Add |sandboxed download without user activation browsing context flag…

…| and relevant specifications.

Add |sandboxed download without user activation browsing context flag| and relevant specifications.

See whatwg#3236 for more context.

source

@@ -23302,6 +23302,35 @@ document.body.appendChild(wbr);</code></pre>
   nefarious activity. (This is to protect users from being made to download sensitive personal or
   confidential information without their full understanding.)</p>
 
+  <p>The following <dfn>allowed to download algorithm</dfn> returns if download is allowed:</p>
+
+  <ol>
+    <li><p>Let <var>initiator browsing context</var> be null.</p></li>
+
+    <li><p>Let <var>instantiator browsing context</var> be null.</p></li>
+
+    <li><p>If the download was from a <span data-x="downloading hyperlinks">hyperlink</span> with
+    download attribute, set <var>initiator browsing context</var> to be the
+    <span data-x="concept-document-bc">browsing context</span> of the <code>Document</code> having
+    the hyperlink.</p></li>
+
+    <li><p>Otherwise, the download was resulted from a
+    <span data-x="process a navigate response">navigation</span>. Set <var>initiator browsing
+    context</var> to be the <span>source browsing context</span> of the navigation.
+    Set <var>instantiator browsing context</var> to the browsing context being
+    <span data-x="navigate">navigated</span>.</p></li>
+
+    <li><p>If any one of the <var>initiator browsing context</var> or the <var>instantiator browsing
+    context</var>'s <span>active sandboxing flag set</span> has its <span>sandboxed download without
+    user activation browsing context flag</span> set, and the hyperlink activation or the navigation
+    action was not <span>triggered by user activation</span>, return false.</p></li>
+
+    <li><p>Optionally, act in a user-agent-defined manner to safeguard the user from a potentially
+    hostile download and return false.</p></li>
+
+    <li><p>Return true.</p></li>
+  </ol>
+
   <div w-nodev>
 
   <hr>
@@ -23312,6 +23341,7 @@ document.body.appendChild(wbr);</code></pre>
 
   <ol>
    <li><p>If <var>subject</var> <span>cannot navigate</span>, then return.</p></li>
+   <li><p>If the <span>allowed to download algorithm</span> returns false, then return.</p></li>
 
    <li><p><span data-x="parse a url">Parse</span> the <span>URL</span> given by
    <var>subject</var>'s <code data-x="attr-hyperlink-href">href</code> attribute, relative to
@@ -23343,11 +23373,18 @@ document.body.appendChild(wbr);</code></pre>
    </li>
   </ol>
 
-  <p>When a user agent is to handle a resource obtained from a fetch <dfn>as a download</dfn>, act
-  in a user-agent-defined manner to safeguard the user from a potentially hostile download. If the
-  download is not to be aborted, it should provide the user with a way to save the resource for
-  later use, if a resource is successfully obtained; or otherwise should report any problems
-  downloading the file to the user.</p>
+  <p>When a user agent is to handle a resource obtained from a fetch <dfn>as a download</dfn>, it
+  should run the <span>allowed to download algorithm</span> if the algorithm didn't run before the
+  fetch, and</p>
+
+  <ol>
+    <li><p>If the algorithm already ran before fetch, or if the algorithm returns true, the user
+    agent should provide the user with a way to save the resource for later use, if a resource is
+    successfully obtained; or otherwise should report any problems downloading the file to the
+    user.</p></li>
+    <li><p>Otherwise (if the algorithm returns false), the user agent should cancel the ongoing
+    fetch if it's still in progress. The resource is no longer in need to be handled.</p></li>
+  </ol>
 
   <p>If the user agent needs a file name for a resource being handled <span>as a download</span>, it
   should select one using the following algorithm.</p>
@@ -30136,8 +30173,10 @@ interface <dfn>HTMLIFrameElement</dfn> : <span>HTMLElement</span> {
   <code data-x="attr-iframe-sandbox-allow-presentation">allow-presentation</code>, <code
   data-x="attr-iframe-sandbox-allow-same-origin">allow-same-origin</code>, <code
   data-x="attr-iframe-sandbox-allow-scripts">allow-scripts</code>, <code
-  data-x="attr-iframe-sandbox-allow-top-navigation">allow-top-navigation</code>, and <code
-  data-x="attr-iframe-sandbox-allow-top-navigation-by-user-activation">allow-top-navigation-by-user-activation</code>.</p>
+  data-x="attr-iframe-sandbox-allow-top-navigation">allow-top-navigation</code>, <code
+  data-x="attr-iframe-sandbox-allow-top-navigation-by-user-activation">
+  allow-top-navigation-by-user-activation</code>, and <code
+  data-x="attr-iframe-sandbox-allow-downloads-without-user-activation">allow-downloads-without-user-activation</code>.</p>
 
   <p>When the attribute is set, the content is treated as being from a unique <span>origin</span>,
   forms, scripts, and various potentially annoying APIs are disabled, links are prevented from
@@ -80386,6 +80425,18 @@ interface <dfn>BarProp</dfn> {
 
    </dd>
 
+   <dt>The <dfn data-export="">sandboxed download without user activation browsing context flag
+   </dfn></dt>
+
+   <dd>
+
+    <p>This flag prevents content from initiating or instantiating downloads without user
+    activation, whether through <span data-x="downloading hyperlinks">downloading hyperlinks</span>
+    or through <span data-x="process a navigate response">navigation</span> that gets handled <span>as a
+    download</span>.</p>
+
+   </dd>
+
  </dl>
 
   <p>When the user agent is to <dfn data-export="">parse a sandboxing directive</dfn>, given a
@@ -80487,6 +80538,11 @@ interface <dfn>BarProp</dfn> {
      data-x="attr-iframe-sandbox-allow-presentation">allow-presentation</code></dfn>
      keyword.</p></li>
 
+     <li><p>The <span>sandboxed download without user activation browsing context flag</span>,
+     unless <var>tokens</var> contains the <dfn><code
+     data-x="attr-iframe-sandbox-allow-downloads-without-user-activation">
+     allow-downloads-without-user-activation</code></dfn> keyword.</p></li>
+
     </ul>
 
    </li>