Open Bug 752551 Opened 12 years ago Updated 2 years ago

iframe sandbox's sandbox automatic features flag should block autoplay of video and autofocus and possibly meta refresh

Categories

(Core :: Security, defect)

defect

Tracking

()

People

(Reporter: imelven, Unassigned, Mentored)

References

Details

see http://dev.w3.org/html5/spec/origin-0.html#sandboxed-automatic-features-browsing-context-flag

according to Microsoft's test suite[1], webkit has not implemented this either

the spec mentions autoplaying video and automatically focusing on a text box - Microsoft has also decided that refresh via <meta> should also be blocked in this case

i'd like to fix these in a followup to the initial iframe sandbox work (bug 341604) landing, after discussion on whether we really want to do this and if so, which pieces of it (and if we can think of anything else we'd like to block that's an "automatic feature") 

[1] http://samples.msdn.microsoft.com/ietestcenter/#html5Sandbox
Depends on: framesandbox
Whiteboard: [mentor=imelven lang=c++]
a note on <meta refresh> - Microsoft seem to consider it an 'automatic feature' also (http://www.whatwg.org/specs/web-apps/current-work/multipage/origin-0.html#sandboxed-automatic-features-browsing-context-flag) based on http://samples.msdn.microsoft.com/ietestcenter/#html5Sandbox - Webkit seems to not block it fwiw
Summary: iframe sandbox's sandbox automatic features flag should block autoplay of video and autofocus → iframe sandbox's sandbox automatic features flag should block autoplay of video and autofocus and possibly meta refresh
Hello,

Can I try as my first bug?
Ian are you still willing to mentor this bug?
Flags: needinfo?(ian.melven)
(In reply to Curtis Koenig [:curtisk] from comment #3)
> Ian are you still willing to mentor this bug?

I'd love to but it's pretty unlikely I'll have time - I've removed myself as mentor and cc'd Bob in case he's willing to mentor another iframe sandbox bug.. :)
Flags: needinfo?(ian.melven)
Whiteboard: [mentor=imelven lang=c++]
(In reply to Ian Melven :imelven from comment #4)
> (In reply to Curtis Koenig [:curtisk] from comment #3)
> > Ian are you still willing to mentor this bug?
> 
> I'd love to but it's pretty unlikely I'll have time - I've removed myself as
> mentor and cc'd Bob in case he's willing to mentor another iframe sandbox
> bug.. :)

I don't know this particular part of the sandbox code, but I'm happy to help where I can.
Mentor: bobowencode
See Also: → 1156059
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.