Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add an 'allow-popups-to-escape-sandbox' sandboxing token. #14

Merged
merged 1 commit into from
Aug 29, 2015
Merged

Add an 'allow-popups-to-escape-sandbox' sandboxing token. #14

merged 1 commit into from
Aug 29, 2015

Conversation

mikewest
Copy link
Member

This patch adds the sandbox-escaping functionality described at 1,
which will allow a sandboxed docuent to spawn new windows without
forcing the set of active sandboing flags upon them. This allows, for
example, a third-party advertisement to be (more) safely sandboxed
without forcing the same restrictions upon a landing page.

@mikewest
Copy link
Member Author

Hi, @domenic and @annevk! Thanks so much for doing the hard work to get things set up for direct, external contributions (and for letting me know about it)!

I have no idea how to generate the spec documents from source, so it's entirely possible that this patch doesn't do the right thing, but hopefully I've correctly understood the idioms in the document (100 columns, <span>-wrapped autolinking, data-x naming for attributes, strange indentation rules, etc).

Does this look like a reasonable approach to resolving https://www.w3.org/Bugs/Public/show_bug.cgi?id=28817? If so, wonderful. I have a million more patches for you. :)

@domenic
Copy link
Member

domenic commented Aug 28, 2015

I have no idea how to generate the spec documents from source, so it's entirely possible that this patch doesn't do the right thing

Yeah, we need to document this. Would you mind giving the procedures set up in https://github.com/whatwg/html-build a try? Note that it's kind of sucky in two ways, currently:

  • You have to build a Free Pascal program. We should look in to providing precompiled binaries for this.
  • You have to check out the build tools, but then also put the spec source (and cldr data) into that directory. And, the build tools will then output to that directory. So it's hard to disentangle which came from where.

I have visions of a web service that you upload a source file to and get out a singlepage.html, similar to Bikeshed, but that's not here yet.

Would love your feedback on the build process, if you can manage to get it working. Any that you can give will be incorporated into the readme.

@annevk
Copy link
Member

annevk commented Aug 28, 2015

@bzbarsky would you please go over this pull request to see whether you catch anything obviously wrong? Auxiliary browsing contexts is not my strong suit.

@bzbarsky
Copy link
Contributor

Looks reasonable to me.

@annevk
Copy link
Member

annevk commented Aug 29, 2015

Thank you @bzbarsky.

@mikewest, could you drop the period from the first line of the commit message and merge the two commits into a single commit using git push --force? That would make it easier to make a clean merge. Thank you.

@mikewest
Copy link
Member Author

Will do, whenever I can get to a computer today.

@mikewest
Add an 'allow-popups-to-escape-sandbox' sandboxing token
955fbaa 
This patch adds the sandbox-escaping functionality described at [1],
which will allow a sandboxed docuent to spawn new windows without
forcing the set of active sandboing flags upon them. This allows, for
example, a third-party advertisement to be (more) safely sandboxed
without forcing the same restrictions upon a landing page.

Discussed at [2] and [3].

[1]: https://www.w3.org/Bugs/Public/show_bug.cgi?id=28817
[2]: https://lists.w3.org/Archives/Public/public-whatwg-archive/2015May/0035.html
[3]: https://groups.google.com/a/chromium.org/d/msg/blink-dev/wXbgxLu63Fo/YtsqkySmTWcJ
@mikewest
Copy link
Member Author

Rebased, thanks!

@annevk annevk merged commit 955fbaa into whatwg:master Aug 29, 2015
@ricea ricea mentioned this pull request Feb 22, 2022
Closed
@rwlbuis rwlbuis mentioned this pull request Sep 18, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@mikewest @domenic @annevk @bzbarsky