only select browsing contextt by name within unit of related...

First cut at matching Firefox/Chrome implementation fix #262
w3c · Apr 24, 2018 · dcf22f0 · dcf22f0
1 parent 9462db4
commit dcf22f0
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 14 deletions.
diff --git a/sections/acknowledgements.include b/sections/acknowledgements.include
@@ -137,6 +137,7 @@
   "SelenIT", <!-- github -->
   Shawn Steele,
   Stéphane Deschamps,
+  Stephen Cunnliffe,
   Steve Orvell,
   Steven Faulkner,
   Steven Skelton,
@@ -149,11 +150,13 @@
   Tomek Wytrębowicz,
   Tomer Cohen,
   Travis Leithead,
+  Travis Safford,
   Trey Shugart,
   "Unor", <!-- on github -->
   "wallabag.it", <!-- twitter -->
   William Chen,
   Wolfgang Illmeyer,
+  Xioran Wang,
   and Yves Lafon
 
   This specification incorporates work of the <a href="https://www.w3.org/webperf/">Web Performance Working Group</a>, the

diff --git a/sections/browsers.include b/sections/browsers.include
@@ -573,33 +573,33 @@
 
   <hr />
 
-  <dfn>The rules for choosing a browsing context given a browsing context name</dfn> are as
-  follows. The rules assume that they are being applied in the context of a <a>browsing
-  context</a>, as part of the execution of a <a>task</a>.
+  <dfn>The rules for choosing a browsing context</dfn> as part of the execution of a task,
+  from within a given browsing context <var>context</var>, for a <a>browsing context name</a> <var>name</var>,
+  are as follows:
 
   <ol>
 
-    <li>If the given browsing context name is the empty string or <code>_self</code>, then
+    <li>If <var>name</var> is the empty string or <code>_self</code>, then
     the chosen browsing context must be the current one.</li>
 
-    <li>If the given browsing context name is <code>_parent</code>, then the chosen
+    <li>If <var>name</var> is <code>_parent</code>, then the chosen
     browsing context must be the <a><em>parent</em> browsing context</a> of the current one,
     unless there isn't one, in which case the chosen browsing context must be the current browsing
     context.</li>
 
-    <li>If the given browsing context name is <code>_top</code>, then the chosen browsing
+    <li>If <var>name</var> is <code>_top</code>, then the chosen browsing
     context must be the <a>top-level browsing context</a> of the current one, if there is one,
     or else the current browsing context.</li>
 
-    <li>If the given browsing context name is not <code>_blank</code> and there exists a
-    browsing context whose <a lt="browsing context name">name</a> is the same as the given
-    browsing context name, and the current browsing context is familiar with that
-    browsing context, and the user agent determines that the two browsing contexts are related
-    enough that it is ok if they reach each other, then that browsing context must be the chosen
+    <li>If <var>name</var> is not <code>_blank</code> and there exists a
+    browsing context whose <a lt="browsing context name">name</a> is the same as <var>name</var>,
+    within the <a>unit of related browsing contexts</a>, then that browsing context must be the chosen
     one. If there are multiple matching browsing contexts, the user agent should select one in some
     arbitrary consistent manner, such as the most recently opened, most recently focused, or more
     closely related.</li>
 
+    <p class="warning">This non-deterministic approach is likely to change in a future version of HTML.</p>
+
     <li>
     Otherwise, a new browsing context is being requested, and what happens depends on the user
     agent's configuration and abilities — it is determined by the rules given for the first
@@ -1215,7 +1215,7 @@
     </li>
 
     <li>If <var>target browsing context</var> was just created, either as part of <a>the rules
-    for choosing a browsing context given a browsing context name</a> or due to the user
+    for choosing a browsing context</a> given a browsing context name or due to the user
     indicating a preference for navigating a new <a>top-level browsing context</a>, then let
     <var>new</var> be true. Otherwise, let it be false.</li>
 
@@ -2330,8 +2330,8 @@
 
   Every <a>top-level browsing context</a> has a <dfn>popup sandboxing flag set</dfn>, which
   is a <a>sandboxing flag set</a>. When a <a>browsing context</a> is created, its
-  <a>popup sandboxing flag set</a> must be empty. It is populated by <a>the rules for
-  choosing a browsing context given a browsing context name</a>.
+  <a>popup sandboxing flag set</a> must be empty. It is populated by
+  <a>the rules for choosing a browsing context</a>.
 
   Every <a>nested browsing context</a> has an <dfn><code>iframe</code> sandboxing flag
   set</dfn>, which is a <a>sandboxing flag set</a>. Which flags in a

diff --git a/sections/changes.include b/sections/changes.include
@@ -13,6 +13,9 @@
 <h3 id="changes-wd3">Changes since the <a href="https://www.w3.org/TR/2017/WD-html53-20170206/">HTML 5.3 Second Public Working Draft</a></h3>
 
   <dl>
+  <dt><a href="https://github.com/w3c/html/pull/1406">Only elect a browsing context by name</a>
+  from within the <a>unit of related browsing contexts</a>.</dt>
+  <dd>Match Firefox and Blink changes, to mitigate <a href="https://github.com/w3c/html/issues/262">an XSS attack vector</a>.</dd>
   <dt><a href="https://github.com/w3c/html/pull/1329">Add the <code>:defined</code> psuedo-class selector definition</a></dt>
    <dd>Substantive change for custom elements.</dd>
     <dt><a href="https://github.com/w3c/html/pull/1343">Add autonomous custom elements</a></dd>