[html5] r5713 - [e] (0) note advice from an anonymous IANA reviewer
whatwg at whatwg.org
whatwg at whatwg.org
Tue Dec 7 16:52:00 PST 2010
Author: ianh
Date: 2010-12-07 16:51:58 -0800 (Tue, 07 Dec 2010)
New Revision: 5713
Modified:
complete.html
index
source
Log:
[e] (0) note advice from an anonymous IANA reviewer
Modified: complete.html
===================================================================
--- complete.html 2010-12-08 00:27:54 UTC (rev 5712)
+++ complete.html 2010-12-08 00:51:58 UTC (rev 5713)
@@ -89019,6 +89019,15 @@
as <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code> as regular
<code><a href=#text/html>text/html</a></code> files, authors should avoid using the <code title="">.html</code> or <code title="">.htm</code> extensions for
resources labeled as <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code>.</p>
+ <p>Furthermore, since the <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code> MIME
+ type impacts the origin security model, authors should be careful
+ to prevent tampering with the MIME type labeling mechanism itself
+ when documents are labeled as <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code>. If
+ an attacker can cause a file to be served as
+ <code><a href=#text/html>text/html</a></code> instead of
+ <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code>, then the sandboxing will not
+ take effect and a cross-site scripting attack will become
+ possible.</p>
<p>Beyond this, the type is identical to <code><a href=#text/html>text/html</a></code>,
and the same considerations apply.</p>
</dd>
Modified: index
===================================================================
--- index 2010-12-08 00:27:54 UTC (rev 5712)
+++ index 2010-12-08 00:51:58 UTC (rev 5713)
@@ -84923,6 +84923,15 @@
as <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code> as regular
<code><a href=#text/html>text/html</a></code> files, authors should avoid using the <code title="">.html</code> or <code title="">.htm</code> extensions for
resources labeled as <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code>.</p>
+ <p>Furthermore, since the <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code> MIME
+ type impacts the origin security model, authors should be careful
+ to prevent tampering with the MIME type labeling mechanism itself
+ when documents are labeled as <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code>. If
+ an attacker can cause a file to be served as
+ <code><a href=#text/html>text/html</a></code> instead of
+ <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code>, then the sandboxing will not
+ take effect and a cross-site scripting attack will become
+ possible.</p>
<p>Beyond this, the type is identical to <code><a href=#text/html>text/html</a></code>,
and the same considerations apply.</p>
</dd>
Modified: source
===================================================================
--- source 2010-12-08 00:27:54 UTC (rev 5712)
+++ source 2010-12-08 00:51:58 UTC (rev 5713)
@@ -102111,6 +102111,15 @@
<code>text/html</code> files, authors should avoid using the <code
title="">.html</code> or <code title="">.htm</code> extensions for
resources labeled as <code>text/html-sandboxed</code>.</p>
+ <p>Furthermore, since the <code>text/html-sandboxed</code> MIME
+ type impacts the origin security model, authors should be careful
+ to prevent tampering with the MIME type labeling mechanism itself
+ when documents are labeled as <code>text/html-sandboxed</code>. If
+ an attacker can cause a file to be served as
+ <code>text/html</code> instead of
+ <code>text/html-sandboxed</code>, then the sandboxing will not
+ take effect and a cross-site scripting attack will become
+ possible.</p>
<p>Beyond this, the type is identical to <code>text/html</code>,
and the same considerations apply.</p>
</dd>
More information about the Commit-Watchers
mailing list