28563 2015-04-27 07:40:12 +0000 As in most cases the http-equiv meta tags are equivalent to their corresponding HTTP header, would i [...] 2017-08-09 09:49:46 +0000 1 1 1 Unclassified WHATWG HTML unspecified Other All RESOLVED MOVED https://html.spec.whatwg.org/#attr-meta-http-equiv-refresh P3 normal Unsorted 28339 1 contributor ian annevk bobowencode bzbarsky ian mike zcorpan contributor oldest_to_newest 119924 0 contributor 2015-04-27 07:40:12 +0000 Specification: https://html.spec.whatwg.org/ Multipage: https://html.spec.whatwg.org/multipage/#attr-meta-http-equiv-refresh Complete: https://html.spec.whatwg.org/#attr-meta-http-equiv-refresh Referrer: Comment: As in most cases the http-equiv meta tags are equivalent to their corresponding HTTP header, would it be worth mentioning in step 24 that the automatic features sandbox should not affect the corresponding Refresh HTTP header. I'm assuming that is what is intended and certainly blink allows the header when sandboxed. Either way it would be useful to make it clear. I am currently implementing the same behaviour as blink for gecko. Thanks, Bob Owen Posted from: 80.189.213.41 User agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 120104 1 ian 2015-05-05 21:35:42 +0000 I presume whether it affects the header or not should be up to whatever spec defines the header. Which spec defines the header? Why would we not want the header to work the same way? Presumably any reason that applies to the <meta> element applies to the header too, no? 120133 2 bobowencode 2015-05-06 09:05:00 +0000 Copying in Boris, as he was involved in a brief discussion that we had about this. 120135 3 bzbarsky 2015-05-06 15:33:14 +0000 > Which spec defines the header? There is no spec defining the refresh header that I know of. Netscape made it up and no one ever standardized it. > Why would we not want the header to work the same way? That depends on what our goals are, I guess. If we're sandboxing source we don't fully trust that we put on our server, then there is a fundamental difference between <meta http-equiv="refresh"> and the refresh HTTP header: the former is under the control of the untrusted source, while the latter is under our control. If, on the other hand, we're sandboxing some URI loaded from some other server, then it makes sense to me to disallow the HTTP header too... 120137 4 ian 2015-05-06 16:02:20 +0000 Makes sense. In any case, the answer is someone should write a spec for it. I'm happy to add a note to the HTML spec saying that there's no HTTP header of this name defined, but that if there was, one should not assume it acts like the pragma. 128824 5 annevk 2017-08-09 09:49:46 +0000 Per the current PR for this the Refresh works in combination with sandboxing since that's what Chrome already did: https://github.com/whatwg/html/pull/2892