Pointer Lock API  adds capability that should be restricted by a sandbox flag unless an iframe is marked explicitly with sandbox="allow-pointer-lock"
Rough edit suggestion to HTML:
Add a section for The sandboxed pointer lock flag
+ "The sandboxed pointer lock flag
+ This flag prevents content from using the Pointer Lock API"
with link to http://www.w3.org/TR/pointerlock/
Add a new flag parsing item:
After the text: "When the user agent is to parse a sandboxing directive ..."
+ "The sandboxed pointer lock flag, unless tokens contains the allow-pointer-lock keyword"
Ok, I have added "allow-pointer-lock" to the HTML spec.
In the Pointer Lock spec, add the following clause somewhere:
If [the Document object]'s _active sandboxing flag set_ has the _sandboxed
pointer lock browsing context flag_, then [the user agent must not lock the
"the Document object" should be expanded to a reference to the Document object
for which pointer lock is being enabled, whatever that is.
"active sandboxing flag set" and "sandboxed pointer lock browsing context flag"
are terms now defined in the HTML spec.
"the user agent must not lock the pointer" is whatever conformance requirement
you need to add to your spec to make it not lock the pointer.
Checked in as WHATWG revision r7485.
Check-in comment: Add sandbox=allow-pointer-lock, and some nearby cleanup.