ entire <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute, has no effect on an
+ already-loaded page.</p>
+ <p class=warning>Potentially hostile files should not be served from the same server as the file
+ containing the <code><a href=#the-iframe-element>iframe</a></code> element. Sandboxing hostile content is of minimal help if an
+ attacker can convince the user to just visit the hostile content directly, rather than in the
+ <code><a href=#the-iframe-element>iframe</a></code>. To limit the damage that can be caused by hostile HTML content, it should be
+ served from a separate dedicated domain. Using a different domain ensures that scripts in the
+ files are unable to attack the site, even if the user is tricked into visiting those pages
+ directly, without the protection of the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code>
+ attribute.</p>
+
<div class=impl>
<!-- v2: Add a new attribute that enables new restrictions, e.g.:
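Review bot: the new warning "These flags only take effect when the nested browsing context of the iframe is navigated" is already out of step with the rest of this revision, which also applies the flags to the initial about:blank Document at the moment the nested browsing context is created; "only take effect when the nested browsing context is created or navigated" would match the new normative text. The merged hostile-content paragraph also says the same thing twice ("it should be served from a separate dedicated domain" and "Using a different domain ensures that scripts in the files are unable to attack the site"); one of the two sentences could go. Note that the "Potentially hostile files" text was class=note before the merge and is class=warning now, which changes how it renders.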
@@ -26835,16 +26844,18 @@
- block access to 'parent.frames' from sandbox
-->
- <p>While the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute is set or changed, the
- user agent must <a href=#parse-a-sandboxing-directive title="parse a sandboxing directive">parse the sandboxing directive</a>
- using the attribute's value as the <var title="">input</var> and the <code><a href=#the-iframe-element>iframe</a></code> element's
- <a href=#nested-browsing-context>nested browsing context</a>'s <a href=#iframe-sandboxing-flag-set><code>iframe</code> sandboxing flag set</a> as the
- output.</p>
+ <p>When an <code><a href=#the-iframe-element>iframe</a></code> element with a <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code>
+ attribute has its <a href=#nested-browsing-context>nested browsing context</a> created (before the initial
+ <code><a href=#about:blank>about:blank</a></code> <code><a href=#document>Document</a></code> is created), and when an <code><a href=#the-iframe-element>iframe</a></code>
+ element's <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute is set or changed while it
+ has a <a href=#nested-browsing-context>nested browsing context</a>, the user agent must <a href=#parse-a-sandboxing-directive title="parse a sandboxing
+ directive">parse the sandboxing directive</a> using the attribute's value as the <var title="">input</var> and the <code><a href=#the-iframe-element>iframe</a></code> element's <a href=#nested-browsing-context>nested browsing context</a>'s
+ <a href=#iframe-sandboxing-flag-set><code>iframe</code> sandboxing flag set</a> as the output.</p>
- <p class=warning>These flags only take effect when the <a href=#nested-browsing-context>nested browsing context</a> of
- the <code><a href=#the-iframe-element>iframe</a></code> is <a href=#navigate title=navigate>navigated</a>. Removing them, or removing the
- entire <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute, has no effect on an
- already-loaded page.</p>
+ <p>When an <code><a href=#the-iframe-element>iframe</a></code> element's <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code>
+ attribute is removed while it has a <a href=#nested-browsing-context>nested browsing context</a>, the user agent must
+ empty the <code><a href=#the-iframe-element>iframe</a></code> element's <a href=#nested-browsing-context>nested browsing context</a>'s
+ <a href=#iframe-sandboxing-flag-set><code>iframe</code> sandboxing flag set</a> as the output.</p>
</div>
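Review bot: the trailing "as the output" in the new removal paragraph ("empty the iframe element's nested browsing context's iframe sandboxing flag set as the output.") is left over from the parse-the-directive wording above it and should be dropped, since emptying a set has no output. It is also worth stating that "set or changed" in the first paragraph excludes removal, now that removal has its own paragraph, so implementers do not run both.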
@@ -26910,19 +26921,7 @@
</div>
- <p class=note>Potentially hostile files should not be served from the same server as the file
- containing the <code><a href=#the-iframe-element>iframe</a></code> element. Using a different domain ensures that scripts in the
- files are unable to attack the site, even if the user is tricked into visiting those pages
- directly, without the protection of the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code>
- attribute.</p>
- <p class=warning>If the <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code>
- keyword is set along with <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code> keyword, and the file is
- from the <a href=#same-origin>same origin</a> as the <code><a href=#the-iframe-element>iframe</a></code>'s <code><a href=#document>Document</a></code>, then a
- script in the "sandboxed" iframe could just reach out, remove the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute, and then reload itself, effectively breaking
- out of the sandbox altogether.</p>
-
-
<hr><!-- SEAMLESS --><!-- v2: Might be interesting to have a value on seamless that allowed event propagation of some
sort, maybe based on the WICD work: http://www.w3.org/TR/WICD/ --><p>The <dfn id=attr-iframe-seamless title=attr-iframe-seamless><code>seamless</code></dfn> attribute is a <a href=#boolean-attribute>boolean
attribute</a>. When specified, it indicates that the <code><a href=#the-iframe-element>iframe</a></code> element's
@@ -67216,14 +67215,15 @@
<div class=impl>
- <p>When a <a href=#browsing-context>browsing context</a> is first created, it must be
- created with a single <code><a href=#document>Document</a></code> in its session history,
- whose <a href="#the-document's-address" title="the document's address">address</a> is
- <code><a href=#about:blank>about:blank</a></code>, which is marked as being an <a href=#html-documents title="HTML documents">HTML document</a>, whose <a href="#document's-character-encoding" title="document's character encoding">character encoding</a> is
- UTF-8, and which is both <a href=#ready-for-post-load-tasks>ready for post-load tasks</a> and
- <a href=#completely-loaded>completely loaded</a> immediately. The
- <code><a href=#document>Document</a></code> must have a single child <code><a href=#the-html-element>html</a></code>
- node, which itself has a single child <code><a href=#the-body-element>body</a></code> node.</p>
+ <p>When a <a href=#browsing-context>browsing context</a> is first created, it must be created with a single
+ <code><a href=#document>Document</a></code> in its session history, whose <a href="#the-document's-address" title="the document's
+ address">address</a> is <code><a href=#about:blank>about:blank</a></code>, which is marked as being an <a href=#html-documents title="HTML
+ documents">HTML document</a>, whose <a href="#document's-character-encoding" title="document's character encoding">character
+ encoding</a> is UTF-8, and which is both <a href=#ready-for-post-load-tasks>ready for post-load tasks</a> and
+ <a href=#completely-loaded>completely loaded</a> immediately. The <code><a href=#document>Document</a></code> must have a single child
+ <code><a href=#the-html-element>html</a></code> node, which itself has a single child <code><a href=#the-body-element>body</a></code> node. As soon as this
+ <code><a href=#document>Document</a></code> is created, the user agent must <a href=#implement-the-sandboxing>implement the sandboxing</a> for
+ it.</p>
<p class=note>If the <a href=#browsing-context>browsing context</a> is created
specifically to be immediately navigated, then that initial
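Review bot: "implement the sandboxing" is invoked here while the initial about:blank Document is created, and it reads the iframe sandboxing flag set, so this only produces the intended result because the iframe hunk parses the sandbox attribute before that Document is created. That ordering dependency is spread across two sections and would be clearer with an explicit cross-reference here. The unchanged note that follows ("If the browsing context is created specifically to be immediately navigated...") means the about:blank Document is sandboxed even when it is about to be replaced, which appears to be the point of the change but could be said outright.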
@@ -69571,10 +69571,38 @@
<code><a href=#document>Document</a></code> is created, its <a href=#active-sandboxing-flag-set>active sandboxing flag
set</a> must be empty. It is populated by the <a href=#navigate title=navigate>navigation algorithm</a>.</p>
+ <p>Every resource that is obtained by the <a href=#navigate title=navigate>navigation algorithm</a> has a <dfn id=forced-sandboxing-flag-set>forced
+ sandboxing flag set</dfn>, which is a <a href=#sandboxing-flag-set>sandboxing flag
+ set</a>. A resource by default has no flags set in its
+ <a href=#forced-sandboxing-flag-set>forced sandboxing flag set</a>, but other
+ specifications can define that certain flags are set.</p>
+ <p class=note>In particular, the <a href=#forced-sandboxing-flag-set>forced sandboxing flag
+ set</a> is used by the Content Security Policy specification.
+ <a href=#refsCSP>[CSP]</a></p>
- <h3 id=history><span class=secno>6.5 </span>Session history and navigation</h3>
+ <hr><p>When a user agent is to <dfn id=implement-the-sandboxing>implement the sandboxing</dfn> for a <code><a href=#document>Document</a></code>, it
+ must populate <code><a href=#document>Document</a></code>'s <a href=#active-sandboxing-flag-set>active sandboxing flag set</a> with the union of
+ the flags that are present in the following <a href=#sandboxing-flag-set title="sandboxing flag set">sandboxing flag
+ sets</a> at the time the <code><a href=#document>Document</a></code> object is created:</p>
+ <ul><li><p>If the <code><a href=#document>Document</a></code>'s <a href=#browsing-context>browsing context</a> is a <a href=#top-level-browsing-context>top-level browsing
+ context</a>, then: the flags set on the <a href=#browsing-context>browsing context</a>'s <a href=#popup-sandboxing-flag-set>popup sandboxing
+ flag set</a>.</li>
+
+ <li><p>If the <code><a href=#document>Document</a></code>'s <a href=#browsing-context>browsing context</a> is a <a href=#nested-browsing-context>nested browsing
+ context</a>, then: the flags set on the <a href=#browsing-context>browsing context</a>'s
+ <a href=#iframe-sandboxing-flag-set><code>iframe</code> sandboxing flag set</a>.</li>
+
+ <li><p>If the <code><a href=#document>Document</a></code>'s <a href=#browsing-context>browsing context</a> is a <a href=#nested-browsing-context>nested browsing
+ context</a>, then: the flags set on the <a href=#browsing-context>browsing context</a>'s <a href=#parent-browsing-context>parent browsing
+ context</a>'s <a href=#active-document>active document</a>'s <a href=#active-sandboxing-flag-set>active sandboxing flag set</a>.</li>
+
+ <li><p>The flags set on the <code><a href=#document>Document</a></code>'s resource's <a href=#forced-sandboxing-flag-set>forced sandboxing flag
+ set</a>, if it has one.</li>
+
+ </ul><h3 id=history><span class=secno>6.5 </span>Session history and navigation</h3>
+
<h4 id=the-session-history-of-browsing-contexts><span class=secno>6.5.1 </span>The session history of browsing contexts</h4>
<p>The sequence of <code><a href=#document>Document</a></code>s in a <a href=#browsing-context>browsing
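Review bot: the context sentence just above the inserted definition still reads "its active sandboxing flag set must be empty. It is populated by the navigation algorithm", which is no longer the whole story: with this revision it is also populated by "implement the sandboxing" when the initial about:blank Document is created. That sentence should point at the new definition. The "if it has one" qualifier on the forced sandboxing flag set item is what makes the algorithm usable for the about:blank Document, which is not obtained from a resource; a short note saying so would help readers who compare this with the navigation steps.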
@@ -70902,45 +70930,8 @@
<code><a href=#window>Window</a></code> object to point to the new
<code><a href=#document>Document</a></code>.</p>
- <li>
+ <li><p><a href=#implement-the-sandboxing>Implement the sandboxing</a> for the <code><a href=#document>Document</a></code>.</li>
- <p>Populate <code><a href=#document>Document</a></code>'s <a href=#active-sandboxing-flag-set>active sandboxing flag
- set</a> with the union of the flags that are present in the
- following <a href=#sandboxing-flag-set title="sandboxing flag set">sandboxing flag
- sets</a> at the time the <code><a href=#document>Document</a></code> object is
- created:</p>
-
- <ul><li><p>If the <code><a href=#document>Document</a></code>'s <a href=#browsing-context>browsing
- context</a> is a <a href=#top-level-browsing-context>top-level browsing context</a>,
- then: the flags set on the <a href=#browsing-context>browsing context</a>'s
- <a href=#popup-sandboxing-flag-set>popup sandboxing flag set</a>.</li>
-
- <li><p>If the <code><a href=#document>Document</a></code>'s <a href=#browsing-context>browsing
- context</a> is a <a href=#nested-browsing-context>nested browsing context</a>, then:
- the flags set on the <a href=#browsing-context>browsing context</a>'s
- <a href=#iframe-sandboxing-flag-set><code>iframe</code> sandboxing flag set</a>.</li>
-
- <li><p>If the <code><a href=#document>Document</a></code>'s <a href=#browsing-context>browsing
- context</a> is a <a href=#nested-browsing-context>nested browsing context</a>, then:
- the flags set on the <a href=#browsing-context>browsing context</a>'s <a href=#parent-browsing-context>parent
- browsing context</a>'s <a href=#active-document>active document</a>'s
- <a href=#active-sandboxing-flag-set>active sandboxing flag set</a>.</li>
-
- <li><p>The flags set on the resource's <a href=#forced-sandboxing-flag-set>forced sandboxing
- flag set</a>.</li>
-
- </ul><p>Each resource obtained by this <a href=#navigate title=navigate>navigation algorithm</a> has a <dfn id=forced-sandboxing-flag-set>forced
- sandboxing flag set</dfn>, which is a <a href=#sandboxing-flag-set>sandboxing flag
- set</a>. A resource by default has no flags set in its
- <a href=#forced-sandboxing-flag-set>forced sandboxing flag set</a>, but other
- specifications can define that certain flags are set.</p>
-
- <p class=note>In particular, the <a href=#forced-sandboxing-flag-set>forced sandboxing flag
- set</a> is used by the Content Security Policy specification.
- <a href=#refsCSP>[CSP]</a></p>
-
- </li>
-
</ol></li>
<li id=navigate-non-Document>
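Review bot: the replacement list item leaves its paragraph unclosed ("<li><p><a href=#implement-the-sandboxing>Implement the sandboxing</a> for the <code>Document</code>.</li>") while the neighbouring step closes with "</p>"; closing it keeps the markup consistent. The four inputs of the removed inline text (popup, iframe, parent active document, forced set) survive unchanged in the new definition, so navigation behaviour is preserved; only the forced-set item gained an "if it has one" guard that the inline version did not have.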
Modified: index
===================================================================
--- index 2012-09-26 18:10:58 UTC (rev 7410)
+++ index 2012-09-26 21:58:19 UTC (rev 7411)
@@ -26819,13 +26819,22 @@
<p class=warning>Setting both the <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code> and <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code> keywords together when the
embedded page has the <a href=#same-origin>same origin</a> as the page containing the <code><a href=#the-iframe-element>iframe</a></code>
allows the embedded page to simply remove the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code>
- attribute.</p>
+ attribute and then reload itself, effectively breaking out of the sandbox altogether.</p>
- <p class=warning>Sandboxing hostile content is of minimal help if an attacker can convince the
- user to just visit the hostile content directly, rather than in the <code><a href=#the-iframe-element>iframe</a></code>. To limit
- the damage that can be caused by hostile HTML content, it should be served from a separate
- dedicated domain.</p>
+ <p class=warning>These flags only take effect when the <a href=#nested-browsing-context>nested browsing context</a> of
+ the <code><a href=#the-iframe-element>iframe</a></code> is <a href=#navigate title=navigate>navigated</a>. Removing them, or removing the
+ entire <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute, has no effect on an
+ already-loaded page.</p>
+ <p class=warning>Potentially hostile files should not be served from the same server as the file
+ containing the <code><a href=#the-iframe-element>iframe</a></code> element. Sandboxing hostile content is of minimal help if an
+ attacker can convince the user to just visit the hostile content directly, rather than in the
+ <code><a href=#the-iframe-element>iframe</a></code>. To limit the damage that can be caused by hostile HTML content, it should be
+ served from a separate dedicated domain. Using a different domain ensures that scripts in the
+ files are unable to attack the site, even if the user is tricked into visiting those pages
+ directly, without the protection of the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code>
+ attribute.</p>
+
<div class=impl>
<!-- v2: Add a new attribute that enables new restrictions, e.g.:
@@ -26835,16 +26844,18 @@
- block access to 'parent.frames' from sandbox
-->
- <p>While the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute is set or changed, the
- user agent must <a href=#parse-a-sandboxing-directive title="parse a sandboxing directive">parse the sandboxing directive</a>
- using the attribute's value as the <var title="">input</var> and the <code><a href=#the-iframe-element>iframe</a></code> element's
- <a href=#nested-browsing-context>nested browsing context</a>'s <a href=#iframe-sandboxing-flag-set><code>iframe</code> sandboxing flag set</a> as the
- output.</p>
+ <p>When an <code><a href=#the-iframe-element>iframe</a></code> element with a <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code>
+ attribute has its <a href=#nested-browsing-context>nested browsing context</a> created (before the initial
+ <code><a href=#about:blank>about:blank</a></code> <code><a href=#document>Document</a></code> is created), and when an <code><a href=#the-iframe-element>iframe</a></code>
+ element's <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute is set or changed while it
+ has a <a href=#nested-browsing-context>nested browsing context</a>, the user agent must <a href=#parse-a-sandboxing-directive title="parse a sandboxing
+ directive">parse the sandboxing directive</a> using the attribute's value as the <var title="">input</var> and the <code><a href=#the-iframe-element>iframe</a></code> element's <a href=#nested-browsing-context>nested browsing context</a>'s
+ <a href=#iframe-sandboxing-flag-set><code>iframe</code> sandboxing flag set</a> as the output.</p>
- <p class=warning>These flags only take effect when the <a href=#nested-browsing-context>nested browsing context</a> of
- the <code><a href=#the-iframe-element>iframe</a></code> is <a href=#navigate title=navigate>navigated</a>. Removing them, or removing the
- entire <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute, has no effect on an
- already-loaded page.</p>
+ <p>When an <code><a href=#the-iframe-element>iframe</a></code> element's <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code>
+ attribute is removed while it has a <a href=#nested-browsing-context>nested browsing context</a>, the user agent must
+ empty the <code><a href=#the-iframe-element>iframe</a></code> element's <a href=#nested-browsing-context>nested browsing context</a>'s
+ <a href=#iframe-sandboxing-flag-set><code>iframe</code> sandboxing flag set</a> as the output.</p>
</div>
@@ -26910,19 +26921,7 @@
</div>
- <p class=note>Potentially hostile files should not be served from the same server as the file
- containing the <code><a href=#the-iframe-element>iframe</a></code> element. Using a different domain ensures that scripts in the
- files are unable to attack the site, even if the user is tricked into visiting those pages
- directly, without the protection of the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code>
- attribute.</p>
- <p class=warning>If the <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code>
- keyword is set along with <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code> keyword, and the file is
- from the <a href=#same-origin>same origin</a> as the <code><a href=#the-iframe-element>iframe</a></code>'s <code><a href=#document>Document</a></code>, then a
- script in the "sandboxed" iframe could just reach out, remove the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute, and then reload itself, effectively breaking
- out of the sandbox altogether.</p>
-
-
<hr><!-- SEAMLESS --><!-- v2: Might be interesting to have a value on seamless that allowed event propagation of some
sort, maybe based on the WICD work: http://www.w3.org/TR/WICD/ --><p>The <dfn id=attr-iframe-seamless title=attr-iframe-seamless><code>seamless</code></dfn> attribute is a <a href=#boolean-attribute>boolean
attribute</a>. When specified, it indicates that the <code><a href=#the-iframe-element>iframe</a></code> element's
@@ -67216,14 +67215,15 @@
<div class=impl>
- <p>When a <a href=#browsing-context>browsing context</a> is first created, it must be
- created with a single <code><a href=#document>Document</a></code> in its session history,
- whose <a href="#the-document's-address" title="the document's address">address</a> is
- <code><a href=#about:blank>about:blank</a></code>, which is marked as being an <a href=#html-documents title="HTML documents">HTML document</a>, whose <a href="#document's-character-encoding" title="document's character encoding">character encoding</a> is
- UTF-8, and which is both <a href=#ready-for-post-load-tasks>ready for post-load tasks</a> and
- <a href=#completely-loaded>completely loaded</a> immediately. The
- <code><a href=#document>Document</a></code> must have a single child <code><a href=#the-html-element>html</a></code>
- node, which itself has a single child <code><a href=#the-body-element>body</a></code> node.</p>
+ <p>When a <a href=#browsing-context>browsing context</a> is first created, it must be created with a single
+ <code><a href=#document>Document</a></code> in its session history, whose <a href="#the-document's-address" title="the document's
+ address">address</a> is <code><a href=#about:blank>about:blank</a></code>, which is marked as being an <a href=#html-documents title="HTML
+ documents">HTML document</a>, whose <a href="#document's-character-encoding" title="document's character encoding">character
+ encoding</a> is UTF-8, and which is both <a href=#ready-for-post-load-tasks>ready for post-load tasks</a> and
+ <a href=#completely-loaded>completely loaded</a> immediately. The <code><a href=#document>Document</a></code> must have a single child
+ <code><a href=#the-html-element>html</a></code> node, which itself has a single child <code><a href=#the-body-element>body</a></code> node. As soon as this
+ <code><a href=#document>Document</a></code> is created, the user agent must <a href=#implement-the-sandboxing>implement the sandboxing</a> for
+ it.</p>
<p class=note>If the <a href=#browsing-context>browsing context</a> is created
specifically to be immediately navigated, then that initial
@@ -69571,10 +69571,38 @@
<code><a href=#document>Document</a></code> is created, its <a href=#active-sandboxing-flag-set>active sandboxing flag
set</a> must be empty. It is populated by the <a href=#navigate title=navigate>navigation algorithm</a>.</p>
+ <p>Every resource that is obtained by the <a href=#navigate title=navigate>navigation algorithm</a> has a <dfn id=forced-sandboxing-flag-set>forced
+ sandboxing flag set</dfn>, which is a <a href=#sandboxing-flag-set>sandboxing flag
+ set</a>. A resource by default has no flags set in its
+ <a href=#forced-sandboxing-flag-set>forced sandboxing flag set</a>, but other
+ specifications can define that certain flags are set.</p>
+ <p class=note>In particular, the <a href=#forced-sandboxing-flag-set>forced sandboxing flag
+ set</a> is used by the Content Security Policy specification.
+ <a href=#refsCSP>[CSP]</a></p>
- <h3 id=history><span class=secno>6.5 </span>Session history and navigation</h3>
+ <hr><p>When a user agent is to <dfn id=implement-the-sandboxing>implement the sandboxing</dfn> for a <code><a href=#document>Document</a></code>, it
+ must populate <code><a href=#document>Document</a></code>'s <a href=#active-sandboxing-flag-set>active sandboxing flag set</a> with the union of
+ the flags that are present in the following <a href=#sandboxing-flag-set title="sandboxing flag set">sandboxing flag
+ sets</a> at the time the <code><a href=#document>Document</a></code> object is created:</p>
+ <ul><li><p>If the <code><a href=#document>Document</a></code>'s <a href=#browsing-context>browsing context</a> is a <a href=#top-level-browsing-context>top-level browsing
+ context</a>, then: the flags set on the <a href=#browsing-context>browsing context</a>'s <a href=#popup-sandboxing-flag-set>popup sandboxing
+ flag set</a>.</li>
+
+ <li><p>If the <code><a href=#document>Document</a></code>'s <a href=#browsing-context>browsing context</a> is a <a href=#nested-browsing-context>nested browsing
+ context</a>, then: the flags set on the <a href=#browsing-context>browsing context</a>'s
+ <a href=#iframe-sandboxing-flag-set><code>iframe</code> sandboxing flag set</a>.</li>
+
+ <li><p>If the <code><a href=#document>Document</a></code>'s <a href=#browsing-context>browsing context</a> is a <a href=#nested-browsing-context>nested browsing
+ context</a>, then: the flags set on the <a href=#browsing-context>browsing context</a>'s <a href=#parent-browsing-context>parent browsing
+ context</a>'s <a href=#active-document>active document</a>'s <a href=#active-sandboxing-flag-set>active sandboxing flag set</a>.</li>
+
+ <li><p>The flags set on the <code><a href=#document>Document</a></code>'s resource's <a href=#forced-sandboxing-flag-set>forced sandboxing flag
+ set</a>, if it has one.</li>
+
+ </ul><h3 id=history><span class=secno>6.5 </span>Session history and navigation</h3>
+
<h4 id=the-session-history-of-browsing-contexts><span class=secno>6.5.1 </span>The session history of browsing contexts</h4>
<p>The sequence of <code><a href=#document>Document</a></code>s in a <a href=#browsing-context>browsing
@@ -70902,45 +70930,8 @@
<code><a href=#window>Window</a></code> object to point to the new
<code><a href=#document>Document</a></code>.</p>
- <li>
+ <li><p><a href=#implement-the-sandboxing>Implement the sandboxing</a> for the <code><a href=#document>Document</a></code>.</li>
- <p>Populate <code><a href=#document>Document</a></code>'s <a href=#active-sandboxing-flag-set>active sandboxing flag
- set</a> with the union of the flags that are present in the
- following <a href=#sandboxing-flag-set title="sandboxing flag set">sandboxing flag
- sets</a> at the time the <code><a href=#document>Document</a></code> object is
- created:</p>
-
- <ul><li><p>If the <code><a href=#document>Document</a></code>'s <a href=#browsing-context>browsing
- context</a> is a <a href=#top-level-browsing-context>top-level browsing context</a>,
- then: the flags set on the <a href=#browsing-context>browsing context</a>'s
- <a href=#popup-sandboxing-flag-set>popup sandboxing flag set</a>.</li>
-
- <li><p>If the <code><a href=#document>Document</a></code>'s <a href=#browsing-context>browsing
- context</a> is a <a href=#nested-browsing-context>nested browsing context</a>, then:
- the flags set on the <a href=#browsing-context>browsing context</a>'s
- <a href=#iframe-sandboxing-flag-set><code>iframe</code> sandboxing flag set</a>.</li>
-
- <li><p>If the <code><a href=#document>Document</a></code>'s <a href=#browsing-context>browsing
- context</a> is a <a href=#nested-browsing-context>nested browsing context</a>, then:
- the flags set on the <a href=#browsing-context>browsing context</a>'s <a href=#parent-browsing-context>parent
- browsing context</a>'s <a href=#active-document>active document</a>'s
- <a href=#active-sandboxing-flag-set>active sandboxing flag set</a>.</li>
-
- <li><p>The flags set on the resource's <a href=#forced-sandboxing-flag-set>forced sandboxing
- flag set</a>.</li>
-
- </ul><p>Each resource obtained by this <a href=#navigate title=navigate>navigation algorithm</a> has a <dfn id=forced-sandboxing-flag-set>forced
- sandboxing flag set</dfn>, which is a <a href=#sandboxing-flag-set>sandboxing flag
- set</a>. A resource by default has no flags set in its
- <a href=#forced-sandboxing-flag-set>forced sandboxing flag set</a>, but other
- specifications can define that certain flags are set.</p>
-
- <p class=note>In particular, the <a href=#forced-sandboxing-flag-set>forced sandboxing flag
- set</a> is used by the Content Security Policy specification.
- <a href=#refsCSP>[CSP]</a></p>
-
- </li>
-
</ol></li>
<li id=navigate-non-Document>
Modified: source
===================================================================
--- source 2012-09-26 18:10:58 UTC (rev 7410)
+++ source 2012-09-26 21:58:19 UTC (rev 7411)
@@ -28932,13 +28932,22 @@
title="attr-iframe-sandbox-allow-same-origin">allow-same-origin</code> keywords together when the
embedded page has the <span>same origin</span> as the page containing the <code>iframe</code>
allows the embedded page to simply remove the <code title="attr-iframe-sandbox">sandbox</code>
- attribute.</p>
+ attribute and then reload itself, effectively breaking out of the sandbox altogether.</p>
- <p class="warning">Sandboxing hostile content is of minimal help if an attacker can convince the
- user to just visit the hostile content directly, rather than in the <code>iframe</code>. To limit
- the damage that can be caused by hostile HTML content, it should be served from a separate
- dedicated domain.</p>
+ <p class="warning">These flags only take effect when the <span>nested browsing context</span> of
+ the <code>iframe</code> is <span title="navigate">navigated</span>. Removing them, or removing the
+ entire <code title="attr-iframe-sandbox">sandbox</code> attribute, has no effect on an
+ already-loaded page.</p>
+ <p class="warning">Potentially hostile files should not be served from the same server as the file
+ containing the <code>iframe</code> element. Sandboxing hostile content is of minimal help if an
+ attacker can convince the user to just visit the hostile content directly, rather than in the
+ <code>iframe</code>. To limit the damage that can be caused by hostile HTML content, it should be
+ served from a separate dedicated domain. Using a different domain ensures that scripts in the
+ files are unable to attack the site, even if the user is tricked into visiting those pages
+ directly, without the protection of the <code title="attr-iframe-sandbox">sandbox</code>
+ attribute.</p>
+
<div class="impl">
<!-- v2: Add a new attribute that enables new restrictions, e.g.:
@@ -28948,16 +28957,19 @@
- block access to 'parent.frames' from sandbox
-->
- <p>While the <code title="attr-iframe-sandbox">sandbox</code> attribute is set or changed, the
- user agent must <span title="parse a sandboxing directive">parse the sandboxing directive</span>
- using the attribute's value as the <var title="">input</var> and the <code>iframe</code> element's
- <span>nested browsing context</span>'s <span><code>iframe</code> sandboxing flag set</span> as the
- output.</p>
+ <p>When an <code>iframe</code> element with a <code title="attr-iframe-sandbox">sandbox</code>
+ attribute has its <span>nested browsing context</span> created (before the initial
+ <code>about:blank</code> <code>Document</code> is created), and when an <code>iframe</code>
+ element's <code title="attr-iframe-sandbox">sandbox</code> attribute is set or changed while it
+ has a <span>nested browsing context</span>, the user agent must <span title="parse a sandboxing
+ directive">parse the sandboxing directive</span> using the attribute's value as the <var
+ title="">input</var> and the <code>iframe</code> element's <span>nested browsing context</span>'s
+ <span><code>iframe</code> sandboxing flag set</span> as the output.</p>
- <p class="warning">These flags only take effect when the <span>nested browsing context</span> of
- the <code>iframe</code> is <span title="navigate">navigated</span>. Removing them, or removing the
- entire <code title="attr-iframe-sandbox">sandbox</code> attribute, has no effect on an
- already-loaded page.</p>
+ <p>When an <code>iframe</code> element's <code title="attr-iframe-sandbox">sandbox</code>
+ attribute is removed while it has a <span>nested browsing context</span>, the user agent must
+ empty the <code>iframe</code> element's <span>nested browsing context</span>'s
+ <span><code>iframe</code> sandboxing flag set</span> as the output.</p>
</div>
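Review bot: The removal paragraph ends with "empty the iframe element's nested browsing context's iframe sandboxing flag set as the output", where "as the output" is left over from the parse wording above it; emptying a set has no output, so drop the phrase. The parenthetical "(before the initial about:blank Document is created)" is load-bearing rather than incidental: another hunk in this patch makes the initial about:blank Document implement the sandboxing as soon as it is created, and that step reads the iframe sandboxing flag set, so if the parse happened after Document creation the initial about:blank would be unsandboxed, which is exactly the bug the log line says this revision fixes. Worth saying so in a note or cross-reference so a later edit does not reorder the two steps. Also note that setting or changing the attribute on an iframe that already has a nested browsing context only updates the flag set; the moved warning elsewhere in the patch correctly says that has no effect until the next navigation.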
@@ -29028,21 +29040,7 @@
</div>
- <p class="note">Potentially hostile files should not be served from the same server as the file
- containing the <code>iframe</code> element. Using a different domain ensures that scripts in the
- files are unable to attack the site, even if the user is tricked into visiting those pages
- directly, without the protection of the <code title="attr-iframe-sandbox">sandbox</code>
- attribute.</p>
- <p class="warning">If the <code title="attr-iframe-sandbox-allow-scripts">allow-scripts</code>
- keyword is set along with <code
- title="attr-iframe-sandbox-allow-same-origin">allow-same-origin</code> keyword, and the file is
- from the <span>same origin</span> as the <code>iframe</code>'s <code>Document</code>, then a
- script in the "sandboxed" iframe could just reach out, remove the <code
- title="attr-iframe-sandbox">sandbox</code> attribute, and then reload itself, effectively breaking
- out of the sandbox altogether.</p>
-
-
<hr> <!-- SEAMLESS -->
<!-- v2: Might be interesting to have a value on seamless that allowed event propagation of some
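Review bot: This hunk is a pure relocation and nothing is lost: the deleted note ("Potentially hostile files should not be served from the same server...") reappears verbatim inside the relocated warning earlier in the patch, and the deleted warning's "reach out, remove the sandbox attribute, and then reload itself, effectively breaking out of the sandbox altogether" clause is merged into the existing allow-scripts/allow-same-origin warning there. The only visible change in status is that the hostile-files text is promoted from a class="note" to a class="warning", which fits its content.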
@@ -78684,16 +78682,15 @@
<div class="impl">
- <p>When a <span>browsing context</span> is first created, it must be
- created with a single <code>Document</code> in its session history,
- whose <span title="the document's address">address</span> is
- <code>about:blank</code>, which is marked as being an <span
- title="HTML documents">HTML document</span>, whose <span
- title="document's character encoding">character encoding</span> is
- UTF-8, and which is both <span>ready for post-load tasks</span> and
- <span>completely loaded</span> immediately. The
- <code>Document</code> must have a single child <code>html</code>
- node, which itself has a single child <code>body</code> node.</p>
+ <p>When a <span>browsing context</span> is first created, it must be created with a single
+ <code>Document</code> in its session history, whose <span title="the document's
+ address">address</span> is <code>about:blank</code>, which is marked as being an <span title="HTML
+ documents">HTML document</span>, whose <span title="document's character encoding">character
+ encoding</span> is UTF-8, and which is both <span>ready for post-load tasks</span> and
+ <span>completely loaded</span> immediately. The <code>Document</code> must have a single child
+ <code>html</code> node, which itself has a single child <code>body</code> node. As soon as this
+ <code>Document</code> is created, the user agent must <span>implement the sandboxing</span> for
+ it.</p>
<p class="note">If the <span>browsing context</span> is created
specifically to be immediately navigated, then that initial
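Review bot: The added sentence "As soon as this Document is created, the user agent must implement the sandboxing for it" is the change the log line advertises, and it is only well-defined if the flag sets it unions are already populated when the browsing context's initial Document is created. For nested browsing contexts this patch guarantees that by parsing the iframe's sandbox attribute before the initial about:blank Document is created; nothing visible here states the equivalent ordering for the popup sandboxing flag set of a top-level browsing context, so either cross-reference where that set is populated or state that it must be populated before this step. The initial about:blank Document has no resource, so this call relies on the "if it has one" qualifier on the forced sandboxing flag set in the new "implement the sandboxing" definition; that qualifier should stay.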
@@ -81394,8 +81391,45 @@
set</span> must be empty. It is populated by the <span
title="navigate">navigation algorithm</span>.</p>
+ <p>Every resource that is obtained by the <span
+ title="navigate">navigation algorithm</span> has a <dfn>forced
+ sandboxing flag set</dfn>, which is a <span>sandboxing flag
+ set</span>. A resource by default has no flags set in its
+ <span>forced sandboxing flag set</span>, but other
+ specifications can define that certain flags are set.</p>
+ <p class="note">In particular, the <span>forced sandboxing flag
+ set</span> is used by the Content Security Policy specification.
+ <a href="#refsCSP">[CSP]</a></p>
+ <hr>
+
+ <p>When a user agent is to <dfn>implement the sandboxing</dfn> for a <code>Document</code>, it
+ must populate <code>Document</code>'s <span>active sandboxing flag set</span> with the union of
+ the flags that are present in the following <span title="sandboxing flag set">sandboxing flag
+ sets</span> at the time the <code>Document</code> object is created:</p>
+
+ <ul>
+
+ <li><p>If the <code>Document</code>'s <span>browsing context</span> is a <span>top-level browsing
+ context</span>, then: the flags set on the <span>browsing context</span>'s <span>popup sandboxing
+ flag set</span>.</p></li>
+
+ <li><p>If the <code>Document</code>'s <span>browsing context</span> is a <span>nested browsing
+ context</span>, then: the flags set on the <span>browsing context</span>'s
+ <span><code>iframe</code> sandboxing flag set</span>.</p></li>
+
+ <li><p>If the <code>Document</code>'s <span>browsing context</span> is a <span>nested browsing
+ context</span>, then: the flags set on the <span>browsing context</span>'s <span>parent browsing
+ context</span>'s <span>active document</span>'s <span>active sandboxing flag set</span>.</p></li>
+
+ <li><p>The flags set on the <code>Document</code>'s resource's <span>forced sandboxing flag
+ set</span>, if it has one.</p></li>
+
+ </ul>
+
+
+
<h3 id="history">Session history and navigation</h3>
<h4>The session history of browsing contexts</h4>
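Review bot: The fourth list item refers to "the Document's resource's forced sandboxing flag set, if it has one", but the only definition in this hunk attaches a forced sandboxing flag set to "Every resource that is obtained by the navigation algorithm", and "the Document's resource" is not a defined term here; suggest "the resource from which the Document was created, if any" so the initial about:blank case (no resource) is clearly covered. The phrase "at the time the Document object is created" is what makes the union a one-time snapshot, and that snapshot is the reason the relocated warning can say removing the sandbox attribute has no effect on an already-loaded page; a short note to that effect next to the algorithm would help implementers. Style nit: three blank lines before "<h3 id="history">" where the rest of the file uses one.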
@@ -82884,50 +82918,8 @@
<code>Window</code> object to point to the new
<code>Document</code>.</p>
- <li>
+ <li><p><span>Implement the sandboxing</span> for the <code>Document</code>.</p></li>
- <p>Populate <code>Document</code>'s <span>active sandboxing flag
- set</span> with the union of the flags that are present in the
- following <span title="sandboxing flag set">sandboxing flag
- sets</span> at the time the <code>Document</code> object is
- created:</p>
-
- <ul>
-
- <li><p>If the <code>Document</code>'s <span>browsing
- context</span> is a <span>top-level browsing context</span>,
- then: the flags set on the <span>browsing context</span>'s
- <span>popup sandboxing flag set</span>.</p></li>
-
- <li><p>If the <code>Document</code>'s <span>browsing
- context</span> is a <span>nested browsing context</span>, then:
- the flags set on the <span>browsing context</span>'s
- <span><code>iframe</code> sandboxing flag set</span>.</p></li>
-
- <li><p>If the <code>Document</code>'s <span>browsing
- context</span> is a <span>nested browsing context</span>, then:
- the flags set on the <span>browsing context</span>'s <span>parent
- browsing context</span>'s <span>active document</span>'s
- <span>active sandboxing flag set</span>.</p></li>
-
- <li><p>The flags set on the resource's <span>forced sandboxing
- flag set</span>.</p></li>
-
- </ul>
-
- <p>Each resource obtained by this <span
- title="navigate">navigation algorithm</span> has a <dfn>forced
- sandboxing flag set</dfn>, which is a <span>sandboxing flag
- set</span>. A resource by default has no flags set in its
- <span>forced sandboxing flag set</span>, but other
- specifications can define that certain flags are set.</p>
-
- <p class="note">In particular, the <span>forced sandboxing flag
- set</span> is used by the Content Security Policy specification.
- <a href="#refsCSP">[CSP]</a></p>
-
- </li>
-
</ol>
</li>
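Review bot: Behaviour-preserving refactor: the inline population of the active sandboxing flag set and the forced sandboxing flag set definition are lifted out to the new "implement the sandboxing" definition and the step becomes "Implement the sandboxing for the Document." The one textual difference is the new "if it has one" qualifier on the resource's forced sandboxing flag set, which is a no-op on this path because every resource obtained by the navigation algorithm has one by definition; it matters only for the initial about:blank Document. Structure check: the replacement opens and closes its <li> on one line and the old closing </li> is removed with the inline body, so the enclosing <ol> stays well-formed, and the step keeps its position immediately after the Window object is pointed at the new Document, so ordering is unchanged.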