Skip to content
Permalink
Browse files

Add allow-top-navigation-by-user-activation sandbox token

  • Loading branch information...
domenic committed Feb 23, 2017
1 parent 10d61c4 commit 8abd73ec3a56541e3f6486d3a593a8bcfd67295d
Showing with 76 additions and 18 deletions.
  1. +76 −18 source
94 source
data-x="attr-iframe-sandbox-allow-popups-to-escape-sandbox">allow-popups-to-escape-sandbox</code>,
<code data-x="attr-iframe-sandbox-allow-presentation">allow-presentation</code>, <code
data-x="attr-iframe-sandbox-allow-same-origin">allow-same-origin</code>, <code
data-x="attr-iframe-sandbox-allow-scripts">allow-scripts</code>, and <code
data-x="attr-iframe-sandbox-allow-top-navigation">allow-top-navigation</code>.</p>
data-x="attr-iframe-sandbox-allow-scripts">allow-scripts</code>, <code
data-x="attr-iframe-sandbox-allow-top-navigation">allow-top-navigation</code>, and <code
data-x="attr-iframe-sandbox-allow-top-navigation-by-user-activation">allow-top-navigation-by-user-activation</code>.</p>

<p>When the attribute is set, the content is treated as being from a unique <span>origin</span>,
forms, scripts, and various potentially annoying APIs are disabled, links are prevented from
the content to be treated as being from its real origin instead of forcing it into a unique
origin; the <code data-x="attr-iframe-sandbox-allow-top-navigation">allow-top-navigation</code>
keyword allows the content to <span>navigate</span> its <span>top-level browsing context</span>;
and the <code data-x="attr-iframe-sandbox-allow-forms">allow-forms</code>, <code
the <code
data-x="attr-iframe-sandbox-allow-top-navigation-by-user-activation">allow-top-navigation-by-user-activation</code>
keyword behaves similarly but only allows such <span data-x="navigate">navigation</span> when
<span>triggered by user activation</span>; and the <code
data-x="attr-iframe-sandbox-allow-forms">allow-forms</code>, <code
data-x="attr-iframe-sandbox-allow-modals">allow-modals</code>, <code
data-x="attr-iframe-sandbox-allow-orientation-lock">allow-orientation-lock</code>, <code
data-x="attr-iframe-sandbox-allow-pointer-lock">allow-pointer-lock</code>, <code
context">auxiliary browsing contexts</span> respectively. <ref spec=POINTERLOCK>
<ref spec=SCREENORIENTATION> <ref spec=PRESENTATION></p>

<p>The <code
data-x="attr-iframe-sandbox-allow-top-navigation">allow-top-navigation</code> and <code
data-x="attr-iframe-sandbox-allow-top-navigation-by-user-activation">allow-top-navigation-by-user-activation</code>
keywords must not both be specified, as doing so is redundant; only <code
data-x="attr-iframe-sandbox-allow-top-navigation">allow-top-navigation</code> will have an effect
in such non-conformant markup.</p>

<p class="warning">Setting both the <code
data-x="attr-iframe-sandbox-allow-scripts">allow-scripts</code> and <code
data-x="attr-iframe-sandbox-allow-same-origin">allow-same-origin</code> keywords together when the
document</span>'s <span>active sandboxing flag set</span> has its <span>sandboxed navigation
browsing context flag</span> set, then abort these steps negatively.</p></li>

<li><p>Otherwise, if <var>B</var> is a <span>top-level browsing context</span>, and is one of the
<span data-x="ancestor browsing context">ancestor browsing contexts</span> of <var>A</var>, and
<var>A</var>'s <span>active document</span>'s <span>active sandboxing flag set</span> has its
<span>sandboxed top-level navigation browsing context flag</span> set, then abort these steps
negatively.</p></li>
<li>
<p>Otherwise, if <var>B</var> is a <span>top-level browsing context</span>, and is one of the
<span data-x="ancestor browsing context">ancestor browsing contexts</span> of <var>A</var>,
then:</p>

<ol>
<li><p>If this algorithm is <span>triggered by user activation</span> and <var>A</var>'s
<span>active document</span>'s <span>active sandboxing flag set</span> has its <span>sandboxed
top-level navigation with user activation browsing context flag</span> set, then abort these
steps negatively.</p></li>

<li><p>Otherwise, If this algorithm is not <span>triggered by user activation</span> and
<var>A</var>'s <span>active document</span>'s <span>active sandboxing flag set</span> has its
<span>sandboxed top-level navigation without user activation browsing context flag</span> set,
then abort these steps negatively.</p></li>
</ol>
</li>

<li><p>Otherwise, if <var>B</var> is a <span>top-level browsing context</span>, and is
neither <var>A</var> nor one of the <span data-x="ancestor browsing context">ancestor
<span data-x="auxiliary browsing context">auxiliary browsing contexts</span> (which are protected
by the <span>sandboxed auxiliary navigation browsing context flag</span> defined next), and the
<span>top-level browsing context</span> (which is protected by the <span>sandboxed top-level
navigation browsing context flag</span> defined below).</p>
navigation without user activation browsing context flag</span> and <span>sandboxed top-level
navigation with user activation browsing context flag</span> defined below).</p>

<p>If the <span>sandboxed auxiliary navigation browsing context flag</span> is not set, then in
certain cases the restrictions nonetheless allow popups (new <span data-x="top-level browsing
</dd>


<dt>The <dfn data-export="">sandboxed top-level navigation browsing context flag</dfn></dt>
<dt>The <dfn data-export="">sandboxed top-level navigation without user activation browsing
context flag</dfn></dt>

<dd>

<p>This flag <a href="#sandboxLinks">prevents content from navigating their <span>top-level
browsing context</span></a> and <a href="#sandboxClose">prevents content from closing their
<span>top-level browsing context</span></a>. It is consulted only from algorithms that are
<em>not</em> <span>triggered by user activation</span>.</p>

<p>When the <span>sandboxed top-level navigation without user activation browsing context
flag</span> is <em>not</em> set, content can navigate its <span>top-level browsing
context</span>, but other <span data-x="browsing context">browsing contexts</span> are still
protected by the <span>sandboxed navigation browsing context flag</span> and possibly
the <span>sandboxed auxiliary navigation browsing context flag</span>.</p>

</dd>


<dt>The <dfn data-export="">sandboxed top-level navigation with user activation browsing context
flag</dfn></dt>

<dd>

<p>This flag <a href="#sandboxLinks">prevents content from navigating their <span>top-level
browsing context</span></a> and <a href="#sandboxClose">prevents content from closing their
<span>top-level browsing context</span></a>.</p>
<span>top-level browsing context</span></a>. It is consulted only from algorithms that
<em>are</em> <span>triggered by user activation</span>.</p>

<p>When the <span>sandboxed top-level navigation browsing context flag</span> is <em>not</em>
set, content can navigate its <span>top-level browsing context</span>, but other <span
data-x="browsing context">browsing contexts</span> are still protected by the <span>sandboxed
navigation browsing context flag</span> and possibly the <span>sandboxed auxiliary navigation
browsing context flag</span>.</p>
<p>As with the <span>sandboxed top-level navigation without user activation browsing context
flag</span>, this flag only affects the <span>top-level browsing context</span>; if it is not
set, other <span data-x="browsing context">browsing contexts</span> might still be protected by
other flags.</p>

</dd>


<li><p>The <span>sandboxed auxiliary navigation browsing context flag</span>, unless <var>tokens</var> contains the <dfn><code data-x="attr-iframe-sandbox-allow-popups">allow-popups</code></dfn> keyword.</p></li>

<li><p>The <span>sandboxed top-level navigation browsing context flag</span>, unless <var>tokens</var> contains the <dfn><code data-x="attr-iframe-sandbox-allow-top-navigation">allow-top-navigation</code></dfn>
keyword.</p></li>
<li><p>The <span>sandboxed top-level navigation without user activation browsing context flag</span>, unless
<var>tokens</var> contains the <dfn><code
data-x="attr-iframe-sandbox-allow-top-navigation">allow-top-navigation</code></dfn> keyword.</p></li>

<li>
<p>The <span>sandboxed top-level navigation with user activation browsing context flag</span>, unless
<var>tokens</var> contains either the <dfn><code
data-x="attr-iframe-sandbox-allow-top-navigation-by-user-activation">allow-top-navigation-by-user-activation</code></dfn>
keyword or the <code data-x="attr-iframe-sandbox-allow-top-navigation">allow-top-navigation</code> keyword.</p>

<p class="note">This means that if the <code
data-x="attr-iframe-sandbox-allow-top-navigation">allow-top-navigation</code> is present, the <code
data-x="attr-iframe-sandbox-allow-top-navigation-by-user-activation">allow-top-navigation-by-user-activation</code>
keyword will have no effect. For this reason, specifying both is a document conformance error.</p>
</li>

<li><p>The <span>sandboxed plugins browsing context flag</span>.</p></li>

0 comments on commit 8abd73e

Please sign in to comment.
You can’t perform that action at this time.