Changeset 127481 in webkit

Timestamp:

Sep 4, 2012 11:58:19 AM (12 years ago)

Author:

commit-queue@webkit.org

Message:

Automatic features should work in sandboxed iframes if "allow-scripts" flag is set
​https://bugs.webkit.org/show_bug.cgi?id=93961

Patch by Christophe Dumez <Christophe Dumez> on 2012-09-04
Reviewed by Adam Barth.

Source/WebCore:

Allow automatic features (video autoplay and form control
autofocus) in a sandboxed iframe that has "allow-scripts"
flag set. This behavior is according to the latest
specification at:
​http://dev.w3.org/html5/spec/browsers.html#attr-iframe-sandbox-allow-same-origin

This sandboxed automatic features browsing context flag is
relaxed by the same keyword as scripts, because when
scripts are enabled these features are trivially possible
anyway, and it would be unfortunate to force authors to
use script to do them when sandboxed rather than allowing
them to use the declarative features.

Tests: fast/forms/autofocus-in-sandbox-with-allow-scripts.html

media/auto-play-in-sandbox-with-allow-scripts.html

• dom/SecurityContext.cpp:

(WebCore::SecurityContext::parseSandboxPolicy):

LayoutTests:

Add layout tests to check that automatic features (video
autoplay and form control autofocus) are allowed / working
in sandboxed iframes if the "allow-scripts" flag is set.
This behavior is according to the latest specification at:
​http://dev.w3.org/html5/spec/browsers.html#attr-iframe-sandbox-allow-same-origin

The tests to check that automatic features are blocked in
sandboxed iframes have been removed since they relied on
the "allow-scripts" flag to work.

• fast/forms/autofocus-in-sandbox-with-allow-scripts-expected.txt: Added.
• fast/forms/autofocus-in-sandbox-with-allow-scripts.html: Renamed from LayoutTests/fast/forms/no-autofocus-in-sandbox.html.
• fast/forms/no-autofocus-in-sandbox-expected.txt: Removed.
• media/auto-play-in-sandbox-with-allow-scripts-expected.txt: Added.
• media/auto-play-in-sandbox-with-allow-scripts.html: Renamed from LayoutTests/media/no-auto-play-in-sandbox.html.
• media/no-auto-play-in-sandbox-expected.txt: Removed.
• media/resources/auto-play-in-sandbox-with-allow-scripts-iframe.html: Added.
• media/resources/no-auto-play-in-sandbox-iframe.html: Removed.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/forms/autofocus-in-sandbox-with-allow-scripts-expected.txt (added)
• LayoutTests/fast/forms/autofocus-in-sandbox-with-allow-scripts.html (moved) (moved from trunk/LayoutTests/fast/forms/no-autofocus-in-sandbox.html) (1 diff)
• LayoutTests/fast/forms/no-autofocus-in-sandbox-expected.txt (deleted)
• LayoutTests/media/auto-play-in-sandbox-with-allow-scripts-expected.txt (added)
• LayoutTests/media/auto-play-in-sandbox-with-allow-scripts.html (moved) (moved from trunk/LayoutTests/media/no-auto-play-in-sandbox.html) (1 diff)
• LayoutTests/media/no-auto-play-in-sandbox-expected.txt (deleted)
• LayoutTests/media/resources/auto-play-in-sandbox-with-allow-scripts-iframe.html (added)
• LayoutTests/media/resources/no-auto-play-in-sandbox-iframe.html (deleted)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/dom/SecurityContext.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2012-09-04  Christophe Dumez  <christophe.dumez@intel.com>
+
+        Automatic features should work in sandboxed iframes if "allow-scripts" flag is set
+        https://bugs.webkit.org/show_bug.cgi?id=93961
+
+        Reviewed by Adam Barth.
+
+        Add layout tests to check that automatic features (video
+        autoplay and form control autofocus) are allowed / working
+        in sandboxed iframes if the "allow-scripts" flag is set.
+        This behavior is according to the latest specification at:
+        http://dev.w3.org/html5/spec/browsers.html#attr-iframe-sandbox-allow-same-origin
+
+        The tests to check that automatic features are blocked in
+        sandboxed iframes have been removed since they relied on
+        the "allow-scripts" flag to work.
+
+        * fast/forms/autofocus-in-sandbox-with-allow-scripts-expected.txt: Added.
+        * fast/forms/autofocus-in-sandbox-with-allow-scripts.html: Renamed from LayoutTests/fast/forms/no-autofocus-in-sandbox.html.
+        * fast/forms/no-autofocus-in-sandbox-expected.txt: Removed.
+        * media/auto-play-in-sandbox-with-allow-scripts-expected.txt: Added.
+        * media/auto-play-in-sandbox-with-allow-scripts.html: Renamed from LayoutTests/media/no-auto-play-in-sandbox.html.
+        * media/no-auto-play-in-sandbox-expected.txt: Removed.
+        * media/resources/auto-play-in-sandbox-with-allow-scripts-iframe.html: Added.
+        * media/resources/no-auto-play-in-sandbox-iframe.html: Removed.
+
 2012-09-04  Tim Horton  <timothy_horton@apple.com>
 

trunk/LayoutTests/fast/forms/autofocus-in-sandbox-with-allow-scripts.html

@@ -3 +3 @@
     testRunner.dumpAsText();
 </script>
-This test passes if the activeElement is the body rather than the input element
-(which it would be if the sandbox didn't succeed in blocking autofocus).
+This test passes if the activeElement is the input element rather than the body
+(which it would be if the sandbox didn't allow autofocus although allow-scripts flag is set).
 <iframe sandbox="allow-scripts"
     src="data:text/html,<input autofocus onfocus><script>alert(document.activeElement.tagName)</script>"></iframe>

trunk/LayoutTests/media/auto-play-in-sandbox-with-allow-scripts.html

@@ -8 +8 @@
     style="width: 400px; height: 600px"
     sandbox="allow-scripts allow-same-origin"
-    src="resources/no-auto-play-in-sandbox-iframe.html"></iframe>
+    src="resources/auto-play-in-sandbox-with-allow-scripts-iframe.html"></iframe>

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2012-09-04  Christophe Dumez  <christophe.dumez@intel.com>
+
+        Automatic features should work in sandboxed iframes if "allow-scripts" flag is set
+        https://bugs.webkit.org/show_bug.cgi?id=93961
+
+        Reviewed by Adam Barth.
+
+        Allow automatic features (video autoplay and form control
+        autofocus) in a sandboxed iframe that has "allow-scripts"
+        flag set. This behavior is according to the latest
+        specification at:
+        http://dev.w3.org/html5/spec/browsers.html#attr-iframe-sandbox-allow-same-origin
+
+        This sandboxed automatic features browsing context flag is
+        relaxed by the same keyword as scripts, because when
+        scripts are enabled these features are trivially possible
+        anyway, and it would be unfortunate to force authors to
+        use script to do them when sandboxed rather than allowing
+        them to use the declarative features.
+
+        Tests: fast/forms/autofocus-in-sandbox-with-allow-scripts.html
+               media/auto-play-in-sandbox-with-allow-scripts.html
+
+        * dom/SecurityContext.cpp:
+        (WebCore::SecurityContext::parseSandboxPolicy):
+
 2012-09-04  Sami Kyostila  <skyostil@google.com>
 

trunk/Source/WebCore/dom/SecurityContext.cpp

@@ -107 +107 @@
         else if (equalIgnoringCase(sandboxToken, "allow-forms"))
             flags &= ~SandboxForms;
-        else if (equalIgnoringCase(sandboxToken, "allow-scripts"))
+        else if (equalIgnoringCase(sandboxToken, "allow-scripts")) {
             flags &= ~SandboxScripts;
-        else if (equalIgnoringCase(sandboxToken, "allow-top-navigation"))
+            flags &= ~SandboxAutomaticFeatures;
+        } else if (equalIgnoringCase(sandboxToken, "allow-top-navigation"))
             flags &= ~SandboxTopNavigation;
         else if (equalIgnoringCase(sandboxToken, "allow-popups"))