[html5] r5353 - [giow] (2) rel=stylesheet should only override HTTP same-origin, to avoid cross- [...]
whatwg at whatwg.org
Wed Aug 25 18:46:59 PDT 2010
Author: ianh
Date: 2010-08-25 18:46:58 -0700 (Wed, 25 Aug 2010)
New Revision: 5353
Modified:
complete.html
index
source
Log:
[giow] (2) rel=stylesheet should only override HTTP same-origin, to avoid cross-origin data theft
Fixing http://www.w3.org/Bugs/Public/show_bug.cgi?id=9834
Modified: complete.html
===================================================================
--- complete.html 2010-08-26 00:53:58 UTC (rev 5352)
+++ complete.html 2010-08-26 01:46:58 UTC (rev 5353)
@@ -51688,9 +51688,11 @@
<div class=impl>
<p><strong>Quirk</strong>: If the document has been set to
- <a href=#quirks-mode>quirks mode</a> and the <a href=#content-type title=Content-Type>Content-Type metadata</a> of the external
- resource is not a supported style sheet type, the user agent must
- instead assume it to be <code title="">text/css</code>.</p>
+ <a href=#quirks-mode>quirks mode</a>, has the <a href=#same-origin>same origin</a> as the
+ <a href=#url>URL</a> of the external resource<!-- CVE-2010-0654 -->, and
+ the <a href=#content-type title=Content-Type>Content-Type metadata</a> of the
+ external resource is not a supported style sheet type, the user
+ agent must instead assume it to be <code title="">text/css</code>.</p>
</div>
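Review bot: The added same-origin condition refers to "the URL of the external resource" without saying whether that is the URL named in the link or the URL the resource was finally fetched from after any HTTP redirects. Because the log message gives cross-origin data theft as the reason for the change, the sentence should state that the comparison uses the final URL, so that a link which starts same-origin and ends at another origin does not receive the text/css fallback.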
Modified: index
===================================================================
--- index 2010-08-26 00:53:58 UTC (rev 5352)
+++ index 2010-08-26 01:46:58 UTC (rev 5353)
@@ -51613,9 +51613,11 @@
<div class=impl>
<p><strong>Quirk</strong>: If the document has been set to
- <a href=#quirks-mode>quirks mode</a> and the <a href=#content-type title=Content-Type>Content-Type metadata</a> of the external
- resource is not a supported style sheet type, the user agent must
- instead assume it to be <code title="">text/css</code>.</p>
+ <a href=#quirks-mode>quirks mode</a>, has the <a href=#same-origin>same origin</a> as the
+ <a href=#url>URL</a> of the external resource<!-- CVE-2010-0654 -->, and
+ the <a href=#content-type title=Content-Type>Content-Type metadata</a> of the
+ external resource is not a supported style sheet type, the user
+ agent must instead assume it to be <code title="">text/css</code>.</p>
</div>
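Review bot: The only rationale for the added same-origin clause is the HTML comment `<!-- CVE-2010-0654 -->`, which does not appear in the rendered text. A short non-normative note after this paragraph, saying that the restriction keeps a cross-origin resource with a non-stylesheet Content-Type from being parsed as CSS, would tell implementers why the quirk is limited and make it less likely to be relaxed later.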
Modified: source
===================================================================
--- source 2010-08-26 00:53:58 UTC (rev 5352)
+++ source 2010-08-26 01:46:58 UTC (rev 5353)
@@ -57815,10 +57815,12 @@
<div class="impl">
<p><strong>Quirk</strong>: If the document has been set to
- <span>quirks mode</span> and the <span
- title="Content-Type">Content-Type metadata</span> of the external
- resource is not a supported style sheet type, the user agent must
- instead assume it to be <code title="">text/css</code>.</p>
+ <span>quirks mode</span>, has the <span>same origin</span> as the
+ <span>URL</span> of the external resource<!-- CVE-2010-0654 -->, and
+ the <span title="Content-Type">Content-Type metadata</span> of the
+ external resource is not a supported style sheet type, the user
+ agent must instead assume it to be <code
+ title="">text/css</code>.</p>
</div>
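Review bot: The rewritten sentence now chains three conditions with two different subjects ("the document has been set to ..., has the same origin as ..., and the Content-Type metadata ... is not ..."), and its second condition compares a document with a URL rather than one origin with another. Consider wording the second condition as "the document's origin is the same origin as the origin of the URL of the external resource", or setting the three conditions out as a list, so that each requirement can be read and tested on its own.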