28520 – Should the sandboxing flags be captured when setting up the refresh?

This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 28520 - Should the sandboxing flags be captured when setting up the refresh?

Summary: Should the sandboxing flags be captured when setting up the refresh?

Status:	RESOLVED MOVED

Alias:	None

Product:	WHATWG
Classification:	Unclassified
Component:	HTML (show other bugs)
Version:	unspecified
Hardware:	Other All

Importance:	P3 normal
Target Milestone:	Unsorted
Assignee:	Ian 'Hixie' Hickson
QA Contact:	contributor

URL:	https://html.spec.whatwg.org/#table-h...
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2015-04-20 18:42 UTC by contributor
Modified:	2016-12-20 20:54 UTC (History)
CC List:	5 users (show)

See Also:

Attachments

Description contributor 2015-04-20 18:42:47 UTC

Specification: https://html.spec.whatwg.org/multipage/semantics.html
Multipage: https://html.spec.whatwg.org/multipage/#table-http-equiv
Complete: https://html.spec.whatwg.org/#table-http-equiv
Referrer: https://html.spec.whatwg.org/multipage/

Comment:
Should the sandboxing flags be captured when setting up the refresh?

Posted from: 98.110.194.132
User agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0

Comment 1 Boris Zbarsky 2015-04-20 18:44:14 UTC

In particular, if the <meta> is adopted into a different document the allow-scripts flag on its node document can effectively change between when https://html.spec.whatwg.org/multipage/semantics.html#attr-meta-http-equiv-refresh starts running and when the refresh comes due.

Comment 2 Boris Zbarsky 2015-04-20 19:22:49 UTC

A quick test shows that Chrome, at least, does not wait for the refresh to come due before checking the sandbox flags.

Comment 3 Domenic Denicola 2016-04-08 23:31:16 UTC

Mike, could you check the current spec here to see if it aligns with your intentions, per Boris's question? That is, I'd love to pass this issue off to you instead of having to try to understand it myself :).

Comment 4 Domenic Denicola 2016-12-13 14:05:20 UTC

Going through older issues...

This is actually pretty easy to understand. Boris, what did you end up implementing in Gecko? If it matches Blink per comment #2, we should just update the spec. Did you write tests for the edge case in question that we can use to solidify a spec change?

Comment 5 Boris Zbarsky 2016-12-13 14:15:48 UTC

Gecko's implementation is quite different from the spec's in various ways (e.g. we handle meta refresh in the parser only, not on general <meta> addition to the DOM), but we do check the sandbox flag up front before doing any work at all.  In terms of the spec algorithm, it's the equivalent of doing it before step 2 of https://html.spec.whatwg.org/multipage/semantics.html#attr-meta-http-equiv-refresh for sure, in that we do it before we even get the value of the "content" attribute.

It's worth checking what other UAs do around this stuff, including whether they actually implement this as an action on element insertion.

It doesn't look like we wrote tests for the edge case.  See https://bug1156059.bmoattachments.org/attachment.cgi?id=8598598 for the tests we did write (which aren't even web platform tests, sadly).

Comment 6 Domenic Denicola 2016-12-20 20:54:22 UTC

https://github.com/whatwg/html/pull/2198