[acgiow] (1) Make sandbox='' disallow using both allow-same-origin an…

…d allow-scripts (and make same-origin win). git-svn-id: http://svn.whatwg.org/webapps@4577 340c8d12-0b0e-0410-8428-c7bf67bfef74
whatwg · Jan 12, 2010 · a1b52d9 · a1b52d9
1 parent 4d61e2c
commit a1b52d9
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 8 deletions.
diff --git a/complete.html b/complete.html
@@ -110,7 +110,7 @@
 
   <header class=head id=head><p><a class=logo href=http://www.whatwg.org/ rel=home><img alt=WHATWG src=/images/logo></a></p>
    <hgroup><h1>Web Applications 1.0</h1>
-    <h2 class="no-num no-toc">Draft Standard &mdash; 11 January 2010</h2>
+    <h2 class="no-num no-toc">Draft Standard &mdash; 12 January 2010</h2>
    </hgroup><p>You can take part in this work. <a href=http://www.whatwg.org/mailing-list>Join the working group's discussion list.</a></p>
    <p><strong>Web designers!</strong> We have a <a href=http://blog.whatwg.org/faq/>FAQ</a>, a <a href=http://forums.whatwg.org/>forum</a>, and a <a href=http://www.whatwg.org/mailing-list#help>help mailing list</a> for you!</p>
    <!--<p class="impl"><strong>Implementors!</strong> We have a <a href="http://www.whatwg.org/mailing-list#implementors">mailing list</a> for you too!</p>-->
@@ -19657,11 +19657,15 @@ <h4 id=the-iframe-element><span class=secno>4.8.3 </span>The <dfn><code>iframe</
   prevented from targeting other <a href=#browsing-context title="browsing
   context">browsing contexts</a>, and plugins are disabled. The
   <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code>
-  token allows the content to be treated as being from the same origin
+  keyword allows the content to be treated as being from the same origin
   instead of forcing it into a unique origin, and the <code title=attr-iframe-sandbox-allow-forms><a href=#attr-iframe-sandbox-allow-forms>allow-forms</a></code> and <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code>
-  tokens re-enable forms and scripts respectively (though scripts are
+  keywords re-enable forms and scripts respectively (though scripts are
   still prevented from creating popups).</p>
 
+  <p>The <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code> keyword
+  must not be specified if the <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code>
+  keyword is specified.</p>
+
   <div class=impl>
 
   <!-- v2: Add a new attribute that enables new restrictions, e.g.:
@@ -19781,6 +19785,7 @@ <h4 id=the-iframe-element><span class=secno>4.8.3 </span>The <dfn><code>iframe</
    the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute's
    value, when <a href=#split-a-string-on-spaces title="split a string on spaces">split on
    spaces</a>, is found to have the <dfn id=attr-iframe-sandbox-allow-scripts title=attr-iframe-sandbox-allow-scripts><code>allow-scripts</code></dfn>
+   keyword set and <em>not </em> to have the <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code>
    keyword set</dt>
 
    <dd>
@@ -19795,6 +19800,9 @@ <h4 id=the-iframe-element><span class=secno>4.8.3 </span>The <dfn><code>iframe</
     or elsewhere) will continue to run. Only <em>new</em> scripts will
     be prevented from executing by this flag.</p>
 
+    <p>This keyword is ignored if the <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code>
+    keyword is set.</p>
+
    </dd>
 
   </dl><p>These flags must not be set unless the conditions listed above

diff --git a/index b/index
@@ -112,7 +112,7 @@
 
   <header class=head id=head><p><a class=logo href=http://www.whatwg.org/ rel=home><img alt=WHATWG src=/images/logo></a></p>
    <hgroup><h1>HTML5 (including next generation additions still in development)</h1>
-    <h2 class="no-num no-toc">Draft Standard &mdash; 11 January 2010</h2>
+    <h2 class="no-num no-toc">Draft Standard &mdash; 12 January 2010</h2>
    </hgroup><p>You can take part in this work. <a href=http://www.whatwg.org/mailing-list>Join the working group's discussion list.</a></p>
    <p><strong>Web designers!</strong> We have a <a href=http://blog.whatwg.org/faq/>FAQ</a>, a <a href=http://forums.whatwg.org/>forum</a>, and a <a href=http://www.whatwg.org/mailing-list#help>help mailing list</a> for you!</p>
    <!--<p class="impl"><strong>Implementors!</strong> We have a <a href="http://www.whatwg.org/mailing-list#implementors">mailing list</a> for you too!</p>-->
@@ -19557,11 +19557,15 @@ href="?audio"&gt;audio&lt;/a&gt; test instead.)&lt;/p&gt;</pre>
   prevented from targeting other <a href=#browsing-context title="browsing
   context">browsing contexts</a>, and plugins are disabled. The
   <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code>
-  token allows the content to be treated as being from the same origin
+  keyword allows the content to be treated as being from the same origin
   instead of forcing it into a unique origin, and the <code title=attr-iframe-sandbox-allow-forms><a href=#attr-iframe-sandbox-allow-forms>allow-forms</a></code> and <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code>
-  tokens re-enable forms and scripts respectively (though scripts are
+  keywords re-enable forms and scripts respectively (though scripts are
   still prevented from creating popups).</p>
 
+  <p>The <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code> keyword
+  must not be specified if the <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code>
+  keyword is specified.</p>
+
   <div class=impl>
 
   <!-- v2: Add a new attribute that enables new restrictions, e.g.:
@@ -19681,6 +19685,7 @@ href="?audio"&gt;audio&lt;/a&gt; test instead.)&lt;/p&gt;</pre>
    the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute's
    value, when <a href=#split-a-string-on-spaces title="split a string on spaces">split on
    spaces</a>, is found to have the <dfn id=attr-iframe-sandbox-allow-scripts title=attr-iframe-sandbox-allow-scripts><code>allow-scripts</code></dfn>
+   keyword set and <em>not </em> to have the <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code>
    keyword set</dt>
 
    <dd>
@@ -19695,6 +19700,9 @@ href="?audio"&gt;audio&lt;/a&gt; test instead.)&lt;/p&gt;</pre>
     or elsewhere) will continue to run. Only <em>new</em> scripts will
     be prevented from executing by this flag.</p>
 
+    <p>This keyword is ignored if the <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code>
+    keyword is set.</p>
+
    </dd>
 
   </dl><p>These flags must not be set unless the conditions listed above

diff --git a/source b/source
@@ -20910,13 +20910,19 @@ href="?audio">audio&lt;/a> test instead.)&lt;/p></pre>
   context">browsing contexts</span>, and plugins are disabled. The
   <code
   title="attr-iframe-sandbox-allow-same-origin">allow-same-origin</code>
-  token allows the content to be treated as being from the same origin
+  keyword allows the content to be treated as being from the same origin
   instead of forcing it into a unique origin, and the <code
   title="attr-iframe-sandbox-allow-forms">allow-forms</code> and <code
   title="attr-iframe-sandbox-allow-scripts">allow-scripts</code>
-  tokens re-enable forms and scripts respectively (though scripts are
+  keywords re-enable forms and scripts respectively (though scripts are
   still prevented from creating popups).</p>
 
+  <p>The <code
+  title="attr-iframe-sandbox-allow-scripts">allow-scripts</code> keyword
+  must not be specified if the <code
+  title="attr-iframe-sandbox-allow-same-origin">allow-same-origin</code>
+  keyword is specified.</p>
+
   <div class="impl">
 
   <!-- v2: Add a new attribute that enables new restrictions, e.g.:
@@ -21050,6 +21056,8 @@ href="?audio">audio&lt;/a> test instead.)&lt;/p></pre>
    value, when <span title="split a string on spaces">split on
    spaces</span>, is found to have the <dfn
    title="attr-iframe-sandbox-allow-scripts"><code>allow-scripts</code></dfn>
+   keyword set and <em>not </em> to have the <code
+   title="attr-iframe-sandbox-allow-same-origin">allow-same-origin</code>
    keyword set</dt>
 
    <dd>
@@ -21065,6 +21073,10 @@ href="?audio">audio&lt;/a> test instead.)&lt;/p></pre>
     or elsewhere) will continue to run. Only <em>new</em> scripts will
     be prevented from executing by this flag.</p>
 
+    <p>This keyword is ignored if the <code
+    title="attr-iframe-sandbox-allow-same-origin">allow-same-origin</code>
+    keyword is set.</p>
+
    </dd>
 
   </dl>