Comment on attachment 633735 iframe sandbox v17
>+ static PRUint32 ParseSandboxAttributeToFlags(const nsAString& >+ aSandboxAttr); Odd indentation. aSandboxAttr should fit in to the previous line.
>+ if (token.LowerCaseEqualsLiteral("allow-scripts")) { >+ out &= ~SANDBOXED_SCRIPTS; >+ } else if (token.LowerCaseEqualsLiteral("allow-same-origin")) { >+ out &= ~SANDBOXED_ORIGIN; >+ } else if (token.LowerCaseEqualsLiteral("allow-forms")) { >+ out &= ~SANDBOXED_FORMS; >+ } else if (token.LowerCaseEqualsLiteral("allow-scripts")) { >+ // allow-scripts removes both SANDBOXED_SCRIPTS and >+ // SANDBOXED_AUTOMATIC_FEATURES. >+ out &= ~SANDBOXED_SCRIPTS; >+ out &= ~SANDBOXED_AUTOMATIC_FEATURES; >+ } else if (token.LowerCaseEqualsLiteral("allow-top-navigation")) { >+ out &= ~SANDBOXED_TOPLEVEL_NAVIGATION; >+ } >+ } >+ }
So why you don't handle allow-popups? And why you handle allow-scripts twice? Do you have any tests for not having SANDBOXED_AUTOMATIC_FEATURES?
Comment on attachment 633735
iframe sandbox v17
>+ static PRUint32 ParseSandboxAtt ributeToFlags( const nsAString&
>+ aSandboxAttr);
Odd indentation. aSandboxAttr should fit in to the previous line.
>+ if (token. LowerCaseEquals Literal( "allow- scripts" )) { LowerCaseEquals Literal( "allow- same-origin" )) { LowerCaseEquals Literal( "allow- forms") ) { LowerCaseEquals Literal( "allow- scripts" )) { AUTOMATIC_ FEATURES. AUTOMATIC_ FEATURES; LowerCaseEquals Literal( "allow- top-navigation" )) { TOPLEVEL_ NAVIGATION;
>+ out &= ~SANDBOXED_SCRIPTS;
>+ } else if (token.
>+ out &= ~SANDBOXED_ORIGIN;
>+ } else if (token.
>+ out &= ~SANDBOXED_FORMS;
>+ } else if (token.
>+ // allow-scripts removes both SANDBOXED_SCRIPTS and
>+ // SANDBOXED_
>+ out &= ~SANDBOXED_SCRIPTS;
>+ out &= ~SANDBOXED_
>+ } else if (token.
>+ out &= ~SANDBOXED_
>+ }
>+ }
>+ }
So why you don't handle allow-popups? AUTOMATIC_ FEATURES?
And why you handle allow-scripts twice?
Do you have any tests for not having SANDBOXED_