Automatic features should work in sandboxed iframes if "allow-scripts" flag is set

https://bugs.webkit.org/show_bug.cgi?id=93961

Patch by Christophe Dumez <christophe.dumez@intel.com> on 2012-09-04
Reviewed by Adam Barth.

Source/WebCore:

Allow automatic features (video autoplay and form control
autofocus) in a sandboxed iframe that has "allow-scripts"
flag set. This behavior is according to the latest
specification at:
http://dev.w3.org/html5/spec/browsers.html#attr-iframe-sandbox-allow-same-origin

This sandboxed automatic features browsing context flag is
relaxed by the same keyword as scripts, because when
scripts are enabled these features are trivially possible
anyway, and it would be unfortunate to force authors to
use script to do them when sandboxed rather than allowing
them to use the declarative features.

Tests: fast/forms/autofocus-in-sandbox-with-allow-scripts.html
       media/auto-play-in-sandbox-with-allow-scripts.html

* dom/SecurityContext.cpp:
(WebCore::SecurityContext::parseSandboxPolicy):

LayoutTests:

Add layout tests to check that automatic features (video
autoplay and form control autofocus) are allowed / working
in sandboxed iframes if the "allow-scripts" flag is set.
This behavior is according to the latest specification at:
http://dev.w3.org/html5/spec/browsers.html#attr-iframe-sandbox-allow-same-origin

The tests to check that automatic features are blocked in
sandboxed iframes have been removed since they relied on
the "allow-scripts" flag to work.

* fast/forms/autofocus-in-sandbox-with-allow-scripts-expected.txt: Added.
* fast/forms/autofocus-in-sandbox-with-allow-scripts.html: Renamed from LayoutTests/fast/forms/no-autofocus-in-sandbox.html.
* fast/forms/no-autofocus-in-sandbox-expected.txt: Removed.
* media/auto-play-in-sandbox-with-allow-scripts-expected.txt: Added.
* media/auto-play-in-sandbox-with-allow-scripts.html: Renamed from LayoutTests/media/no-auto-play-in-sandbox.html.
* media/no-auto-play-in-sandbox-expected.txt: Removed.
* media/resources/auto-play-in-sandbox-with-allow-scripts-iframe.html: Added.
* media/resources/no-auto-play-in-sandbox-iframe.html: Removed.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@127481 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent c032831a
2012-09-04 Christophe Dumez <christophe.dumez@intel.com>
Automatic features should work in sandboxed iframes if "allow-scripts" flag is set
https://bugs.webkit.org/show_bug.cgi?id=93961
Reviewed by Adam Barth.
Add layout tests to check that automatic features (video
autoplay and form control autofocus) are allowed / working
in sandboxed iframes if the "allow-scripts" flag is set.
This behavior is according to the latest specification at:
http://dev.w3.org/html5/spec/browsers.html#attr-iframe-sandbox-allow-same-origin
The tests to check that automatic features are blocked in
sandboxed iframes have been removed since they relied on
the "allow-scripts" flag to work.
* fast/forms/autofocus-in-sandbox-with-allow-scripts-expected.txt: Added.
* fast/forms/autofocus-in-sandbox-with-allow-scripts.html: Renamed from LayoutTests/fast/forms/no-autofocus-in-sandbox.html.
* fast/forms/no-autofocus-in-sandbox-expected.txt: Removed.
* media/auto-play-in-sandbox-with-allow-scripts-expected.txt: Added.
* media/auto-play-in-sandbox-with-allow-scripts.html: Renamed from LayoutTests/media/no-auto-play-in-sandbox.html.
* media/no-auto-play-in-sandbox-expected.txt: Removed.
* media/resources/auto-play-in-sandbox-with-allow-scripts-iframe.html: Added.
* media/resources/no-auto-play-in-sandbox-iframe.html: Removed.
2012-09-04 Tim Horton <timothy_horton@apple.com>
ASSERTion failure when SVG element is removed from document and readded
ALERT: INPUT
This test passes if the activeElement is the input element rather than the body (which it would be if the sandbox didn't allow autofocus although allow-scripts flag is set).
......@@ -2,7 +2,7 @@
if (window.testRunner)
testRunner.dumpAsText();
</script>
This test passes if the activeElement is the body rather than the input element
(which it would be if the sandbox didn't succeed in blocking autofocus).
This test passes if the activeElement is the input element rather than the body
(which it would be if the sandbox didn't allow autofocus although allow-scripts flag is set).
<iframe sandbox="allow-scripts"
src="data:text/html,<input autofocus onfocus><script>alert(document.activeElement.tagName)</script>"></iframe>
ALERT: BODY
This test passes if the activeElement is the body rather than the input element (which it would be if the sandbox didn't succeed in blocking autofocus).
......@@ -3,10 +3,10 @@
--------
Frame: '<!--framePath //<!--frame0-->-->'
--------
Test that play event does not fire when "src" set with an autoplay attribute in a sandbox.
Test that play event fires when "src" set with an autoplay attribute in a sandbox with allows-scripts.
EXPECTED (video.paused == 'true') OK
EVENT(canplaythrough)
EXPECTED (video.paused == 'true') OK
EVENT(play)
PLAY fired OK
END OF TEST
......@@ -7,4 +7,4 @@ if (window.testRunner) {
<iframe
style="width: 400px; height: 600px"
sandbox="allow-scripts allow-same-origin"
src="resources/no-auto-play-in-sandbox-iframe.html"></iframe>
src="resources/auto-play-in-sandbox-with-allow-scripts-iframe.html"></iframe>
<base href="..">
<video autoplay controls></video>
<p>Test that play event does not fire when "src" set with an autoplay attribute in a sandbox.</p>
<p>Test that play event fires when "src" set with an autoplay attribute in a sandbox with allows-scripts.</p>
<script src=media-file.js></script>
<script src=video-test.js></script>
<script>
testExpected("video.paused", true);
waitForEvent('play', function () {
logResult(false, "PLAY fired");
waitForEvent('play', function () {
logResult(true, "PLAY fired");
endTest();
} );
function testPaused ()
{
testExpected("video.paused", true);
endTest();
}
waitForEvent('canplaythrough', function () { setTimeout(testPaused, 500);} );
video.src = findMediaFile("video", "content/test");
</script>
2012-09-04 Christophe Dumez <christophe.dumez@intel.com>
Automatic features should work in sandboxed iframes if "allow-scripts" flag is set
https://bugs.webkit.org/show_bug.cgi?id=93961
Reviewed by Adam Barth.
Allow automatic features (video autoplay and form control
autofocus) in a sandboxed iframe that has "allow-scripts"
flag set. This behavior is according to the latest
specification at:
http://dev.w3.org/html5/spec/browsers.html#attr-iframe-sandbox-allow-same-origin
This sandboxed automatic features browsing context flag is
relaxed by the same keyword as scripts, because when
scripts are enabled these features are trivially possible
anyway, and it would be unfortunate to force authors to
use script to do them when sandboxed rather than allowing
them to use the declarative features.
Tests: fast/forms/autofocus-in-sandbox-with-allow-scripts.html
media/auto-play-in-sandbox-with-allow-scripts.html
* dom/SecurityContext.cpp:
(WebCore::SecurityContext::parseSandboxPolicy):
2012-09-04 Sami Kyostila <skyostil@google.com>
Register scrolling layers with ScrollingCoordinator
......@@ -106,9 +106,10 @@ SandboxFlags SecurityContext::parseSandboxPolicy(const String& policy)
flags &= ~SandboxOrigin;
else if (equalIgnoringCase(sandboxToken, "allow-forms"))
flags &= ~SandboxForms;
else if (equalIgnoringCase(sandboxToken, "allow-scripts"))
else if (equalIgnoringCase(sandboxToken, "allow-scripts")) {
flags &= ~SandboxScripts;
else if (equalIgnoringCase(sandboxToken, "allow-top-navigation"))
flags &= ~SandboxAutomaticFeatures;
} else if (equalIgnoringCase(sandboxToken, "allow-top-navigation"))
flags &= ~SandboxTopNavigation;
else if (equalIgnoringCase(sandboxToken, "allow-popups"))
flags &= ~SandboxPopups;
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment