[agiow] (1) Make <iframe sandbox=''> block localStorage and openDatabase.

git-svn-id: http://svn.whatwg.org/webapps@4584 340c8d12-0b0e-0410-8428-c7bf67bfef74
Hixie committed Jan 13, 2010
1 parent be8552e commit 5159916
Showing 3 changed files with 19 additions and 5 deletions.
8 changes: 6 additions & 2 deletions complete.html
Expand Up @@ -19748,7 +19748,7 @@ <h4 id=the-iframe-element><span class=secno>4.8.3 </span>The <dfn><code>iframe</

<p>This flag also <a href=#sandboxCookies>prevents script from
reading the <code title=dom-document-cookie>document.cookie</code> IDL
attribute</a>.</p>
attribute</a>, and blocks access to <code title=dom-localStorage><a href=#dom-localstorage>localStorage</a></code> and <code title=dom-opendatabase>openDatabase()</code>.</p>

<div class=note>

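Review bot: In the added sentence, localStorage is wrapped in a link to #dom-localstorage but openDatabase() is left as a bare code element with no link, and none of the complete.html hunks in this commit adds a matching step for openDatabase(). A reader of this file therefore cannot find the requirement that backs the second half of the claim. Either link the term to its definition or say which specification carries the check.
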
Expand Down Expand Up @@ -58834,7 +58834,7 @@ <h4 id=the-localstorage-attribute><span class=secno>7.2.3 </span>The <code title
<p>When the <code title=dom-localStorage><a href=#dom-localstorage>localStorage</a></code>
attribute is accessed, the user agent must run the following steps:</p>

<ol><li><p>The user agent may raise a <code><a href=#security_err>SECURITY_ERR</a></code>
<ol><li><p>The user agent may throw a <code><a href=#security_err>SECURITY_ERR</a></code>
exception instead of returning a <code><a href=#storage-0>Storage</a></code> object if the
request violates a policy decision (e.g. if the user agent is
configured to not allow the page to persist data).</li>
Expand All @@ -58844,6 +58844,10 @@ <h4 id=the-localstorage-attribute><span class=secno>7.2.3 </span>The <code title
<code>Document</code>'s <a href=#origin>origin</a>, then throw a
<code><a href=#security_err>SECURITY_ERR</a></code> exception and abort these steps.</li>

<li><p>If the <code>Document</code>'s <a href=#origin>origin</a> is not a
scheme/host/port tuple, then throw a <code><a href=#security_err>SECURITY_ERR</a></code>
exception and abort these steps.</li>

<li><p>Check to see if the user agent has allocated a local storage
area for the <a href=#origin>origin</a> of the <code>Document</code> of
the <code><a href=#window>Window</a></code> object on which the method was invoked. If
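Review bot: The new step "If the Document's origin is not a scheme/host/port tuple, then throw SECURITY_ERR" sits after the existing step that tests something against the Document's origin (only its tail is visible in this hunk), so that earlier test is evaluated first even when the origin is not a tuple. Both steps throw the same exception, so the outcome does not change, but checking what kind of origin it is before using it would be easier to follow. A short note here saying which documents have such an origin would also help: the commit message names iframe sandbox, yet nothing in these steps mentions sandboxing.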
2 changes: 1 addition & 1 deletion index
Expand Up @@ -19648,7 +19648,7 @@ href="?audio"&gt;audio&lt;/a&gt; test instead.)&lt;/p&gt;</pre>

<p>This flag also <a href=#sandboxCookies>prevents script from
reading the <code title=dom-document-cookie>document.cookie</code> IDL
attribute</a>.</p>
attribute</a>, and blocks access to <code title=dom-localStorage>localStorage</code> and <code title=dom-opendatabase>openDatabase()</code>.</p>

<div class=note>

14 changes: 12 additions & 2 deletions source
Expand Up @@ -21017,7 +21017,9 @@ href="?audio">audio&lt;/a> test instead.)&lt;/p></pre>
<p>This flag also <a href="#sandboxCookies">prevents script from
reading the <code
title="dom-document-cookie">document.cookie</code> IDL
attribute</a>.</p>
attribute</a>, and blocks access to <code
title="dom-localStorage">localStorage</code> and <code
title="dom-opendatabase">openDatabase()</code>.</p>

<div class="note">

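Review bot: The added clause "and blocks access to localStorage and openDatabase()" states an effect without saying how it is enforced, whereas the cookie clause it extends links to #sandboxCookies. The steps added further down in this commit make access throw SECURITY_ERR when the origin is not a scheme/host/port tuple, so the sentence would be more precise if it said that access throws SECURITY_ERR and pointed at those steps. As written, "blocks" could be read as returning null or an empty Storage object, which calling scripts would have to handle differently from an exception.
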
Expand Down Expand Up @@ -66557,7 +66559,7 @@ interface <span>WindowLocalStorage</span> {

<ol>

<li><p>The user agent may raise a <code>SECURITY_ERR</code>
<li><p>The user agent may throw a <code>SECURITY_ERR</code>
exception instead of returning a <code>Storage</code> object if the
request violates a policy decision (e.g. if the user agent is
configured to not allow the page to persist data).</p></li>
Expand All @@ -66567,6 +66569,10 @@ interface <span>WindowLocalStorage</span> {
<code>Document</code>'s <span>origin</span>, then throw a
<code>SECURITY_ERR</code> exception and abort these steps.</p></li>

<li><p>If the <code>Document</code>'s <span>origin</span> is not a
scheme/host/port tuple, then throw a <code>SECURITY_ERR</code>
exception and abort these steps.</p></li>

<li><p>Check to see if the user agent has allocated a local storage
area for the <span>origin</span> of the <code>Document</code> of
the <code>Window</code> object on which the method was invoked. If
Expand Down Expand Up @@ -66883,6 +66889,10 @@ interface <dfn>DatabaseCallback</dfn> {

</li>

<li><p>If <var title="">origin</var> is not a scheme/host/port
tuple, then throw a <code>SECURITY_ERR</code> exception and abort
these steps.</p></li>

<li><p>If the database version provided is not the empty string,
and there is already a database with the given name from the origin
<var title="">origin</var>, but the database has a different
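Review bot: Only one database algorithm receives the "not a scheme/host/port tuple" check in this diff, while the sandbox prose promises that openDatabase() is blocked outright. If any other algorithm in this section can open or create a database without running these steps, it needs the same step. The placement ahead of the version comparison looks right, since the call is rejected before any existing database for the origin is consulted.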
