If you think a bug might affect users in the 57 release, please set the correct tracking and status flags for Release Management.

iframe sandbox's sandbox automatic features flag should block autoplay of video and autofocus and possibly meta refresh

NEW
Unassigned

Status

()

Core
Security
5 years ago
3 years ago

People

(Reporter: imelven, Unassigned, Mentored)

Tracking

Trunk
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

5 years ago
see http://dev.w3.org/html5/spec/origin-0.html#sandboxed-automatic-features-browsing-context-flag

according to Microsoft's test suite[1], webkit has not implemented this either

the spec mentions autoplaying video and automatically focusing on a text box - Microsoft has also decided that refresh via <meta> should also be blocked in this case

i'd like to fix these in a followup to the initial iframe sandbox work (bug 341604) landing, after discussion on whether we really want to do this and if so, which pieces of it (and if we can think of anything else we'd like to block that's an "automatic feature") 

[1] http://samples.msdn.microsoft.com/ietestcenter/#html5Sandbox
(Reporter)

Updated

5 years ago
Depends on: 341604
(Reporter)

Updated

5 years ago
Whiteboard: [mentor=imelven lang=c++]
(Reporter)

Comment 1

5 years ago
a note on <meta refresh> - Microsoft seem to consider it an 'automatic feature' also (http://www.whatwg.org/specs/web-apps/current-work/multipage/origin-0.html#sandboxed-automatic-features-browsing-context-flag) based on http://samples.msdn.microsoft.com/ietestcenter/#html5Sandbox - Webkit seems to not block it fwiw
Summary: iframe sandbox's sandbox automatic features flag should block autoplay of video and autofocus → iframe sandbox's sandbox automatic features flag should block autoplay of video and autofocus and possibly meta refresh

Comment 2

3 years ago
Hello,

Can I try as my first bug?
Ian are you still willing to mentor this bug?
Flags: needinfo?(ian.melven)
(Reporter)

Comment 4

3 years ago
(In reply to Curtis Koenig [:curtisk] from comment #3)
> Ian are you still willing to mentor this bug?

I'd love to but it's pretty unlikely I'll have time - I've removed myself as mentor and cc'd Bob in case he's willing to mentor another iframe sandbox bug.. :)
Flags: needinfo?(ian.melven)
Whiteboard: [mentor=imelven lang=c++]

Comment 5

3 years ago
(In reply to Ian Melven :imelven from comment #4)
> (In reply to Curtis Koenig [:curtisk] from comment #3)
> > Ian are you still willing to mentor this bug?
> 
> I'd love to but it's pretty unlikely I'll have time - I've removed myself as
> mentor and cc'd Bob in case he's willing to mentor another iframe sandbox
> bug.. :)

I don't know this particular part of the sandbox code, but I'm happy to help where I can.

Updated

3 years ago
Mentor: bobowencode@gmail.com
Duplicate of this bug: 1156059
See Also: → bug 1156059
You need to log in before you can comment on or make changes to this bug.