Add allow-top-navigation-by-user-activation sandbox token

domenic · Alice Boxhall · commit c7ba397f0a4c · 2019-01-08T09:48:02.000+11:00
Fixes WICG/interventions#42.
diff --git a/source b/source
@@ -28453,8 +28453,9 @@ interface <dfn>HTMLIFrameElement</dfn> : <span>HTMLElement</span> {
   data-x="attr-iframe-sandbox-allow-popups-to-escape-sandbox">allow-popups-to-escape-sandbox</code>,
   <code data-x="attr-iframe-sandbox-allow-presentation">allow-presentation</code>, <code
   data-x="attr-iframe-sandbox-allow-same-origin">allow-same-origin</code>, <code
-  data-x="attr-iframe-sandbox-allow-scripts">allow-scripts</code>, and <code
-  data-x="attr-iframe-sandbox-allow-top-navigation">allow-top-navigation</code>.</p>
+  data-x="attr-iframe-sandbox-allow-scripts">allow-scripts</code>, <code
+  data-x="attr-iframe-sandbox-allow-top-navigation">allow-top-navigation</code>, and <code
+  data-x="attr-iframe-sandbox-allow-top-navigation-by-user-activation">allow-top-navigation-by-user-activation</code>.</p>
 
   <p>When the attribute is set, the content is treated as being from a unique <span>origin</span>,
   forms, scripts, and various potentially annoying APIs are disabled, links are prevented from
@@ -28463,7 +28464,11 @@ interface <dfn>HTMLIFrameElement</dfn> : <span>HTMLElement</span> {
   the content to be treated as being from its real origin instead of forcing it into a unique
   origin; the <code data-x="attr-iframe-sandbox-allow-top-navigation">allow-top-navigation</code>
   keyword allows the content to <span>navigate</span> its <span>top-level browsing context</span>;
-  and the <code data-x="attr-iframe-sandbox-allow-forms">allow-forms</code>, <code
+  the <code
+  data-x="attr-iframe-sandbox-allow-top-navigation-by-user-activation">allow-top-navigation-by-user-activation</code>
+  keyword behaves similarly but only allows such <span data-x="navigate">navigation</span> when
+  <span>triggered by user activation</span>; and the <code
+  data-x="attr-iframe-sandbox-allow-forms">allow-forms</code>, <code
   data-x="attr-iframe-sandbox-allow-modals">allow-modals</code>, <code
   data-x="attr-iframe-sandbox-allow-orientation-lock">allow-orientation-lock</code>, <code
   data-x="attr-iframe-sandbox-allow-pointer-lock">allow-pointer-lock</code>, <code
@@ -28476,6 +28481,13 @@ interface <dfn>HTMLIFrameElement</dfn> : <span>HTMLElement</span> {
   context">auxiliary browsing contexts</span> respectively. <ref spec=POINTERLOCK>
   <ref spec=SCREENORIENTATION> <ref spec=PRESENTATION></p>
 
+  <p>The <code
+  data-x="attr-iframe-sandbox-allow-top-navigation">allow-top-navigation</code> and <code
+  data-x="attr-iframe-sandbox-allow-top-navigation-by-user-activation">allow-top-navigation-by-user-activation</code>
+  keywords must not both be specified, as doing so is redundant; only <code
+  data-x="attr-iframe-sandbox-allow-top-navigation">allow-top-navigation</code> will have an effect
+  in such non-conformant markup.</p>
+
   <p class="warning">Setting both the <code
   data-x="attr-iframe-sandbox-allow-scripts">allow-scripts</code> and <code
   data-x="attr-iframe-sandbox-allow-same-origin">allow-same-origin</code> keywords together when the
@@ -77280,11 +77292,23 @@ console.assert(iframeWindow.frameElement === null);
    document</span>'s <span>active sandboxing flag set</span> has its <span>sandboxed navigation
    browsing context flag</span> set, then abort these steps negatively.</p></li>
 
-   <li><p>Otherwise, if <var>B</var> is a <span>top-level browsing context</span>, and is one of the
-   <span data-x="ancestor browsing context">ancestor browsing contexts</span> of <var>A</var>, and
-   <var>A</var>'s <span>active document</span>'s <span>active sandboxing flag set</span> has its
-   <span>sandboxed top-level navigation browsing context flag</span> set, then abort these steps
-   negatively.</p></li>
+   <li>
+    <p>Otherwise, if <var>B</var> is a <span>top-level browsing context</span>, and is one of the
+    <span data-x="ancestor browsing context">ancestor browsing contexts</span> of <var>A</var>,
+    then:</p>
+
+    <ol>
+     <li><p>If this algorithm is <span>triggered by user activation</span> and <var>A</var>'s
+     <span>active document</span>'s <span>active sandboxing flag set</span> has its <span>sandboxed
+     top-level navigation with user activation browsing context flag</span> set, then abort these
+     steps negatively.</p></li>
+
+     <li><p>Otherwise, If this algorithm is not <span>triggered by user activation</span> and
+     <var>A</var>'s <span>active document</span>'s <span>active sandboxing flag set</span> has its
+     <span>sandboxed top-level navigation without user activation browsing context flag</span> set,
+     then abort these steps negatively.</p></li>
+    </ol>
+   </li>
 
    <li><p>Otherwise, if <var>B</var> is a <span>top-level browsing context</span>, and is
    neither <var>A</var> nor one of the <span data-x="ancestor browsing context">ancestor
@@ -79615,7 +79639,8 @@ callback <dfn>FrameRequestCallback</dfn> = void (<span>DOMHighResTimeStamp</span
     <span data-x="auxiliary browsing context">auxiliary browsing contexts</span> (which are protected
     by the <span>sandboxed auxiliary navigation browsing context flag</span> defined next), and the
     <span>top-level browsing context</span> (which is protected by the <span>sandboxed top-level
-    navigation browsing context flag</span> defined below).</p>
+    navigation without user activation browsing context flag</span> and <span>sandboxed top-level
+    navigation with user activation browsing context flag</span> defined below).</p>
 
     <p>If the <span>sandboxed auxiliary navigation browsing context flag</span> is not set, then in
     certain cases the restrictions nonetheless allow popups (new <span data-x="top-level browsing
@@ -79639,19 +79664,39 @@ callback <dfn>FrameRequestCallback</dfn> = void (<span>DOMHighResTimeStamp</span
    </dd>
 
 
-   <dt>The <dfn data-export="">sandboxed top-level navigation browsing context flag</dfn></dt>
+   <dt>The <dfn data-export="">sandboxed top-level navigation without user activation browsing
+   context flag</dfn></dt>
+
+   <dd>
+
+    <p>This flag <a href="#sandboxLinks">prevents content from navigating their <span>top-level
+    browsing context</span></a> and <a href="#sandboxClose">prevents content from closing their
+    <span>top-level browsing context</span></a>. It is consulted only from algorithms that are
+    <em>not</em> <span>triggered by user activation</span>.</p>
+
+    <p>When the <span>sandboxed top-level navigation without user activation browsing context
+    flag</span> is <em>not</em> set, content can navigate its <span>top-level browsing
+    context</span>, but other <span data-x="browsing context">browsing contexts</span> are still
+    protected by the <span>sandboxed navigation browsing context flag</span> and possibly
+    the <span>sandboxed auxiliary navigation browsing context flag</span>.</p>
+
+   </dd>
+
+
+   <dt>The <dfn data-export="">sandboxed top-level navigation with user activation browsing context
+   flag</dfn></dt>
 
    <dd>
 
     <p>This flag <a href="#sandboxLinks">prevents content from navigating their <span>top-level
     browsing context</span></a> and <a href="#sandboxClose">prevents content from closing their
-    <span>top-level browsing context</span></a>.</p>
+    <span>top-level browsing context</span></a>. It is consulted only from algorithms that
+    <em>are</em> <span>triggered by user activation</span>.</p>
 
-    <p>When the <span>sandboxed top-level navigation browsing context flag</span> is <em>not</em>
-    set, content can navigate its <span>top-level browsing context</span>, but other <span
-    data-x="browsing context">browsing contexts</span> are still protected by the <span>sandboxed
-    navigation browsing context flag</span> and possibly the <span>sandboxed auxiliary navigation
-    browsing context flag</span>.</p>
+    <p>As with the <span>sandboxed top-level navigation without user activation browsing context
+    flag</span>, this flag only affects the <span>top-level browsing context</span>; if it is not
+    set, other <span data-x="browsing context">browsing contexts</span> might still be protected by
+    other flags.</p>
 
    </dd>
 
@@ -79811,8 +79856,21 @@ callback <dfn>FrameRequestCallback</dfn> = void (<span>DOMHighResTimeStamp</span
 
      <li><p>The <span>sandboxed auxiliary navigation browsing context flag</span>, unless <var>tokens</var> contains the <dfn><code data-x="attr-iframe-sandbox-allow-popups">allow-popups</code></dfn> keyword.</p></li>
 
-     <li><p>The <span>sandboxed top-level navigation browsing context flag</span>, unless <var>tokens</var> contains the <dfn><code data-x="attr-iframe-sandbox-allow-top-navigation">allow-top-navigation</code></dfn>
-     keyword.</p></li>
+     <li><p>The <span>sandboxed top-level navigation without user activation browsing context flag</span>, unless
+     <var>tokens</var> contains the <dfn><code
+     data-x="attr-iframe-sandbox-allow-top-navigation">allow-top-navigation</code></dfn> keyword.</p></li>
+
+     <li>
+      <p>The <span>sandboxed top-level navigation with user activation browsing context flag</span>, unless
+      <var>tokens</var> contains either the <dfn><code
+      data-x="attr-iframe-sandbox-allow-top-navigation-by-user-activation">allow-top-navigation-by-user-activation</code></dfn>
+      keyword or the <code data-x="attr-iframe-sandbox-allow-top-navigation">allow-top-navigation</code> keyword.</p>
+
+      <p class="note">This means that if the <code
+      data-x="attr-iframe-sandbox-allow-top-navigation">allow-top-navigation</code> is present, the <code
+      data-x="attr-iframe-sandbox-allow-top-navigation-by-user-activation">allow-top-navigation-by-user-activation</code>
+      keyword will have no effect. For this reason, specifying both is a document conformance error.</p>
+     </li>
 
      <li><p>The <span>sandboxed plugins browsing context flag</span>.</p></li>
 
