Bug 18647 - Add sandboxed pointer lock flag to HTML Sandboxing
Add sandboxed pointer lock flag to HTML Sandboxing
Status: RESOLVED FIXED
Product: WebAppsWG
Classification: Unclassified
Component: Pointer Lock
unspecified
Other other
: P3 normal
: ---
Assigned To: scheib
public-webapps-bugzilla
:
Depends on:
Blocks: 19752 19773
  Show dependency treegraph
 
Reported: 2012-08-21 20:19 UTC by scheib
Modified: 2013-01-04 17:56 UTC (History)
3 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description scheib 2012-08-21 20:19:19 UTC
Pointer Lock API [1] adds capability that should be restricted by a sandbox flag unless an iframe is marked explicitly with sandbox="allow-pointer-lock"

Rough edit suggestion to HTML:
http://dev.w3.org/html5/spec/origin-0.html#sandboxing

Add a section for The sandboxed pointer lock flag
+ "The sandboxed pointer lock flag
+  This flag prevents content from using the Pointer Lock API"
   with link to http://www.w3.org/TR/pointerlock/

Add a new flag parsing item:
After the text: "When the user agent is to parse a sandboxing directive ..."
Add
+ "The sandboxed pointer lock flag, unless tokens contains the allow-pointer-lock keyword"


[1] http://dvcs.w3.org/hg/pointerlock/raw-file/default/index.html
Comment 1 Ian 'Hixie' Hickson 2012-10-25 18:10:19 UTC
Ok, I have added "allow-pointer-lock" to the HTML spec.

In the Pointer Lock spec, add the following clause somewhere:

   If [the Document object]'s _active sandboxing flag set_ has the _sandboxed 
   pointer lock browsing context flag_, then [the user agent must not lock the
   pointer].

...where

   "the Document object" should be expanded to a reference to the Document object 
   for which pointer lock is being enabled, whatever that is.

   "active sandboxing flag set" and "sandboxed pointer lock browsing context flag" 
   are terms now defined in the HTML spec.

   "the user agent must not lock the pointer" is whatever conformance requirement 
   you need to add to your spec to make it not lock the pointer.
Comment 2 contributor 2012-10-25 18:10:58 UTC
Checked in as WHATWG revision r7485.
Check-in comment: Add sandbox=allow-pointer-lock, and some nearby cleanup.
http://html5.org/tools/web-apps-tracker?from=7484&to=7485