[giow] (0) Add sandbox=allow-pointer-lock, and some nearby cleanup.

Fixing https://www.w3.org/Bugs/Public/show_bug.cgi?id=18647
Affected topics: HTML

git-svn-id: http://svn.whatwg.org/webapps@7485 340c8d12-0b0e-0410-8428-c7bf67bfef74
1 parent b2a9286 commit b9efe617dd5eb94f200e2514c7a8fa1a3cdd652e @Hixie Hixie committed Oct 25, 2012
Showing with 304 additions and 417 deletions.
  1. +94 −127 complete.html
  2. +94 −127 index
  3. +116 −163 source
221 complete.html
@@ -248,7 +248,7 @@
<header class=head id=head><p><a class=logo href=http://www.whatwg.org/><img alt=WHATWG height=101 src=/images/logo width=101></a></p>
<hgroup><h1 class=allcaps>HTML</h1>
- <h2 class="no-num no-toc">Living Standard &mdash; Last Updated 23 October 2012</h2>
+ <h2 class="no-num no-toc">Living Standard &mdash; Last Updated 25 October 2012</h2>
</hgroup><dl><dt><strong>Web developer edition:</strong></dt>
<dd><strong><a href=http://developers.whatwg.org/>http://developers.whatwg.org/</a></strong></dd>
<dt>Multiple-page version:</dt>
@@ -26782,14 +26782,17 @@ <h4 id=the-iframe-element><span class=secno>4.8.2 </span>The <dfn><code>iframe</
<hr><!-- SANDBOX --><p>The <dfn id=attr-iframe-sandbox title=attr-iframe-sandbox><code>sandbox</code></dfn> attribute, when specified,
enables a set of extra restrictions on any content hosted by the <code><a href=#the-iframe-element>iframe</a></code>. Its value
must be an <a href=#unordered-set-of-unique-space-separated-tokens>unordered set of unique space-separated tokens</a> that are <a href=#ascii-case-insensitive>ASCII
- case-insensitive</a>. The allowed values are <code title=attr-iframe-sandbox-allow-forms><a href=#attr-iframe-sandbox-allow-forms>allow-forms</a></code>, <code title=attr-iframe-sandbox-allow-popups><a href=#attr-iframe-sandbox-allow-popups>allow-popups</a></code>, <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code>, <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code>, and <code title=attr-iframe-sandbox-allow-top-navigation><a href=#attr-iframe-sandbox-allow-top-navigation>allow-top-navigation</a></code>.</p>
+ case-insensitive</a>. The allowed values are <code title=attr-iframe-sandbox-allow-forms><a href=#attr-iframe-sandbox-allow-forms>allow-forms</a></code>, <code title=attr-iframe-sandbox-allow-pointer-lock>allow-pointer-lock</code>, <code title=attr-iframe-sandbox-allow-popups><a href=#attr-iframe-sandbox-allow-popups>allow-popups</a></code>, <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code>, <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code>, and <code title=attr-iframe-sandbox-allow-top-navigation><a href=#attr-iframe-sandbox-allow-top-navigation>allow-top-navigation</a></code>.</p>
<p>When the attribute is set, the content is treated as being from a unique <a href=#origin>origin</a>,
- forms and scripts are disabled, links are prevented from targeting other <a href=#browsing-context title="browsing
- context">browsing contexts</a>, and plugins are secured. The <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code> keyword allows the content
- to be treated as being from the same origin instead of forcing it into a unique origin, the <code title=attr-iframe-sandbox-allow-top-navigation><a href=#attr-iframe-sandbox-allow-top-navigation>allow-top-navigation</a></code> keyword allows the
- content to <a href=#navigate>navigate</a> its <a href=#top-level-browsing-context>top-level browsing context</a>, and the <code title=attr-iframe-sandbox-allow-forms><a href=#attr-iframe-sandbox-allow-forms>allow-forms</a></code>, <code title=attr-iframe-sandbox-allow-popups><a href=#attr-iframe-sandbox-allow-popups>allow-popups</a></code> and <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code> keywords re-enable forms, popups,
- and scripts respectively.</p>
+ forms, scripts, and various potentially annoying APIs are disabled, links are prevented from
+ targeting other <a href=#browsing-context title="browsing context">browsing contexts</a>, and plugins are secured.
+ The <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code> keyword allows
+ the content to be treated as being from the same origin instead of forcing it into a unique
+ origin; the <code title=attr-iframe-sandbox-allow-top-navigation><a href=#attr-iframe-sandbox-allow-top-navigation>allow-top-navigation</a></code>
+ keyword allows the content to <a href=#navigate>navigate</a> its <a href=#top-level-browsing-context>top-level browsing context</a>;
+ and the <code title=attr-iframe-sandbox-allow-forms><a href=#attr-iframe-sandbox-allow-forms>allow-forms</a></code>, <code title=attr-iframe-sandbox-allow-pointer-lock>allow-pointer-lock</code>, <code title=attr-iframe-sandbox-allow-popups><a href=#attr-iframe-sandbox-allow-popups>allow-popups</a></code> and <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code> keywords re-enable forms, the
+ pointer lock API, popups, and scripts respectively. <a href=#refsPOINTERLOCK>[POINTERLOCK]</a></p>
<p class=warning>Setting both the <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code> and <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code> keywords together when the
embedded page has the <a href=#same-origin>same origin</a> as the page containing the <code><a href=#the-iframe-element>iframe</a></code>
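Review bot: the new `allow-pointer-lock` keyword is the only one in the allowed-values list, and again in the re-enable sentence, that is emitted as a bare `<code title=attr-iframe-sandbox-allow-pointer-lock>` with no `<a href=#attr-iframe-sandbox-allow-pointer-lock>` wrapper, while every other keyword links to its definition. That is what the cross-reference pass produces when no `<dfn>` carries a matching `title`; check the `title` on the keyword's `<dfn>` in the parse-a-sandboxing-directive list and make the two agree so the link is generated. Minor: "various potentially annoying APIs" is vaguer than the rest of the sentence, which names each restriction; naming the pointer lock API here, as the re-enable sentence already does, would keep the two in step.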
@@ -69332,35 +69335,27 @@ <h4 id=relaxing-the-same-origin-restriction><span class=secno>6.3.1 </span>Relax
<h3 id=sandboxing><span class=secno>6.4 </span>Sandboxing</h3>
- <p>A <dfn id=sandboxing-flag-set>sandboxing flag set</dfn> is a set of zero or more of the
- following flags, which are used to restrict the abilities that
- potentially untrusted resources have:</p>
+ <p>A <dfn id=sandboxing-flag-set>sandboxing flag set</dfn> is a set of zero or more of the following flags, which are
+ used to restrict the abilities that potentially untrusted resources have:</p>
<dl><dt>The <dfn id=sandboxed-navigation-browsing-context-flag>sandboxed navigation browsing context flag</dfn></dt>
<dd>
- <p>This flag <a href=#sandboxLinks>prevents content from
- navigating browsing contexts other than the sandboxed browsing
- context itself</a> (or browsing contexts further nested inside
- it), <a href=#auxiliary-browsing-context title="auxiliary browsing context">auxiliary browsing
- contexts</a> (which are protected by the <a href=#sandboxed-auxiliary-navigation-browsing-context-flag>sandboxed
- auxiliary navigation browsing context flag</a> defined next),
- and the <a href=#top-level-browsing-context>top-level browsing context</a> (which is
- protected by the <a href=#sandboxed-top-level-navigation-browsing-context-flag>sandboxed top-level navigation browsing
- context flag</a> defined below).</p>
+ <p>This flag <a href=#sandboxLinks>prevents content from navigating browsing contexts other
+ than the sandboxed browsing context itself</a> (or browsing contexts further nested inside it),
+ <a href=#auxiliary-browsing-context title="auxiliary browsing context">auxiliary browsing contexts</a> (which are protected
+ by the <a href=#sandboxed-auxiliary-navigation-browsing-context-flag>sandboxed auxiliary navigation browsing context flag</a> defined next), and the
+ <a href=#top-level-browsing-context>top-level browsing context</a> (which is protected by the <a href=#sandboxed-top-level-navigation-browsing-context-flag>sandboxed top-level
+ navigation browsing context flag</a> defined below).</p>
- <p>If the <a href=#sandboxed-auxiliary-navigation-browsing-context-flag>sandboxed auxiliary navigation browsing context
- flag</a> is not set, then in certain cases the restrictions
- nonetheless allow popups (new <a href=#top-level-browsing-context title="top-level browsing
- context">top-level browsing contexts</a>) to be opened. These
- <a href=#browsing-context title="browsing context">browsing contexts</a> always
- have <dfn id=one-permitted-sandboxed-navigator>one permitted sandboxed navigator</dfn>, set when the
- browsing context is created, which allows the <a href=#browsing-context>browsing
- context</a> that created them to actually navigate them.
- (Otherwise, the <a href=#sandboxed-navigation-browsing-context-flag>sandboxed navigation browsing context
- flag</a> would prevent them from being navigated even if they
- were opened.)</p>
+ <p>If the <a href=#sandboxed-auxiliary-navigation-browsing-context-flag>sandboxed auxiliary navigation browsing context flag</a> is not set, then in
+ certain cases the restrictions nonetheless allow popups (new <a href=#top-level-browsing-context title="top-level browsing
+ context">top-level browsing contexts</a>) to be opened. These <a href=#browsing-context title="browsing
+ context">browsing contexts</a> always have <dfn id=one-permitted-sandboxed-navigator>one permitted sandboxed navigator</dfn>, set
+ when the browsing context is created, which allows the <a href=#browsing-context>browsing context</a> that
+ created them to actually navigate them. (Otherwise, the <a href=#sandboxed-navigation-browsing-context-flag>sandboxed navigation browsing
+ context flag</a> would prevent them from being navigated even if they were opened.)</p>
</dd>
@@ -69369,8 +69364,9 @@ <h3 id=sandboxing><span class=secno>6.4 </span>Sandboxing</h3>
<dd>
- <p>This flag <a href=#sandboxWindowOpen>prevents content from
- creating new auxiliary browsing contexts</a>, e.g. using the <code title=attr-hyperlink-target><a href=#attr-hyperlink-target>target</a></code> attribute, the <code title=dom-open><a href=#dom-open>window.open()</a></code> method, or the <code title=dom-showModalDialog><a href=#dom-showmodaldialog>showModalDialog()</a></code> method.</p>
+ <p>This flag <a href=#sandboxWindowOpen>prevents content from creating new auxiliary browsing
+ contexts</a>, e.g. using the <code title=attr-hyperlink-target><a href=#attr-hyperlink-target>target</a></code> attribute, the
+ <code title=dom-open><a href=#dom-open>window.open()</a></code> method, or the <code title=dom-showModalDialog><a href=#dom-showmodaldialog>showModalDialog()</a></code> method.</p>
</dd>
@@ -69379,16 +69375,13 @@ <h3 id=sandboxing><span class=secno>6.4 </span>Sandboxing</h3>
<dd>
- <p>This flag <a href=#sandboxLinks>prevents content from
- navigating their <span>top-level browsing context</span></a>.</p>
+ <p>This flag <a href=#sandboxLinks>prevents content from navigating their <span>top-level
+ browsing context</span></a>.</p>
- <p>When the <code title=attr-iframe-sandbox-allow-top-navigation><a href=#attr-iframe-sandbox-allow-top-navigation>allow-top-navigation</a></code>
- is set, content can navigate its <a href=#top-level-browsing-context>top-level browsing
- context</a>, but other <a href=#browsing-context title="browsing context">browsing
- contexts</a> are still protected by the <a href=#sandboxed-navigation-browsing-context-flag>sandboxed
- navigation browsing context flag</a> and possibly the
- <a href=#sandboxed-auxiliary-navigation-browsing-context-flag>sandboxed auxiliary navigation browsing context
- flag</a>.</p>
+ <p>When the <a href=#sandboxed-top-level-navigation-browsing-context-flag>sandboxed top-level navigation browsing context flag</a> is <em>not</em>
+ set, content can navigate its <a href=#top-level-browsing-context>top-level browsing context</a>, but other <a href=#browsing-context title="browsing context">browsing contexts</a> are still protected by the <a href=#sandboxed-navigation-browsing-context-flag>sandboxed
+ navigation browsing context flag</a> and possibly the <a href=#sandboxed-auxiliary-navigation-browsing-context-flag>sandboxed auxiliary navigation
+ browsing context flag</a>.</p>
</dd>
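Review bot: "prevents content from navigating their <span>top-level browsing context</span>" has a number mismatch; "content" is singular, and the very next sentence in the same `<dd>` says "content can navigate its top-level browsing context", so "its" is the consistent choice. The rewrite from "when allow-top-navigation is set" to "when the sandboxed top-level navigation browsing context flag is not set" is the right direction, since the flag can be set by means other than the iframe keyword, and the other entries in this `<dl>` already describe behaviour in terms of flags.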
@@ -69397,10 +69390,9 @@ <h3 id=sandboxing><span class=secno>6.4 </span>Sandboxing</h3>
<dd>
- <p>This flag prevents content from instantiating <a href=#plugin title=plugin>plugins</a>, whether using <a href=#sandboxPluginEmbed>the <code>embed</code> element</a>, <a href=#sandboxPluginObject>the <code>object</code> element</a>,
- <a href=#sandboxPluginApplet>the <code>applet</code>
- element</a>, or through <a href=#sandboxPluginNavigate>navigation</a> of a <a href=#nested-browsing-context>nested
- browsing context</a>, unless those <a href=#plugin title=plugin>plugins</a> can be <a href=#concept-plugin-secure title=concept-plugin-secure>secured</a>.</p>
+ <p>This flag prevents content from instantiating <a href=#plugin title=plugin>plugins</a>, whether
+ using <a href=#sandboxPluginEmbed>the <code>embed</code> element</a>, <a href=#sandboxPluginObject>the <code>object</code> element</a>, <a href=#sandboxPluginApplet>the <code>applet</code> element</a>, or through <a href=#sandboxPluginNavigate>navigation</a> of a <a href=#nested-browsing-context>nested browsing context</a>, unless
+ those <a href=#plugin title=plugin>plugins</a> can be <a href=#concept-plugin-secure title=concept-plugin-secure>secured</a>.</p>
</dd>
@@ -69409,13 +69401,12 @@ <h3 id=sandboxing><span class=secno>6.4 </span>Sandboxing</h3>
<dd>
- <p>This flag prevents content from using the <code title=attr-iframe-seamless><a href=#attr-iframe-seamless>seamless</a></code> attribute on
- descendant <code><a href=#the-iframe-element>iframe</a></code> elements.</p>
+ <p>This flag prevents content from using the <code title=attr-iframe-seamless><a href=#attr-iframe-seamless>seamless</a></code>
+ attribute on descendant <code><a href=#the-iframe-element>iframe</a></code> elements.</p>
- <p class=note>This prevents a page inserted using the <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code>
- keyword from using a CSS-selector-based method of probing the DOM
- of other pages on the same site (in particular, pages that contain
- user-sensitive information).</p>
+ <p class=note>This prevents a page inserted using the <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code> keyword from using a
+ CSS-selector-based method of probing the DOM of other pages on the same site (in particular,
+ pages that contain user-sensitive information).</p>
<!-- http://lists.w3.org/Archives/Public/public-web-security/2009Dec/thread.html#msg51 -->
@@ -69426,13 +69417,12 @@ <h3 id=sandboxing><span class=secno>6.4 </span>Sandboxing</h3>
<dd>
- <p>This flag <a href=#sandboxOrigin>forces content into a unique
- origin</a>, thus preventing it from accessing other content from
- the same <a href=#origin>origin</a>.</p>
+ <p>This flag <a href=#sandboxOrigin>forces content into a unique origin</a>, thus preventing
+ it from accessing other content from the same <a href=#origin>origin</a>.</p>
- <p>This flag also <a href=#sandboxCookies>prevents script from
- reading from or writing to the <code title=dom-document-cookie>document.cookie</code> IDL
- attribute</a>, and blocks access to <code title=dom-localStorage><a href=#dom-localstorage>localStorage</a></code>.
+ <p>This flag also <a href=#sandboxCookies>prevents script from reading from or writing to the
+ <code title=dom-document-cookie>document.cookie</code> IDL attribute</a>, and blocks access to
+ <code title=dom-localStorage><a href=#dom-localstorage>localStorage</a></code>.
</p>
</dd>
@@ -69442,8 +69432,16 @@ <h3 id=sandboxing><span class=secno>6.4 </span>Sandboxing</h3>
<dd>
- <p>This flag <a href=#sandboxSubmitBlocked>blocks form
- submission</a>.</p>
+ <p>This flag <a href=#sandboxSubmitBlocked>blocks form submission</a>.</p>
+
+ </dd>
+
+
+ <dt>The <dfn id=sandboxed-pointer-lock-browsing-context-flag>sandboxed pointer lock browsing context flag</dfn></dt>
+
+ <dd>
+
+ <p>This flag disables the Pointer Lock API. <a href=#refsPOINTERLOCK>[POINTERLOCK]</a></p>
</dd>
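Review bot: the new flag's definition, "This flag disables the Pointer Lock API.", is the only entry in this `<dl>` that does not point at where the restriction is actually enforced; the neighbouring entries link to the enforcing step (`#sandboxSubmitBlocked`, `#sandboxScriptBlocked`, `#sandboxOrigin`). Because this flag is enforced by the referenced Pointer Lock specification rather than by a step in this document, say so in the sentence (that the effect of the flag is defined by [POINTERLOCK]) so a reader knows the absence of a local anchor is deliberate and not a missing cross-reference.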
@@ -69452,8 +69450,7 @@ <h3 id=sandboxing><span class=secno>6.4 </span>Sandboxing</h3>
<dd>
- <p>This flag <a href=#sandboxScriptBlocked>blocks script
- execution</a>.</p>
+ <p>This flag <a href=#sandboxScriptBlocked>blocks script execution</a>.</p>
</dd>
@@ -69463,16 +69460,11 @@ <h3 id=sandboxing><span class=secno>6.4 </span>Sandboxing</h3>
<dd>
- <p>This flag blocks features that trigger automatically, such as
- <a href=#attr-media-autoplay title=attr-media-autoplay>automatically playing a
- video</a> or <a href=#attr-fe-autofocus title=attr-fe-autofocus>automatically
- focusing a form control</a>.</p>
+ <p>This flag blocks features that trigger automatically, such as <a href=#attr-media-autoplay title=attr-media-autoplay>automatically playing a video</a> or <a href=#attr-fe-autofocus title=attr-fe-autofocus>automatically focusing a form control</a>.</p>
</dd>
- </dl><p>When the user agent is to <dfn id=parse-a-sandboxing-directive>parse a sandboxing
- directive</dfn>, given a string <var title="">input</var> and a
- <a href=#sandboxing-flag-set>sandboxing flag set</a> <var title="">output</var>, it must
+ </dl><p>When the user agent is to <dfn id=parse-a-sandboxing-directive>parse a sandboxing directive</dfn>, given a string <var title="">input</var> and a <a href=#sandboxing-flag-set>sandboxing flag set</a> <var title="">output</var>, it must
run the following steps:</p>
<ol><li><p><a href=#split-a-string-on-spaces title="split a string on spaces">Split <var title="">input</var> on spaces</a>, to obtain <var title="">tokens</var>.</li>
@@ -69483,65 +69475,53 @@ <h3 id=sandboxing><span class=secno>6.4 </span>Sandboxing</h3>
<p>Add the following flags to <var title="">output</var>:</p>
- <ul><li><p>The <a href=#sandboxed-navigation-browsing-context-flag>sandboxed navigation browsing context flag</a></li>
+ <ul><li><p>The <a href=#sandboxed-navigation-browsing-context-flag>sandboxed navigation browsing context flag</a>.</li>
- <li><p>The <a href=#sandboxed-auxiliary-navigation-browsing-context-flag>sandboxed auxiliary navigation browsing context
- flag</a>, unless <var title="">tokens</var> contains the <dfn id=attr-iframe-sandbox-allow-popups title=attr-iframe-sandbox-allow-popups><code>allow-popups</code></dfn>
- keyword</li>
+ <li><p>The <a href=#sandboxed-auxiliary-navigation-browsing-context-flag>sandboxed auxiliary navigation browsing context flag</a>, unless <var title="">tokens</var> contains the <dfn id=attr-iframe-sandbox-allow-popups title=attr-iframe-sandbox-allow-popups><code>allow-popups</code></dfn> keyword.</li>
- <li><p>The <a href=#sandboxed-top-level-navigation-browsing-context-flag>sandboxed top-level navigation browsing context
- flag</a>, unless <var title="">tokens</var> contains the <dfn id=attr-iframe-sandbox-allow-top-navigation title=attr-iframe-sandbox-allow-top-navigation><code>allow-top-navigation</code></dfn>
- keyword</li>
+ <li><p>The <a href=#sandboxed-top-level-navigation-browsing-context-flag>sandboxed top-level navigation browsing context flag</a>, unless <var title="">tokens</var> contains the <dfn id=attr-iframe-sandbox-allow-top-navigation title=attr-iframe-sandbox-allow-top-navigation><code>allow-top-navigation</code></dfn>
+ keyword.</li>
- <li><p>The <a href=#sandboxed-plugins-browsing-context-flag>sandboxed plugins browsing context flag</a></li>
+ <li><p>The <a href=#sandboxed-plugins-browsing-context-flag>sandboxed plugins browsing context flag</a>.</li>
- <li><p>The <a href=#sandboxed-seamless-iframes-flag>sandboxed seamless iframes flag</a></li>
+ <li><p>The <a href=#sandboxed-seamless-iframes-flag>sandboxed seamless iframes flag</a>.</li>
<li>
- <p>The <a href=#sandboxed-origin-browsing-context-flag>sandboxed origin browsing context flag</a>,
- unless the <var title="">tokens</var> contains the <dfn id=attr-iframe-sandbox-allow-same-origin title=attr-iframe-sandbox-allow-same-origin><code>allow-same-origin</code></dfn>
- keyword</p>
+ <p>The <a href=#sandboxed-origin-browsing-context-flag>sandboxed origin browsing context flag</a>, unless the <var title="">tokens</var> contains the <dfn id=attr-iframe-sandbox-allow-same-origin title=attr-iframe-sandbox-allow-same-origin><code>allow-same-origin</code></dfn>
+ keyword.</p>
<div class=note>
- <p>The <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code>
- keyword is intended for two cases.</p>
+ <p>The <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code> keyword
+ is intended for two cases.</p>
- <p>First, it can be used to allow content from the same site to
- be sandboxed to disable scripting, while still allowing access to
- the DOM of the sandboxed content.</p>
+ <p>First, it can be used to allow content from the same site to be sandboxed to disable
+ scripting, while still allowing access to the DOM of the sandboxed content.</p>
- <p>Second, it can be used to embed content from a third-party
- site, sandboxed to prevent that site from opening popup windows,
- etc, without preventing the embedded page from communicating back
- to its originating site, using the database APIs to store data,
- etc.</p>
+ <p>Second, it can be used to embed content from a third-party site, sandboxed to prevent that
+ site from opening popup windows, etc, without preventing the embedded page from communicating
+ back to its originating site, using the database APIs to store data, etc.</p>
</div>
</li>
- <li><p>The <a href=#sandboxed-forms-browsing-context-flag>sandboxed forms browsing context flag</a>,
- unless <var title="">tokens</var> contains the <dfn id=attr-iframe-sandbox-allow-forms title=attr-iframe-sandbox-allow-forms><code>allow-forms</code></dfn>
- keyword</li>
+ <li><p>The <a href=#sandboxed-forms-browsing-context-flag>sandboxed forms browsing context flag</a>, unless <var title="">tokens</var> contains the <dfn id=attr-iframe-sandbox-allow-forms title=attr-iframe-sandbox-allow-forms><code>allow-forms</code></dfn> keyword.</li>
- <li><p>The <a href=#sandboxed-scripts-browsing-context-flag>sandboxed scripts browsing context flag</a>,
- unless <var title="">tokens</var> contains the <dfn id=attr-iframe-sandbox-allow-scripts title=attr-iframe-sandbox-allow-scripts><code>allow-scripts</code></dfn>
- keyword</li>
+ <li><p>The <a href=#sandboxed-pointer-lock-browsing-context-flag>sandboxed pointer lock browsing context flag</a>, unless <var title="">tokens</var> contains the <dfn id=attr-iframe-sandbox-pointer-lock title=attr-iframe-sandbox-pointer-lock><code>allow-pointer-lock</code></dfn>
+ keyword.</li>
+
+ <li><p>The <a href=#sandboxed-scripts-browsing-context-flag>sandboxed scripts browsing context flag</a>, unless <var title="">tokens</var> contains the <dfn id=attr-iframe-sandbox-allow-scripts title=attr-iframe-sandbox-allow-scripts><code>allow-scripts</code></dfn> keyword.</li>
<li>
- <p>The <a href=#sandboxed-automatic-features-browsing-context-flag>sandboxed automatic features browsing context
- flag</a>, unless <var title="">tokens</var> contains the
- <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code>
- keyword (defined above)</p>
+ <p>The <a href=#sandboxed-automatic-features-browsing-context-flag>sandboxed automatic features browsing context flag</a>, unless <var title="">tokens</var> contains the <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code> keyword (defined above).</p>
- <p class=note>This flag is relaxed by the same keyword as
- scripts, because when scripts are enabled these features are
- trivially possible anyway, and it would be unfortunate to force
- authors to use script to do them when sandboxed rather than
- allowing them to use the declarative features.</p>
+ <p class=note>This flag is relaxed by the same keyword as scripts, because when scripts are
+ enabled these features are trivially possible anyway, and it would be unfortunate to force
+ authors to use script to do them when sandboxed rather than allowing them to use the
+ declarative features.</p>
</li>
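Review bot: the new definition `<dfn id=attr-iframe-sandbox-pointer-lock title=attr-iframe-sandbox-pointer-lock>` drops the `allow-` that every sibling dfn in this list carries (`attr-iframe-sandbox-allow-popups`, `attr-iframe-sandbox-allow-forms`, `attr-iframe-sandbox-allow-scripts`, `attr-iframe-sandbox-allow-top-navigation`), and the `<code>` references to the keyword elsewhere in this patch use `title=attr-iframe-sandbox-allow-pointer-lock`. Rename the dfn's `id` and `title` to `attr-iframe-sandbox-allow-pointer-lock` so those references resolve to a link and the anchor naming stays uniform.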
@@ -104273,6 +104253,7 @@ <h3 class=no-num id=element-content-categories>Element content categories</h3>
<td> Security rules for nested content
<td> <a href=#unordered-set-of-unique-space-separated-tokens>Unordered set of unique space-separated tokens</a>, <a href=#ascii-case-insensitive>ASCII case-insensitive</a>, consisting of
"<code title=attr-iframe-sandbox-allow-forms><a href=#attr-iframe-sandbox-allow-forms>allow-forms</a></code>",
+ "<code title=attr-iframe-sandbox-allow-pointer-lock>allow-pointer-lock</code>",
"<code title=attr-iframe-sandbox-allow-popups><a href=#attr-iframe-sandbox-allow-popups>allow-popups</a></code>",
"<code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code>",
"<code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code> and
@@ -105557,13 +105538,7 @@ <h2 class=no-num id=references>References</h2><!--REFS-->
C. Clavius. Gregory XIII Papal Bull, February 1582.</dd>
<dt id=refsHTMLDIFF>[HTMLDIFF]</dt>
- <!--
- <dd>(Non-normative) <cite><a
- href="http://www.w3.org/TR/html5-diff/">HTML5 differences from
- HTML4</a></cite>, A. van Kesteren. W3C.</dd>
- -->
- <dd>(Non-normative) <cite><a href=http://dev.w3.org/html5/html4-differences/>HTML5
- differences from HTML4</a></cite>, A. van Kesteren. W3C.</dd>
+ <dd>(Non-normative) <cite><a href=http://dev.w3.org/html5/html4-differences/>HTML5 differences from HTML4</a></cite>, S. Pieters. W3C.</dd>
<dt id=refsHTTP>[HTTP]</dt>
<dd><cite><a href=http://tools.ietf.org/html/rfc2616>Hypertext
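Review bot: the credited editor of [HTMLDIFF] changes from A. van Kesteren to S. Pieters in this hunk, which is a substantive correction to a reference rather than the "some nearby cleanup" the commit message describes; mention it in the message, or split it into its own commit, so the attribution change is traceable on its own. Dropping the commented-out `www.w3.org/TR/html5-diff/` `<dd>` is fine as cleanup since the live entry already points at the dev.w3.org draft.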
@@ -105637,18 +105612,10 @@ <h2 class=no-num id=references>References</h2><!--REFS-->
<!-- search for ["Box Structure was and subsequent clauses were re-organized"] to find it -->
<dt id=refsMQ>[MQ]</dt>
- <!--
- <dd><cite><a href="http://www.w3.org/TR/css3-mediaqueries/">Media
- Queries</a></cite>, H. Lie, T. &Ccedil;elik, D. Glazman, A. van
- Kesteren. W3C.</dd>
- -->
- <dd><cite><a href=http://dev.w3.org/csswg/css3-mediaqueries/>Media
- Queries</a></cite>, H. Lie, T. &Ccedil;elik, D. Glazman, A. van
- Kesteren. W3C.</dd>
+ <dd><cite><a href=http://dev.w3.org/csswg/css3-mediaqueries/>Media Queries</a></cite>, H. Lie, T. &Ccedil;elik, D. Glazman, A. van Kesteren. W3C.</dd>
<dt id=refsNPAPI>[NPAPI]</dt>
- <dd>(Non-normative) <cite><a href=https://developer.mozilla.org/en/Gecko_Plugin_API_Reference>Gecko
- Plugin API Reference</a></cite>. Mozilla.</dd>
+ <dd>(Non-normative) <cite><a href=https://developer.mozilla.org/en/Gecko_Plugin_API_Reference>Gecko Plugin API Reference</a></cite>. Mozilla.</dd>
<dt id=refsOGGSKELETONHEADERS>[OGGSKELETONHEADERS]</dt>
<dd><cite><a href=http://wiki.xiph.org/SkeletonHeaders>SkeletonHeaders</a></cite>. Xiph.Org.</dd>
@@ -105675,6 +105642,9 @@ <h2 class=no-num id=references>References</h2><!--REFS-->
<dd><cite><a href=http://www.w3.org/TR/PNG/>Portable Network
Graphics (PNG) Specification</a></cite>, D. Duce. W3C.</dd>
+ <dt id=refsPOINTERLOCK>[POINTERLOCK]</dt>
+ <dd><cite><a href=http://dvcs.w3.org/hg/pointerlock/raw-file/default/index.html>Pointer Lock</a></cite>, V. Scheib. W3C.</dd>
+
<dt id=refsPOLYGLOT>[POLYGLOT]</dt>
<dd>(Non-normative) <cite><a href=http://dev.w3.org/html5/html-xhtml-author-guide/html-xhtml-authoring-guide.html>Polyglot
Markup: HTML-Compatible XHTML Documents</a></cite>, E. Graff.
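Review bot: the new [POINTERLOCK] entry cites `http://dvcs.w3.org/hg/pointerlock/raw-file/default/index.html`, a raw-file URL that always resolves to the tip of the repository and so cannot be pinned to a given revision, whereas the surrounding entries cite `dev.w3.org` editor's drafts or `www.w3.org/TR/` documents. Since the sandboxed pointer lock browsing context flag delegates its behaviour to this document, cite a `www.w3.org/TR/` or `dev.w3.org` location if one is published, or at least record that the reference tracks a moving draft. The entry is correctly left without "(Non-normative)", given that the flag's effect depends on it.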
@@ -105690,17 +105660,14 @@ <h2 class=no-num id=references>References</h2><!--REFS-->
<dd>(Non-normative) <cite><a href=http://www.sw.it.aoyama.ac.jp/2012/pub/IUC11-UTF-8.pdf>The Properties and Promises <!-- Promizes (sic) --> of UTF-8</a></cite>, M. D&uuml;rst. University of Z&uuml;rich. In <cite>Proceedings of the 11th International Unicode Conference</cite>.</dd>
<dt id=refsPROGRESS>[PROGRESS]</dt>
- <dd><cite><a href=http://dev.w3.org/2006/webapi/progress/>Progress
- Events</a></cite>, A. van Kesteren. W3C.</dd>
+ <dd><cite><a href=http://dev.w3.org/2006/webapi/progress/>Progress Events</a></cite>, A. van Kesteren. W3C.</dd>
<dt id=refsPSL>[PSL]</dt>
<dd><cite><a href=http://publicsuffix.org/>Public Suffix List</a></cite>.
Mozilla Foundation.</dd>
<dt id=refsRFC1034>[RFC1034]</dt>
- <dd><cite><a href=http://tools.ietf.org/html/rfc1034>Domain
- Names - Concepts and Facilities</a></cite>, P. Mockapetris. IETF,
- November 1987.</dd>
+ <dd><cite><a href=http://tools.ietf.org/html/rfc1034>Domain Names - Concepts and Facilities</a></cite>, P. Mockapetris. IETF, November 1987.</dd>
<dt id=refsRFC1345>[RFC1345]</dt>
<dd><cite><a href=http://tools.ietf.org/html/rfc1345>Character Mnemonics
221 index
@@ -248,7 +248,7 @@
<header class=head id=head><p><a class=logo href=http://www.whatwg.org/><img alt=WHATWG height=101 src=/images/logo width=101></a></p>
<hgroup><h1 class=allcaps>HTML</h1>
- <h2 class="no-num no-toc">Living Standard &mdash; Last Updated 23 October 2012</h2>
+ <h2 class="no-num no-toc">Living Standard &mdash; Last Updated 25 October 2012</h2>
</hgroup><dl><dt><strong>Web developer edition:</strong></dt>
<dd><strong><a href=http://developers.whatwg.org/>http://developers.whatwg.org/</a></strong></dd>
<dt>Multiple-page version:</dt>
@@ -26782,14 +26782,17 @@ href="?audio"&gt;audio&lt;/a&gt; test instead.)&lt;/p&gt;</pre>
<hr><!-- SANDBOX --><p>The <dfn id=attr-iframe-sandbox title=attr-iframe-sandbox><code>sandbox</code></dfn> attribute, when specified,
enables a set of extra restrictions on any content hosted by the <code><a href=#the-iframe-element>iframe</a></code>. Its value
must be an <a href=#unordered-set-of-unique-space-separated-tokens>unordered set of unique space-separated tokens</a> that are <a href=#ascii-case-insensitive>ASCII
- case-insensitive</a>. The allowed values are <code title=attr-iframe-sandbox-allow-forms><a href=#attr-iframe-sandbox-allow-forms>allow-forms</a></code>, <code title=attr-iframe-sandbox-allow-popups><a href=#attr-iframe-sandbox-allow-popups>allow-popups</a></code>, <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code>, <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code>, and <code title=attr-iframe-sandbox-allow-top-navigation><a href=#attr-iframe-sandbox-allow-top-navigation>allow-top-navigation</a></code>.</p>
+ case-insensitive</a>. The allowed values are <code title=attr-iframe-sandbox-allow-forms><a href=#attr-iframe-sandbox-allow-forms>allow-forms</a></code>, <code title=attr-iframe-sandbox-allow-pointer-lock>allow-pointer-lock</code>, <code title=attr-iframe-sandbox-allow-popups><a href=#attr-iframe-sandbox-allow-popups>allow-popups</a></code>, <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code>, <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code>, and <code title=attr-iframe-sandbox-allow-top-navigation><a href=#attr-iframe-sandbox-allow-top-navigation>allow-top-navigation</a></code>.</p>
<p>When the attribute is set, the content is treated as being from a unique <a href=#origin>origin</a>,
- forms and scripts are disabled, links are prevented from targeting other <a href=#browsing-context title="browsing
- context">browsing contexts</a>, and plugins are secured. The <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code> keyword allows the content
- to be treated as being from the same origin instead of forcing it into a unique origin, the <code title=attr-iframe-sandbox-allow-top-navigation><a href=#attr-iframe-sandbox-allow-top-navigation>allow-top-navigation</a></code> keyword allows the
- content to <a href=#navigate>navigate</a> its <a href=#top-level-browsing-context>top-level browsing context</a>, and the <code title=attr-iframe-sandbox-allow-forms><a href=#attr-iframe-sandbox-allow-forms>allow-forms</a></code>, <code title=attr-iframe-sandbox-allow-popups><a href=#attr-iframe-sandbox-allow-popups>allow-popups</a></code> and <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code> keywords re-enable forms, popups,
- and scripts respectively.</p>
+ forms, scripts, and various potentially annoying APIs are disabled, links are prevented from
+ targeting other <a href=#browsing-context title="browsing context">browsing contexts</a>, and plugins are secured.
+ The <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code> keyword allows
+ the content to be treated as being from the same origin instead of forcing it into a unique
+ origin; the <code title=attr-iframe-sandbox-allow-top-navigation><a href=#attr-iframe-sandbox-allow-top-navigation>allow-top-navigation</a></code>
+ keyword allows the content to <a href=#navigate>navigate</a> its <a href=#top-level-browsing-context>top-level browsing context</a>;
+ and the <code title=attr-iframe-sandbox-allow-forms><a href=#attr-iframe-sandbox-allow-forms>allow-forms</a></code>, <code title=attr-iframe-sandbox-allow-pointer-lock>allow-pointer-lock</code>, <code title=attr-iframe-sandbox-allow-popups><a href=#attr-iframe-sandbox-allow-popups>allow-popups</a></code> and <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code> keywords re-enable forms, the
+ pointer lock API, popups, and scripts respectively. <a href=#refsPOINTERLOCK>[POINTERLOCK]</a></p>
<p class=warning>Setting both the <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code> and <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code> keywords together when the
embedded page has the <a href=#same-origin>same origin</a> as the page containing the <code><a href=#the-iframe-element>iframe</a></code>
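Review bot: On the `+` lines of this hunk, `<code title=attr-iframe-sandbox-allow-pointer-lock>allow-pointer-lock</code>` is the only keyword rendered without an `<a href=...>` wrapper; its neighbours come out as `<code title=attr-iframe-sandbox-allow-forms><a href=#attr-iframe-sandbox-allow-forms>allow-forms</a></code>`. The cross-reference did not resolve, so the new keyword is unlinked in both the attribute description and the keyword list; check that the `<dfn>` for this keyword carries the same `title` value. Separately, "various potentially annoying APIs are disabled" is vaguer than the rest of the sentence, which names each thing the attribute restricts; naming the Pointer Lock API here, as the re-enabling clause at the end of the paragraph already does, would keep the two halves of the paragraph parallel.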
@@ -69332,35 +69335,27 @@ x === this; // true</pre>
<h3 id=sandboxing><span class=secno>6.4 </span>Sandboxing</h3>
- <p>A <dfn id=sandboxing-flag-set>sandboxing flag set</dfn> is a set of zero or more of the
- following flags, which are used to restrict the abilities that
- potentially untrusted resources have:</p>
+ <p>A <dfn id=sandboxing-flag-set>sandboxing flag set</dfn> is a set of zero or more of the following flags, which are
+ used to restrict the abilities that potentially untrusted resources have:</p>
<dl><dt>The <dfn id=sandboxed-navigation-browsing-context-flag>sandboxed navigation browsing context flag</dfn></dt>
<dd>
- <p>This flag <a href=#sandboxLinks>prevents content from
- navigating browsing contexts other than the sandboxed browsing
- context itself</a> (or browsing contexts further nested inside
- it), <a href=#auxiliary-browsing-context title="auxiliary browsing context">auxiliary browsing
- contexts</a> (which are protected by the <a href=#sandboxed-auxiliary-navigation-browsing-context-flag>sandboxed
- auxiliary navigation browsing context flag</a> defined next),
- and the <a href=#top-level-browsing-context>top-level browsing context</a> (which is
- protected by the <a href=#sandboxed-top-level-navigation-browsing-context-flag>sandboxed top-level navigation browsing
- context flag</a> defined below).</p>
+ <p>This flag <a href=#sandboxLinks>prevents content from navigating browsing contexts other
+ than the sandboxed browsing context itself</a> (or browsing contexts further nested inside it),
+ <a href=#auxiliary-browsing-context title="auxiliary browsing context">auxiliary browsing contexts</a> (which are protected
+ by the <a href=#sandboxed-auxiliary-navigation-browsing-context-flag>sandboxed auxiliary navigation browsing context flag</a> defined next), and the
+ <a href=#top-level-browsing-context>top-level browsing context</a> (which is protected by the <a href=#sandboxed-top-level-navigation-browsing-context-flag>sandboxed top-level
+ navigation browsing context flag</a> defined below).</p>
- <p>If the <a href=#sandboxed-auxiliary-navigation-browsing-context-flag>sandboxed auxiliary navigation browsing context
- flag</a> is not set, then in certain cases the restrictions
- nonetheless allow popups (new <a href=#top-level-browsing-context title="top-level browsing
- context">top-level browsing contexts</a>) to be opened. These
- <a href=#browsing-context title="browsing context">browsing contexts</a> always
- have <dfn id=one-permitted-sandboxed-navigator>one permitted sandboxed navigator</dfn>, set when the
- browsing context is created, which allows the <a href=#browsing-context>browsing
- context</a> that created them to actually navigate them.
- (Otherwise, the <a href=#sandboxed-navigation-browsing-context-flag>sandboxed navigation browsing context
- flag</a> would prevent them from being navigated even if they
- were opened.)</p>
+ <p>If the <a href=#sandboxed-auxiliary-navigation-browsing-context-flag>sandboxed auxiliary navigation browsing context flag</a> is not set, then in
+ certain cases the restrictions nonetheless allow popups (new <a href=#top-level-browsing-context title="top-level browsing
+ context">top-level browsing contexts</a>) to be opened. These <a href=#browsing-context title="browsing
+ context">browsing contexts</a> always have <dfn id=one-permitted-sandboxed-navigator>one permitted sandboxed navigator</dfn>, set
+ when the browsing context is created, which allows the <a href=#browsing-context>browsing context</a> that
+ created them to actually navigate them. (Otherwise, the <a href=#sandboxed-navigation-browsing-context-flag>sandboxed navigation browsing
+ context flag</a> would prevent them from being navigated even if they were opened.)</p>
</dd>
@@ -69369,8 +69364,9 @@ x === this; // true</pre>
<dd>
- <p>This flag <a href=#sandboxWindowOpen>prevents content from
- creating new auxiliary browsing contexts</a>, e.g. using the <code title=attr-hyperlink-target><a href=#attr-hyperlink-target>target</a></code> attribute, the <code title=dom-open><a href=#dom-open>window.open()</a></code> method, or the <code title=dom-showModalDialog><a href=#dom-showmodaldialog>showModalDialog()</a></code> method.</p>
+ <p>This flag <a href=#sandboxWindowOpen>prevents content from creating new auxiliary browsing
+ contexts</a>, e.g. using the <code title=attr-hyperlink-target><a href=#attr-hyperlink-target>target</a></code> attribute, the
+ <code title=dom-open><a href=#dom-open>window.open()</a></code> method, or the <code title=dom-showModalDialog><a href=#dom-showmodaldialog>showModalDialog()</a></code> method.</p>
</dd>
@@ -69379,16 +69375,13 @@ x === this; // true</pre>
<dd>
- <p>This flag <a href=#sandboxLinks>prevents content from
- navigating their <span>top-level browsing context</span></a>.</p>
+ <p>This flag <a href=#sandboxLinks>prevents content from navigating their <span>top-level
+ browsing context</span></a>.</p>
- <p>When the <code title=attr-iframe-sandbox-allow-top-navigation><a href=#attr-iframe-sandbox-allow-top-navigation>allow-top-navigation</a></code>
- is set, content can navigate its <a href=#top-level-browsing-context>top-level browsing
- context</a>, but other <a href=#browsing-context title="browsing context">browsing
- contexts</a> are still protected by the <a href=#sandboxed-navigation-browsing-context-flag>sandboxed
- navigation browsing context flag</a> and possibly the
- <a href=#sandboxed-auxiliary-navigation-browsing-context-flag>sandboxed auxiliary navigation browsing context
- flag</a>.</p>
+ <p>When the <a href=#sandboxed-top-level-navigation-browsing-context-flag>sandboxed top-level navigation browsing context flag</a> is <em>not</em>
+ set, content can navigate its <a href=#top-level-browsing-context>top-level browsing context</a>, but other <a href=#browsing-context title="browsing context">browsing contexts</a> are still protected by the <a href=#sandboxed-navigation-browsing-context-flag>sandboxed
+ navigation browsing context flag</a> and possibly the <a href=#sandboxed-auxiliary-navigation-browsing-context-flag>sandboxed auxiliary navigation
+ browsing context flag</a>.</p>
</dd>
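Review bot: The rewrite of the second paragraph from "When the `allow-top-navigation` is set" to "When the `sandboxed top-level navigation browsing context flag` is <em>not</em> set" is a substantive correction, not only a reflow: this `<dd>` defines a flag of a sandboxing flag set, and the old wording tied the flag's meaning to one `iframe` keyword, whereas the flag is what the rest of the specification checks and the keyword merely controls whether `parse a sandboxing directive` (later in this patch) adds it. The new wording describes the flag in its own terms, as the first paragraph does. Worth a mention in the commit message, whose summary line only names `allow-pointer-lock` and cleanup.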
@@ -69397,10 +69390,9 @@ x === this; // true</pre>
<dd>
- <p>This flag prevents content from instantiating <a href=#plugin title=plugin>plugins</a>, whether using <a href=#sandboxPluginEmbed>the <code>embed</code> element</a>, <a href=#sandboxPluginObject>the <code>object</code> element</a>,
- <a href=#sandboxPluginApplet>the <code>applet</code>
- element</a>, or through <a href=#sandboxPluginNavigate>navigation</a> of a <a href=#nested-browsing-context>nested
- browsing context</a>, unless those <a href=#plugin title=plugin>plugins</a> can be <a href=#concept-plugin-secure title=concept-plugin-secure>secured</a>.</p>
+ <p>This flag prevents content from instantiating <a href=#plugin title=plugin>plugins</a>, whether
+ using <a href=#sandboxPluginEmbed>the <code>embed</code> element</a>, <a href=#sandboxPluginObject>the <code>object</code> element</a>, <a href=#sandboxPluginApplet>the <code>applet</code> element</a>, or through <a href=#sandboxPluginNavigate>navigation</a> of a <a href=#nested-browsing-context>nested browsing context</a>, unless
+ those <a href=#plugin title=plugin>plugins</a> can be <a href=#concept-plugin-secure title=concept-plugin-secure>secured</a>.</p>
</dd>
@@ -69409,13 +69401,12 @@ x === this; // true</pre>
<dd>
- <p>This flag prevents content from using the <code title=attr-iframe-seamless><a href=#attr-iframe-seamless>seamless</a></code> attribute on
- descendant <code><a href=#the-iframe-element>iframe</a></code> elements.</p>
+ <p>This flag prevents content from using the <code title=attr-iframe-seamless><a href=#attr-iframe-seamless>seamless</a></code>
+ attribute on descendant <code><a href=#the-iframe-element>iframe</a></code> elements.</p>
- <p class=note>This prevents a page inserted using the <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code>
- keyword from using a CSS-selector-based method of probing the DOM
- of other pages on the same site (in particular, pages that contain
- user-sensitive information).</p>
+ <p class=note>This prevents a page inserted using the <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code> keyword from using a
+ CSS-selector-based method of probing the DOM of other pages on the same site (in particular,
+ pages that contain user-sensitive information).</p>
<!-- http://lists.w3.org/Archives/Public/public-web-security/2009Dec/thread.html#msg51 -->
@@ -69426,13 +69417,12 @@ x === this; // true</pre>
<dd>
- <p>This flag <a href=#sandboxOrigin>forces content into a unique
- origin</a>, thus preventing it from accessing other content from
- the same <a href=#origin>origin</a>.</p>
+ <p>This flag <a href=#sandboxOrigin>forces content into a unique origin</a>, thus preventing
+ it from accessing other content from the same <a href=#origin>origin</a>.</p>
- <p>This flag also <a href=#sandboxCookies>prevents script from
- reading from or writing to the <code title=dom-document-cookie>document.cookie</code> IDL
- attribute</a>, and blocks access to <code title=dom-localStorage><a href=#dom-localstorage>localStorage</a></code>.
+ <p>This flag also <a href=#sandboxCookies>prevents script from reading from or writing to the
+ <code title=dom-document-cookie>document.cookie</code> IDL attribute</a>, and blocks access to
+ <code title=dom-localStorage><a href=#dom-localstorage>localStorage</a></code>.
</p>
</dd>
@@ -69442,8 +69432,16 @@ x === this; // true</pre>
<dd>
- <p>This flag <a href=#sandboxSubmitBlocked>blocks form
- submission</a>.</p>
+ <p>This flag <a href=#sandboxSubmitBlocked>blocks form submission</a>.</p>
+
+ </dd>
+
+
+ <dt>The <dfn id=sandboxed-pointer-lock-browsing-context-flag>sandboxed pointer lock browsing context flag</dfn></dt>
+
+ <dd>
+
+ <p>This flag disables the Pointer Lock API. <a href=#refsPOINTERLOCK>[POINTERLOCK]</a></p>
</dd>
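Review bot: The new `<dd>` at the end of this hunk, `<p>This flag disables the Pointer Lock API. <a href=#refsPOINTERLOCK>[POINTERLOCK]</a></p>`, is the only flag description in this `<dl>` that does not point at the place where the restriction is enforced; the neighbouring entries link to `#sandboxSubmitBlocked`, `#sandboxScriptBlocked`, `#sandboxLinks` and so on. Since enforcement here is delegated to another specification, say so explicitly (for example, that the Pointer Lock specification is expected to consult this flag before granting a lock), so a reader knows there is no hook to look for in this document. A short `<p class=note>` on how this flag relates to the `sandboxed scripts browsing context flag`, mirroring the note given for the automatic features flag two entries down, would also help authors decide whether `allow-pointer-lock` is meaningful without `allow-scripts`.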
@@ -69452,8 +69450,7 @@ x === this; // true</pre>
<dd>
- <p>This flag <a href=#sandboxScriptBlocked>blocks script
- execution</a>.</p>
+ <p>This flag <a href=#sandboxScriptBlocked>blocks script execution</a>.</p>
</dd>
@@ -69463,16 +69460,11 @@ x === this; // true</pre>
<dd>
- <p>This flag blocks features that trigger automatically, such as
- <a href=#attr-media-autoplay title=attr-media-autoplay>automatically playing a
- video</a> or <a href=#attr-fe-autofocus title=attr-fe-autofocus>automatically
- focusing a form control</a>.</p>
+ <p>This flag blocks features that trigger automatically, such as <a href=#attr-media-autoplay title=attr-media-autoplay>automatically playing a video</a> or <a href=#attr-fe-autofocus title=attr-fe-autofocus>automatically focusing a form control</a>.</p>
</dd>
- </dl><p>When the user agent is to <dfn id=parse-a-sandboxing-directive>parse a sandboxing
- directive</dfn>, given a string <var title="">input</var> and a
- <a href=#sandboxing-flag-set>sandboxing flag set</a> <var title="">output</var>, it must
+ </dl><p>When the user agent is to <dfn id=parse-a-sandboxing-directive>parse a sandboxing directive</dfn>, given a string <var title="">input</var> and a <a href=#sandboxing-flag-set>sandboxing flag set</a> <var title="">output</var>, it must
run the following steps:</p>
<ol><li><p><a href=#split-a-string-on-spaces title="split a string on spaces">Split <var title="">input</var> on spaces</a>, to obtain <var title="">tokens</var>.</li>
@@ -69483,65 +69475,53 @@ x === this; // true</pre>
<p>Add the following flags to <var title="">output</var>:</p>
- <ul><li><p>The <a href=#sandboxed-navigation-browsing-context-flag>sandboxed navigation browsing context flag</a></li>
+ <ul><li><p>The <a href=#sandboxed-navigation-browsing-context-flag>sandboxed navigation browsing context flag</a>.</li>
- <li><p>The <a href=#sandboxed-auxiliary-navigation-browsing-context-flag>sandboxed auxiliary navigation browsing context
- flag</a>, unless <var title="">tokens</var> contains the <dfn id=attr-iframe-sandbox-allow-popups title=attr-iframe-sandbox-allow-popups><code>allow-popups</code></dfn>
- keyword</li>
+ <li><p>The <a href=#sandboxed-auxiliary-navigation-browsing-context-flag>sandboxed auxiliary navigation browsing context flag</a>, unless <var title="">tokens</var> contains the <dfn id=attr-iframe-sandbox-allow-popups title=attr-iframe-sandbox-allow-popups><code>allow-popups</code></dfn> keyword.</li>
- <li><p>The <a href=#sandboxed-top-level-navigation-browsing-context-flag>sandboxed top-level navigation browsing context
- flag</a>, unless <var title="">tokens</var> contains the <dfn id=attr-iframe-sandbox-allow-top-navigation title=attr-iframe-sandbox-allow-top-navigation><code>allow-top-navigation</code></dfn>
- keyword</li>
+ <li><p>The <a href=#sandboxed-top-level-navigation-browsing-context-flag>sandboxed top-level navigation browsing context flag</a>, unless <var title="">tokens</var> contains the <dfn id=attr-iframe-sandbox-allow-top-navigation title=attr-iframe-sandbox-allow-top-navigation><code>allow-top-navigation</code></dfn>
+ keyword.</li>
- <li><p>The <a href=#sandboxed-plugins-browsing-context-flag>sandboxed plugins browsing context flag</a></li>
+ <li><p>The <a href=#sandboxed-plugins-browsing-context-flag>sandboxed plugins browsing context flag</a>.</li>
- <li><p>The <a href=#sandboxed-seamless-iframes-flag>sandboxed seamless iframes flag</a></li>
+ <li><p>The <a href=#sandboxed-seamless-iframes-flag>sandboxed seamless iframes flag</a>.</li>
<li>
- <p>The <a href=#sandboxed-origin-browsing-context-flag>sandboxed origin browsing context flag</a>,
- unless the <var title="">tokens</var> contains the <dfn id=attr-iframe-sandbox-allow-same-origin title=attr-iframe-sandbox-allow-same-origin><code>allow-same-origin</code></dfn>
- keyword</p>
+ <p>The <a href=#sandboxed-origin-browsing-context-flag>sandboxed origin browsing context flag</a>, unless the <var title="">tokens</var> contains the <dfn id=attr-iframe-sandbox-allow-same-origin title=attr-iframe-sandbox-allow-same-origin><code>allow-same-origin</code></dfn>
+ keyword.</p>
<div class=note>
- <p>The <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code>
- keyword is intended for two cases.</p>
+ <p>The <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code> keyword
+ is intended for two cases.</p>
- <p>First, it can be used to allow content from the same site to
- be sandboxed to disable scripting, while still allowing access to
- the DOM of the sandboxed content.</p>
+ <p>First, it can be used to allow content from the same site to be sandboxed to disable
+ scripting, while still allowing access to the DOM of the sandboxed content.</p>
- <p>Second, it can be used to embed content from a third-party
- site, sandboxed to prevent that site from opening popup windows,
- etc, without preventing the embedded page from communicating back
- to its originating site, using the database APIs to store data,
- etc.</p>
+ <p>Second, it can be used to embed content from a third-party site, sandboxed to prevent that
+ site from opening popup windows, etc, without preventing the embedded page from communicating
+ back to its originating site, using the database APIs to store data, etc.</p>
</div>
</li>
- <li><p>The <a href=#sandboxed-forms-browsing-context-flag>sandboxed forms browsing context flag</a>,
- unless <var title="">tokens</var> contains the <dfn id=attr-iframe-sandbox-allow-forms title=attr-iframe-sandbox-allow-forms><code>allow-forms</code></dfn>
- keyword</li>
+ <li><p>The <a href=#sandboxed-forms-browsing-context-flag>sandboxed forms browsing context flag</a>, unless <var title="">tokens</var> contains the <dfn id=attr-iframe-sandbox-allow-forms title=attr-iframe-sandbox-allow-forms><code>allow-forms</code></dfn> keyword.</li>
- <li><p>The <a href=#sandboxed-scripts-browsing-context-flag>sandboxed scripts browsing context flag</a>,
- unless <var title="">tokens</var> contains the <dfn id=attr-iframe-sandbox-allow-scripts title=attr-iframe-sandbox-allow-scripts><code>allow-scripts</code></dfn>
- keyword</li>
+ <li><p>The <a href=#sandboxed-pointer-lock-browsing-context-flag>sandboxed pointer lock browsing context flag</a>, unless <var title="">tokens</var> contains the <dfn id=attr-iframe-sandbox-pointer-lock title=attr-iframe-sandbox-pointer-lock><code>allow-pointer-lock</code></dfn>
+ keyword.</li>
+
+ <li><p>The <a href=#sandboxed-scripts-browsing-context-flag>sandboxed scripts browsing context flag</a>, unless <var title="">tokens</var> contains the <dfn id=attr-iframe-sandbox-allow-scripts title=attr-iframe-sandbox-allow-scripts><code>allow-scripts</code></dfn> keyword.</li>
<li>
- <p>The <a href=#sandboxed-automatic-features-browsing-context-flag>sandboxed automatic features browsing context
- flag</a>, unless <var title="">tokens</var> contains the
- <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code>
- keyword (defined above)</p>
+ <p>The <a href=#sandboxed-automatic-features-browsing-context-flag>sandboxed automatic features browsing context flag</a>, unless <var title="">tokens</var> contains the <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code> keyword (defined above).</p>
- <p class=note>This flag is relaxed by the same keyword as
- scripts, because when scripts are enabled these features are
- trivially possible anyway, and it would be unfortunate to force
- authors to use script to do them when sandboxed rather than
- allowing them to use the declarative features.</p>
+ <p class=note>This flag is relaxed by the same keyword as scripts, because when scripts are
+ enabled these features are trivially possible anyway, and it would be unfortunate to force
+ authors to use script to do them when sandboxed rather than allowing them to use the
+ declarative features.</p>
</li>
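Review bot: The new list item's `<dfn id=attr-iframe-sandbox-pointer-lock title=attr-iframe-sandbox-pointer-lock><code>allow-pointer-lock</code></dfn>` drops the `allow-` part of the identifier, while every other keyword in this list (`attr-iframe-sandbox-allow-popups`, `attr-iframe-sandbox-allow-forms`, `attr-iframe-sandbox-allow-scripts`) and every reference to this keyword elsewhere in the patch uses `attr-iframe-sandbox-allow-pointer-lock`. That mismatch is why those references render as bare `<code>` with no `<a href>`. Rename the `<dfn>` id and title to `attr-iframe-sandbox-allow-pointer-lock`; nothing else needs to change.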
@@ -104273,6 +104253,7 @@ if (s = prompt('What is your name?')) {
<td> Security rules for nested content
<td> <a href=#unordered-set-of-unique-space-separated-tokens>Unordered set of unique space-separated tokens</a>, <a href=#ascii-case-insensitive>ASCII case-insensitive</a>, consisting of
"<code title=attr-iframe-sandbox-allow-forms><a href=#attr-iframe-sandbox-allow-forms>allow-forms</a></code>",
+ "<code title=attr-iframe-sandbox-allow-pointer-lock>allow-pointer-lock</code>",
"<code title=attr-iframe-sandbox-allow-popups><a href=#attr-iframe-sandbox-allow-popups>allow-popups</a></code>",
"<code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code>",
"<code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code> and
@@ -105557,13 +105538,7 @@ if (s = prompt('What is your name?')) {
C. Clavius. Gregory XIII Papal Bull, February 1582.</dd>
<dt id=refsHTMLDIFF>[HTMLDIFF]</dt>
- <!--
- <dd>(Non-normative) <cite><a
- href="http://www.w3.org/TR/html5-diff/">HTML5 differences from
- HTML4</a></cite>, A. van Kesteren. W3C.</dd>
- -->
- <dd>(Non-normative) <cite><a href=http://dev.w3.org/html5/html4-differences/>HTML5
- differences from HTML4</a></cite>, A. van Kesteren. W3C.</dd>
+ <dd>(Non-normative) <cite><a href=http://dev.w3.org/html5/html4-differences/>HTML5 differences from HTML4</a></cite>, S. Pieters. W3C.</dd>
<dt id=refsHTTP>[HTTP]</dt>
<dd><cite><a href=http://tools.ietf.org/html/rfc2616>Hypertext
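Review bot: The `+` line changes the author of [HTMLDIFF] from "A. van Kesteren" to "S. Pieters" while also collapsing the entry onto one line and dropping the commented-out `/TR/` URL. The author change is a correction to a bibliographic entry rather than cleanup, and the commit message does not mention it; please confirm the current editor of the document at that URL and record the change in the message so it is not mistaken for a reflow artifact.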
@@ -105637,18 +105612,10 @@ if (s = prompt('What is your name?')) {
<!-- search for ["Box Structure was and subsequent clauses were re-organized"] to find it -->
<dt id=refsMQ>[MQ]</dt>
- <!--
- <dd><cite><a href="http://www.w3.org/TR/css3-mediaqueries/">Media
- Queries</a></cite>, H. Lie, T. &Ccedil;elik, D. Glazman, A. van
- Kesteren. W3C.</dd>
- -->
- <dd><cite><a href=http://dev.w3.org/csswg/css3-mediaqueries/>Media
- Queries</a></cite>, H. Lie, T. &Ccedil;elik, D. Glazman, A. van
- Kesteren. W3C.</dd>
+ <dd><cite><a href=http://dev.w3.org/csswg/css3-mediaqueries/>Media Queries</a></cite>, H. Lie, T. &Ccedil;elik, D. Glazman, A. van Kesteren. W3C.</dd>
<dt id=refsNPAPI>[NPAPI]</dt>
- <dd>(Non-normative) <cite><a href=https://developer.mozilla.org/en/Gecko_Plugin_API_Reference>Gecko
- Plugin API Reference</a></cite>. Mozilla.</dd>
+ <dd>(Non-normative) <cite><a href=https://developer.mozilla.org/en/Gecko_Plugin_API_Reference>Gecko Plugin API Reference</a></cite>. Mozilla.</dd>
<dt id=refsOGGSKELETONHEADERS>[OGGSKELETONHEADERS]</dt>
<dd><cite><a href=http://wiki.xiph.org/SkeletonHeaders>SkeletonHeaders</a></cite>. Xiph.Org.</dd>
@@ -105675,6 +105642,9 @@ if (s = prompt('What is your name?')) {
<dd><cite><a href=http://www.w3.org/TR/PNG/>Portable Network
Graphics (PNG) Specification</a></cite>, D. Duce. W3C.</dd>
+ <dt id=refsPOINTERLOCK>[POINTERLOCK]</dt>
+ <dd><cite><a href=http://dvcs.w3.org/hg/pointerlock/raw-file/default/index.html>Pointer Lock</a></cite>, V. Scheib. W3C.</dd>
+
<dt id=refsPOLYGLOT>[POLYGLOT]</dt>
<dd>(Non-normative) <cite><a href=http://dev.w3.org/html5/html-xhtml-author-guide/html-xhtml-authoring-guide.html>Polyglot
Markup: HTML-Compatible XHTML Documents</a></cite>, E. Graff.
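Review bot: The new [POINTERLOCK] entry cites `http://dvcs.w3.org/hg/pointerlock/raw-file/default/index.html`, a raw-file view of the default branch of an editor's repository, which changes content without notice; the other entries touched in this patch cite `dev.w3.org` editor's drafts or `/TR/` documents. Check whether a `dev.w3.org` or `/TR/` URL exists for Pointer Lock; if the raw-file URL is the only option, a source comment saying so would save the next editor the same search. Leaving out "(Non-normative)" looks right, since the new sandboxing flag is defined in terms of that document.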
@@ -105690,17 +105660,14 @@ if (s = prompt('What is your name?')) {
<dd>(Non-normative) <cite><a href=http://www.sw.it.aoyama.ac.jp/2012/pub/IUC11-UTF-8.pdf>The Properties and Promises <!-- Promizes (sic) --> of UTF-8</a></cite>, M. D&uuml;rst. University of Z&uuml;rich. In <cite>Proceedings of the 11th International Unicode Conference</cite>.</dd>
<dt id=refsPROGRESS>[PROGRESS]</dt>
- <dd><cite><a href=http://dev.w3.org/2006/webapi/progress/>Progress
- Events</a></cite>, A. van Kesteren. W3C.</dd>
+ <dd><cite><a href=http://dev.w3.org/2006/webapi/progress/>Progress Events</a></cite>, A. van Kesteren. W3C.</dd>
<dt id=refsPSL>[PSL]</dt>
<dd><cite><a href=http://publicsuffix.org/>Public Suffix List</a></cite>.
Mozilla Foundation.</dd>
<dt id=refsRFC1034>[RFC1034]</dt>
- <dd><cite><a href=http://tools.ietf.org/html/rfc1034>Domain
- Names - Concepts and Facilities</a></cite>, P. Mockapetris. IETF,
- November 1987.</dd>
+ <dd><cite><a href=http://tools.ietf.org/html/rfc1034>Domain Names - Concepts and Facilities</a></cite>, P. Mockapetris. IETF, November 1987.</dd>
<dt id=refsRFC1345>[RFC1345]</dt>
<dd><cite><a href=http://tools.ietf.org/html/rfc1345>Character Mnemonics
279 source
@@ -28885,22 +28885,25 @@ href="?audio">audio&lt;/a> test instead.)&lt;/p></pre>
must be an <span>unordered set of unique space-separated tokens</span> that are <span>ASCII
case-insensitive</span>. The allowed values are <code
title="attr-iframe-sandbox-allow-forms">allow-forms</code>, <code
+ title="attr-iframe-sandbox-allow-pointer-lock">allow-pointer-lock</code>, <code
title="attr-iframe-sandbox-allow-popups">allow-popups</code>, <code
title="attr-iframe-sandbox-allow-same-origin">allow-same-origin</code>, <code
title="attr-iframe-sandbox-allow-scripts">allow-scripts</code>, and <code
title="attr-iframe-sandbox-allow-top-navigation">allow-top-navigation</code>.</p>
<p>When the attribute is set, the content is treated as being from a unique <span>origin</span>,
- forms and scripts are disabled, links are prevented from targeting other <span title="browsing
- context">browsing contexts</span>, and plugins are secured. The <code
- title="attr-iframe-sandbox-allow-same-origin">allow-same-origin</code> keyword allows the content
- to be treated as being from the same origin instead of forcing it into a unique origin, the <code
- title="attr-iframe-sandbox-allow-top-navigation">allow-top-navigation</code> keyword allows the
- content to <span>navigate</span> its <span>top-level browsing context</span>, and the <code
- title="attr-iframe-sandbox-allow-forms">allow-forms</code>, <code
+ forms, scripts, and various potentially annoying APIs are disabled, links are prevented from
+ targeting other <span title="browsing context">browsing contexts</span>, and plugins are secured.
+ The <code title="attr-iframe-sandbox-allow-same-origin">allow-same-origin</code> keyword allows
+ the content to be treated as being from the same origin instead of forcing it into a unique
+ origin; the <code title="attr-iframe-sandbox-allow-top-navigation">allow-top-navigation</code>
+ keyword allows the content to <span>navigate</span> its <span>top-level browsing context</span>;
+ and the <code title="attr-iframe-sandbox-allow-forms">allow-forms</code>, <code
+ title="attr-iframe-sandbox-allow-pointer-lock">allow-pointer-lock</code>, <code
title="attr-iframe-sandbox-allow-popups">allow-popups</code> and <code
- title="attr-iframe-sandbox-allow-scripts">allow-scripts</code> keywords re-enable forms, popups,
- and scripts respectively.</p>
+ title="attr-iframe-sandbox-allow-scripts">allow-scripts</code> keywords re-enable forms, the
+ pointer lock API, popups, and scripts respectively. <a
+ href="#refsPOINTERLOCK">[POINTERLOCK]</a></p>
<p class="warning">Setting both the <code
title="attr-iframe-sandbox-allow-scripts">allow-scripts</code> and <code
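Review bot: The `title="attr-iframe-sandbox-allow-pointer-lock"` on the two added `<code>` lines must match the `title` of the keyword's `<dfn>` for the build to emit a link; the rendered `complete.html` half of this patch shows `allow-pointer-lock` as the only keyword without an `<a href>`, so the `<dfn>` in the `parse a sandboxing directive` list does not currently match. Fix the `<dfn>` rather than these lines, which already use the consistent form.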
@@ -81196,37 +81199,29 @@ x === this; // true</pre>
<h3>Sandboxing</h3>
- <p>A <dfn>sandboxing flag set</dfn> is a set of zero or more of the
- following flags, which are used to restrict the abilities that
- potentially untrusted resources have:</p>
+ <p>A <dfn>sandboxing flag set</dfn> is a set of zero or more of the following flags, which are
+ used to restrict the abilities that potentially untrusted resources have:</p>
<dl>
<dt>The <dfn>sandboxed navigation browsing context flag</dfn></dt>
<dd>
- <p>This flag <a href="#sandboxLinks">prevents content from
- navigating browsing contexts other than the sandboxed browsing
- context itself</a> (or browsing contexts further nested inside
- it), <span title="auxiliary browsing context">auxiliary browsing
- contexts</span> (which are protected by the <span>sandboxed
- auxiliary navigation browsing context flag</span> defined next),
- and the <span>top-level browsing context</span> (which is
- protected by the <span>sandboxed top-level navigation browsing
- context flag</span> defined below).</p>
+ <p>This flag <a href="#sandboxLinks">prevents content from navigating browsing contexts other
+ than the sandboxed browsing context itself</a> (or browsing contexts further nested inside it),
+ <span title="auxiliary browsing context">auxiliary browsing contexts</span> (which are protected
+ by the <span>sandboxed auxiliary navigation browsing context flag</span> defined next), and the
+ <span>top-level browsing context</span> (which is protected by the <span>sandboxed top-level
+ navigation browsing context flag</span> defined below).</p>
- <p>If the <span>sandboxed auxiliary navigation browsing context
- flag</span> is not set, then in certain cases the restrictions
- nonetheless allow popups (new <span title="top-level browsing
- context">top-level browsing contexts</span>) to be opened. These
- <span title="browsing context">browsing contexts</span> always
- have <dfn>one permitted sandboxed navigator</dfn>, set when the
- browsing context is created, which allows the <span>browsing
- context</span> that created them to actually navigate them.
- (Otherwise, the <span>sandboxed navigation browsing context
- flag</span> would prevent them from being navigated even if they
- were opened.)</p>
+ <p>If the <span>sandboxed auxiliary navigation browsing context flag</span> is not set, then in
+ certain cases the restrictions nonetheless allow popups (new <span title="top-level browsing
+ context">top-level browsing contexts</span>) to be opened. These <span title="browsing
+ context">browsing contexts</span> always have <dfn>one permitted sandboxed navigator</dfn>, set
+ when the browsing context is created, which allows the <span>browsing context</span> that
+ created them to actually navigate them. (Otherwise, the <span>sandboxed navigation browsing
+ context flag</span> would prevent them from being navigated even if they were opened.)</p>
</dd>
@@ -81235,10 +81230,9 @@ x === this; // true</pre>
<dd>
- <p>This flag <a href="#sandboxWindowOpen">prevents content from
- creating new auxiliary browsing contexts</a>, e.g. using the <code
- title="attr-hyperlink-target">target</code> attribute, the <code
- title="dom-open">window.open()</code> method, or the <code
+ <p>This flag <a href="#sandboxWindowOpen">prevents content from creating new auxiliary browsing
+ contexts</a>, e.g. using the <code title="attr-hyperlink-target">target</code> attribute, the
+ <code title="dom-open">window.open()</code> method, or the <code
title="dom-showModalDialog">showModalDialog()</code> method.</p>
</dd>
@@ -81248,17 +81242,14 @@ x === this; // true</pre>
<dd>
- <p>This flag <a href="#sandboxLinks">prevents content from
- navigating their <span>top-level browsing context</span></a>.</p>
+ <p>This flag <a href="#sandboxLinks">prevents content from navigating their <span>top-level
+ browsing context</span></a>.</p>
- <p>When the <code
- title="attr-iframe-sandbox-allow-top-navigation">allow-top-navigation</code>
- is set, content can navigate its <span>top-level browsing
- context</span>, but other <span title="browsing context">browsing
- contexts</span> are still protected by the <span>sandboxed
- navigation browsing context flag</span> and possibly the
- <span>sandboxed auxiliary navigation browsing context
- flag</span>.</p>
+ <p>When the <span>sandboxed top-level navigation browsing context flag</span> is <em>not</em>
+ set, content can navigate its <span>top-level browsing context</span>, but other <span
+ title="browsing context">browsing contexts</span> are still protected by the <span>sandboxed
+ navigation browsing context flag</span> and possibly the <span>sandboxed auxiliary navigation
+ browsing context flag</span>.</p>
</dd>
@@ -81267,15 +81258,12 @@ x === this; // true</pre>
<dd>
- <p>This flag prevents content from instantiating <span
- title="plugin">plugins</span>, whether using <a
- href="#sandboxPluginEmbed">the <code>embed</code> element</a>, <a
- href="#sandboxPluginObject">the <code>object</code> element</a>,
- <a href="#sandboxPluginApplet">the <code>applet</code>
- element</a>, or through <a
- href="#sandboxPluginNavigate">navigation</a> of a <span>nested
- browsing context</span>, unless those <span
- title="plugin">plugins</span> can be <span
+ <p>This flag prevents content from instantiating <span title="plugin">plugins</span>, whether
+ using <a href="#sandboxPluginEmbed">the <code>embed</code> element</a>, <a
+ href="#sandboxPluginObject">the <code>object</code> element</a>, <a
+ href="#sandboxPluginApplet">the <code>applet</code> element</a>, or through <a
+ href="#sandboxPluginNavigate">navigation</a> of a <span>nested browsing context</span>, unless
+ those <span title="plugin">plugins</span> can be <span
title="concept-plugin-secure">secured</span>.</p>
</dd>
@@ -81285,15 +81273,13 @@ x === this; // true</pre>
<dd>
- <p>This flag prevents content from using the <code
- title="attr-iframe-seamless">seamless</code> attribute on
- descendant <code>iframe</code> elements.</p>
+ <p>This flag prevents content from using the <code title="attr-iframe-seamless">seamless</code>
+ attribute on descendant <code>iframe</code> elements.</p>
<p class="note">This prevents a page inserted using the <code
- title="attr-iframe-sandbox-allow-same-origin">allow-same-origin</code>
- keyword from using a CSS-selector-based method of probing the DOM
- of other pages on the same site (in particular, pages that contain
- user-sensitive information).</p>
+ title="attr-iframe-sandbox-allow-same-origin">allow-same-origin</code> keyword from using a
+ CSS-selector-based method of probing the DOM of other pages on the same site (in particular,
+ pages that contain user-sensitive information).</p>
<!-- http://lists.w3.org/Archives/Public/public-web-security/2009Dec/thread.html#msg51 -->
@@ -81304,15 +81290,12 @@ x === this; // true</pre>
<dd>
- <p>This flag <a href="#sandboxOrigin">forces content into a unique
- origin</a>, thus preventing it from accessing other content from
- the same <span>origin</span>.</p>
+ <p>This flag <a href="#sandboxOrigin">forces content into a unique origin</a>, thus preventing
+ it from accessing other content from the same <span>origin</span>.</p>
- <p>This flag also <a href="#sandboxCookies">prevents script from
- reading from or writing to the <code
- title="dom-document-cookie">document.cookie</code> IDL
- attribute</a>, and blocks access to <code
- title="dom-localStorage">localStorage</code>.
+ <p>This flag also <a href="#sandboxCookies">prevents script from reading from or writing to the
+ <code title="dom-document-cookie">document.cookie</code> IDL attribute</a>, and blocks access to
+ <code title="dom-localStorage">localStorage</code>.
<!--END complete-->
<a href="#refsWEBSTORAGE">[WEBSTORAGE]</a>
<!--START complete-->
@@ -81325,8 +81308,16 @@ x === this; // true</pre>
<dd>
- <p>This flag <a href="#sandboxSubmitBlocked">blocks form
- submission</a>.</p>
+ <p>This flag <a href="#sandboxSubmitBlocked">blocks form submission</a>.</p>
+
+ </dd>
+
+
+ <dt>The <dfn>sandboxed pointer lock browsing context flag</dfn></dt>
+
+ <dd>
+
+ <p>This flag disables the Pointer Lock API. <a href="#refsPOINTERLOCK">[POINTERLOCK]</a></p>
</dd>
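Review bot: The new `<dd>` for the sandboxed pointer lock browsing context flag has no enforcement hook, unlike every other flag in this list, which links to the point in the spec where it is checked (`#sandboxSubmitBlocked`, `#sandboxScriptBlocked`, `#sandboxOrigin`). "This flag disables the Pointer Lock API. [POINTERLOCK]" leaves it unstated whether this spec or the Pointer Lock spec is expected to consult the flag, and gives the Pointer Lock spec no anchor to reference. Suggest either adding an id here that the Pointer Lock spec can point at, or stating explicitly that the Pointer Lock specification checks this flag when pointer lock is requested.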
@@ -81335,8 +81326,7 @@ x === this; // true</pre>
<dd>
- <p>This flag <a href="#sandboxScriptBlocked">blocks script
- execution</a>.</p>
+ <p>This flag <a href="#sandboxScriptBlocked">blocks script execution</a>.</p>
</dd>
@@ -81346,18 +81336,16 @@ x === this; // true</pre>
<dd>
- <p>This flag blocks features that trigger automatically, such as
- <span title="attr-media-autoplay">automatically playing a
- video</span> or <span title="attr-fe-autofocus">automatically
- focusing a form control</span>.</p>
+ <p>This flag blocks features that trigger automatically, such as <span
+ title="attr-media-autoplay">automatically playing a video</span> or <span
+ title="attr-fe-autofocus">automatically focusing a form control</span>.</p>
</dd>
</dl>
- <p>When the user agent is to <dfn>parse a sandboxing
- directive</dfn>, given a string <var title="">input</var> and a
- <span>sandboxing flag set</span> <var title="">output</var>, it must
+ <p>When the user agent is to <dfn>parse a sandboxing directive</dfn>, given a string <var
+ title="">input</var> and a <span>sandboxing flag set</span> <var title="">output</var>, it must
run the following steps:</p>
<ol>
@@ -81374,72 +81362,67 @@ x === this; // true</pre>
<ul>
- <li><p>The <span>sandboxed navigation browsing context flag</span></p></li>
+ <li><p>The <span>sandboxed navigation browsing context flag</span>.</p></li>
- <li><p>The <span>sandboxed auxiliary navigation browsing context
- flag</span>, unless <var title="">tokens</var> contains the <dfn
- title="attr-iframe-sandbox-allow-popups"><code>allow-popups</code></dfn>
- keyword</p></li>
+ <li><p>The <span>sandboxed auxiliary navigation browsing context flag</span>, unless <var
+ title="">tokens</var> contains the <dfn
+ title="attr-iframe-sandbox-allow-popups"><code>allow-popups</code></dfn> keyword.</p></li>
- <li><p>The <span>sandboxed top-level navigation browsing context
- flag</span>, unless <var title="">tokens</var> contains the <dfn
+ <li><p>The <span>sandboxed top-level navigation browsing context flag</span>, unless <var
+ title="">tokens</var> contains the <dfn
title="attr-iframe-sandbox-allow-top-navigation"><code>allow-top-navigation</code></dfn>
- keyword</p></li>
+ keyword.</p></li>
- <li><p>The <span>sandboxed plugins browsing context flag</span></p></li>
+ <li><p>The <span>sandboxed plugins browsing context flag</span>.</p></li>
- <li><p>The <span>sandboxed seamless iframes flag</span></p></li>
+ <li><p>The <span>sandboxed seamless iframes flag</span>.</p></li>
<li>
- <p>The <span>sandboxed origin browsing context flag</span>,
- unless the <var title="">tokens</var> contains the <dfn
+ <p>The <span>sandboxed origin browsing context flag</span>, unless the <var
+ title="">tokens</var> contains the <dfn
title="attr-iframe-sandbox-allow-same-origin"><code>allow-same-origin</code></dfn>
- keyword</p>
+ keyword.</p>
<div class="note">
- <p>The <code
- title="attr-iframe-sandbox-allow-same-origin">allow-same-origin</code>
- keyword is intended for two cases.</p>
+ <p>The <code title="attr-iframe-sandbox-allow-same-origin">allow-same-origin</code> keyword
+ is intended for two cases.</p>
- <p>First, it can be used to allow content from the same site to
- be sandboxed to disable scripting, while still allowing access to
- the DOM of the sandboxed content.</p>
+ <p>First, it can be used to allow content from the same site to be sandboxed to disable
+ scripting, while still allowing access to the DOM of the sandboxed content.</p>
- <p>Second, it can be used to embed content from a third-party
- site, sandboxed to prevent that site from opening popup windows,
- etc, without preventing the embedded page from communicating back
- to its originating site, using the database APIs to store data,
- etc.</p>
+ <p>Second, it can be used to embed content from a third-party site, sandboxed to prevent that
+ site from opening popup windows, etc, without preventing the embedded page from communicating
+ back to its originating site, using the database APIs to store data, etc.</p>
</div>
</li>
- <li><p>The <span>sandboxed forms browsing context flag</span>,
- unless <var title="">tokens</var> contains the <dfn
- title="attr-iframe-sandbox-allow-forms"><code>allow-forms</code></dfn>
- keyword</p></li>
+ <li><p>The <span>sandboxed forms browsing context flag</span>, unless <var
+ title="">tokens</var> contains the <dfn
+ title="attr-iframe-sandbox-allow-forms"><code>allow-forms</code></dfn> keyword.</p></li>
- <li><p>The <span>sandboxed scripts browsing context flag</span>,
- unless <var title="">tokens</var> contains the <dfn
- title="attr-iframe-sandbox-allow-scripts"><code>allow-scripts</code></dfn>
- keyword</p></li>
+ <li><p>The <span>sandboxed pointer lock browsing context flag</span>, unless <var
+ title="">tokens</var> contains the <dfn
+ title="attr-iframe-sandbox-pointer-lock"><code>allow-pointer-lock</code></dfn>
+ keyword.</p></li>
+
+ <li><p>The <span>sandboxed scripts browsing context flag</span>, unless <var
+ title="">tokens</var> contains the <dfn
+ title="attr-iframe-sandbox-allow-scripts"><code>allow-scripts</code></dfn> keyword.</p></li>
<li>
- <p>The <span>sandboxed automatic features browsing context
- flag</span>, unless <var title="">tokens</var> contains the
- <code
- title="attr-iframe-sandbox-allow-scripts">allow-scripts</code>
- keyword (defined above)</p>
+ <p>The <span>sandboxed automatic features browsing context flag</span>, unless <var
+ title="">tokens</var> contains the <code
+ title="attr-iframe-sandbox-allow-scripts">allow-scripts</code> keyword (defined above).</p>
- <p class="note">This flag is relaxed by the same keyword as
- scripts, because when scripts are enabled these features are
- trivially possible anyway, and it would be unfortunate to force
- authors to use script to do them when sandboxed rather than
- allowing them to use the declarative features.</p>
+ <p class="note">This flag is relaxed by the same keyword as scripts, because when scripts are
+ enabled these features are trivially possible anyway, and it would be unfortunate to force
+ authors to use script to do them when sandboxed rather than allowing them to use the
+ declarative features.</p>
</li>
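Review bot: The `dfn` for the new keyword uses `title="attr-iframe-sandbox-pointer-lock"`, which breaks the naming pattern of the sibling keywords (`attr-iframe-sandbox-allow-popups`, `attr-iframe-sandbox-allow-forms`, `attr-iframe-sandbox-allow-scripts`) and does not match the `title="attr-iframe-sandbox-allow-pointer-lock"` used by the attribute table later in this commit, so that cross-reference will not resolve. Suggest renaming the dfn to `title="attr-iframe-sandbox-allow-pointer-lock"><code>allow-pointer-lock</code></dfn>`. Separately, this hunk is also a good place to confirm that the author-facing list of allowed `sandbox` values in the `iframe` element section mentions the new keyword, since the parser and the attribute table now do.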
@@ -122079,6 +122062,7 @@ if (s = prompt('What is your name?')) {
<td> Security rules for nested content
<td> <span>Unordered set of unique space-separated tokens</span>, <span>ASCII case-insensitive</span>, consisting of
"<code title="attr-iframe-sandbox-allow-forms">allow-forms</code>",
+ "<code title="attr-iframe-sandbox-allow-pointer-lock">allow-pointer-lock</code>",
"<code title="attr-iframe-sandbox-allow-popups">allow-popups</code>",
"<code title="attr-iframe-sandbox-allow-same-origin">allow-same-origin</code>",
"<code title="attr-iframe-sandbox-allow-scripts">allow-scripts</code> and
@@ -123648,34 +123632,14 @@ if (s = prompt('What is your name?')) {
href="http://www.w3.org/TR/html4/">HTML 4.01
Specification</a></cite>, D. Raggett, A. Le Hors, I. Jacobs. W3C.</dd>
-<!--END complete-->
<dt id="refsHTML">[HTML]</dt>
- <dd><cite><a
- href="http://www.whatwg.org/specs/web-apps/current-work/">HTML</a></cite>,
- I. Hickson. WHATWG.</dd>
-
-<!--END dev-html-->
- <dt id="refsHTML5">[HTML5]</dt>
- <dd>
-<!--END vocabs--><!--END vCard--><!--END vEvent--><!--END work--><!--END websocket-api--><!--END storage--><!--END eventsource--><!--END whatwg-workers--><!--END workers--><!--END html-device--><!--END microdata--><!--END 2dcontext--><!--END postmsg--><!--END w3c-html-->
- (Non-normative) <!--YYY-->
-<!--START html-device--><!--START microdata--><!--START 2dcontext--><!--START postmsg--><!--START w3c-html--><!--START websocket-api--><!--START storage--><!--START eventsource--><!--START whatwg-workers--><!--START workers--><!--START vocabs--><!--START vCard--><!--START vEvent--><!--START work-->
- <cite><a href="http://dev.w3.org/html5/spec/">HTML5</a></cite>,
- I. Hickson. W3C.</dd>
-<!--START complete--><!--START dev-html-->
+ <dd><cite><a href="http://www.whatwg.org/specs/web-apps/current-work/">HTML</a></cite>, I. Hickson. WHATWG.</dd>
<dt id="refsHTMLALTTECHS">[HTMLALTTECHS]</dt>
<dd>(Non-normative) <cite><a href="http://dev.w3.org/html5/alt-techniques/">HTML5: Techniques for providing useful text alternatives</a></cite>, S. Faulkner. W3C.</dd>
<dt id="refsHTMLDIFF">[HTMLDIFF]</dt>
- <!--
- <dd>(Non-normative) <cite><a
- href="http://www.w3.org/TR/html5-diff/">HTML5 differences from
- HTML4</a></cite>, A. van Kesteren. W3C.</dd>
- -->
- <dd>(Non-normative) <cite><a
- href="http://dev.w3.org/html5/html4-differences/">HTML5
- differences from HTML4</a></cite>, A. van Kesteren. W3C.</dd>
+ <dd>(Non-normative) <cite><a href="http://dev.w3.org/html5/html4-differences/">HTML5 differences from HTML4</a></cite>, S. Pieters. W3C.</dd>
<dt id="refsHTTP">[HTTP]</dt>
<dd><cite><a href="http://tools.ietf.org/html/rfc2616">Hypertext
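Review bot: This hunk bundles two unrelated changes that deserve a note in the commit message. Deleting the `<dt id="refsHTML5">` entry leaves any remaining `href="#refsHTML5"` citations dangling, and dropping the `<!--END complete-->` / `<!--START complete-->` markers around `refsHTML` means the [HTML] entry now also appears in the complete build; both should be confirmed as intended. The `[HTMLDIFF]` author also changes from A. van Kesteren to S. Pieters, which is a content correction rather than cleanup and is worth calling out separately.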
@@ -123765,20 +123729,10 @@ if (s = prompt('What is your name?')) {
<!-- search for ["Box Structure was and subsequent clauses were re-organized"] to find it -->
<dt id="refsMQ">[MQ]</dt>
- <!--
- <dd><cite><a href="http://www.w3.org/TR/css3-mediaqueries/">Media
- Queries</a></cite>, H. Lie, T. &Ccedil;elik, D. Glazman, A. van
- Kesteren. W3C.</dd>
- -->
- <dd><cite><a
- href="http://dev.w3.org/csswg/css3-mediaqueries/">Media
- Queries</a></cite>, H. Lie, T. &Ccedil;elik, D. Glazman, A. van
- Kesteren. W3C.</dd>
+ <dd><cite><a href="http://dev.w3.org/csswg/css3-mediaqueries/">Media Queries</a></cite>, H. Lie, T. &Ccedil;elik, D. Glazman, A. van Kesteren. W3C.</dd>
<dt id="refsNPAPI">[NPAPI]</dt>
- <dd>(Non-normative) <cite><a
- href="https://developer.mozilla.org/en/Gecko_Plugin_API_Reference">Gecko
- Plugin API Reference</a></cite>. Mozilla.</dd>
+ <dd>(Non-normative) <cite><a href="https://developer.mozilla.org/en/Gecko_Plugin_API_Reference">Gecko Plugin API Reference</a></cite>. Mozilla.</dd>
<dt id="refsNPN">[NPN]</dt>
<dd><cite><a href="http://tools.ietf.org/html/draft-agl-tls-nextprotoneg">Transport Layer Security (TLS) Next Protocol Negotiation Extension</a></cite>, A. Langley. IETF.</dd>
@@ -123810,6 +123764,9 @@ if (s = prompt('What is your name?')) {
<dd><cite><a href="http://www.w3.org/TR/PNG/">Portable Network
Graphics (PNG) Specification</a></cite>, D. Duce. W3C.</dd>
+ <dt id="refsPOINTERLOCK">[POINTERLOCK]</dt>
+ <dd><cite><a href="http://dvcs.w3.org/hg/pointerlock/raw-file/default/index.html">Pointer Lock</a></cite>, V. Scheib. W3C.</dd>
+
<dt id="refsPOLYGLOT">[POLYGLOT]</dt>
<dd>(Non-normative) <cite><a
href="http://dev.w3.org/html5/html-xhtml-author-guide/html-xhtml-authoring-guide.html">Polyglot
@@ -123827,18 +123784,14 @@ if (s = prompt('What is your name?')) {
<dd>(Non-normative) <cite><a href="http://www.sw.it.aoyama.ac.jp/2012/pub/IUC11-UTF-8.pdf">The Properties and Promises <!-- Promizes (sic) --> of UTF-8</a></cite>, M. D&uuml;rst. University of Z&uuml;rich. In <cite>Proceedings of the 11th International Unicode Conference</cite>.</dd>
<dt id="refsPROGRESS">[PROGRESS]</dt>
- <dd><cite><a
- href="http://dev.w3.org/2006/webapi/progress/">Progress
- Events</a></cite>, A. van Kesteren. W3C.</dd>
+ <dd><cite><a href="http://dev.w3.org/2006/webapi/progress/">Progress Events</a></cite>, A. van Kesteren. W3C.</dd>
<dt id="refsPSL">[PSL]</dt>
<dd><cite><a href="http://publicsuffix.org/">Public Suffix List</a></cite>.
Mozilla Foundation.</dd>
<dt id="refsRFC1034">[RFC1034]</dt>
- <dd><cite><a href="http://tools.ietf.org/html/rfc1034">Domain
- Names - Concepts and Facilities</a></cite>, P. Mockapetris. IETF,
- November 1987.</dd>
+ <dd><cite><a href="http://tools.ietf.org/html/rfc1034">Domain Names - Concepts and Facilities</a></cite>, P. Mockapetris. IETF, November 1987.</dd>
<dt id="refsRFC1321">[RFC1321]</dt>
<dd><cite><a href="http://tools.ietf.org/html/rfc1321">The MD5
