[html5] r4625 - [e] (0) Mention that this example should use text/html-sandboxed.

whatwg at whatwg.org
Sun Jan 24 02:47:07 PST 2010


Author: ianh
Date: 2010-01-24 02:47:05 -0800 (Sun, 24 Jan 2010)
New Revision: 4625

Modified:
   complete.html
   index
   source
Log:
[e] (0) Mention that this example should use text/html-sandboxed.

Modified: complete.html
===================================================================
--- complete.html	2010-01-24 10:29:37 UTC (rev 4624)
+++ complete.html	2010-01-24 10:47:05 UTC (rev 4625)
@@ -19960,6 +19960,13 @@
    visible in the <code title=dom-document-cookie><a href=#dom-document-cookie>document.cookie</a></code> IDL
    attribute.</p>
 
+   <p class=warning>It is important that the server serve the
+   user-provided HTML using the <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code> MIME
+   type so that if the attacker convinces the user to visit that page
+   directly, the page doesn't run in the context of the site's origin,
+   which would make the user vulnerable to any attack found in the
+   page.</p>
+
   </div>
 
   <div class=example>
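Review bot: the added `<p class=warning>` names the goal (the user-provided HTML must not run in the site's origin) but not the failure mode: a user agent that does not implement text/html-sandboxed will not apply the sandbox, and the paragraph offers the author nothing to fall back on. Suggest adding a sentence after "...which would make the user vulnerable to any attack found in the page." along the lines of "Note that this only protects users of user agents that implement text/html-sandboxed; serving the user-provided content from a separate origin protects all users." so that readers of the example do not take the MIME type as sufficient on its own.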

Modified: index
===================================================================
--- index	2010-01-24 10:29:37 UTC (rev 4624)
+++ index	2010-01-24 10:47:05 UTC (rev 4625)
@@ -19860,6 +19860,13 @@
    visible in the <code title=dom-document-cookie><a href=#dom-document-cookie>document.cookie</a></code> IDL
    attribute.</p>
 
+   <p class=warning>It is important that the server serve the
+   user-provided HTML using the <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code> MIME
+   type so that if the attacker convinces the user to visit that page
+   directly, the page doesn't run in the context of the site's origin,
+   which would make the user vulnerable to any attack found in the
+   page.</p>
+
   </div>
 
   <div class=example>
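Review bot: "any attack found in the page" at the end of the added warning is vague about what the attacker gains; the threat is active content the attacker put in the user-provided HTML executing with the site's origin (and therefore, per the preceding sentence, seeing document.cookie). Suggest "which would let any script the attacker embedded in the page act with the site's origin and credentials". The word "directly" would also benefit from a contrast with the intended, indirect way the example embeds the content, e.g. "visit that page directly rather than as embedded by the site".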

Modified: source
===================================================================
--- source	2010-01-24 10:29:37 UTC (rev 4624)
+++ source	2010-01-24 10:47:05 UTC (rev 4625)
@@ -21257,6 +21257,13 @@
    title="dom-document-cookie">document.cookie</code> IDL
    attribute.</p>
 
+   <p class="warning">It is important that the server serve the
+   user-provided HTML using the <code>text/html-sandboxed</code> MIME
+   type so that if the attacker convinces the user to visit that page
+   directly, the page doesn't run in the context of the site's origin,
+   which would make the user vulnerable to any attack found in the
+   page.</p>
+
   </div>
 
   <div class="example">
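Review bot: in the added `<p class="warning">` the clause "which would make the user vulnerable to any attack found in the page" attaches grammatically to "the site's origin" rather than to the page running in that origin. Suggest splitting the sentence: "...the page doesn't run in the context of the site's origin. If it did, the user would be vulnerable to any attack found in the page." The same text is generated into complete.html and index, so the wording fix belongs here in source.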
