Open
Bug 752551
Opened 13 years ago
Updated 2 years ago
iframe sandbox's sandbox automatic features flag should block autoplay of video and autofocus and possibly meta refresh
Categories
(Core :: Security, defect)
NEW
People
(Reporter: imelven, Unassigned, Mentored)
see http://dev.w3.org/html5/spec/origin-0.html#sandboxed-automatic-features-browsing-context-flag
according to Microsoft's test suite[1], WebKit has not implemented this either
the spec mentions autoplaying video and automatically focusing on a text box - Microsoft has also decided that refresh via <meta> should also be blocked in this case
i'd like to fix these in a followup to the initial iframe sandbox work (bug 341604) landing, after discussion on whether we really want to do this and if so, which pieces of it (and if we can think of anything else we'd like to block that's an "automatic feature")
[1] http://samples.msdn.microsoft.com/ietestcenter/#html5Sandbox
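As an added illustration that is not part of the bug report or of any browser's code: the flag discussed above is derived from the iframe's sandbox attribute tokens, and in the HTML specification it is lifted only by allow-scripts, together with the scripts flag. The function names and sample attribute values below are assumptions made up for this sketch, and only four of the spec's flags are modelled.

```javascript
// Added illustration, not Gecko or WebKit code. Models the HTML spec's
// "parse a sandboxing directive" step for a subset of the sandboxing flags.

// Keyword -> flags it lifts. allow-scripts lifts both the scripts flag and the
// automatic features flag; no keyword lifts the automatic features flag alone.
const LIFTED_BY = {
  "allow-scripts": ["scripts", "automatic-features"],
  "allow-same-origin": ["origin"],
  "allow-forms": ["forms"],
};
const ALL_FLAGS = ["scripts", "automatic-features", "origin", "forms"];

// attr: the sandbox attribute value, or null when the attribute is absent.
function sandboxFlags(attr) {
  if (attr === null) return new Set();   // not sandboxed: no flags set
  const flags = new Set(ALL_FLAGS);      // sandboxed: start fully restricted
  // Tokens are split on ASCII whitespace and matched ASCII case-insensitively.
  for (const token of attr.split(/[ \t\n\f\r]+/).filter(Boolean)) {
    for (const flag of LIFTED_BY[token.toLowerCase()] || []) flags.delete(flag);
  }
  return flags;
}

// Features that would be suppressed for a frame with this attribute value.
// The first two are named by the spec text cited in the bug; meta refresh is
// the addition the bug proposes, so it is labelled as such.
function blockedAutomaticFeatures(attr) {
  if (!sandboxFlags(attr).has("automatic-features")) return [];
  return ["video autoplay", "autofocus", "meta refresh (proposed in this bug)"];
}

// Constructed sample attribute values.
for (const attr of [null, "", "allow-forms", "allow-same-origin ALLOW-SCRIPTS"]) {
  console.log(JSON.stringify(attr), "->", blockedAutomaticFeatures(attr));
}
```

A frame sandboxed with allow-forms alone still has the automatic features flag set, so a conforming implementation would not autoplay or autofocus inside it.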
Updated•13 years ago (Reporter)
Depends on: framesandbox
Updated•12 years ago (Reporter)
Whiteboard: [mentor=imelven lang=c++]
Comment 1•12 years ago (Reporter)
a note on <meta refresh> - Microsoft seem to consider it an 'automatic feature' also (http://www.whatwg.org/specs/web-apps/current-work/multipage/origin-0.html#sandboxed-automatic-features-browsing-context-flag) based on http://samples.msdn.microsoft.com/ietestcenter/#html5Sandbox - WebKit seems to not block it fwiw
Summary: iframe sandbox's sandbox automatic features flag should block autoplay of video and autofocus → iframe sandbox's sandbox automatic features flag should block autoplay of video and autofocus and possibly meta refresh
Ian are you still willing to mentor this bug?
Flags: needinfo?(ian.melven)
Comment 4•11 years ago (Reporter)
(In reply to Curtis Koenig [:curtisk] from comment #3)
> Ian are you still willing to mentor this bug?
I'd love to but it's pretty unlikely I'll have time - I've removed myself as mentor and cc'd Bob in case he's willing to mentor another iframe sandbox bug.. :)
Flags: needinfo?(ian.melven)
Whiteboard: [mentor=imelven lang=c++]
Comment 5•11 years ago
(In reply to Ian Melven :imelven from comment #4)
> (In reply to Curtis Koenig [:curtisk] from comment #3)
> > Ian are you still willing to mentor this bug?
>
> I'd love to but it's pretty unlikely I'll have time - I've removed myself as
> mentor and cc'd Bob in case he's willing to mentor another iframe sandbox
> bug.. :)
I don't know this particular part of the sandbox code, but I'm happy to help where I can.
Updated•10 years ago
Mentor: bobowencode
Updated•2 years ago
Severity: normal → S3