This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 23857 - "allowed to navigate" algorithm technically blocks self navigation on sandboxed top-level browsing contexts.
Summary: "allowed to navigate" algorithm technically blocks self navigation on sandbox...
Status: RESOLVED FIXED
Alias: None
Product: WHATWG
Classification: Unclassified
Component: HTML (show other bugs)
Version: unspecified
Hardware: All All
: P2 minor
Target Milestone: Unsorted
Assignee: Ian 'Hixie' Hickson
QA Contact: contributor
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-11-19 09:18 UTC by Bob Owen
Modified: 2013-11-19 22:37 UTC (History)
2 users (show)

See Also:


Attachments

Description Bob Owen 2013-11-19 09:18:01 UTC
Just noticed this minor point.

If we have a sandboxed auxiliary browsing context (opened from a sandboxed iframe with allow-popups) and it tries to navigate itself.

Following the allowed to navigate algorithm:
http://www.whatwg.org/specs/web-apps/current-work/multipage/browsers.html#allowed-to-navigate

Our browsing context is A and B, so:

1) A is same as B - move to next step.

2) B is top, but not ancestor of A - move to next step.

3) B is top, not ancestor of A, A is sandboxed and not one permitted sandboxed navigator of B - abort negatively!


The simplest fix, as far as I can see, is to add a new step at the start, which simply says "If A is the same browsing context as B, then terminate positively."
Also, remove, the now redundant, first condition from the old step 1.
Comment 1 Ian 'Hixie' Hickson 2013-11-19 22:24:37 UTC
I made step 3 exclude the case where A=B.
Comment 2 contributor 2013-11-19 22:24:56 UTC
Checked in as WHATWG revision r8301.
Check-in comment: Always allow a browsing context to navigate itself.
http://html5.org/tools/web-apps-tracker?from=8300&to=8301
Comment 3 Bob Owen 2013-11-19 22:37:56 UTC
(In reply to Ian 'Hixie' Hickson from comment #1)
> I made step 3 exclude the case where A=B.

That, of course, works just as well :)

Thanks Ian.