[html5] r8275 - [giow] (2) Make sandboxed iframes block document.domain setting Fixing https://w [...]
whatwg at whatwg.org
Wed Nov 13 11:32:59 PST 2013
Author: ianh
Date: 2013-11-13 11:32:57 -0800 (Wed, 13 Nov 2013)
New Revision: 8275
Modified:
complete.html
index
source
Log:
[giow] (2) Make sandboxed iframes block document.domain setting
Fixing https://www.w3.org/Bugs/Public/show_bug.cgi?id=23040
Affected topics: HTML, Security
Modified: complete.html
===================================================================
--- complete.html 2013-11-13 19:09:31 UTC (rev 8274)
+++ complete.html 2013-11-13 19:32:57 UTC (rev 8275)
@@ -65200,7 +65200,7 @@
<p>Can be set to a value that removes subdomains, to change the <a href=#effective-script-origin>effective script
origin</a> to allow pages on other subdomains of the same domain (if they do the same thing)
- to access each other.</p>
+ to access each other. (Can't be set in sandboxed <code><a href=#the-iframe-element>iframe</a></code>s.)</p>
</dd>
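Review bot: The parenthetical added to the summary paragraph says "sandboxed iframes", but the normative step added in the next hunk tests the Document's active sandboxing flag set, and the context at the end of this file's diff mentions a popup sandboxing flag set on top-level browsing contexts, so the restriction may not be limited to iframes. Suggest wording the summary in terms of the document being sandboxed and naming the outcome, for example "(Throws a SecurityError in sandboxed documents.)".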
@@ -65227,6 +65227,14 @@
<li>
+ <p>If the <code><a href=#document>Document</a></code>'s <a href=#active-sandboxing-flag-set>active sandboxing flag set</a> has its
+ <a href=#sandboxed-document.domain-browsing-context-flag>sandboxed <code title=dom-document-domain>document.domain</code> browsing context
+ flag</a> set, throw a <code><a href=#securityerror>SecurityError</a></code> exception and abort these steps.</p>
+
+ </li>
+
+ <li>
+
<p>If the new value is an IPv4 or IPv6 address, let <var title="">new value</var> be the new
value. Otherwise, apply the IDNA ToASCII algorithm to the new value, with both the
AllowUnassigned and UseSTD3ASCIIRules flags set, and let <var title="">new value</var> be the
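Review bot: The new SecurityError step is placed ahead of the step that first processes the new value, so a sandboxed document throws on every assignment, including one that would leave the effective script origin unchanged. If that is intended, a short note in the step saying so would help implementers and test authors; if not, the check belongs after the new value has been processed.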
@@ -65474,6 +65482,17 @@
</dd>
+
+ <dt>The <dfn id=sandboxed-document.domain-browsing-context-flag>sandboxed <code title=dom-document-domain>document.domain</code> browsing context flag</dfn></dt>
+
+ <dd>
+
+ <p>This flag prevents content from using the <code title=dom-document-domain><a href=#dom-document-domain>document.domain</a></code> feature to change the <a href=#effective-script-origin>effective script
+ origin</a>.</p>
+
+ </dd>
+
+
</dl><p>When the user agent is to <dfn id=parse-a-sandboxing-directive>parse a sandboxing directive</dfn>, given a string <var title="">input</var>, a <a href=#sandboxing-flag-set>sandboxing flag set</a> <var title="">output</var>, and
optionally an <var title="">allow fullscreen flag</var>, it must run the following steps:</p>
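Review bot: The added definition says the flag prevents "using the document.domain feature", which leaves open whether reading the attribute is affected; the only enforcement visible in this change is the setter step that throws SecurityError. Suggest "prevents content from setting document.domain" so the definition matches the algorithm.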
@@ -65539,6 +65558,9 @@
<li><p>The <a href=#sandboxed-fullscreen-browsing-context-flag>sandboxed fullscreen browsing context flag</a>, unless the <var title="">allow fullscreen flag</var> was passed to the <a href=#parse-a-sandboxing-directive>parse a sandboxing
directive</a> flag.</li>
+ <li><p>The <a href=#sandboxed-document.domain-browsing-context-flag>sandboxed <code title=dom-document-domain>document.domain</code> browsing
+ context flag</a>.</li>
+
</ul></li>
</ol><hr><p>Every <a href=#top-level-browsing-context>top-level browsing context</a> has a <dfn id=popup-sandboxing-flag-set>popup sandboxing flag set</dfn>, which
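Review bot: The added list item has no "unless" clause, whereas the fullscreen item directly above it is conditional on the allow fullscreen flag, so parsing any sandboxing directive sets this flag and nothing lifts it. If that is the intent, state it in the flag's definition so authors do not go looking for an opt-out keyword.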
Modified: index
===================================================================
--- index 2013-11-13 19:09:31 UTC (rev 8274)
+++ index 2013-11-13 19:32:57 UTC (rev 8275)
@@ -65200,7 +65200,7 @@
<p>Can be set to a value that removes subdomains, to change the <a href=#effective-script-origin>effective script
origin</a> to allow pages on other subdomains of the same domain (if they do the same thing)
- to access each other.</p>
+ to access each other. (Can't be set in sandboxed <code><a href=#the-iframe-element>iframe</a></code>s.)</p>
</dd>
@@ -65227,6 +65227,14 @@
<li>
+ <p>If the <code><a href=#document>Document</a></code>'s <a href=#active-sandboxing-flag-set>active sandboxing flag set</a> has its
+ <a href=#sandboxed-document.domain-browsing-context-flag>sandboxed <code title=dom-document-domain>document.domain</code> browsing context
+ flag</a> set, throw a <code><a href=#securityerror>SecurityError</a></code> exception and abort these steps.</p>
+
+ </li>
+
+ <li>
+
<p>If the new value is an IPv4 or IPv6 address, let <var title="">new value</var> be the new
value. Otherwise, apply the IDNA ToASCII algorithm to the new value, with both the
AllowUnassigned and UseSTD3ASCIIRules flags set, and let <var title="">new value</var> be the
@@ -65474,6 +65482,17 @@
</dd>
+
+ <dt>The <dfn id=sandboxed-document.domain-browsing-context-flag>sandboxed <code title=dom-document-domain>document.domain</code> browsing context flag</dfn></dt>
+
+ <dd>
+
+ <p>This flag prevents content from using the <code title=dom-document-domain><a href=#dom-document-domain>document.domain</a></code> feature to change the <a href=#effective-script-origin>effective script
+ origin</a>.</p>
+
+ </dd>
+
+
</dl><p>When the user agent is to <dfn id=parse-a-sandboxing-directive>parse a sandboxing directive</dfn>, given a string <var title="">input</var>, a <a href=#sandboxing-flag-set>sandboxing flag set</a> <var title="">output</var>, and
optionally an <var title="">allow fullscreen flag</var>, it must run the following steps:</p>
@@ -65539,6 +65558,9 @@
<li><p>The <a href=#sandboxed-fullscreen-browsing-context-flag>sandboxed fullscreen browsing context flag</a>, unless the <var title="">allow fullscreen flag</var> was passed to the <a href=#parse-a-sandboxing-directive>parse a sandboxing
directive</a> flag.</li>
+ <li><p>The <a href=#sandboxed-document.domain-browsing-context-flag>sandboxed <code title=dom-document-domain>document.domain</code> browsing
+ context flag</a>.</li>
+
</ul></li>
</ol><hr><p>Every <a href=#top-level-browsing-context>top-level browsing context</a> has a <dfn id=popup-sandboxing-flag-set>popup sandboxing flag set</dfn>, which
Modified: source
===================================================================
--- source 2013-11-13 19:09:31 UTC (rev 8274)
+++ source 2013-11-13 19:32:57 UTC (rev 8275)
@@ -72594,7 +72594,7 @@
<p>Can be set to a value that removes subdomains, to change the <span>effective script
origin</span> to allow pages on other subdomains of the same domain (if they do the same thing)
- to access each other.</p>
+ to access each other. (Can't be set in sandboxed <code>iframe</code>s.)</p>
</dd>
@@ -72625,6 +72625,14 @@
<li>
+ <p>If the <code>Document</code>'s <span>active sandboxing flag set</span> has its
+ <span>sandboxed <code data-x="dom-document-domain">document.domain</code> browsing context
+ flag</span> set, throw a <code>SecurityError</code> exception and abort these steps.</p>
+
+ </li>
+
+ <li>
+
<p>If the new value is an IPv4 or IPv6 address, let <var data-x="">new value</var> be the new
value. Otherwise, apply the IDNA ToASCII algorithm to the new value, with both the
AllowUnassigned and UseSTD3ASCIIRules flags set, and let <var data-x="">new value</var> be the
@@ -72901,6 +72909,18 @@
</dd>
+
+ <dt>The <dfn>sandboxed <code data-x="dom-document-domain">document.domain</code> browsing context flag</dfn></dt>
+
+ <dd>
+
+ <p>This flag prevents content from using the <code
+ data-x="dom-document-domain">document.domain</code> feature to change the <span>effective script
+ origin</span>.</p>
+
+ </dd>
+
+
</dl>
<p>When the user agent is to <dfn>parse a sandboxing directive</dfn>, given a string <var
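Review bot: The added <dfn> carries no explicit identifier, and the id generated for it in complete.html and index is sandboxed-document.domain-browsing-context-flag, which contains a ".". That is a valid fragment, but in a CSS selector #sandboxed-document.domain-browsing-context-flag parses as an id plus a class unless the dot is escaped; if the toolchain lets the source set the id, one without the dot avoids that.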
@@ -72988,6 +73008,9 @@
data-x="">allow fullscreen flag</var> was passed to the <span>parse a sandboxing
directive</span> flag.</p></li>
+ <li><p>The <span>sandboxed <code data-x="dom-document-domain">document.domain</code> browsing
+ context flag</span>.</p></li>
+
</ul>
</li>