This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.
Specification: https://html.spec.whatwg.org/multipage/semantics.html Multipage: https://html.spec.whatwg.org/multipage/#table-http-equiv Complete: https://html.spec.whatwg.org/#table-http-equiv Referrer: https://html.spec.whatwg.org/multipage/ Comment: Should the sandboxing flags be captured when setting up the refresh? Posted from: 98.110.194.132 User agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
In particular, if the <meta> is adopted into a different document the allow-scripts flag on its node document can effectively change between when https://html.spec.whatwg.org/multipage/semantics.html#attr-meta-http-equiv-refresh starts running and when the refresh comes due.
A quick test shows that Chrome, at least, does not wait for the refresh to come due before checking the sandbox flags.
Mike, could you check the current spec here to see if it aligns with your intentions, per Boris's question? That is, I'd love to pass this issue off to you instead of having to try to understand it myself :).
Going through older issues... This is actually pretty easy to understand. Boris, what did you end up implementing in Gecko? If it matches Blink per comment #2, we should just update the spec. Did you write tests for the edge case in question that we can use to solidify a spec change?
Gecko's implementation is quite different from the spec's in various ways (e.g. we handle meta refresh in the parser only, not on general <meta> addition to the DOM), but we do check the sandbox flag up front before doing any work at all. In terms of the spec algorithm, it's the equivalent of doing it before step 2 of https://html.spec.whatwg.org/multipage/semantics.html#attr-meta-http-equiv-refresh for sure, in that we do it before we even get the value of the "content" attribute. It's worth checking what other UAs do around this stuff, including whether they actually implement this as an action on element insertion. It doesn't look like we wrote tests for the edge case. See https://bug1156059.bmoattachments.org/attachment.cgi?id=8598598 for the tests we did write (which aren't even web platform tests, sadly).
https://github.com/whatwg/html/pull/2198