This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.
Pointer Lock API [1] adds capability that should be restricted by a sandbox flag unless an iframe is marked explicitly with sandbox="allow-pointer-lock" Rough edit suggestion to HTML: http://dev.w3.org/html5/spec/origin-0.html#sandboxing Add a section for The sandboxed pointer lock flag + "The sandboxed pointer lock flag + This flag prevents content from using the Pointer Lock API" with link to http://www.w3.org/TR/pointerlock/ Add a new flag parsing item: After the text: "When the user agent is to parse a sandboxing directive ..." Add + "The sandboxed pointer lock flag, unless tokens contains the allow-pointer-lock keyword" [1] http://dvcs.w3.org/hg/pointerlock/raw-file/default/index.html
Ok, I have added "allow-pointer-lock" to the HTML spec. In the Pointer Lock spec, add the following clause somewhere: If [the Document object]'s _active sandboxing flag set_ has the _sandboxed pointer lock browsing context flag_, then [the user agent must not lock the pointer]. ...where "the Document object" should be expanded to a reference to the Document object for which pointer lock is being enabled, whatever that is. "active sandboxing flag set" and "sandboxed pointer lock browsing context flag" are terms now defined in the HTML spec. "the user agent must not lock the pointer" is whatever conformance requirement you need to add to your spec to make it not lock the pointer.
Checked in as WHATWG revision r7485. Check-in comment: Add sandbox=allow-pointer-lock, and some nearby cleanup. http://html5.org/tools/web-apps-tracker?from=7484&to=7485