HTML Standard Tracker

Filter

File a bug

SVNBugCommentTime (UTC)
1643[Authors] [Conformance Checkers] [Gecko] [Internet Explorer] [Opera] [Webkit] * Add <iframe sandbox>, which supports:
- isolating frames in their own unique origin,
- disabling plugins
- disabling forms
- disabling scripts
- disabling navigating of other browsing contexts
- disabling popups and modal dialogs
* Make the spec well-defined in the face of browsers that disable scripting on a per-browsing-context basis, and use this for the concept of sandboxing scripts.
* Abstract out the concept of scripting being disabled, so that we don't have to refer to designMode all over the place.
* Add a note that <noscript> fails pretty badly with designMode. Add and update some XXX notes in various places.
* Require that Henri do the impossible by checking that scripts never cause non-conforming states to occur.
* Require that sets of space-separated tokens with lists of allowed values not use values outside of the allowed values.
2008-05-21 00:30
@@ -289,26 +289,26 @@
     irrelevant when the user cannot interact with the document, the UA
     would not need to support any of the focus-related DOM APIs.</p>
 
    </dd>
 
    <dt><dfn id="non-scripted">User agents with no scripting support</dfn></dt>
 
    <dd>
 
     <p>Implementations that do not support scripting (or which have
-    their scripting features <span title="scripting is
-    disabled">disabled</span>) are exempt from supporting the events
-    and DOM interfaces mentioned in this specification. For the parts
-    of this specification that are defined in terms of an events model
-    or in terms of the DOM, such user agents must still act as if
-    events and the DOM were supported.</p>
+    their scripting features disabled entirely) are exempt from
+    supporting the events and DOM interfaces mentioned in this
+    specification. For the parts of this specification that are
+    defined in terms of an events model or in terms of the DOM, such
+    user agents must still act as if events and the DOM were
+    supported.</p>
 
     <p class="note">Scripting can form an integral part of an
     application. Web browsers that do not support scripting, or that
     have scripting disabled, might be unable to fully convey the
     author's intent.</p>
 
    </dd>
 
    <dt>Conformance checkers</dt>
 
@@ -317,32 +317,35 @@
     <p>Conformance checkers must verify that a document conforms to
     the applicable conformance criteria described in this
     specification. Conformance checkers are exempt from detecting
     errors that require interpretation of the author's intent (for
     example, while a document is non-conforming if the content of a
     <code>blockquote</code> element is not a quote, conformance
     checkers do not have to check that <code>blockquote</code>
     elements only contain quoted material).</p>
 
     <p>Conformance checkers must check that the input document
-    conforms when <span>scripting is disabled</span>, and should also
-    check that the input document conforms when <span>scripting is
-    enabled</span>. (This is only a "SHOULD" and not a "MUST"
-    requirement because it has been proven to be impossible. <a
+    conforms when parsed without a <span>browsing context</span>
+    (meaning that no scripts are run, and that the parser's
+    <span>scripting flag</span> is disabled), and should also check
+    that the input document conforms when parsed with a <span>browsing
+    context</span> in which scripts execute, and that the scripts
+    never cause non-conforming states to occur. (This is only a
+    "SHOULD" and not a "MUST" requirement because it has been proven
+    to be impossible. <a
     href="#refsHALTINGPROBLEM">[HALTINGPROBLEM]</a>)</p> <!-- XXX
     [Computable] On computable numbers, with an application to the
     Entscheidungsproblem. Alan M. Turing. In Proceedings of the London
     Mathematical Society, series 2, volume 42, pages 230-265. London
     Mathematical Society,
     1937. http://www.turingarchive.org/browse.php/B/12 (referenced:
-    2007-03-03)
-    -->
+    2007-03-03) -->
 
     <p>The term "HTML5 validator" can be used to refer to a
     conformance checker that itself conforms to the applicable
     requirements of this specification.</p>
 
     <div class="note">
 
      <p>XML DTDs cannot express all the conformance requirements of
      this specification. Therefore, a validating XML processor and a
      DTD cannot constitute a conformance checker. Also, since neither
@@ -4375,20 +4378,27 @@ data:text/xml,<script xmlns="http://www.w3.org/1999/xhtml"><![CDATA[ alert('test
   characters</span>.</p>
 
   <p>An <dfn>unordered set of unique space-separated tokens</dfn> is a
   <span>set of space-separated tokens</span> where none of the words
   are duplicated.</p>
 
   <p>An <dfn>ordered set of unique space-separated tokens</dfn> is a
   <span>set of space-separated tokens</span> where none of the words
   are duplicated but where the order of the tokens is meaningful.</p>
 
+  <p><span title="set of space-separated tokens">Sets of
+  space-separated tokens</span> sometimes have a defined set of
+  allowed values. When a set of allowed values is defined, the tokens
+  must all be from that list of allowed values; other values are
+  non-conforming. If no such set of allowed values is provided, then
+  all values are conforming.</p>
+
   <p>When a user agent has to <dfn>split a string on spaces</dfn>, it
   must use the following algorithm:</p>
 
   <ol>
 
    <li><p>Let <var title="">input</var> be the string being
    parsed.</p></li>
 
    <li><p>Let <var title="">position</var> be a pointer into <var
    title="">input</var>, initially pointing at the start of the
@@ -12153,26 +12163,28 @@ the time Marco had stuck his tongue out...&lt;/p></pre>
   <dl class="element">
    <dt>Categories</dt>
    <dd><span>Embedded content</span>.</dd>
    <dt>Contexts in which this element may be used:</dt>
    <dd>Where <span>embedded content</span> is expected.</dd>
    <dt>Content model:</dt>
    <dd>Text that conforms to the requirements given in the prose.</dd>
    <dt>Element-specific attributes:</dt>
    <dd><code title="attr-iframe-src">src</code></dd>
    <dd><code title="attr-iframe-name">name</code></dd>
+   <dd><code title="attr-iframe-sandbox">sandbox</code></dd>
    <dd><code title="attr-iframe-seamless">seamless</code></dd>
    <dt>DOM interface:</dt>
    <dd>
 <pre class="idl">interface <dfn>HTMLIFrameElement</dfn> : <span>HTMLElement</span> {
            attribute DOMString <span title="dom-iframe-src">src</span>;
            attribute DOMString <span title="dom-iframe-name">name</span>;
+           attribute DOMString <span title="dom-iframe-sandbox">sandbox</span>;
            attribute DOMString <span title="dom-iframe-seamless">seamless</span>;<!--
   readonly attribute Document <span title="dom-iframe-contentDocument">contentDocument</span>;
   readonly attribute <span>Window</span> <span title="dom-iframe-contentWindow">contentWindow</span>;-->
 };</pre>
     <p>Objects implementing the <code>HTMLIFrameElement</code>
     interface must also implement the <code>EmbeddingElement</code>
     interface defined in the Window Object specification. <a
     href="#refsWINDOW">[WINDOW]</a></p> <!-- XXX -->
    </dd>
   </dl>
@@ -12232,20 +12244,145 @@ the time Marco had stuck his tongue out...&lt;/p></pre>
   context</span>, the <code>iframe</code> must <span>delay the <code
   title="event-load">load</code> event</span>.</p>
 
   <p class="note">If, during the handling of the <code
   title="event-load">load</code> event, the <span>browsing
   context</span> in the <code>iframe</code> is again <span
   title="navigate">navigated</span>, that will further <span>delay the
   <code title="event-load">load</code> event</span>.</p>
 
 
+  <p>The <dfn title="attr-iframe-sandbox"><code>sandbox</code></dfn>
+  attribute, when specified, enables a set of extra restrictions on
+  any content hosted by the <code>iframe</code>. Its value must be an
+  <span>unordered set of unique space-separated tokens</span>. The
+  allowed values are <code
+  title="attr-iframe-sandbox-xxx_origin_please_suggest_a_better_name">xxx_origin_please_suggest_a_better_name</code>,
+  <code
+  title="attr-iframe-sandbox-unrestricted-forms">unrestricted-forms</code>,
+  and <code
+  title="attr-iframe-sandbox-unrestricted-scripts">unrestricted-scripts</code>.</p>
+
+  <p>While the <code title="attr-iframe-sandbox">sandbox</code>
+  attribute is specified, the <code>iframe</code> element's
+  <span>nested browsing context</span>, and all the browsing contexts
+  <span title="nested browsing context">nested</span> within it
+  (either directly or indirectly through other nested browsing
+  contexts) must have the following flags set:</p>
+
+  <dl>
+
+   <dt>The <dfn>sandboxed navigation browsing context</dfn> flag</dt>
+
+   <dd>
+
+    <p>This flag <a href="#sandboxLinks">prevents content from
+    navigating browsing contexts other than the sandboxed browsing
+    context itself</a> (or browsing contexts further nested inside
+    it).</p>
+
+    <p>This flag also <a href="#sandboxWindowOpen">prevents content
+    from creating new auxiliary browsing contexts</a>, e.g. using the
+    <code title="attr-hyperlink-target">target</code> attribute or the
+    <code title="dom-window-open">window.open()</code> method.</p>
+
+   </dd>
+
+
+   <dt>The <dfn>sandboxed plugins browsing context</dfn> flag</dt>
+
+   <dd>
+
+    <p>This flag prevents content from instantiating third-party
+    handlers (i.e. plugins), whether using <a
+    href="#sandboxPluginEmbed">the <code>embed</code> element</a>, <a
+    href="#sandboxPluginObject">the <code>object</code> element</a>,
+    <a href="#sandboxPluginApplet">the <code>applet</code>
+    element</a>, or <a href="#sandboxPluginNavigate">through
+    navigation</a> of a <span>nested browsing context</span>.</p>
+
+   </dd>
+
+
+   <dt>The <dfn>sandboxed origin browsing context</dfn> flag, unless
+   the <code title="attr-iframe-sandbox">sandbox</code> attribute's
+   value, when <span title="split a string on spaces">split on
+   spaces</span>, is found to have the <dfn
+   title="attr-iframe-sandbox-xxx_origin_please_suggest_a_better_name"><code>xxx_origin_please_suggest_a_better_name</code></dfn>
+   keyword set</dt>
+
+   <dd>
+
+    <p>This flag <a href="#sandboxOrigin">forces content into a unique
+    origin</a> for the purposes of the <span
+    title="origin">same-origin policy</span>.</p>
+
+    <div class="note">
+
+     <p>The <code
+     title="attr-iframe-sandbox-xxx_origin_please_suggest_a_better_name">xxx_origin_please_suggest_a_better_name</code>
+     attribute is intended for two cases.</p>
+
+     <p>First, it can be used to allow content from the same site to
+     be sandboxed to disable scripting, while still allowing access to
+     the DOM of the sandboxed content.</p>
+
+     <p>Second, it can be used to embed content from a third-party
+     site, sandboxed to prevent that site from opening popup windows,
+     etc, without preventing the embedded page from communicating back
+     to its originating site, using the database APIs to store data,
+     etc.</p>
+
+    </div>
+
+    <p class="big-issue">Please don't implement this keyword using the
+    name "xxx_origin_please_suggest_a_better_name" -- please suggest a
+    better name first!</p>
+
+   </dd>
+
+
+   <dt>The <dfn>sandboxed forms browsing context</dfn> flag, unless
+   the <code title="attr-iframe-sandbox">sandbox</code> attribute's
+   value, when <span title="split a string on spaces">split on
+   spaces</span>, is found to have the <dfn
+   title="attr-iframe-sandbox-unrestricted-forms"><code>unrestricted-forms</code></dfn>
+   keyword set</dt>
+
+   <dd>
+
+    <p>This flag <a href="#sandboxSubmitBlocked">blocks form
+    submission</a>.</p>
+
+   </dd>
+
+
+   <dt>The <dfn>sandboxed scripts browsing context</dfn> flag, unless
+   the <code title="attr-iframe-sandbox">sandbox</code> attribute's
+   value, when <span title="split a string on spaces">split on
+   spaces</span>, is found to have the <dfn
+   title="attr-iframe-sandbox-unrestricted-scripts"><code>unrestricted-scripts</code></dfn>
+   keyword set</dt>
+
+   <dd>
+
+    <p>This flag <a href="#sandboxScriptBlocked">blocks script
+    execution</a>.</p>
+
+   </dd>
+
+  </dl>
+
+  <p>These flags must not be set unless the conditions listed above
+  define them as being set.</p>
+
+
   <p>The <dfn title="attr-iframe-seamless"><code>seamless</code></dfn>
   attribute is a boolean attribute. When specified, it indicates that
   the <code>iframe</code> element's <span>browsing context</span> is
   to be rendered in a manner that makes it appear to be part of the
   containing document (seamlessly included in the parent
   document). Specifically, when the attribute is set on an element and
   while the <span>browsing context</span>'s <span>active
   document</span> has the <span>same origin</span> as the
   <code>iframe</code> element's document, or the <span>browsing
   context</span>'s <span>active document</span>'s <em>URI</em> has the
@@ -12357,21 +12494,22 @@ the time Marco had stuck his tongue out...&lt;/p></pre>
     Gotta handle <script> elements inside <iframe>s that screw around with the DOM on the fly, or that use document.write().
     Gotta handle <iframe> elements created from script with text contents.
     Gotta handle the XML case.
    -->
 
   <p class="note">The <span>HTML parser</span> treats markup inside
   <code>iframe</code> elements as text.</p>
 
   <p>The DOM attributes <dfn
   title="dom-iframe-src"><code>src</code></dfn>, <dfn
-  title="dom-iframe-name"><code>name</code></dfn>, and <dfn
+  title="dom-iframe-name"><code>name</code></dfn>, <dfn
+  title="dom-iframe-sandbox"><code>sandbox</code></dfn>, and <dfn
   title="dom-iframe-seamless"><code>seamless</code></dfn> must
   <span>reflect</span> the content attributes of the same name.</p>
 
 
   <h4>The <dfn><code>embed</code></dfn> element</h4>
 
   <dl class="element">
    <dt>Categories</dt>
    <dd><span>Embedded content</span>.</dd>
    <dt>Contexts in which this element may be used:</dt>
@@ -12400,21 +12538,44 @@ the time Marco had stuck his tongue out...&lt;/p></pre>
 
   <p>The <code>embed</code> element represents an integration point
   for an external (typically non-HTML) application or interactive
   content.</p>
 
   <p>The <dfn title="attr-embed-src"><code>src</code></dfn> attribute
   gives the address of the resource being embedded. The attribute must
   be present and contain a URI (or IRI).</p>
 
   <p>If the <code title="attr-embed-src">src</code> attribute is
-  missing, then the <code>embed</code> element must be ignored.</p>
+  missing, then the <code>embed</code> element must be ignored (it
+  represents nothing).</p>
+
+  <p id="sandboxPluginEmbed">If the <span>sandboxed plugins browsing
+  context</span> flag is set on the <span>browsing context</span> for
+  which the <code>embed</code> element's document is the <span>active
+  document</span>, then the user agent must render the
+  <code>embed</code> element in a manner that conveys that the plugin
+  was disabled. The user agent may offer the user the option to
+  override the sandbox and instantiate the handler anyway; if the user
+  invokes such an option, the user agent must act as if the
+  <span>sandboxed plugins browsing context</span> flag was not set for
+  the purposes of this element.</p>
+
+  <p class="warning">Plugins are disabled in sandboxed browsing
+  contexts because they might not honour the restrictions imposed by
+  the sandbox (e.g. they might allow scripting even when scripting in
+  the sandbox is disabled). User agents should convey the danger of
+  overriding the sandbox to the user if an option to do so is
+  provided.</p>
+
+  <p>Otherwise, the <code title="attr-embed-src">src</code> attribute
+  is present, and the element is not in a sandboxed browsing
+  context:</p>
 
   <p>When the <code title="attr-embed-src">src</code> attribute is
   set, user agents are expected to find an appropriate handler for the
   specified resource, based on the <span
   title="concept-embed-type">content's type</span>, and hand that
   handler the content of the resource. If the handler supports a
   scriptable interface, the <code>HTMLEmbedElement</code> object
   representing the element should expose that interfaces.</p>
 
   <p>The download of the resource must <span>delay the <code
@@ -12457,22 +12618,21 @@ the time Marco had stuck his tongue out...&lt;/p></pre>
    <li>Otherwise, if the specified resource has <span
    title="Content-Type">explicit Content-Type metadata</span>, then
    that is the <span>content's type</span>.</li>
 
    <li>Otherwise, the content has no type and there can be no
    appropriate handler for it.</li>
 
   </ol>
 
   <p class="big-issue">Should we instead say that the content-sniffing
-  that we're going to define for top-level browsing contexts should
-  apply here?</p>
+  used for top-level browsing contexts should apply here?</p>
 
   <p class="big-issue">Should we require the type attribute to match
   the server information?</p>
 
   <p class="big-issue">We should say that 404s, etc, don't affect
   whether the resource is used or not. Not sure how to say it here
   though.</p>
 
   <p>Browsers should take extreme care when interacting with external
   content intended for third-party renderers. When third-party
@@ -12563,26 +12723,27 @@ the time Marco had stuck his tongue out...&lt;/p></pre>
   <code>object</code> element represents:</p>
 
   <ol>
 
    <li>
 
     <p>If the <code title="attr-object-classid">classid</code>
     attribute is present, and has a value that isn't the empty string,
     then: if the user agent can find a handler suitable according to
     the value of the <code title="attr-object-classid">classid</code>
-    attribute, then that handler <a href="#object-plugin">should be
-    used</a>, and the value of the <code
-    title="attr-object-data">data</code> attribute, if any, should be
-    passed to the handler. If no suitable handler can be found, or if
-    the handler reports an error, jump to the last step in the overall
-    set of steps (fallback).</p>
+    attribute, and <a href="#sandboxPluginObject">handlers aren't
+    being sandboxed</a>, then that handler <a
+    href="#object-plugin">should be used</a>, and the value of the
+    <code title="attr-object-data">data</code> attribute, if any,
+    should be passed to the handler. If no suitable handler can be
+    found, or if the handler reports an error, jump to the last step
+    in the overall set of steps (fallback).</p>
 
     <!--
      case insensitive:
       is "clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" -> application/x-shockwave-flash
       is "clsid:cfcdaa03-8be4-11cf-b84b-0020afbbccfa" -> audio/x-pn-realaudio-plugin
       is "clsid:02bf25d5-8c17-4b23-bc80-d3488abddc6b" -> video/quicktime
       is "clsid:166b1bca-3f9c-11cf-8075-444553540000" -> application/x-director
       is "clsid:6bf52a52-394a-11d3-b153-00c04f79faa6" -> application/x-mplayer2
       starts with "java:"                             -> application/x-java-vm
       starts with "clsid:"                            -> application/x-oleobject
@@ -12670,21 +12831,23 @@ the time Marco had stuck his tongue out...&lt;/p></pre>
       </ol>
 
      </li>
 
      <li><p>Handle the content as given by the first of the following
      cases that matches:</p>
 
       <dl class="switch">
 
        <dt>If the <var title="">resource type</var> can be handled by
-       a special handler (e.g. a plugin)</dt>
+       a special handler (e.g. a plugin), and <a
+       href="#sandboxPluginObject">handlers aren't being
+       sandboxed</a></dt>
 
        <dd>
 
         <p>The user agent <a href="#object-plugin">should use that
         handler</a> and pass the content of the resource to that
         handler. If the handler reports an error, then jump to the
         last step in the overall set of steps (fallback).</p>
 
        </dd>
 
@@ -12765,21 +12928,22 @@ the time Marco had stuck his tongue out...&lt;/p></pre>
      title="event-load">load</code> event</span> at the
      element.</p></li> <!-- XXX ordering of events (like with iframe)
      -->
 
     </ol>
 
    </li>
 
    <li><p>If the <code title="attr-object-data">data</code> attribute
    is absent but the <code title="attr-object-type">type</code>
-   attribute is present, and if the user agent can find a handler
+   attribute is present, <a href="#sandboxPluginObject">handlers
+   aren't being sandboxed</a>, and the user agent can find a handler
    suitable according to the value of the <code
    title="attr-object-type">type</code> attribute, then that handler
    <a href="#object-plugin">should be used</a>. If no suitable handler
    can be found, or if the handler reports an error, jump to the next
    step (fallback).</p></li>
 
    <li><p>(Fallback.) The <code>object</code> element represents what
    the element's contents represent, ignoring any leading
    <code>param</code> element children. This is the element's
    <span>fallback content</span>.</li>
@@ -12788,20 +12952,27 @@ the time Marco had stuck his tongue out...&lt;/p></pre>
 
   <p id="object-plugin">When the algorihm above instantiates a
   handler, the user agent should pass the names and values of all the
   <span title="concept-param-parameter">parameters</span> given by
   <code>param</code> elements that are children of the
   <code>object</code> element to the handler used. If the handler
   supports a scriptable interface, the <code>HTMLObjectElement</code>
   object representing the element should expose that interface. The
   handler is not a nested <span>browsing context</span>.</p>
 
+  <p id="sandboxPluginObject">If the <span>sandboxed plugins browsing
+  context</span> flag is set on the <span>browsing context</span> for
+  which the <code>object</code> element's document is the <span>active
+  document</span>, then the steps above must always act as if they had
+  failed to find a handler, even if one would otherwise have been
+  used.</p>
+
   <!-- duplicates what's in <embed> section above -->
   <p class="note">The <code>object</code> element can, in certain
   cases as described above, instantiate third-party handlers. This
   specification does not define a mechanism for interacting with
   third-party handlers, as it is expected to be
   user-agent-specific. Some UAs might opt to support a plugin
   mechanism such as the Netscape Plugin API; others may use remote
   content convertors or have built-in support for certain types. <a
   href="#refsNPAPI">[NPAPI]</a></p>
 
@@ -15075,28 +15246,28 @@ the time Marco had stuck his tongue out...&lt;/p></pre>
   title="dom-voidCallback-handleEvent"><code>handleEvent</code></dfn>
   method of objects implementing the <code>VoidCallback</code>
   interface is the entrypoint for the callback represented by the
   object.</p>
 
 
   <h5>User interface</h5>
 
   <p>The <dfn title="attr-media-controls"><code>controls</code></dfn>
   attribute is a <span>boolean attribute</span>. If the attribute is
-  present, or if <span>scripting is disabled</span>, then the user
-  agent should <dfn>expose a user interface to the user</dfn>. This
-  user interface should include features to begin playback, pause
-  playback, seek to an arbitrary position in the content (if the
-  content supports arbitrary seeking), change the volume, and show the
-  media content in manners more suitable to the user (e.g. full-screen
-  video or in an independent resizable window). Other controls may
-  also be made available.</p>
+  present, or if the <span>media element</span> is <span>without
+  script</span>, then the user agent should <dfn>expose a user
+  interface to the user</dfn>. This user interface should include
+  features to begin playback, pause playback, seek to an arbitrary
+  position in the content (if the content supports arbitrary seeking),
+  change the volume, and show the media content in manners more
+  suitable to the user (e.g. full-screen video or in an independent
+  resizable window). Other controls may also be made available.</p>
 
   <p>If the attribute is absent, then the user agent should avoid
   making a user interface available that could conflict with an
   author-provided user interface. User agents may make the following
   features available, however, even when the attribute is absent:</p>
 
   <p>User agents may provide controls to affect playback of the media
   resource (e.g. play, pause, seeking, and volume controls), but such
   features should not interfere with the page's normal rendering. For
   example, such features could be exposed in the <span>media
@@ -15438,36 +15609,37 @@ the time Marco had stuck his tongue out...&lt;/p></pre>
   elements (typically <code>h1</code>) and then styled using CSS and
   supporting technologies such as XBL.</p>
 
   <p>When authors use the <code>canvas</code> element, they should
   also provide content that, when presented to the user, conveys
   essentially the same function or purpose as the bitmap canvas. This
   content may be placed as content of the <code>canvas</code>
   element. The contents of the <code>canvas</code> element, if any,
   are the element's <span>fallback content</span>.</p>
 
-  <p>In interactive visual media with <span>scripting enabled</span>,
-  the canvas element is an embedded element with a dynamically created
-  image.</p>
+  <p>In interactive visual media, if the <code>canvas</code> element
+  is <span>with script</span>, the <code>canvas</code> element
+  represents an embedded element with a dynamically created image.</p>
 
   <p>In non-interactive, static, visual media, if the
   <code>canvas</code> element has been previously painted on (e.g. if
   the page was viewed in an interactive visual medium and is now being
   printed, or if some script that ran during the page layout process
-  painted on the element), then the <code>canvas</code> element must
-  be treated as <span>embedded content</span> with the current image
-  and size. Otherwise, the element's <span>fallback content</span>
-  must be used instead.</p>
+  painted on the element), then the <code>canvas</code> element
+  represents <span>embedded content</span> with the current image and
+  size. Otherwise, the element represents its <span>fallback
+  content</span> instead.</p>
 
-  <p>In non-visual media, and in visual media with <span>scripting
-  disabled</span>, the <code>canvas</code> element's <span>fallback
-  content</span> must be used instead.</p>
+  <p>In non-visual media, and in visual media if the
+  <code>canvas</code> element is <span>without script</span>, the
+  <code>canvas</code> element represents its <span>fallback
+  content</span> instead.</p>
 
   <p>The <code>canvas</code> element has two attributes to control the
   size of the coordinate space: <dfn
   title="attr-canvas-width"><code>width</code></dfn> and <dfn
   title="attr-canvas-height"><code>height</code></dfn>. These
   attributes, when specified, must have values that are <span
   title="valid non-negative integer">valid non-negative
   integers</span>. The <span>rules for parsing non-negative
   integers</span> must be used to obtain their numeric values. If an
   attribute is missing, or if parsing its value returns an error, then
@@ -20681,20 +20853,24 @@ XXXDVT (also check for '- -' bits in the part above) -->
   <h4>The <code>output</code> element</h4>
 
   <h4>Processing model</h4>
 
   <p class="big-issue">See <a href="http://www.whatwg.org/specs/web-forms/current-work/#extend-form-controls">WF2</a> for now</p>
 
   <h5>Form submission</h5>
 
   <p class="big-issue">See <a href="http://www.whatwg.org/specs/web-forms/current-work/#form-submission">WF2</a> for now</p>
 
+  <p class="big-issue" id="sandboxSubmitBlocked">If a form is in a
+  browsing context whose <span>sandboxed forms browsing context</span>
+  is set, it must not be submitted.</p>
+
 
 
   <h3>Scripting</h3>
 
   <p>Scripts allow authors to add interactivity to their documents.</p>
 
   <p>Authors are encouraged to use declarative alternatives to
   scripting where possible, as declarative mechanisms are often more
   maintainable, and many users disable scripting.</p>
 
@@ -20891,28 +21067,27 @@ XXXDVT (also check for '- -' bits in the part above) -->
 
     <p>Otherwise, let <var>the script's character encoding</var> for
     this <code>script</code> element be the same as <span
     title="document's character encoding">the encoding of the document
     itself</span>.</p>
 
    </li>
 
    <li>
 
-    <p>If <span>scripting is disabled</span>, or if the
-    <code>Document</code> has <code
-    title="dom-document-designMode">designMode</code> enabled, or if
-    the <code>script</code> element was created by an <span>XML
-    parser</span> that itself was created as part of the processing of
-    the <code title="dom-innerHTML-XML">innerHTML</code> attribute's
-    setter<!-- no need to worry about the innerHTML-HTML case, as the
-    HTML parser handles that for us-->, or if the user agent does not
+    <p>If the <code>script</code> element is <span>without
+    script</span>, or if the <code>script</code> element was created
+    by an <span>XML parser</span> that itself was created as part of
+    the processing of the <code
+    title="dom-innerHTML-XML">innerHTML</code> attribute's setter<!--
+    no need to worry about the innerHTML-HTML case, as the HTML parser
+    handles that for us-->, or if the user agent does not
     <span>support the scripting language</span> given by <var>the
     script's type</var> for this <code>script</code> element, or if
     the <code>script</code> element has its <span>"already
     executed"</span> flag set, then the user agent must abort these
     steps at this point. The script is not executed.</p>
 
    </li>
 
    <li>
 
@@ -21174,26 +21349,23 @@ XXXDVT (also check for '- -' bits in the part above) -->
    event</span> at the element.</p></dd>
 
    <dt>If the load was successful</dt>
 
    <dd>
 
     <ol>
 
      <li>
 
-      <p>If <span>scripting is enabled</span>, and the
-      <code>Document</code> does not have <code
-      title="dom-document-designMode">designMode</code> enabled, and the
-      <code>Document</code> is the <span>active document</span> in its
-      <span>browsing context</span>, the user agent must execute the
-      script:</p>
+      <p>If the <code>script</code> element's <code>Document</code> is
+      the <span>active document</span> in its <span>browsing
+      context</span>, the user agent must execute the script:</p>
 
       <dl class="switch">
 
        <dt>If the script is from an external file</dt>
 
        <dd>
 
         <p>That file must be used as the file to execute.</p>
 
         <p>The file must be interpreted using the character encoding
@@ -21224,21 +21396,21 @@ XXXDVT (also check for '- -' bits in the part above) -->
        </dd>
 
       </dl>
 
       <p>In any case, the user agent must execute the script according to
       the semantics defined by the language associated with <var>the
       script's type</var> (see the <a href="#scriptingLanguages">scripting
       languages</a> section below).</p>
 
       <p>Scripts must be executed in the scope of the <span>browsing
-      context</span> of the element's <code>Document</code>. That
+      context</span> of the element's <code>Document</code>. The
       <span>script execution browsing context</span> is that browsing
       context.</p>
 
       <p class="note">The element's attributes' values might have changed
       between when the element was inserted into the document and when the
       script has finished loading, as may its other attributes; similarly,
       the element itself might have been taken back out of the DOM, or had
       other changes made. These changes do not in any way affect the above
       steps; only the values of the attributes at the time the
       <code>script</code> element is first inserted into the document
@@ -21312,72 +21484,73 @@ XXXDVT (also check for '- -' bits in the part above) -->
   <h4>The <dfn><code>noscript</code></dfn> element</h4>
 
   <dl class="element">
    <dt>Categories</dt>
    <dd><span>Metadata content</span>.</dd>
    <dd><span>Phrasing content</span>.</dd>
    <dt>Contexts in which this element may be used:</dt>
    <dd>In a <code>head</code> element of an <span title=">HTML documents">HTML document</span>, if there are no ancestor <code>noscript</code> elements.</dd>
    <dd>Where <span>phrasing content</span> is expected in <span>HTML documents</span>, if there are no ancestor <code>noscript</code> elements.</dd>
    <dt>Content model:</dt>
-   <dd>When <span>scripting is disabled</span>, in a <code>head</code> element: in any order, zero or more <code>link</code> elements, zero or more <code>style</code> elements, and zero or more <code>meta</code> elements.</dd>
-   <dd>When <span>scripting is disabled</span>, not in a <code>head</code> element: <span>transparent</span>, but there must be no <code>noscript</code> element descendants.</dd>
-   <dd>When <span>scripting is enabled</span>: text that conforms to the requirements given in the prose.</dd>
+   <dd><span>Without script</span>, in a <code>head</code> element: in any order, zero or more <code>link</code> elements, zero or more <code>style</code> elements, and zero or more <code>meta</code> elements.</dd>
+   <dd><span>Without script</span>, not in a <code>head</code> element: <span>transparent</span>, but there must be no <code>noscript</code> element descendants.</dd>
+   <dd><span>With script</span>: text that conforms to the requirements given in the prose.</dd>
    <dt>Element-specific attributes:</dt>
    <dd>None.</dd>
    <dt>DOM interface:</dt>
    <dd>Uses <code>HTMLElement</code>.</dd>
   </dl>
 
   <p>The <code>noscript</code> element does not represent anything. It
   is used to present different markup to user agents that support
   scripting and those that don't support scripting, by affecting how
   the document is parsed.</p>
 
   <p>The <code>noscript</code> element must not be used in <span>XML
   documents</span>.</p>
 
   <p class="note"><strong>The <code>noscript</code> element is only
   effective in the <span title="">HTML serialisation</span><!-- XXX
   xref -->, it has no effect in the <span title="">XML
   serialisation</span><!-- XXX xref -->.</strong></p>
 
   <p>When used in <span>HTML documents</span>, the allowed content
-  model depends on whether scripting is enabled or not, and whether
-  the element is in a <code>head</code> element or not.</p>
-
-  <p>In a <code>head</code> element, if <span>scripting is
-  disabled</span>, then the content model of a <code>noscript</code>
-  element must contain only <code>link</code>, <code>style</code>, and
-  <code>meta</code> elements. If <span>scripting is enabled</span>,
-  then the content model of a <code>noscript</code> element is text,
-  except that invoking the <span>HTML fragment parsing
-  algorithm</span> with the <code>noscript</code> element as the <var
-  title="">context</var> element and the text contents as the <var
-  title="">input</var> must result in a list of nodes that consists
-  only of <code>link</code>, <code>style</code>, and <code>meta</code>
-  elements.</p>
-
-  <p>Outside of <code>head</code> elements, if <span>scripting is
-  disabled</span>, then the content model of a <code>noscript</code>
-  element is <span>transparent</span>, with the additional restriction
-  that a <code>noscript</code> element must not have a
-  <code>noscript</code> element as an ancestor (that is,
-  <code>noscript</code> can't be nested).</p>
-
-  <p>Outside of <code>head</code> elements, if <span>scripting is
-  enabled</span>, then the content model of a <code>noscript</code>
-  element is text, except that the text must be such that running the
-  following algorithm results in a conforming document with no
-  <code>noscript</code> elements and no <code>script</code> elements,
-  and such that no step in the algorithm causes an <span>HTML
-  parser</span> to flag a <span>parse error</span>:</p>
+  model is as follows:</p>
+
+  <p>In a <code>head</code> element, if the <code>noscript</code>
+  element is <span>without script</span>, then the content model of a
+  <code>noscript</code> element must contain only <code>link</code>,
+  <code>style</code>, and <code>meta</code> elements. If the
+  <code>noscript</code> element is <span>with script</span>, then the
+  content model of a <code>noscript</code> element is text, except
+  that invoking the <span>HTML fragment parsing algorithm</span> with
+  the <code>noscript</code> element as the <var title="">context</var>
+  element and the text contents as the <var title="">input</var> must
+  result in a list of nodes that consists only of <code>link</code>,
+  <code>style</code>, and <code>meta</code> elements.</p>
+
+  <p>Outside of <code>head</code> elements, if the
+  <code>noscript</code> element is <span>without script</span>, then
+  the content model of a <code>noscript</code> element is
+  <span>transparent</span>, with the additional restriction that a
+  <code>noscript</code> element must not have a <code>noscript</code>
+  element as an ancestor (that is, <code>noscript</code> can't be
+  nested).</p>
+
+  <p>Outside of <code>head</code> elements, if the
+  <code>noscript</code> element is <span>with script</span>, then the
+  content model of a <code>noscript</code> element is text, except
+  that the text must be such that running the following algorithm
+  results in a conforming document with no <code>noscript</code>
+  elements and no <code>script</code> elements, and such that no step
+  in the algorithm causes an <span>HTML parser</span> to flag a
+  <span>parse error</span>:</p>
 
   <ol>
 
    <li>Remove every <code>script</code> element from the
    document.</li>
 
    <li>Make a list of every <code>noscript</code> element in the
    document. For every <code>noscript</code> element in that list,
    perform the following steps:
 
@@ -21413,29 +21586,36 @@ XXXDVT (also check for '- -' bits in the part above) -->
      relative order.</li>
 
     </ol>
 
    </li>
 
   </ol>
 
   <p>The <code>noscript</code> element has no other requirements. In
   particular, children of the <code>noscript</code> element are not
-  exempt from form submission, scripting, and so forth, even when
-  scripting is enabled.</p>
+  exempt from form submission, scripting, and so forth, even when the
+  element is <span>with script</span>.</p>
 
   <p class="note">All these contortions are required because, for
-  historical reasons, the <code>noscript</code> element causes the
-  <span>HTML parser</span> to act differently based on whether
-  scripting is enabled or not. The element is not allowed in XML,
-  because in XML the parser is not affected by such state, and thus
-  the element would not have the desired effect.</p>
+  historical reasons, the <code>noscript</code> element is handled
+  differently by the <span>HTML parser</span> based on whether <span
+  title="scripting flag">scripting was enabled or not</span> when the
+  parser was invoked. The element is not allowed in XML, because in
+  XML the parser is not affected by such state, and thus the element
+  would not have the desired effect.</p>
+
+  <p class="note">The <code>noscript</code> element interacts poorly
+  with the <code title="dom-document-designMode">designMode</code>
+  feature. Authors are encouraged to not use <code>noscript</code>
+  elements on pages that will have <code
+  title="dom-document-designMode">designMode</code> enabled.</p>
 
 
   <h4>The <dfn><code>event-source</code></dfn> element</h4>
 
   <dl class="element">
    <dt>Categories</dt>
    <dd><span>Metadata content</span>.</dd>
    <dd><span>Phrasing content</span>.</dd>
    <dt>Contexts in which this element may be used:</dt>
    <dd>Where <span>metadata content</span> is expected.</dd>
@@ -24802,26 +24982,25 @@ XXX selection ranges -->
 
 
   <h5>The <code title="attr-template">template</code> attribute</h5>
 
   <p><dfn title="datatemplate-template-set">Setting</dfn>: When an
   <span title="HTML elements">HTML element</span> without a <code
   title="attr-template">template</code> attribute has its <code
   title="attr-template">template</code> attribute set, the user agent
   must fetch the specified file<!-- XXX or queue it up to be fetched,
   or something --> and parse it (without a <span>browsing
-  context</span>, and with <span>scripting disabled</span><!-- XXX
-  xref -->) to obtain a DOM. If the URI is the same as the URI of the
-  current document<!-- XXX xref -->, then the current document's DOM
-  must be assumed to be that parsed DOM. While this loading and
-  parsing is in progress, the element is said to be <em>busy loading
-  the template rules or data</em>.</p>
+  context</span>) to obtain a DOM. If the URI is the same as the URI
+  of the current document<!-- XXX xref -->, then the current
+  document's DOM must be assumed to be that parsed DOM. While this
+  loading and parsing is in progress, the element is said to be
+  <em>busy loading the template rules or data</em>.</p>
 
   <p>If the resource specified by the <code
   title="attr-template">template</code> attribute is not the current
   document<!-- XXX xref --> and does not have an XML MIME type, or if
   an XML parse error is found while parsing the resource, then the
   resource cannot be successfully parsed, and the user agent must jump
   to the <span title="datatemplate-template-failed">failed to
   parse</span> steps below.</p>
 
   <p>Once the DOM in question has been parsed, assuming that it indeed
@@ -24930,27 +25109,26 @@ XXX selection ranges -->
   attribute must have the value null.</p>
 
 
   <h5>The <code title="attr-ref">ref</code> attribute</h5>
 
   <p><dfn title="datatemplate-ref-set">Setting</dfn>: When an <span
   title="HTML elements">HTML element</span> without a <code
   title="attr-ref">ref</code> attribute has its <code
   title="attr-ref">ref</code> attribute set, the user agent must fetch
   the specified file<!-- XXX or queue it up to be fetched, or
-  something --> and parse it (without a <span>browsing context</span>,
-  and with <span>scripting disabled</span><!-- XXX xref -->) to obtain
-  a DOM. If the URI is the same as the URI of the current document<!--
-  XXX xref -->, then the current document's DOM is assumed to be that
-  parsed DOM. While this loading and parsing is in progress, the
-  element is said to be <em>busy loading the template rules or
-  data</em>.</p>
+  something --> and parse it (without a <span>browsing context</span>)
+  to obtain a DOM. If the URI is the same as the URI of the current
+  document<!-- XXX xref -->, then the current document's DOM is
+  assumed to be that parsed DOM. While this loading and parsing is in
+  progress, the element is said to be <em>busy loading the template
+  rules or data</em>.</p>
 
   <p>If the resource specified by the <code
   title="attr-ref">ref</code> attribute is not the current
   document<!-- XXX xref --> and does not have an XML MIME type, or if
   an XML parse error is found while parsing the resource, then the
   resource cannot be successfully parsed, and the user agent must jump
   to the <span title="datatemplate-ref-failed">failed to parse</span>
   steps below.</p>
 
   <p>Once the DOM in question has been parsed, assuming that it indeed
@@ -25832,20 +26010,33 @@ never reset. This is nice and consistent.)
    </li>
 
    <li>
 
     <p>Otherwise, a new browsing context is being requested, and what
     happens depends on the user agent's configuration and/or
     abilities:</p>
 
     <dl>
 
+     <dt id="sandboxWindowOpen">If the current browsing context has
+     the <span>sandboxed navigation browsing context</span> flag
+     set.</dt>
+
+     <dd>The user agent may offer to create a new <span>top-level
+     browsing context</span> or reuse an existing <span>top-level
+     browsing context</span>. If the user picks one of those options,
+     then the designated browsing context must be the chosen one (the
+     browsing context's name isn't set to the given browsing context
+     name). Otherwise (if the user agent doesn't offer the option to
+     the user, or if the user declines to allow a browsing context to
+     be used) there must not be a chosen browsing context.</dd>
+
      <dt>If the user agent has been configured such that in this
      instance it will create a new browsing context</dt>
 
      <dd>A new <span>auxiliary browsing context</span> must be
      created, with the <span>opener browsing context</span> being the
      current one. If the given browsing context name is not <code
      title="">_blank</code>, then the new auxiliary browsing context's
      name must be the given browsing context name (otherwise, it has
      no name). The chosen browsing context must be this new browsing
      context. If it is immediately <span
@@ -26313,20 +26504,28 @@ never reset. This is nice and consistent.)
     origin</span> of the owner.</p>
 
    </dd>
 
    <dt>For <code>Document</code> objects and images</dt>
 
    <dd>
 
     <dl class="switch">
 
+     <dt id="sandboxOrigin">If a <code>Document</code> is in a
+     <span>browsing context</span> whose <span>sandboxed origin
+     browsing context</span> is set</dt>
+
+     <dd>The <span>origin</span> is a globally unique identifier
+     assigned when the <code>Document</code> is created.</dd>
+
+
      <dt>If a <code>Document</code> or image was returned by the
      <code>XMLHttpRequest</code> API</dt>
 
      <dd>The <span>origin</span> and <span>effective script
      origin</span> are equal to the <span>origin</span> and
      <span>effective script origin</span> of the <code>Document</code>
      object that was the <span>active document</span> of the
      <code>Window</code> object of the browsing context from which the
      <code>XMLHttpRequest</code> constructor was invoked. (That is,
      they track the <code>Document</code> to which the
@@ -26602,38 +26801,81 @@ never reset. This is nice and consistent.)
    <li>Event handlers, whether registered through the DOM using <code
    title="">addEventListener()</code>, by explicit <span>event handler
    content attributes</span>, by <span>event handler DOM
    attributes</span>, or otherwise.</li>
 
    <li>Processing of technologies like XBL or SVG that have their own
    scripting features.</li>
 
   </ul>
 
-  <p>User agents may provide a mechanism to enable or disable the
-  execution of author-provided code. When the user agent is configured
-  such that author-provided code does not execute, or if the user
-  agent is implemented so as to never execute author-provided code, it
-  is said that <dfn>scripting is disabled</dfn>. When author-provided
-  code <em>does</em> execute, <dfn>scripting is enabled</dfn>. A user
-  agent with scripting disabled is a <span title="User agents with no
-  scripting support">user agent with no scripting support</span> for
-  the purposes of conformance.</p>
 
-  
 
   <h4>Script execution contexts</h4>
 
   <p>The <dfn>script execution browsing context</dfn> of a script is
   defined when that script is created. It is typically the
   <span>browsing context</span> of the <code>Window</code> object that
-  is being used as the script's dereference context..</p>
+  is being used as the script's dereference context.</p>
+
+  <p>All <span title="browsing context">browsing contexts</span> are,
+  by definition, potential <span title="script execution browsing
+  context">script execution browsing contexts</span>.</p>
+
+  <p>It is said that <dfn>scripting is disabled</dfn> in a
+  <span>script execution browsing context</span> when any of the
+  following conditions are true:</p>
+
+  <ul>
+
+   <li>The user agent does not support scripting.</li>
+
+   <li>The user has disabled scripting for this <span>script execution
+   browsing context</span>. (User agents may provide users with the
+   option to disable scripting globally, on a per-origin basis, or in
+   other ways down to the granularity of individual <span
+   title="script execution browsing context">script execution browsing
+   contexts</span>.)</li>
+
+   <li id="designModeScriptBlocked">The <span>script execution
+   browsing context</span> is a <span>browsing context</span> whose
+   <span>active document</span> has <code
+   title="dom-document-designMode">designMode</code> enabled.</li>
+
+   <li id="sandboxScriptBlocked">The <span>script execution browsing
+   context</span> is a <span>browsing context</span> whose
+   <span>sandboxed scripts browsing context</span> flag is set.</li>
+
+  </ul>
+
+  <p>A node is said to be <dfn>without script</dfn> if either the
+  <code>Document</code> object of the node (the node itself, it is
+  itself a <code>Document</code> object) does not have an associated
+  <span>browsing context</span>, or <span>scripting is disabled</span>
+  in that <span>browsing context</span>.</p>
+
+  <p>A node is said to be <dfn>with script</dfn> if it is not
+  <span>without script</span>.</p>
+
+  <p class="big-issue">If you can find a better pair of terms than
+  "with script" and "without script" let me know. The only things I
+  can find that are less confusing are also way, way longer.</p>
+
+  <p>When a script is to be executed in a <span>script execution
+  browsing context</span> in which <span>scripting is disabled</span>,
+  the script must do nothing and return nothing (a void return
+  value).</p>
+
+  <p class="note">Thus, for instance, enabling <code
+  title="dom-document-designMode">designMode</code> will disable any
+  event handler attributes, event listeners, timeouts, etc, that were
+  set by scripts in the document.</p>
 
 
 
   <h4>Security exceptions</h4>
 
   <p class="big-issue">Define <dfn>security exception</dfn>.</p>
 
 
   <h4 id="javascript-protocol"><dfn title="javascript protocol">The <code title="">javascript:</code> protocol</dfn></h4>
 
@@ -26662,25 +26904,21 @@ JSURI: http://ietfreport.isoc.org/all-ids/draft-hoehrmann-javascript-scheme-00.t
   and the <span>active document</span> of that browsing context has a
   an <span>origin</span> that is <em>not</em> the <span title="same
   origin">same</span> as that of the script given by the URI, the
   dereference context must be an empty object.</p>
 -->
 
   <p>Otherwise, the dereference context must be an empty object, and
   there is no <span>script execution browsing context</span>.</p>
 
   <p>URIs using the <code title="">javascript:</code> protocol should
-  be evaluated when the resource for that URI is needed, unless
-  <span>scripting is disabled</span> or the <code>Document</code>
-  corresponding to the dereference context (as defined above), if any,
-  has <code title="dom-document-designMode">designMode</code>
-  enabled.</p>
+  be evaluated when the resource for that URI is needed.</p>
 
   <p>If the dereference by-product is void (there is no return value),
   then the URI must be treated in a manner equivalent to an HTTP
   resource with an HTTP 204 No Content response.</p>
 
   <p>Otherwise, the URI must be treated in a manner equivalent to an
   HTTP resource with a 200 OK response whose <span
   title="Content-Type">Content-Type metadata</span> is <code
   title="">text/html</code> and whose response body is the dereference
   by-product, converted to a string value.</p>
@@ -27027,44 +27265,39 @@ JSURI: http://ietfreport.isoc.org/all-ids/draft-hoehrmann-javascript-scheme-00.t
   <p>When an event handler attribute is invoked, its argument must be
   set to the <code>Event</code> object of the event in question. If
   the function returns the exact boolean value false, the event's
   <code>preventDefault()</code> method must then invoked. Exception:
   for historical reasons, for the HTML <code>mouseover</code> event,
   the <code>preventDefault()</code> method must be called when the
   function returns true instead.</p>
 
   <!-- IE actually uncancels the event if the function returns true -->
 
-
-  <p>When <span>scripting is disabled</span>, event handler attributes
-  must do nothing.</p>
-
-  <!-- XXX arguments should use <var>, not <code>: --> <p>When
-  <span>scripting is enabled</span>, all event handler attributes on
-  an element, whether set to null or to a function, must be registered
-  as event listeners on the element, as if the <code
+  <p>All event handler attributes on an element, whether set to null
+  or to a function, must be registered as event listeners on the
+  element, as if the <code
   title="dom-EventTarget-addEventListenerNS">addEventListenerNS()</code>
   method on the <code>Element</code> object's <code>EventTarget</code>
   interface had been invoked when the element was created, with the
-  event type (<code title="dom-event-type">type</code> argument) equal
+  event type (<var title="dom-event-type">type</var> argument) equal
   to the type described for the event handler attribute in the list
-  above, the namespace (<code
-  title="dom-event-namespaceURI">namespaceURI</code> argument) set to
+  above, the namespace (<var
+  title="dom-event-namespaceURI">namespaceURI</var> argument) set to
   null, the listener set to be a target and bubbling phase listener
-  (<code title="dom-event-useCapture">useCapture</code> argument set
-  to false), the event group set to the default group (<code
-  title="dom-event-evtGroup">evtGroup</code> argument set to null),
-  and the event listener itself (<code
-  title="dom-event-listener">listener</code> argument) set to do
+  (<var title="dom-event-useCapture">useCapture</var> argument set to
+  false), the event group set to the default group (<var
+  title="dom-event-evtGroup">evtGroup</var> argument set to null), and
+  the event listener itself (<var
+  title="dom-event-listener">listener</var> argument) set to do
   nothing while the event handler attribute is null, and set to invoke
   the function associated with the event handler attribute
-  otherwise. (The <code title="dom-event-listener">listener</code>
+  otherwise. (The <var title="dom-event-listener">listener</var>
   argument is emphatically <em>not</em> the event handler attribute
   itself.)</p>
 
 
   <h5>Event firing</h5>
 
   <p class="big-issue">maybe this should be moved higher up
   (terminology? conformance? DOM?) Also, the whole terminology thing
   should be changed so that we don't define any specific events here,
   we only define 'simple event', 'progress event', 'mouse event', 'key
@@ -29786,20 +30019,35 @@ user reload must be equivalent to .reload()
   cause a browsing context to navigate.</p>
 
   <p>A user agent may also provide various ways for the user to
   explicitly cause a browsing context to navigate.</p>
 
   <p>When a browsing context is navigated, the user agent must run the
   following steps:</p>
 
   <ol>
 
+   <li id="sandboxLinks"><p>If the <span>source browsing
+   context</span> is not the same as the <span>browsing context</span>
+   being navigated, and the <span>source browsing context</span> is
+   not one of the <span title="ancestor browsing context">ancestor
+   browsing contexts</span> of the <span>browsing context</span> being
+   navigated, and the <span>source browsing context</span> has its
+   <span>sandboxed navigation browsing context</span> flag set, then
+   abort these steps. The user agent may offer to open the specified
+   resource in a new <span>top-level browsing context</span> or in the
+   <span>top-level browsing context</span> of the <span>source
+   browsing context</span>, at the user's option, in which case the
+   user agent must <span>navigate</span> that designated
+   <span>top-level browsing context</span> to the specified resource
+   as if the user had requested it independently.</p></li>
+
    <li id="seamlessLinks"><p>If the <span>source browsing
    context</span> is the same as the <span>browsing context</span>
    being navigated, and this browsing context has its <span>seamless
    browsing context</span> flag set, then find the nearest
    <span>ancestor browsing context</span> that does not have its
    <span>seamless browsing context</span> flag set, and continue these
    steps as if <em>that</em> <span>browsing context</span> was the one
    that was going to be <span title="navigate">navigated</span>
    instead.</p></li>
 
@@ -30285,20 +30533,25 @@ user reload must be equivalent to .reload()
 
   <p>After creating the <code>Document</code> object, but potentially
   before the page has finished fully loading, the user agent must
   <span>update the session history with the new page</span>.</p>
 
   <p>User agents may add content to the <code>head</code> element of
   the <code>Document</code>, or attributes to the <code>embed</code>
   element, e.g. to link to stylesheet or an XBL binding, or to give
   the document a <code>title</code>.</p>
 
+  <p class="note" id="sandboxPluginNavigate">If the <span>sandboxed
+  plugins browsing context</span> flag is set on the <span>browsing
+  context</span>, the synthesized <code>embed</code> element will <a
+  href="#sandboxPluginEmbed">fail to render the content</a>.</p>
+
 
   <h4 id="read-ua-inline"><dfn title="navigate-ua-inline">Page load processing model for inline content that doesn't have a DOM</dfn></h4>
 
   <p>When the user agent is to display a user agent page inline in a
   <span>browsing context</span>, the user agent should create a
   <code>Document</code> object, mark it as being an <span title="HTML
   documents">HTML document</span>, and then either associate that
   <code>Document</code> with a custom rendering that is not rendered
   using the normal <code>Document</code> rendering rules, or mutate
   that <code>Document</code> until it represents the content the user
@@ -34028,22 +34281,20 @@ at the first element with the given ID must be treated as if it was cloned and r
   position</dfn> that specifies where the current editing position
   is. It may also have a <span title="the
   selection">selection</span>.</p> <!-- XXX xref to later section -->
 
   <p class="note">How the caret and selection are represented depends
   entirely on the UA.</p>
 
   <!-- XXX rendering requirement: The current caret should affect the
   line-height (i.e. it acts at least like an empty inline element) -->
 
-  <!-- XXX document.designMode attribute -->
-
   <!-- XXX would be useful to have a way to mark an element as
   unremovable. -->
 
 
   <h4>User editing actions</h4>
 
   <p>There are several actions that the user agent should allow the
   user to perform while the user is interacting with an editing
   host. How exactly each action is triggered is not defined for every
   action, but when it is not defined, suggested key bindings are
@@ -34257,30 +34508,22 @@ at the first element with the given ID must be treated as if it was cloned and r
   <p>When <code title="dom-document-designMode">designMode</code> is
   enabled, the DOM attribute must return the value "<code
   title="">on</code>", and when it is disabled, it must return the
   value "<code title="">off</code>".</p>
 
   <p>The last state set must persist until the document is destroyed
   or the state is changed. Initially, documents must have their <code
   title="dom-document-designMode">designMode</code> disabled.</p>
 
   <p>Enabling <code title="dom-document-designMode">designMode</code>
-  causes scripts in general to be disabled and the document to become
-  editable.</p>
-
-  <p>When the <code>Document</code> has <code
-  title="dom-document-designMode">designMode</code> enabled, the
-  <span>event handler attributes</span> of the document and any
-  elements owned by the document must do nothing, and event listeners
-  registered on the document and any elements owned by the document
-  that are associated with script from the document must similarly do
-  nothing.</p>
+  <a href="#designModeScriptBlocked">causes scripts in general to be
+  disabled</a> and the document to become editable.</p>
 
 
 
   <h3 id="dnd"><dfn>Drag and drop</dfn></h3>
 
 <!--XXX
 
 http://msdn.microsoft.com/workshop/author/datatransfer/overview.asp
 http://msdn.microsoft.com/workshop/author/dhtml/reference/objects/clipboarddata.asp
 
@@ -39613,21 +39856,22 @@ function receiver(e) {
    these steps. (<span>fragment case</span>)</li> <!-- This is only
    here for now in case people think that the spec accidentally
    omitted it and try to "fix" it. Note that noscript-in-head is also
    handled this way. This is all intentional. The only thing it
    doesn't handle is the scripting-enabled fragment parsing case for a
    <head> element containing a <noscript> which itself contains
    something other than a <link> or a <style> element; you'd expect
    that to break out of the <noscript> but it doesn't. This is an edge
    case that doesn't affect the spec, since the algorithm for fragment
    parsing is only used for innerHTML, where we know scripting is
-   enabled. -->
+   enabled. (XXX except maybe if innerHTML is set from another
+   browsing context on a document with designMode set?) -->
 
    <li>If <var title="">node</var> is a <code>body</code> element,
    then switch the <span>insertion mode</span> to "<span
    title="insertion mode: in body">in body</span>" and abort these
    steps.</li>
 
    <li>If <var title="">node</var> is a <code>frameset</code> element,
    then switch the <span>insertion mode</span> to "<span
    title="insertion mode: in frameset">in frameset</span>" and abort
    these steps. (<span>fragment case</span>)</li>
@@ -39912,20 +40156,27 @@ function receiver(e) {
   implicitly or explicitly) the <span><code title="">head</code>
   element pointer</span> gets set to point to this node.</p>
 
   <p>The <span><code title="">form</code> element pointer</span>
   points to the last <code>form</code> element that was opened and
   whose end tag has not yet been seen. It is used to make form
   controls associate with forms in the face of dramatically bad
   markup, for historical reasons.</p>
 
 
+  <h5>The scripting state</h5>
+
+  <p>The <dfn>scripting flag</dfn> is set to "enabled" if the
+  <code>Document</code> with which the parser is associated was
+  <span>with script</span> when the parser was created, and "disabled"
+  otherwise.</p>
+
 
   <h4><dfn>Tokenisation</dfn></h4>
 
   <p>Implementations must act as if they used the following state
   machine to tokenise HTML. The state machine must start in the
   <span>data state</span>. Most states consume a single character,
   which may have various side-effects, and either switches the state
   machine to a new state to <em>reconsume</em> the same character, or
   switches it to a new state (to consume the next character), or
   repeats the same state (to consume the next character). Some states
@@ -42179,27 +42430,27 @@ function receiver(e) {
     encoding</span> to the encoding <var
     title="">encoding</var>.</p>
 
    </dd>
 
    <dt>A start tag whose tag name is "title"</dt>
    <dd>
     <p>Follow the <span>generic RCDATA parsing algorithm</span>.</p>
    </dd>
 
-   <dt>A start tag whose tag name is "noscript", if <span>scripting is enabled</span>:</dt>
+   <dt>A start tag whose tag name is "noscript", if the <span>scripting flag</span> is enabled:</dt>
    <dt>A start tag whose tag name is "style"</dt>
    <dd>
     <p>Follow the <span>generic CDATA parsing algorithm</span>.</p>
    </dd>
 
-   <dt>A start tag whose tag name is "noscript", if <span>scripting is disabled</span>:</dt>
+   <dt>A start tag whose tag name is "noscript", if the <span>scripting flag</span> is disabled:</dt>
    <dd>
 
     <p><span>Insert an HTML element</span> for the token.</p>
 
     <p>Switch the <span>insertion mode</span> to "<span
     title="insertion mode: in head noscript">in head
     noscript</span>".</p>
 
    </dd>
 
@@ -43477,24 +43728,22 @@ function receiver(e) {
 
     <p>The tokeniser's <span>content model flag</span> will have
     switched back to the PCDATA state.</p>
 
     <p>If the next token is an end tag token with the tag name
     "textarea", ignore it. Otherwise, this is a <span>parse
     error</span>.</p>
 
    </dd>
 
-   <dt>A start tag whose tag name is one of: "iframe",
-   "noembed", "noframes"</dt>
-   <dt>A start tag whose tag name is "noscript", if
-   <span>scripting is enabled</span>:</dt>
+   <dt>A start tag whose tag name is one of: "iframe", "noembed", "noframes"</dt>
+   <dt>A start tag whose tag name is "noscript", if the <span>scripting flag</span> is enabled:</dt>
    <dd>
     <p>Follow the <span>generic CDATA parsing algorithm</span>.</p>
    </dd>
 
    <dt>A start tag whose tag name is "select"</dt>
    <dd>
 
     <p><span>Reconstruct the active formatting elements</span>, if
     any.</p>
 
@@ -43579,22 +43828,21 @@ function receiver(e) {
    </dd>
 -->
    <dt>A start or end tag whose tag name is one of: "caption", "col",
    "colgroup", "frame", "frameset", "head", "option", "optgroup",
    "tbody", "td", "tfoot", "th", "thead", "tr"</dt>
    <dt>An end tag whose tag name is one of: "area", "basefont",
    "bgsound", "embed", "hr", "iframe", "image", "img", "input",
    "isindex", "noembed", "noframes", "param", "select", "spacer",
    "table", "textarea", "wbr"</dt> <!-- add keygen if we add the start
    tag -->
-   <dt>An end tag whose tag name is "noscript", if <span>scripting
-   is enabled</span>:</dt>
+   <dt>An end tag whose tag name is "noscript", if the <span>scripting flag</span> is enabled:</dt>
    <dd>
     <p><span>Parse error</span>. Ignore the token.</p>
    </dd>
 
    <dt>A start or end tag whose tag name is one of:
    "event-source", "section", "nav", "article", "aside", "header",
    "footer", "datagrid", "command"</dt>
 
    <dd>
 
@@ -45232,21 +45480,23 @@ http://lxr.mozilla.org/seamonkey/search?string=nested
        <dd>
 
         <p>If one of the ancestors of <var title="">current node</var>
         is a <code>style</code>, <code>script</code>,
         <code>xmp</code>, <code>iframe</code>, <code>noembed</code>,
         <code>noframes</code>, <code>noscript</code>, or
         <code>plaintext</code> element, then append the value of <var
         title="">current node</var>'s <code title="">data</code> DOM
         attribute literally.</p> <!-- note about noscript: we're
         assuming here that scripting is disabled. If this algorithm is
-        used with scripting disabled, this won't work right. -->
+        used with scripting disabled, this won't work right. XXX This
+        might affect calling innerHTML on nodes in a document that is
+        being designMode'd -->
 
         <p>Otherwise, append the value of <var title="">current
         node</var>'s <code title="">data</code> DOM attribute, <span
         title="escaping a string">escaped as described
         below</span>.</p>
 
        </dd>
 
 
        <dt>If <var title="">current node</var> is a <code
@@ -45404,23 +45654,24 @@ http://lxr.mozilla.org/seamonkey/search?string=nested
 
      <dt>If it is a <code>style</code>, <code>script</code>,
      <code>xmp</code>, <code>iframe</code>, <code>noembed</code>, or
      <code>noframes</code> element</dt>
 
      <dd>Set the <span>content model flag</span> to
      <em>CDATA</em>.</dd>
 
 
      <dt>If it is a <code>noscript</code> element</dt>
-     <dd>If <span>scripting is enabled</span>, set the <span>content
-     model flag</span> to <em>CDATA</em>. Otherwise, set the
-     <span>content model flag</span> to <em>PCDATA</em>.</dd>
+
+     <dd>If the <span>scripting flag</span> is enabled, set the
+     <span>content model flag</span> to <em>CDATA</em>. Otherwise, set
+     the <span>content model flag</span> to <em>PCDATA</em>.</dd>
 
 
      <dt>If it is a <code>plaintext</code> element</dt>
 
      <dd>Set the <span>content model flag</span> to
      <em>PLAINTEXT</em>.</dd>
 
 
      <dt>Otherwise</dt>
 
@@ -45747,21 +45998,28 @@ xh|section xh|section xh|section xh|section xh|section xh|h1 { /* same styles as
 
 
 
   <h4>The <dfn><code>applet</code></dfn> element</h4>
 
   <p>The <code>applet</code> element is a Java-specific variant of the
   <code>embed</code> element. In HTML5 the <code>applet</code> element
   is obsoleted so that all extension frameworks (Java, .NET, Flash,
   etc) are handled in a consistent manner.</p>
 
-  <p class="big-issue">define how the element works, if supported</p>
+  <p id="sandboxPluginApplet">If the <span>sandboxed plugins browsing
+  context</span> flag is set on the <span>browsing context</span> for
+  which the <code>applet</code> element's document is the <span>active
+  document</span>, then the element must be ignored (it represents
+  nothing).</p>
+
+  <p>Otherwise, <span class="big-issue">define how the element works,
+  if supported</span>.</p>
 
   <pre class="idl">[XXX] interface <span>HTMLDocument</span> {
   readonly attribute <span>HTMLCollection</span> <span title="dom-document-applets">applets</span>;
 };</pre>
 
   <p>The <dfn title="dom-document-applets"><code>applets</code></dfn>
   attribute must return an <code>HTMLCollection</code> rooted at the
   <code>Document</code> node, whose filter matches only
   <code>applet</code> elements.</p>
   

|