[giow] (1) Also sandbox the initial about:blank document of an <ifram…

…e sandbox>. Also, much cleanup. Affected topics: HTML git-svn-id: http://svn.whatwg.org/webapps@7411 340c8d12-0b0e-0410-8428-c7bf67bfef74
whatwg · Sep 26, 2012 · b742b70 · b742b70
1 parent 3de820e
commit b742b70
Show file tree

Hide file tree

Showing 3 changed files with 201 additions and 227 deletions.
diff --git a/complete.html b/complete.html
@@ -26819,12 +26819,21 @@ <h4 id=the-iframe-element><span class=secno>4.8.2 </span>The <dfn><code>iframe</
   <p class=warning>Setting both the <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code> and <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code> keywords together when the
   embedded page has the <a href=#same-origin>same origin</a> as the page containing the <code><a href=#the-iframe-element>iframe</a></code>
   allows the embedded page to simply remove the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code>
-  attribute.</p>
+  attribute and then reload itself, effectively breaking out of the sandbox altogether.</p>
 
-  <p class=warning>Sandboxing hostile content is of minimal help if an attacker can convince the
-  user to just visit the hostile content directly, rather than in the <code><a href=#the-iframe-element>iframe</a></code>. To limit
-  the damage that can be caused by hostile HTML content, it should be served from a separate
-  dedicated domain.</p>
+  <p class=warning>These flags only take effect when the <a href=#nested-browsing-context>nested browsing context</a> of
+  the <code><a href=#the-iframe-element>iframe</a></code> is <a href=#navigate title=navigate>navigated</a>. Removing them, or removing the
+  entire <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute, has no effect on an
+  already-loaded page.</p>
+
+  <p class=warning>Potentially hostile files should not be served from the same server as the file
+  containing the <code><a href=#the-iframe-element>iframe</a></code> element. Sandboxing hostile content is of minimal help if an
+  attacker can convince the user to just visit the hostile content directly, rather than in the
+  <code><a href=#the-iframe-element>iframe</a></code>. To limit the damage that can be caused by hostile HTML content, it should be
+  served from a separate dedicated domain. Using a different domain ensures that scripts in the
+  files are unable to attack the site, even if the user is tricked into visiting those pages
+  directly, without the protection of the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code>
+  attribute.</p>
 
   <div class=impl>
 
@@ -26835,16 +26844,18 @@ <h4 id=the-iframe-element><span class=secno>4.8.2 </span>The <dfn><code>iframe</
        - block access to 'parent.frames' from sandbox
   -->
 
-  <p>While the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute is set or changed, the
-  user agent must <a href=#parse-a-sandboxing-directive title="parse a sandboxing directive">parse the sandboxing directive</a>
-  using the attribute's value as the <var title="">input</var> and the <code><a href=#the-iframe-element>iframe</a></code> element's
-  <a href=#nested-browsing-context>nested browsing context</a>'s <a href=#iframe-sandboxing-flag-set><code>iframe</code> sandboxing flag set</a> as the
-  output.</p>
+  <p>When an <code><a href=#the-iframe-element>iframe</a></code> element with a <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code>
+  attribute has its <a href=#nested-browsing-context>nested browsing context</a> created (before the initial
+  <code><a href=#about:blank>about:blank</a></code> <code><a href=#document>Document</a></code> is created), and when an <code><a href=#the-iframe-element>iframe</a></code>
+  element's <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute is set or changed while it
+  has a <a href=#nested-browsing-context>nested browsing context</a>, the user agent must <a href=#parse-a-sandboxing-directive title="parse a sandboxing
+  directive">parse the sandboxing directive</a> using the attribute's value as the <var title="">input</var> and the <code><a href=#the-iframe-element>iframe</a></code> element's <a href=#nested-browsing-context>nested browsing context</a>'s
+  <a href=#iframe-sandboxing-flag-set><code>iframe</code> sandboxing flag set</a> as the output.</p>
 
-  <p class=warning>These flags only take effect when the <a href=#nested-browsing-context>nested browsing context</a> of
-  the <code><a href=#the-iframe-element>iframe</a></code> is <a href=#navigate title=navigate>navigated</a>. Removing them, or removing the
-  entire <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute, has no effect on an
-  already-loaded page.</p>
+  <p>When an <code><a href=#the-iframe-element>iframe</a></code> element's <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code>
+  attribute is removed while it has a <a href=#nested-browsing-context>nested browsing context</a>, the user agent must
+  empty the <code><a href=#the-iframe-element>iframe</a></code> element's <a href=#nested-browsing-context>nested browsing context</a>'s
+  <a href=#iframe-sandboxing-flag-set><code>iframe</code> sandboxing flag set</a> as the output.</p>
 
   </div>
 
@@ -26910,18 +26921,6 @@ <h4 id=the-iframe-element><span class=secno>4.8.2 </span>The <dfn><code>iframe</
 
   </div>
 
-  <p class=note>Potentially hostile files should not be served from the same server as the file
-  containing the <code><a href=#the-iframe-element>iframe</a></code> element. Using a different domain ensures that scripts in the
-  files are unable to attack the site, even if the user is tricked into visiting those pages
-  directly, without the protection of the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code>
-  attribute.</p>
-
-  <p class=warning>If the <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code>
-  keyword is set along with <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code> keyword, and the file is
-  from the <a href=#same-origin>same origin</a> as the <code><a href=#the-iframe-element>iframe</a></code>'s <code><a href=#document>Document</a></code>, then a
-  script in the "sandboxed" iframe could just reach out, remove the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute, and then reload itself, effectively breaking
-  out of the sandbox altogether.</p>
-
 
   <hr><!-- SEAMLESS --><!-- v2: Might be interesting to have a value on seamless that allowed event propagation of some
   sort, maybe based on the WICD work: http://www.w3.org/TR/WICD/ --><p>The <dfn id=attr-iframe-seamless title=attr-iframe-seamless><code>seamless</code></dfn> attribute is a <a href=#boolean-attribute>boolean
@@ -67216,14 +67215,15 @@ <h3 id=windows><span class=secno>6.1 </span>Browsing contexts</h3>
 
   <div class=impl>
 
-  <p>When a <a href=#browsing-context>browsing context</a> is first created, it must be
-  created with a single <code><a href=#document>Document</a></code> in its session history,
-  whose <a href="#the-document's-address" title="the document's address">address</a> is
-  <code><a href=#about:blank>about:blank</a></code>, which is marked as being an <a href=#html-documents title="HTML documents">HTML document</a>, whose <a href="#document's-character-encoding" title="document's character encoding">character encoding</a> is
-  UTF-8, and which is both <a href=#ready-for-post-load-tasks>ready for post-load tasks</a> and
-  <a href=#completely-loaded>completely loaded</a> immediately. The
-  <code><a href=#document>Document</a></code> must have a single child <code><a href=#the-html-element>html</a></code>
-  node, which itself has a single child <code><a href=#the-body-element>body</a></code> node.</p>
+  <p>When a <a href=#browsing-context>browsing context</a> is first created, it must be created with a single
+  <code><a href=#document>Document</a></code> in its session history, whose <a href="#the-document's-address" title="the document's
+  address">address</a> is <code><a href=#about:blank>about:blank</a></code>, which is marked as being an <a href=#html-documents title="HTML
+  documents">HTML document</a>, whose <a href="#document's-character-encoding" title="document's character encoding">character
+  encoding</a> is UTF-8, and which is both <a href=#ready-for-post-load-tasks>ready for post-load tasks</a> and
+  <a href=#completely-loaded>completely loaded</a> immediately. The <code><a href=#document>Document</a></code> must have a single child
+  <code><a href=#the-html-element>html</a></code> node, which itself has a single child <code><a href=#the-body-element>body</a></code> node. As soon as this
+  <code><a href=#document>Document</a></code> is created, the user agent must <a href=#implement-the-sandboxing>implement the sandboxing</a> for
+  it.</p>
 
   <p class=note>If the <a href=#browsing-context>browsing context</a> is created
   specifically to be immediately navigated, then that initial
@@ -69571,9 +69571,37 @@ <h3 id=sandboxing><span class=secno>6.4 </span>Sandboxing</h3>
   <code><a href=#document>Document</a></code> is created, its <a href=#active-sandboxing-flag-set>active sandboxing flag
   set</a> must be empty. It is populated by the <a href=#navigate title=navigate>navigation algorithm</a>.</p>
 
+  <p>Every resource that is obtained by the <a href=#navigate title=navigate>navigation algorithm</a> has a <dfn id=forced-sandboxing-flag-set>forced
+  sandboxing flag set</dfn>, which is a <a href=#sandboxing-flag-set>sandboxing flag
+  set</a>. A resource by default has no flags set in its
+  <a href=#forced-sandboxing-flag-set>forced sandboxing flag set</a>, but other
+  specifications can define that certain flags are set.</p>
+
+  <p class=note>In particular, the <a href=#forced-sandboxing-flag-set>forced sandboxing flag
+  set</a> is used by the Content Security Policy specification.
+  <a href=#refsCSP>[CSP]</a></p>
+
+  <hr><p>When a user agent is to <dfn id=implement-the-sandboxing>implement the sandboxing</dfn> for a <code><a href=#document>Document</a></code>, it
+  must populate <code><a href=#document>Document</a></code>'s <a href=#active-sandboxing-flag-set>active sandboxing flag set</a> with the union of
+  the flags that are present in the following <a href=#sandboxing-flag-set title="sandboxing flag set">sandboxing flag
+  sets</a> at the time the <code><a href=#document>Document</a></code> object is created:</p>
 
+  <ul><li><p>If the <code><a href=#document>Document</a></code>'s <a href=#browsing-context>browsing context</a> is a <a href=#top-level-browsing-context>top-level browsing
+   context</a>, then: the flags set on the <a href=#browsing-context>browsing context</a>'s <a href=#popup-sandboxing-flag-set>popup sandboxing
+   flag set</a>.</li>
 
-  <h3 id=history><span class=secno>6.5 </span>Session history and navigation</h3>
+   <li><p>If the <code><a href=#document>Document</a></code>'s <a href=#browsing-context>browsing context</a> is a <a href=#nested-browsing-context>nested browsing
+   context</a>, then: the flags set on the <a href=#browsing-context>browsing context</a>'s
+   <a href=#iframe-sandboxing-flag-set><code>iframe</code> sandboxing flag set</a>.</li>
+
+   <li><p>If the <code><a href=#document>Document</a></code>'s <a href=#browsing-context>browsing context</a> is a <a href=#nested-browsing-context>nested browsing
+   context</a>, then: the flags set on the <a href=#browsing-context>browsing context</a>'s <a href=#parent-browsing-context>parent browsing
+   context</a>'s <a href=#active-document>active document</a>'s <a href=#active-sandboxing-flag-set>active sandboxing flag set</a>.</li>
+
+   <li><p>The flags set on the <code><a href=#document>Document</a></code>'s resource's <a href=#forced-sandboxing-flag-set>forced sandboxing flag
+   set</a>, if it has one.</li>
+
+  </ul><h3 id=history><span class=secno>6.5 </span>Session history and navigation</h3>
 
   <h4 id=the-session-history-of-browsing-contexts><span class=secno>6.5.1 </span>The session history of browsing contexts</h4>
 
@@ -70902,44 +70930,7 @@ <h4 id=navigating-across-documents><span class=secno>6.6.1 </span>Navigating acr
      <code><a href=#window>Window</a></code> object to point to the new
      <code><a href=#document>Document</a></code>.</p>
 
-     <li>
-
-      <p>Populate <code><a href=#document>Document</a></code>'s <a href=#active-sandboxing-flag-set>active sandboxing flag
-      set</a> with the union of the flags that are present in the
-      following <a href=#sandboxing-flag-set title="sandboxing flag set">sandboxing flag
-      sets</a> at the time the <code><a href=#document>Document</a></code> object is
-      created:</p>
-
-      <ul><li><p>If the <code><a href=#document>Document</a></code>'s <a href=#browsing-context>browsing
-       context</a> is a <a href=#top-level-browsing-context>top-level browsing context</a>,
-       then: the flags set on the <a href=#browsing-context>browsing context</a>'s
-       <a href=#popup-sandboxing-flag-set>popup sandboxing flag set</a>.</li>
-
-       <li><p>If the <code><a href=#document>Document</a></code>'s <a href=#browsing-context>browsing
-       context</a> is a <a href=#nested-browsing-context>nested browsing context</a>, then:
-       the flags set on the <a href=#browsing-context>browsing context</a>'s
-       <a href=#iframe-sandboxing-flag-set><code>iframe</code> sandboxing flag set</a>.</li>
-
-       <li><p>If the <code><a href=#document>Document</a></code>'s <a href=#browsing-context>browsing
-       context</a> is a <a href=#nested-browsing-context>nested browsing context</a>, then:
-       the flags set on the <a href=#browsing-context>browsing context</a>'s <a href=#parent-browsing-context>parent
-       browsing context</a>'s <a href=#active-document>active document</a>'s
-       <a href=#active-sandboxing-flag-set>active sandboxing flag set</a>.</li>
-
-       <li><p>The flags set on the resource's <a href=#forced-sandboxing-flag-set>forced sandboxing
-       flag set</a>.</li>
-
-      </ul><p>Each resource obtained by this <a href=#navigate title=navigate>navigation algorithm</a> has a <dfn id=forced-sandboxing-flag-set>forced
-      sandboxing flag set</dfn>, which is a <a href=#sandboxing-flag-set>sandboxing flag
-      set</a>. A resource by default has no flags set in its
-      <a href=#forced-sandboxing-flag-set>forced sandboxing flag set</a>, but other
-      specifications can define that certain flags are set.</p>
-
-      <p class=note>In particular, the <a href=#forced-sandboxing-flag-set>forced sandboxing flag
-      set</a> is used by the Content Security Policy specification.
-      <a href=#refsCSP>[CSP]</a></p>
-
-     </li>
+     <li><p><a href=#implement-the-sandboxing>Implement the sandboxing</a> for the <code><a href=#document>Document</a></code>.</li>
 
     </ol></li>