[html5] r7021 - [e] (0) Mention iframe sandbox in the context of http+aes. Affected topics: HTML [...]
whatwg at whatwg.org
Tue Mar 6 16:40:52 PST 2012
Author: ianh
Date: 2012-03-06 16:40:51 -0800 (Tue, 06 Mar 2012)
New Revision: 7021
Modified:
complete.html
index
source
Log:
[e] (0) Mention iframe sandbox in the context of http+aes.
Affected topics: HTML, Security
Modified: complete.html
===================================================================
--- complete.html 2012-03-06 23:44:49 UTC (rev 7020)
+++ complete.html 2012-03-07 00:40:51 UTC (rev 7021)
@@ -240,7 +240,7 @@
<header class=head id=head><p><a class=logo href=http://www.whatwg.org/><img alt=WHATWG height=101 src=/images/logo width=101></a></p>
<hgroup><h1 class=allcaps>HTML</h1>
- <h2 class="no-num no-toc">Living Standard — Last Updated 6 March 2012</h2>
+ <h2 class="no-num no-toc">Living Standard — Last Updated 7 March 2012</h2>
</hgroup><dl><dt><strong>Web developer edition:</strong></dt>
<dd><strong><a href=http://developers.whatwg.org/>http://developers.whatwg.org/</a></strong></dd>
<dt>Multiple-page version:</dt>
@@ -94884,6 +94884,14 @@
Otherwise, an attacker can use commonalities in the resources'
plaintexts to determine the key and decrypt all the resources
sharing a key.</p>
+ <p>Authors should take care not to embed arbitrary content from
+ the same site using the same scheme, as all content using the
+ <code title="">http+aes</code> scheme on the same host (and same
+ port) shares the same <a href=#origin>origin</a> and can therefore leak
+ the keys of any other content also opened at that origin. This
+ problem can be mitigated using the <code><a href=#the-iframe-element>iframe</a></code> element and
+ the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code>
+ attribute to embed such content.</p>
<p>The security considerations that apply to <code title="">http</code> apply as well.</p>
</dd>
<!--REMOVE-TOPIC:Security-->
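Review bot: the mitigation sentence in the added paragraph is missing its condition: a sandboxed iframe is put in a unique origin only while the `allow-same-origin` keyword is absent from the `sandbox` attribute, so an author who sets `sandbox="allow-same-origin ..."` (for example to let the embedded page script its embedder) keeps the shared http+aes origin and gains nothing. Suggest making that explicit, e.g. "using the iframe element with the sandbox attribute (without the allow-same-origin keyword) to embed such content". It would also help to separate the two risks now sitting side by side: the preceding context describes key recovery from related plaintexts, while this paragraph describes same-origin access between documents; a sentence such as "This is a separate concern from key reuse:" before "Authors should take care" would keep readers from conflating them.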
@@ -94908,7 +94916,9 @@
<dt>URI scheme syntax:</dt>
<dd>Same as <code title="">http+aes</code>.</dd>
<dt>URI scheme semantics:</dt>
- <dd>Same as <code title="">http+aes</code>.</dd>
+ <dd>Same as <code title="">http+aes</code>, but using HTTP over TLS
+ (as in, HTTPS) instead of HTTP, and defaulting to the HTTPS port
+ instead of HTTP's port.</dd>
<dt>Encoding considerations:</dt>
<dd>Same as <code title="">http+aes</code>.</dd>
<dt>Applications/protocols that use this URI scheme name:</dt>
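Review bot: "defaulting to the HTTPS port instead of HTTP's port" makes the reader look the numbers up; stating them as "port 443 instead of port 80" is unambiguous and matches how the http+aes entry describes its defaults elsewhere. The aside "(as in, HTTPS)" also reads as informal for a scheme-registration entry; "using HTTP over TLS, as the https scheme does," says the same thing in the register of the surrounding dl entries.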
Modified: index
===================================================================
--- index 2012-03-06 23:44:49 UTC (rev 7020)
+++ index 2012-03-07 00:40:51 UTC (rev 7021)
@@ -240,7 +240,7 @@
<header class=head id=head><p><a class=logo href=http://www.whatwg.org/><img alt=WHATWG height=101 src=/images/logo width=101></a></p>
<hgroup><h1 class=allcaps>HTML</h1>
- <h2 class="no-num no-toc">Living Standard — Last Updated 6 March 2012</h2>
+ <h2 class="no-num no-toc">Living Standard — Last Updated 7 March 2012</h2>
</hgroup><dl><dt><strong>Web developer edition:</strong></dt>
<dd><strong><a href=http://developers.whatwg.org/>http://developers.whatwg.org/</a></strong></dd>
<dt>Multiple-page version:</dt>
@@ -94884,6 +94884,14 @@
Otherwise, an attacker can use commonalities in the resources'
plaintexts to determine the key and decrypt all the resources
sharing a key.</p>
+ <p>Authors should take care not to embed arbitrary content from
+ the same site using the same scheme, as all content using the
+ <code title="">http+aes</code> scheme on the same host (and same
+ port) shares the same <a href=#origin>origin</a> and can therefore leak
+ the keys of any other content also opened at that origin. This
+ problem can be mitigated using the <code><a href=#the-iframe-element>iframe</a></code> element and
+ the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code>
+ attribute to embed such content.</p>
<p>The security considerations that apply to <code title="">http</code> apply as well.</p>
</dd>
<!--REMOVE-TOPIC:Security-->
@@ -94908,7 +94916,9 @@
<dt>URI scheme syntax:</dt>
<dd>Same as <code title="">http+aes</code>.</dd>
<dt>URI scheme semantics:</dt>
- <dd>Same as <code title="">http+aes</code>.</dd>
+ <dd>Same as <code title="">http+aes</code>, but using HTTP over TLS
+ (as in, HTTPS) instead of HTTP, and defaulting to the HTTPS port
+ instead of HTTP's port.</dd>
<dt>Encoding considerations:</dt>
<dd>Same as <code title="">http+aes</code>.</dd>
<dt>Applications/protocols that use this URI scheme name:</dt>
Modified: source
===================================================================
--- source 2012-03-06 23:44:49 UTC (rev 7020)
+++ source 2012-03-07 00:40:51 UTC (rev 7021)
@@ -110770,6 +110770,14 @@
Otherwise, an attacker can use commonalities in the resources'
plaintexts to determine the key and decrypt all the resources
sharing a key.</p>
+ <p>Authors should take care not to embed arbitrary content from
+ the same site using the same scheme, as all content using the
+ <code title="">http+aes</code> scheme on the same host (and same
+ port) shares the same <span>origin</span> and can therefore leak
+ the keys of any other content also opened at that origin. This
+ problem can be mitigated using the <code>iframe</code> element and
+ the <code title="attr-iframe-sandbox">sandbox</code>
+ attribute to embed such content.</p>
<p>The security considerations that apply to <code
title="">http</code> apply as well.</p>
</dd>
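Review bot: this `source` hunk is the one to amend, since `complete.html` and `index` carry the same text with the cross-references already resolved (`<span>origin</span>` and `<code>iframe</code>` here become `<a href=#origin>` and `<a href=#the-iframe-element>` there), so a wording fix applied only to the generated files would be lost on the next build. The sentence "This problem can be mitigated using the iframe element and the sandbox attribute" should state that the protection depends on the `allow-same-origin` keyword being absent; with that keyword present the embedded document stays in the shared http+aes origin, which is exactly the situation the paragraph warns about. Suggested source text: "using the <code>iframe</code> element and the <code title="attr-iframe-sandbox">sandbox</code> attribute (without the <code title="attr-iframe-sandbox-allow-same-origin">allow-same-origin</code> keyword) to embed such content", with the title value adjusted to whatever anchor the build uses for that keyword.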
@@ -110799,7 +110807,9 @@
<dt>URI scheme syntax:</dt>
<dd>Same as <code title="">http+aes</code>.</dd>
<dt>URI scheme semantics:</dt>
- <dd>Same as <code title="">http+aes</code>.</dd>
+ <dd>Same as <code title="">http+aes</code>, but using HTTP over TLS
+ (as in, HTTPS) instead of HTTP, and defaulting to the HTTPS port
+ instead of HTTP's port.</dd>
<dt>Encoding considerations:</dt>
<dd>Same as <code title="">http+aes</code>.</dd>
<dt>Applications/protocols that use this URI scheme name:</dt>