Skip to content
Permalink
Browse files

[giow] (2) <iframe>s only do their nested browsing context stuff when…

… they are themselves in a browsing context

Fixing https://www.w3.org/Bugs/Public/show_bug.cgi?id=25880
Affected topics: HTML

git-svn-id: http://svn.whatwg.org/webapps@8708 340c8d12-0b0e-0410-8428-c7bf67bfef74
  • Loading branch information...
Hixie committed Aug 5, 2014
1 parent 5112881 commit 8edfe6da5a635f1c31f3ea22f2d323adc33b938e
Showing with 40 additions and 40 deletions.
  1. +19 −19 complete.html
  2. +19 −19 index
  3. +2 −2 source
<hr>

<p>When an <code id=the-iframe-element:the-iframe-element-7><a href=#the-iframe-element>iframe</a></code> element is <a href=#insert-an-element-into-a-document id=the-iframe-element:insert-an-element-into-a-document>inserted
into a document</a>, the user agent must create a <a href=#nested-browsing-context id=the-iframe-element:nested-browsing-context-5>nested browsing context</a>, and
into a document</a> that has a <a href=#browsing-context id=the-iframe-element:browsing-context>browsing context</a>, the user agent must create a <a href=#nested-browsing-context id=the-iframe-element:nested-browsing-context-5>nested browsing context</a>, and
then <a href=#process-the-iframe-attributes id=the-iframe-element:process-the-iframe-attributes>process the <code>iframe</code> attributes</a> for the "first time".</p>

<p>When an <code id=the-iframe-element:the-iframe-element-8><a href=#the-iframe-element>iframe</a></code> element is <a href=#remove-an-element-from-a-document id=the-iframe-element:remove-an-element-from-a-document>removed
from a document</a>, the user agent must <a href=#a-browsing-context-is-discarded id=the-iframe-element:a-browsing-context-is-discarded>discard</a> the <a href=#nested-browsing-context id=the-iframe-element:nested-browsing-context-6>nested browsing context</a>.</p>
from a document</a>, the user agent must <a href=#a-browsing-context-is-discarded id=the-iframe-element:a-browsing-context-is-discarded>discard</a> the <a href=#nested-browsing-context id=the-iframe-element:nested-browsing-context-6>nested browsing context</a>, if any.</p>

<p class=note>This happens without any <code id=the-iframe-element:event-unload><a href=#event-unload>unload</a></code> events firing
(the <a href=#nested-browsing-context id=the-iframe-element:nested-browsing-context-7>nested browsing context</a> and its <code id=the-iframe-element:document-2><a href=#document>Document</a></code> are <em><a href=#a-browsing-context-is-discarded id=the-iframe-element:a-browsing-context-is-discarded-2>discarded</a></em>, not <em><span> data-x="unload a
<p>Any <a href=#navigate id=the-iframe-element:navigate-3>navigation</a> required of the user agent in the <a href=#process-the-iframe-attributes id=the-iframe-element:process-the-iframe-attributes-4>process
the <code>iframe</code> attributes</a> algorithm must be completed as an <a href=#explicit-self-navigation-override id=the-iframe-element:explicit-self-navigation-override>explicit
self-navigation override</a> and with the <code id=the-iframe-element:the-iframe-element-13><a href=#the-iframe-element>iframe</a></code> element's document's
<a href=#browsing-context id=the-iframe-element:browsing-context>browsing context</a> as the <a href=#source-browsing-context id=the-iframe-element:source-browsing-context>source browsing context</a>.</p>
<a href=#browsing-context id=the-iframe-element:browsing-context-2>browsing context</a> as the <a href=#source-browsing-context id=the-iframe-element:source-browsing-context>source browsing context</a>.</p>

<p>Furthermore, if the <a href=#active-document id=the-iframe-element:active-document-2>active document</a> of the element's <a href=#child-browsing-context id=the-iframe-element:child-browsing-context-3>child browsing
context</a> before such a <a href=#navigate id=the-iframe-element:navigate-4>navigation</a> was not <a href=#completely-loaded id=the-iframe-element:completely-loaded>completely
access control policies that are stricter than those described above to mitigate this attack, but
unfortunately such policies are typically not compatible with existing Web content.</p>

<p>When the <code id=the-iframe-element:the-iframe-element-18><a href=#the-iframe-element>iframe</a></code>'s <a href=#browsing-context id=the-iframe-element:browsing-context-2>browsing context</a>'s <a href=#active-document id=the-iframe-element:active-document-4>active document</a> is
<p>When the <code id=the-iframe-element:the-iframe-element-18><a href=#the-iframe-element>iframe</a></code>'s <a href=#browsing-context id=the-iframe-element:browsing-context-3>browsing context</a>'s <a href=#active-document id=the-iframe-element:active-document-4>active document</a> is
not <a href=#ready-for-post-load-tasks id=the-iframe-element:ready-for-post-load-tasks>ready for post-load tasks</a>, and when anything in the <code id=the-iframe-element:the-iframe-element-19><a href=#the-iframe-element>iframe</a></code> is <a href=#delay-the-load-event id=the-iframe-element:delay-the-load-event>delaying the load event</a> of the <code id=the-iframe-element:the-iframe-element-20><a href=#the-iframe-element>iframe</a></code>'s
<a href=#browsing-context id=the-iframe-element:browsing-context-3>browsing context</a>'s <a href=#active-document id=the-iframe-element:active-document-5>active document</a>, and when the <code id=the-iframe-element:the-iframe-element-21><a href=#the-iframe-element>iframe</a></code>'s
<a href=#browsing-context id=the-iframe-element:browsing-context-4>browsing context</a> is in the <a href=#delaying-load-events-mode id=the-iframe-element:delaying-load-events-mode>delaying <code>load</code> events
<a href=#browsing-context id=the-iframe-element:browsing-context-4>browsing context</a>'s <a href=#active-document id=the-iframe-element:active-document-5>active document</a>, and when the <code id=the-iframe-element:the-iframe-element-21><a href=#the-iframe-element>iframe</a></code>'s
<a href=#browsing-context id=the-iframe-element:browsing-context-5>browsing context</a> is in the <a href=#delaying-load-events-mode id=the-iframe-element:delaying-load-events-mode>delaying <code>load</code> events
mode</a>, the <code id=the-iframe-element:the-iframe-element-22><a href=#the-iframe-element>iframe</a></code> must <a href=#delay-the-load-event id=the-iframe-element:delay-the-load-event-2>delay the load event</a> of its document.</p>

<p class=note>If, during the handling of the <code id=the-iframe-element:event-load-3><a href=#event-load>load</a></code> event, the
<a href=#browsing-context id=the-iframe-element:browsing-context-5>browsing context</a> in the <code id=the-iframe-element:the-iframe-element-23><a href=#the-iframe-element>iframe</a></code> is again <a href=#navigate id=the-iframe-element:navigate-8>navigated</a>, that will further <a href=#delay-the-load-event id=the-iframe-element:delay-the-load-event-3>delay the load event</a>.</p>
<a href=#browsing-context id=the-iframe-element:browsing-context-6>browsing context</a> in the <code id=the-iframe-element:the-iframe-element-23><a href=#the-iframe-element>iframe</a></code> is again <a href=#navigate id=the-iframe-element:navigate-8>navigated</a>, that will further <a href=#delay-the-load-event id=the-iframe-element:delay-the-load-event-3>delay the load event</a>.</p>





<p>Whenever the <code id=the-iframe-element:attr-iframe-name-2><a href=#attr-iframe-name>name</a></code> attribute is set, the nested
<a href=#browsing-context id=the-iframe-element:browsing-context-6>browsing context</a>'s <a href=#browsing-context-name id=the-iframe-element:browsing-context-name-3>name</a> must be changed to
<a href=#browsing-context id=the-iframe-element:browsing-context-7>browsing context</a>'s <a href=#browsing-context-name id=the-iframe-element:browsing-context-name-3>name</a> must be changed to
the new value. If the attribute is removed, the <a href=#browsing-context-name id=the-iframe-element:browsing-context-name-4>browsing context name</a> must be set to
the empty string.</p>


<p>When the attribute is set, the content is treated as being from a unique <a href=#origin-2 id=the-iframe-element:origin-2-2>origin</a>,
forms, scripts, and various potentially annoying APIs are disabled, links are prevented from
targeting other <a href=#browsing-context id=the-iframe-element:browsing-context-7>browsing contexts</a>, and plugins are secured.
targeting other <a href=#browsing-context id=the-iframe-element:browsing-context-8>browsing contexts</a>, and plugins are secured.
The <code id=the-iframe-element:attr-iframe-sandbox-allow-same-origin-2><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code> keyword causes
the content to be treated as being from its real origin instead of forcing it into a unique
origin; the <code id=the-iframe-element:attr-iframe-sandbox-allow-top-navigation-2><a href=#attr-iframe-sandbox-allow-top-navigation>allow-top-navigation</a></code>

<p>The <dfn id=attr-iframe-seamless><code>seamless</code></dfn> attribute is a <a href=#boolean-attribute id=the-iframe-element:boolean-attribute>boolean
attribute</a>. When specified, it indicates that the <code id=the-iframe-element:the-iframe-element-42><a href=#the-iframe-element>iframe</a></code> element's
<a href=#browsing-context id=the-iframe-element:browsing-context-8>browsing context</a> is to be rendered in a manner that makes it appear to be part of the
<a href=#browsing-context id=the-iframe-element:browsing-context-9>browsing context</a> is to be rendered in a manner that makes it appear to be part of the
containing document (seamlessly included in the parent document).</p>

<div class=example>

<li>Either:

<ul><li>The <a href=#browsing-context id=the-iframe-element:browsing-context-9>browsing context</a>'s <a href=#active-document id=the-iframe-element:active-document-6>active document</a> has the <a href=#same-origin id=the-iframe-element:same-origin-2>same
<ul><li>The <a href=#browsing-context id=the-iframe-element:browsing-context-10>browsing context</a>'s <a href=#active-document id=the-iframe-element:active-document-6>active document</a> has the <a href=#same-origin id=the-iframe-element:same-origin-2>same
origin</a> as the <code id=the-iframe-element:the-iframe-element-48><a href=#the-iframe-element>iframe</a></code> element's <code id=the-iframe-element:document-13><a href=#document>Document</a></code>, or

<li>The <a href=#browsing-context id=the-iframe-element:browsing-context-10>browsing context</a>'s <a href=#active-document id=the-iframe-element:active-document-7>active document</a>'s <em><a href=http://dom.spec.whatwg.org/#concept-document-url id="the-iframe-element:the-document's-address-2" data-x-internal="the-document's-address">address</a></em> has the <a href=#same-origin id=the-iframe-element:same-origin-3>same origin</a> as the
<li>The <a href=#browsing-context id=the-iframe-element:browsing-context-11>browsing context</a>'s <a href=#active-document id=the-iframe-element:active-document-7>active document</a>'s <em><a href=http://dom.spec.whatwg.org/#concept-document-url id="the-iframe-element:the-document's-address-2" data-x-internal="the-document's-address">address</a></em> has the <a href=#same-origin id=the-iframe-element:same-origin-3>same origin</a> as the
<code id=the-iframe-element:the-iframe-element-49><a href=#the-iframe-element>iframe</a></code> element's <code id=the-iframe-element:document-14><a href=#document>Document</a></code>, or

<li>The <a href=#browsing-context id=the-iframe-element:browsing-context-11>browsing context</a>'s <a href=#active-document id=the-iframe-element:active-document-8>active document</a> is <a href=#an-iframe-srcdoc-document id=the-iframe-element:an-iframe-srcdoc-document-4>an
<li>The <a href=#browsing-context id=the-iframe-element:browsing-context-12>browsing context</a>'s <a href=#active-document id=the-iframe-element:active-document-8>active document</a> is <a href=#an-iframe-srcdoc-document id=the-iframe-element:an-iframe-srcdoc-document-4>an
<code>iframe</code> <code>srcdoc</code> document</a>.

</ul>
requirements apply:</p>

<ul><li><p>The user agent must set the <dfn id=seamless-browsing-context-flag>seamless browsing context flag</dfn> to true for that
<a href=#browsing-context id=the-iframe-element:browsing-context-12>browsing context</a>. This will <a href=#seamlessLinks>cause links to open in the
<a href=#browsing-context id=the-iframe-element:browsing-context-13>browsing context</a>. This will <a href=#seamlessLinks>cause links to open in the
parent browsing context</a> unless an <a href=#explicit-self-navigation-override id=the-iframe-element:explicit-self-navigation-override-2>explicit self-navigation override</a> is used
(<code>target="_self"</code>).<li><p>Media queries in the context of the <code id=the-iframe-element:the-iframe-element-51><a href=#the-iframe-element>iframe</a></code>'s <a href=#browsing-context id=the-iframe-element:browsing-context-13>browsing context</a>
(<code>target="_self"</code>).<li><p>Media queries in the context of the <code id=the-iframe-element:the-iframe-element-51><a href=#the-iframe-element>iframe</a></code>'s <a href=#browsing-context id=the-iframe-element:browsing-context-14>browsing context</a>
(e.g. on <code id=the-iframe-element:attr-style-media><a href=#attr-style-media>media</a></code> attributes of <code id=the-iframe-element:the-style-element><a href=#the-style-element>style</a></code> elements in
<code id=the-iframe-element:document-15><a href=#document>Document</a></code>s in that <code id=the-iframe-element:the-iframe-element-52><a href=#the-iframe-element>iframe</a></code>) must be evaluated with respect to the nearest
<a href=#ancestor-browsing-context id=the-iframe-element:ancestor-browsing-context-2>ancestor browsing context</a> that is not itself being <a href=#browsing-context-nested-through id=the-iframe-element:browsing-context-nested-through>nested through</a> an <code id=the-iframe-element:the-iframe-element-53><a href=#the-iframe-element>iframe</a></code> that is <a href=#in-seamless-mode id=the-iframe-element:in-seamless-mode-2>in seamless

<p>If the attribute is not specified, or if the <a href=#origin-2 id=the-iframe-element:origin-2-3>origin</a> conditions listed above are
not met, then the user agent should render the <a href=#nested-browsing-context id=the-iframe-element:nested-browsing-context-25>nested browsing context</a> in a manner
that is clearly distinguishable as a separate <a href=#browsing-context id=the-iframe-element:browsing-context-14>browsing context</a>, and the
<a href=#seamless-browsing-context-flag id=the-iframe-element:seamless-browsing-context-flag>seamless browsing context flag</a> must be set to false for that <a href=#browsing-context id=the-iframe-element:browsing-context-15>browsing
that is clearly distinguishable as a separate <a href=#browsing-context id=the-iframe-element:browsing-context-15>browsing context</a>, and the
<a href=#seamless-browsing-context-flag id=the-iframe-element:seamless-browsing-context-flag>seamless browsing context flag</a> must be set to false for that <a href=#browsing-context id=the-iframe-element:browsing-context-16>browsing
context</a>.</p>

<p class=warning>It is important that user agents recheck the above conditions whenever the

<p>The <dfn id=attr-iframe-allowfullscreen><code>allowfullscreen</code></dfn> attribute is a
<a href=#boolean-attribute id=the-iframe-element:boolean-attribute-2>boolean attribute</a>. When specified, it indicates that <code id=the-iframe-element:document-16><a href=#document>Document</a></code> objects in
the <code id=the-iframe-element:the-iframe-element-70><a href=#the-iframe-element>iframe</a></code> element's <a href=#browsing-context id=the-iframe-element:browsing-context-16>browsing context</a> are to be allowed to use <code id=the-iframe-element:dom-element-requestfullscreen-2><a href=#dom-element-requestfullscreen>requestFullscreen()</a></code> (if it's not blocked for other
the <code id=the-iframe-element:the-iframe-element-70><a href=#the-iframe-element>iframe</a></code> element's <a href=#browsing-context id=the-iframe-element:browsing-context-17>browsing context</a> are to be allowed to use <code id=the-iframe-element:dom-element-requestfullscreen-2><a href=#dom-element-requestfullscreen>requestFullscreen()</a></code> (if it's not blocked for other
reasons, e.g. there is another ancestor <code id=the-iframe-element:the-iframe-element-71><a href=#the-iframe-element>iframe</a></code> without this attribute set).</p>

<div class=example>
embedded content has specific dimensions (e.g. ad units have well-defined dimensions).</p>

<p>An <code id=the-iframe-element:the-iframe-element-74><a href=#the-iframe-element>iframe</a></code> element never has <a href=#fallback-content id=the-iframe-element:fallback-content>fallback content</a>, as it will always
create a nested <a href=#browsing-context id=the-iframe-element:browsing-context-17>browsing context</a>, regardless of whether the specified initial
create a nested <a href=#browsing-context id=the-iframe-element:browsing-context-18>browsing context</a>, regardless of whether the specified initial
contents are successfully used.</p>


0 comments on commit 8edfe6d

Please sign in to comment.
You can’t perform that action at this time.