Specify the sandbox directive
author Adam Barth <w3c@adambarth.com>
Mon, 05 Dec 2011 15:09:21 -0800
changeset 68 4c2800b7c1b4
parent 67 2d30c32f5a36
child 69 10800f38ca22
Specify the sandbox directive
csp-specification.dev.html
     1.1 --- a/csp-specification.dev.html	Tue Nov 29 12:03:08 2011 -0800
     1.2 +++ b/csp-specification.dev.html	Mon Dec 05 15:09:21 2011 -0800
     1.3 @@ -1001,9 +1001,26 @@
     1.4        <section>
     1.5          <h4><code>sandbox</code></h4>
     1.6  
     1.7 -        <p class="issue">A future version of this document might include a
     1.8 -        <code>sandbox</code> directive for controlling the HTML5 sandbox
     1.9 -        flags.</p>
    1.10 +        <p>The <code>sandbox</code> directive specifies an HTML sandbox policy
    1.11 +        that the user agent applies to the protected document. The syntax for
    1.12 +        the name and value of the directive are described by the following
    1.13 +        ABNF grammar:</p>
    1.14 +
    1.15 +<pre>
    1.16 +directive-name    = "sandbox"
    1.17 +directive-value   = token *( 1*WSP token )
    1.18 +token             = &lt;token from RFC 2616&gt;
    1.19 +</pre>
    1.20 +
    1.21 +        <p>When enforcing the <code>sandbox</code> directive, the user agent
    1.22 +        MUST set the <a href="http://www.w3.org/TR/html5/the-iframe-element.html#attr-iframe-sandbox">sandbox
    1.23 +        flags</a> for the protected document as if the document where a nested
    1.24 +        browsing context within a document with sandbox flags given by the the
    1.25 +        <code>directive-value</code>.</p>
    1.26 +
    1.27 +        <p class="issue">The <code>sandbox</code> directive might be removed
    1.28 +        from a future version of this document. See <a
    1.29 +        href="http://www.w3.org/2011/webappsec/track/issues/6">ISSUE-6</a>.</p>
    1.30        </section>
    1.31  
    1.32        <section>
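Review bot: The ABNF at 1.17, `directive-value = token *( 1*WSP token )`, requires at least one token, so a policy cannot carry the empty value that the iframe sandbox attribute accepts to apply every restriction. Either make the value optional, for example `directive-value = [ token *( 1*WSP token ) ]`, or say explicitly that a bare `sandbox` directive is invalid and how the user agent treats it. The new prose also needs a copy-edit before it lands: at 1.11-1.12 "The syntax ... are described" should read "is described", at 1.23 "as if the document where a nested browsing context" should read "were", and at 1.24 "the the" is doubled.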