[html5] r5713 - [e] (0) note advice from an anonymous IANA reviewer

whatwg at whatwg.org
Tue Dec 7 16:52:00 PST 2010


Author: ianh
Date: 2010-12-07 16:51:58 -0800 (Tue, 07 Dec 2010)
New Revision: 5713

Modified:
   complete.html
   index
   source
Log:
[e] (0) note advice from an anonymous IANA reviewer

Modified: complete.html
===================================================================
--- complete.html	2010-12-08 00:27:54 UTC (rev 5712)
+++ complete.html	2010-12-08 00:51:58 UTC (rev 5713)
@@ -89019,6 +89019,15 @@
     as <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code> as regular
     <code><a href=#text/html>text/html</a></code> files, authors should avoid using the <code title="">.html</code> or <code title="">.htm</code> extensions for
     resources labeled as <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code>.</p>
+    <p>Furthermore, since the <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code> MIME
+    type impacts the origin security model, authors should be careful
+    to prevent tampering with the MIME type labeling mechanism itself
+    when documents are labeled as <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code>. If
+    an attacker can cause a file to be served as
+    <code><a href=#text/html>text/html</a></code> instead of
+    <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code>, then the sandboxing will not
+    take effect and a cross-site scripting attack will become
+    possible.</p>
     <p>Beyond this, the type is identical to <code><a href=#text/html>text/html</a></code>,
     and the same considerations apply.</p>
    </dd>
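Review bot: "prevent tampering with the MIME type labeling mechanism itself" gives the author nothing concrete to check; the paragraph immediately above already shows one such mechanism (servers mapping .html/.htm to text/html), so name the others the advice is aimed at, e.g. "such as server configuration that maps file extensions to types, or upload paths where the uploader chooses the stored file name or Content-Type". It would also help to state what the attacker gains when the label is downgraded: the document is then treated as ordinary text/html, with the same origin the site's other pages get, which is why the last sentence ends in cross-site scripting. The identical text appears in the index and source hunks, so any rewording has to be applied to all three.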

Modified: index
===================================================================
--- index	2010-12-08 00:27:54 UTC (rev 5712)
+++ index	2010-12-08 00:51:58 UTC (rev 5713)
@@ -84923,6 +84923,15 @@
     as <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code> as regular
     <code><a href=#text/html>text/html</a></code> files, authors should avoid using the <code title="">.html</code> or <code title="">.htm</code> extensions for
     resources labeled as <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code>.</p>
+    <p>Furthermore, since the <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code> MIME
+    type impacts the origin security model, authors should be careful
+    to prevent tampering with the MIME type labeling mechanism itself
+    when documents are labeled as <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code>. If
+    an attacker can cause a file to be served as
+    <code><a href=#text/html>text/html</a></code> instead of
+    <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code>, then the sandboxing will not
+    take effect and a cross-site scripting attack will become
+    possible.</p>
     <p>Beyond this, the type is identical to <code><a href=#text/html>text/html</a></code>,
     and the same considerations apply.</p>
    </dd>
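Review bot: the advice is stated as a duty ("authors should be careful to prevent tampering") without the check that makes it actionable; the label that matters is the Content-Type actually sent on the wire, not the one the author configured, so suggest adding a sentence telling authors to fetch the resource and confirm the response carries text/html-sandboxed. If the editor wants to go further, anything between the origin server and the browser that can rewrite Content-Type (a cache or front-end proxy under someone else's control) is covered by the same "can cause a file to be served as text/html" wording and could be mentioned as an example. Wording must stay in sync with the same paragraph in complete.html.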

Modified: source
===================================================================
--- source	2010-12-08 00:27:54 UTC (rev 5712)
+++ source	2010-12-08 00:51:58 UTC (rev 5713)
@@ -102111,6 +102111,15 @@
     <code>text/html</code> files, authors should avoid using the <code
     title="">.html</code> or <code title="">.htm</code> extensions for
     resources labeled as <code>text/html-sandboxed</code>.</p>
+    <p>Furthermore, since the <code>text/html-sandboxed</code> MIME
+    type impacts the origin security model, authors should be careful
+    to prevent tampering with the MIME type labeling mechanism itself
+    when documents are labeled as <code>text/html-sandboxed</code>. If
+    an attacker can cause a file to be served as
+    <code>text/html</code> instead of
+    <code>text/html-sandboxed</code>, then the sandboxing will not
+    take effect and a cross-site scripting attack will become
+    possible.</p>
     <p>Beyond this, the type is identical to <code>text/html</code>,
     and the same considerations apply.</p>
    </dd>
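Review bot: the first sentence ("Furthermore, since the text/html-sandboxed MIME type impacts the origin security model, authors should be careful to prevent tampering with the MIME type labeling mechanism itself when documents are labeled as text/html-sandboxed.") carries three clauses and the trailing "when documents are labeled as text/html-sandboxed" is redundant with the subject; suggest "Because the text/html-sandboxed MIME type affects the origin security model, authors should also protect the mechanism that assigns the type." Since complete.html and index carry this exact text, if they are generated from source the hand-applied copies in this revision should match what the build would produce, otherwise the next regeneration will reopen the diff.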
