[html5] r6657 - [giow] (0) Drop text/html-sandboxed Fixing http://www.w3.org/Bugs/Public/show_bu [...]
whatwg at whatwg.org
Mon Oct 10 17:26:12 PDT 2011
Author: ianh
Date: 2011-10-10 17:26:10 -0700 (Mon, 10 Oct 2011)
New Revision: 6657
Modified:
complete.html
index
source
Log:
[giow] (0) Drop text/html-sandboxed
Fixing http://www.w3.org/Bugs/Public/show_bug.cgi?id=12390
Modified: complete.html
===================================================================
--- complete.html 2011-10-10 22:37:27 UTC (rev 6656)
+++ complete.html 2011-10-11 00:26:10 UTC (rev 6657)
@@ -1341,18 +1341,17 @@
<li><a href=#iana><span class=secno>17 </span>IANA considerations</a>
<ol>
<li><a href=#text/html><span class=secno>17.1 </span><code>text/html</code></a></li>
- <li><a href=#text/html-sandboxed><span class=secno>17.2 </span><code>text/html-sandboxed</code></a></li>
- <li><a href=#multipart/x-mixed-replace><span class=secno>17.3 </span><code>multipart/x-mixed-replace</code></a></li>
- <li><a href=#application/xhtml+xml><span class=secno>17.4 </span><code>application/xhtml+xml</code></a></li>
- <li><a href=#application/x-www-form-urlencoded><span class=secno>17.5 </span><code>application/x-www-form-urlencoded</code></a></li>
- <li><a href=#text/cache-manifest><span class=secno>17.6 </span><code>text/cache-manifest</code></a></li>
- <li><a href=#text/ping><span class=secno>17.7 </span><code>text/ping</code></a></li>
- <li><a href=#text/vtt><span class=secno>17.8 </span><code>text/vtt</code></a></li>
- <li><a href=#application/microdata+json><span class=secno>17.9 </span><code>application/microdata+json</code></a></li>
- <li><a href=#application/html-peer-connection-data><span class=secno>17.10 </span><code>application/html-peer-connection-data</code></a></li>
- <li><a href=#ping-from><span class=secno>17.11 </span><code>Ping-From</code></a></li>
- <li><a href=#ping-to><span class=secno>17.12 </span><code>Ping-To</code></a></li>
- <li><a href=#web+-scheme-prefix><span class=secno>17.13 </span><code>web+</code> scheme prefix</a></ol></li>
+ <li><a href=#multipart/x-mixed-replace><span class=secno>17.2 </span><code>multipart/x-mixed-replace</code></a></li>
+ <li><a href=#application/xhtml+xml><span class=secno>17.3 </span><code>application/xhtml+xml</code></a></li>
+ <li><a href=#application/x-www-form-urlencoded><span class=secno>17.4 </span><code>application/x-www-form-urlencoded</code></a></li>
+ <li><a href=#text/cache-manifest><span class=secno>17.5 </span><code>text/cache-manifest</code></a></li>
+ <li><a href=#text/ping><span class=secno>17.6 </span><code>text/ping</code></a></li>
+ <li><a href=#text/vtt><span class=secno>17.7 </span><code>text/vtt</code></a></li>
+ <li><a href=#application/microdata+json><span class=secno>17.8 </span><code>application/microdata+json</code></a></li>
+ <li><a href=#application/html-peer-connection-data><span class=secno>17.9 </span><code>application/html-peer-connection-data</code></a></li>
+ <li><a href=#ping-from><span class=secno>17.10 </span><code>Ping-From</code></a></li>
+ <li><a href=#ping-to><span class=secno>17.11 </span><code>Ping-To</code></a></li>
+ <li><a href=#web+-scheme-prefix><span class=secno>17.12 </span><code>web+</code> scheme prefix</a></ol></li>
<li><a class=no-num href=#index>Index</a>
<ol>
<li><a class=no-num href=#elements-1>Elements</a></li>
@@ -3136,8 +3135,8 @@
SEMICOLON characters (;). In other words, if it consists only of a
type and subtype, with no MIME Type parameters. <a href=#refsHTTP>[HTTP]</a></p>
- <p>The term <dfn id=html-mime-type>HTML MIME type</dfn> is used to refer to the <a href=#mime-type title="MIME type">MIME types</a> <code><a href=#text/html>text/html</a></code> and
- <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code>.</p>
+ <p>The term <dfn id=html-mime-type>HTML MIME type</dfn> is used to refer to the
+ <a href=#mime-type>MIME type</a> <code><a href=#text/html>text/html</a></code>.</p>
<p>A resource's <dfn id=critical-subresources>critical subresources</dfn> are those that the
resource needs to have available to be correctly processed. Which
@@ -9413,8 +9412,7 @@
cookies.</p>
<p>If the contents are <a href=#sandboxed-origin-browsing-context-flag title="sandboxed origin browsing
context flag">sandboxed into a unique origin</a> (in an
- <code><a href=#the-iframe-element>iframe</a></code> with the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute) or the
- resource was labeled as <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code>, a
+ <code><a href=#the-iframe-element>iframe</a></code> with the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute), a
<code><a href=#securityerror>SecurityError</a></code> exception will be thrown on getting and
setting.</p>
</dd>
@@ -24102,7 +24100,7 @@
an attacker can convince the user to just visit the hostile content
directly, rather than in the <code><a href=#the-iframe-element>iframe</a></code>. To limit the
damage that can be caused by hostile HTML content, it should be
- served using the <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code> MIME type.</p>
+ served from a separate dedicated domain.</p>
<div class=impl>
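Review bot: "a separate dedicated domain" in the replaced sentence is too loose to act on, because it does not say whether a subdomain of the embedding site counts. Suggest wording the requirement in terms of origin and stating that the dedicated host should share no cookies or other ambient authority with the main site, since the preceding context is about the user being convinced to "just visit the hostile content directly, rather than in the iframe".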
@@ -24289,28 +24287,20 @@
<p>In this example, some completely-unknown, potentially hostile,
user-provided HTML content is embedded in a page. Because it is
- sandboxed, it is treated by the user agent as being from a unique
- origin, despite the content being served from the same site. Thus
- it is affected by all the normal cross-site restrictions. In
- addition, the embedded page has scripting disabled, plugins
- disabled, forms disabled, and it cannot navigate any frames or
- windows other than itself (or any frames or windows it itself
- embeds).</p>
+ served from a separate domain, it is affected by all the normal
+ cross-site restrictions. In addition, the embedded page has
+ scripting disabled, plugins disabled, forms disabled, and it cannot
+ navigate any frames or windows other than itself (or any frames or
+ windows it itself embeds).</p>
<pre><p>We're not scared of you! Here is your content, unedited:</p>
-<iframe sandbox src="getusercontent.cgi?id=12193"></iframe></pre>
+<iframe sandbox src="http://usercontent.example.net/getusercontent.cgi?id=12193"></iframe></pre>
- <p>Note that cookies are still sent to the server in the <code title="">getusercontent.cgi</code> request, though they are not
- visible in the <code title=dom-document-cookie><a href=#dom-document-cookie>document.cookie</a></code> IDL
- attribute.</p>
+ <p class=warning>It is important to use a separate domain so that
+ if the attacker convinces the user to visit that page directly, the
+ page doesn't run in the context of the site's origin, which would
+ make the user vulnerable to any attack found in the page.</p>
- <p class=warning>It is important that the server serve the
- user-provided HTML using the <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code> MIME
- type so that if the attacker convinces the user to visit that page
- directly, the page doesn't run in the context of the site's origin,
- which would make the user vulnerable to any attack found in the
- page.</p>
-
</div>
<div class=example>
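Review bot: The rewritten opening paragraph credits the cross-site restrictions only to "served from a separate domain" and no longer says that the sandbox attribute makes the user agent treat the content as being from a unique origin. Both apply to this example, and inside the frame the unique origin is what keeps one usercontent.example.net document away from another. Suggest keeping both causes, for example "Because it is sandboxed and served from a separate domain, ...".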
@@ -24367,13 +24357,11 @@
</div>
- <p class=note>Potentially hostile files can be served from the
- same server as the file containing the <code><a href=#the-iframe-element>iframe</a></code> element
- by labeling them as <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code> instead of
- <code><a href=#text/html>text/html</a></code>. This ensures that scripts in the files are
- unable to attack the site (as if they were actually served from
- another server), even if the user is tricked into visiting those
- pages directly, without the protection of the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute.</p>
+ <p class=note>Potentially hostile files should not be served from
+ the same server as the file containing the <code><a href=#the-iframe-element>iframe</a></code>
+ element. Using a different domain ensures that scripts in the files
+ are unable to attack the site, even if the user is tricked into
+ visiting those pages directly, without the protection of the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute.</p>
<p class=warning>If the <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code>
keyword is set along with <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code>
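Review bot: The new note changes terms between its two sentences: "should not be served from the same server" and then "Using a different domain ensures ...". The isolation comes from the origin, not from which machine answers the request, so "server" in the first sentence should read "domain" (or "origin") to match the second sentence and the warning this revision adds to the earlier example.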
@@ -24663,7 +24651,6 @@
<li>The element's <code><a href=#document>Document</a></code> is <a href=#fully-active>fully active</a>.</li>
<li>The element has either a <code title=attr-embed-src><a href=#attr-embed-src>src</a></code> attribute set or a <code title=attr-embed-type><a href=#attr-embed-type>type</a></code> attribute set (or both).</li>
<li>The element's <code title=attr-embed-src><a href=#attr-embed-src>src</a></code> attribute is either absent or its value is the empty string.</li>
- <li>The element's <code><a href=#document>Document</a></code> was not parsed from a resource whose <a href=#content-type-sniffing-0 title="Content-Type sniffing">sniffed type</a> as determined during <a href=#navigate title=navigate>navigation</a> is <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code> (unless this has been overridden as described above).</li>
<li>The element is not a descendant of a <a href=#media-element>media element</a>.</li>
<li>The element is not a descendant of an <code><a href=#the-object-element>object</a></code> element that is not showing its <a href=#fallback-content>fallback content</a>.</li>
</ul><p>Whenever an <code><a href=#the-embed-element>embed</a></code> element that was not <a href=#concept-embed-active title=concept-embed-active>potentially active</a> becomes <a href=#concept-embed-active title=concept-embed-active>potentially active</a>, and whenever
@@ -24719,27 +24706,19 @@
be unloaded.</p>
<p id=sandboxPluginEmbed>When a <a href=#plugin>plugin</a> is to be
- instantiated but it cannot be <a href=#concept-plugin-secure title=concept-plugin-secure>secured</a> and either:
+ instantiated but it cannot be <a href=#concept-plugin-secure title=concept-plugin-secure>secured</a> and the <a href=#sandboxed-plugins-browsing-context-flag>sandboxed
+ plugins browsing context flag</a> was set on the <a href=#browsing-context>browsing
+ context</a> for which the <code><a href=#the-embed-element>embed</a></code> element's
+ <code><a href=#document>Document</a></code> is the <a href=#active-document>active document</a> when that
+ <code><a href=#document>Document</a></code> was created, then the user agent must not
+ instantiate the <a href=#plugin>plugin</a>, and must instead render the
+ <code><a href=#the-embed-element>embed</a></code> element in a manner that conveys that the
+ <a href=#plugin>plugin</a> was disabled. The user agent may offer the user
+ the option to override the sandbox and instantiate the
+ <a href=#plugin>plugin</a> anyway; if the user invokes such an option, the
+ user agent must act as if the conditions above did not apply for the
+ purposes of this element.</p>
- <ul><li>the <a href=#sandboxed-plugins-browsing-context-flag>sandboxed plugins browsing context flag</a> was
- set on the <a href=#browsing-context>browsing context</a> for which the
- <code><a href=#the-embed-element>embed</a></code> element's <code><a href=#document>Document</a></code> is the
- <a href=#active-document>active document</a> when that <code><a href=#document>Document</a></code> was
- created, or</li>
-
- <li>the <code><a href=#the-embed-element>embed</a></code> element's <code><a href=#document>Document</a></code> was
- parsed from a resource whose <a href=#content-type-sniffing-0 title="Content-Type
- sniffing">sniffed type</a> as determined during <a href=#navigate title=navigate>navigation</a> is
- <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code></li>
-
- </ul><p>...then the user agent must not instantiate the
- <a href=#plugin>plugin</a>, and must instead render the <code><a href=#the-embed-element>embed</a></code>
- element in a manner that conveys that the <a href=#plugin>plugin</a> was
- disabled. The user agent may offer the user the option to override
- the sandbox and instantiate the <a href=#plugin>plugin</a> anyway; if the
- user invokes such an option, the user agent must act as if the
- conditions above did not apply for the purposes of this element.</p>
-
<p class=warning>Plugins that cannot be <a href=#concept-plugin-secure title=concept-plugin-secure>secured</a> are disabled in
sandboxed browsing contexts because they might not honor the
restrictions imposed by the sandbox (e.g. they might allow scripting
@@ -25525,19 +25504,12 @@
context</a>.</p>
<p id=sandboxPluginObject>Plugins are considered sandboxed for the
- purpose of an <code><a href=#the-object-element>object</a></code> element if either:</p>
+ purpose of an <code><a href=#the-object-element>object</a></code> element if the <a href=#sandboxed-plugins-browsing-context-flag>sandboxed
+ plugins browsing context flag</a> was set on the
+ <code><a href=#the-object-element>object</a></code> element's <code><a href=#document>Document</a></code>'s <a href=#browsing-context>browsing
+ context</a> when the <code><a href=#document>Document</a></code> was created.</p>
- <ul><li>the <a href=#sandboxed-plugins-browsing-context-flag>sandboxed plugins browsing context flag</a> was
- set on the <code><a href=#the-object-element>object</a></code> element's <code><a href=#document>Document</a></code>'s
- <a href=#browsing-context>browsing context</a> when the <code><a href=#document>Document</a></code> was
- created, or</li>
-
- <li>the <code><a href=#the-object-element>object</a></code> element's <code><a href=#document>Document</a></code> was
- parsed from a resource whose <a href=#content-type-sniffing-0 title="Content-Type
- sniffing">sniffed type</a> as determined during <a href=#navigate title=navigate>navigation</a> is
- <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code></li>
-
- </ul><p class=note>The above algorithm is independent of CSS properties
+ <p class=note>The above algorithm is independent of CSS properties
(including 'display', 'overflow', and 'visibility'). For example, it
runs even if the element is hidden with a 'display:none' CSS style,
and does not run <em>again</em> if the element's visibility
@@ -63290,9 +63262,6 @@
browsing context flag</a> was set when the
<code><a href=#document>Document</a></code> was created</dt>
- <dt>If a <code><a href=#document>Document</a></code> was generated from a resource
- labeled as <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code></dt>
-
<dd>The <a href=#origin>origin</a> is a globally unique identifier
assigned when the <code><a href=#document>Document</a></code> is created.</dd>
@@ -64891,7 +64860,6 @@
following list, and process the resource as described there:</p>
<dl class=switch><!-- an <span>HTML MIME type</span> --><dt>"<code><a href=#text/html>text/html</a></code>"</dt>
- <dt>"<code><a href=#text/html-sandboxed>text/html-sandboxed</a></code>"</dt>
<dd>Follow the steps given in the <a href=#read-html title=navigate-html>HTML document</a> section, and abort
these steps.</dd>
@@ -70859,7 +70827,6 @@
<ul class=brief><li><code><a href=#text/cache-manifest>text/cache-manifest</a></code></li>
<li><code>text/css</code></li>
- <li><code><a href=#text/html-sandboxed>text/html-sandboxed</a></code></li>
<li><code><a href=#text/html>text/html</a></code></li>
<li><code><a href=#text/ping>text/ping</a></code></li>
<li><code>text/plain</code></li>
@@ -96280,10 +96247,7 @@
<a href=#fully-active>fully active</a>, and when the element's
<code><a href=#document>Document</a></code>'s <a href=#browsing-context>browsing context</a> had its
<a href=#sandboxed-plugins-browsing-context-flag>sandboxed plugins browsing context flag</a> when that
- <code><a href=#document>Document</a></code> was created, and when the element's
- <code><a href=#document>Document</a></code> was parsed from a resource whose <a href=#content-type-sniffing-0 title="Content-Type sniffing">sniffed type</a> as determined
- during <a href=#navigate title=navigate>navigation</a> is
- <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code>, and when the element has an
+ <code><a href=#document>Document</a></code> was created, and when the element has an
ancestor <a href=#media-element>media element</a>, and when the element has an
ancestor <code><a href=#the-object-element>object</a></code> element that is <em>not</em> showing
its <a href=#fallback-content>fallback content</a>, and when no Java Language runtime
@@ -97528,91 +97492,10 @@
provide state information for in-page scripts.</p>
- <h3 id=text/html-sandboxed><span class=secno>17.2 </span><dfn><code>text/html-sandboxed</code></dfn></h3>
- <p>This registration is for community review and will be submitted
- to the IESG for review, approval, and registration with IANA.</p>
- <!--
- To: ietf-types at iana.org
- Subject: Registration of media type text/html-sandboxed
- -->
+ <h3 id=multipart/x-mixed-replace><span class=secno>17.2 </span><dfn><code>multipart/x-mixed-replace</code></dfn></h3>
- <dl><dt>Type name:</dt>
- <dd>text</dd>
- <dt>Subtype name:</dt>
- <dd>html-sandboxed</dd>
- <dt>Required parameters:</dt>
- <dd>No required parameters</dd>
- <dt>Optional parameters:</dt>
- <dd>Same as for <code><a href=#text/html>text/html</a></code></dd>
- <dt>Encoding considerations:</dt>
- <dd>Same as for <code><a href=#text/html>text/html</a></code></dd>
- <dt>Security considerations:</dt>
- <dd>
- <p>The purpose of the <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code> MIME type
- is to provide a way for content providers to indicate that they
- want the file to be interpreted in a manner that does not give the
- file's contents access to the rest of the site. This is achieved
- by assigning the <code><a href=#document>Document</a></code> objects generated from
- resources labeled as <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code> unique
- origins.</p>
- <p>To avoid having legacy user agents treating resources labeled
- as <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code> as regular
- <code><a href=#text/html>text/html</a></code> files, authors should avoid using the <code title="">.html</code> or <code title="">.htm</code> extensions for
- resources labeled as <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code>.</p>
- <p>Furthermore, since the <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code> MIME
- type impacts the origin security model, authors should be careful
- to prevent tampering with the MIME type labeling mechanism itself
- when documents are labeled as <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code>. If
- an attacker can cause a file to be served as
- <code><a href=#text/html>text/html</a></code> instead of
- <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code>, then the sandboxing will not
- take effect and a cross-site scripting attack will become
- possible.</p>
- <p>Beyond this, the type is identical to <code><a href=#text/html>text/html</a></code>,
- and the same considerations apply.</p>
- </dd>
- <dt>Interoperability considerations:</dt>
- <dd>Same as for <code><a href=#text/html>text/html</a></code></dd>
- <dt>Published specification:</dt>
- <dd>
- This document is the relevant specification. Labeling a resource
- with the <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code> type asserts that the
- resource is an <a href=#html-documents title="HTML documents">HTML document</a>
- using <a href=#syntax>the HTML syntax</a>.
- </dd>
- <dt>Applications that use this media type:</dt>
- <dd>Same as for <code><a href=#text/html>text/html</a></code></dd>
- <dt>Additional information:</dt>
- <dd>
- <dl><dt>Magic number(s):</dt>
- <dd>Documents labeled as <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code> are
- heuristically indistinguishable from those labeled as
- <code><a href=#text/html>text/html</a></code>.</dd>
- <dt>File extension(s):</dt>
- <dd>"<code title="">sandboxed</code>"</dd>
- <dt>Macintosh file type code(s):</dt>
- <dd><code title="">TEXT</code></dd>
- </dl></dd>
- <dt>Person & email address to contact for further information:</dt>
- <dd>Ian Hickson <ian at hixie.ch></dd>
- <dt>Intended usage:</dt>
- <dd>Common</dd>
- <dt>Restrictions on usage:</dt>
- <dd>No restrictions apply.</dd>
- <dt>Author:</dt>
- <dd>Ian Hickson <ian at hixie.ch></dd>
- <dt>Change controller:</dt>
- <dd>W3C</dd>
- </dl><p>Fragment identifiers used with <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code>
- resources either refer to <a href=#the-indicated-part-of-the-document>the indicated part of the
- document</a> or provide state information for in-page
- scripts.</p>
-
-
- <h3 id=multipart/x-mixed-replace><span class=secno>17.3 </span><dfn><code>multipart/x-mixed-replace</code></dfn></h3>
-
<p>This registration is for community review and will be submitted
to the IESG for review, approval, and registration with IANA.</p>
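Review bot: With the whole registration deleted, nothing in this change tells authors or implementers what to do with resources already labeled text/html-sandboxed. The removed security considerations warned that serving such a file as text/html instead means "a cross-site scripting attack will become possible", and the navigation hunk drops the type from the HTML branch. Suggest a short non-normative note that the type is no longer supported and that such files must not simply be relabeled as text/html on the site's own origin. The id=text/html-sandboxed anchor also disappears, so inbound links to it will break.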
@@ -97676,7 +97559,7 @@
part as defined by the type used by that body part.</p>
- <h3 id=application/xhtml+xml><span class=secno>17.4 </span><dfn><code>application/xhtml+xml</code></dfn></h3>
+ <h3 id=application/xhtml+xml><span class=secno>17.3 </span><dfn><code>application/xhtml+xml</code></dfn></h3>
<p>This registration is for community review and will be submitted
to the IESG for review, approval, and registration with IANA.</p>
@@ -97741,7 +97624,7 @@
type</a>. <a href=#refsRFC3023>[RFC3023]</a></p>
- <h3 id=application/x-www-form-urlencoded><span class=secno>17.5 </span><dfn><code>application/x-www-form-urlencoded</code></dfn></h3>
+ <h3 id=application/x-www-form-urlencoded><span class=secno>17.4 </span><dfn><code>application/x-www-form-urlencoded</code></dfn></h3>
<p>This registration is for community review and will be submitted
to the IESG for review, approval, and registration with IANA.</p>
@@ -97808,7 +97691,7 @@
identifiers.</p>
- <h3 id=text/cache-manifest><span class=secno>17.6 </span><dfn><code>text/cache-manifest</code></dfn></h3>
+ <h3 id=text/cache-manifest><span class=secno>17.5 </span><dfn><code>text/cache-manifest</code></dfn></h3>
<p>This registration is for community review and will be submitted
to the IESG for review, approval, and registration with IANA.</p>
@@ -97879,7 +97762,7 @@
<!--PING-->
- <h3 id=text/ping><span class=secno>17.7 </span><dfn><code>text/ping</code></dfn></h3>
+ <h3 id=text/ping><span class=secno>17.6 </span><dfn><code>text/ping</code></dfn></h3>
<p>This registration is for community review and will be submitted
to the IESG for review, approval, and registration with IANA.</p>
@@ -97944,7 +97827,7 @@
<!--TTVTT-->
<div data-component="other Hixie drafts (editor: Ian Hickson)">
- <h3 id=text/vtt><span class=secno>17.8 </span><dfn><code>text/vtt</code></dfn></h3>
+ <h3 id=text/vtt><span class=secno>17.7 </span><dfn><code>text/vtt</code></dfn></h3>
<p>This registration is for community review and will be submitted
to the IESG for review, approval, and registration with IANA.</p>
@@ -98025,7 +97908,7 @@
<!--MD-->
- <h3 id=application/microdata+json><span class=secno>17.9 </span><dfn><code>application/microdata+json</code></dfn></h3>
+ <h3 id=application/microdata+json><span class=secno>17.8 </span><dfn><code>application/microdata+json</code></dfn></h3>
<p>This registration is for community review and will be submitted
@@ -98097,7 +97980,7 @@
<!--PEERCONNECTION-->
- <h3 id=application/html-peer-connection-data><span class=secno>17.10 </span><dfn><code>application/html-peer-connection-data</code></dfn></h3>
+ <h3 id=application/html-peer-connection-data><span class=secno>17.9 </span><dfn><code>application/html-peer-connection-data</code></dfn></h3>
<p>This registration is for community review and will be submitted
to the IESG for review, approval, and registration with IANA.</p>
@@ -98178,7 +98061,7 @@
<!--PING-->
- <h3 id=ping-from><span class=secno>17.11 </span><dfn title=http-ping-from><code>Ping-From</code></dfn></h3>
+ <h3 id=ping-from><span class=secno>17.10 </span><dfn title=http-ping-from><code>Ping-From</code></dfn></h3>
<p>This section describes a header field for registration in the
Permanent Message Header Field Registry. <a href=#refsRFC3864>[RFC3864]</a></p>
@@ -98197,7 +98080,7 @@
</dd>
<dt>Related information</dt>
<dd>None.</dd>
- </dl><h3 id=ping-to><span class=secno>17.12 </span><dfn title=http-ping-to><code>Ping-To</code></dfn></h3>
+ </dl><h3 id=ping-to><span class=secno>17.11 </span><dfn title=http-ping-to><code>Ping-To</code></dfn></h3>
<p>This section describes a header field for registration in the
Permanent Message Header Field Registry. <a href=#refsRFC3864>[RFC3864]</a></p>
@@ -98216,7 +98099,7 @@
</dd>
<dt>Related information</dt>
<dd>None.</dd>
- </dl><!--PING--><h3 id=web+-scheme-prefix><span class=secno>17.13 </span><dfn title=scheme-web><code>web+</code> scheme prefix</dfn></h3>
+ </dl><!--PING--><h3 id=web+-scheme-prefix><span class=secno>17.12 </span><dfn title=scheme-web><code>web+</code> scheme prefix</dfn></h3>
<p>This section describes a convention for use with the IANA URI
scheme registry. It does not itself register a specific scheme. <a href=#refsRFC4395>[RFC4395]</a></p>
Modified: index
===================================================================
--- index 2011-10-10 22:37:27 UTC (rev 6656)
+++ index 2011-10-11 00:26:10 UTC (rev 6657)
@@ -1341,18 +1341,17 @@
<li><a href=#iana><span class=secno>17 </span>IANA considerations</a>
<ol>
<li><a href=#text/html><span class=secno>17.1 </span><code>text/html</code></a></li>
- <li><a href=#text/html-sandboxed><span class=secno>17.2 </span><code>text/html-sandboxed</code></a></li>
- <li><a href=#multipart/x-mixed-replace><span class=secno>17.3 </span><code>multipart/x-mixed-replace</code></a></li>
- <li><a href=#application/xhtml+xml><span class=secno>17.4 </span><code>application/xhtml+xml</code></a></li>
- <li><a href=#application/x-www-form-urlencoded><span class=secno>17.5 </span><code>application/x-www-form-urlencoded</code></a></li>
- <li><a href=#text/cache-manifest><span class=secno>17.6 </span><code>text/cache-manifest</code></a></li>
- <li><a href=#text/ping><span class=secno>17.7 </span><code>text/ping</code></a></li>
- <li><a href=#text/vtt><span class=secno>17.8 </span><code>text/vtt</code></a></li>
- <li><a href=#application/microdata+json><span class=secno>17.9 </span><code>application/microdata+json</code></a></li>
- <li><a href=#application/html-peer-connection-data><span class=secno>17.10 </span><code>application/html-peer-connection-data</code></a></li>
- <li><a href=#ping-from><span class=secno>17.11 </span><code>Ping-From</code></a></li>
- <li><a href=#ping-to><span class=secno>17.12 </span><code>Ping-To</code></a></li>
- <li><a href=#web+-scheme-prefix><span class=secno>17.13 </span><code>web+</code> scheme prefix</a></ol></li>
+ <li><a href=#multipart/x-mixed-replace><span class=secno>17.2 </span><code>multipart/x-mixed-replace</code></a></li>
+ <li><a href=#application/xhtml+xml><span class=secno>17.3 </span><code>application/xhtml+xml</code></a></li>
+ <li><a href=#application/x-www-form-urlencoded><span class=secno>17.4 </span><code>application/x-www-form-urlencoded</code></a></li>
+ <li><a href=#text/cache-manifest><span class=secno>17.5 </span><code>text/cache-manifest</code></a></li>
+ <li><a href=#text/ping><span class=secno>17.6 </span><code>text/ping</code></a></li>
+ <li><a href=#text/vtt><span class=secno>17.7 </span><code>text/vtt</code></a></li>
+ <li><a href=#application/microdata+json><span class=secno>17.8 </span><code>application/microdata+json</code></a></li>
+ <li><a href=#application/html-peer-connection-data><span class=secno>17.9 </span><code>application/html-peer-connection-data</code></a></li>
+ <li><a href=#ping-from><span class=secno>17.10 </span><code>Ping-From</code></a></li>
+ <li><a href=#ping-to><span class=secno>17.11 </span><code>Ping-To</code></a></li>
+ <li><a href=#web+-scheme-prefix><span class=secno>17.12 </span><code>web+</code> scheme prefix</a></ol></li>
<li><a class=no-num href=#index>Index</a>
<ol>
<li><a class=no-num href=#elements-1>Elements</a></li>
@@ -3136,8 +3135,8 @@
SEMICOLON characters (;). In other words, if it consists only of a
type and subtype, with no MIME Type parameters. <a href=#refsHTTP>[HTTP]</a></p>
- <p>The term <dfn id=html-mime-type>HTML MIME type</dfn> is used to refer to the <a href=#mime-type title="MIME type">MIME types</a> <code><a href=#text/html>text/html</a></code> and
- <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code>.</p>
+ <p>The term <dfn id=html-mime-type>HTML MIME type</dfn> is used to refer to the
+ <a href=#mime-type>MIME type</a> <code><a href=#text/html>text/html</a></code>.</p>
<p>A resource's <dfn id=critical-subresources>critical subresources</dfn> are those that the
resource needs to have available to be correctly processed. Which
@@ -9413,8 +9412,7 @@
cookies.</p>
<p>If the contents are <a href=#sandboxed-origin-browsing-context-flag title="sandboxed origin browsing
context flag">sandboxed into a unique origin</a> (in an
- <code><a href=#the-iframe-element>iframe</a></code> with the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute) or the
- resource was labeled as <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code>, a
+ <code><a href=#the-iframe-element>iframe</a></code> with the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute), a
<code><a href=#securityerror>SecurityError</a></code> exception will be thrown on getting and
setting.</p>
</dd>
@@ -24102,7 +24100,7 @@
an attacker can convince the user to just visit the hostile content
directly, rather than in the <code><a href=#the-iframe-element>iframe</a></code>. To limit the
damage that can be caused by hostile HTML content, it should be
- served using the <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code> MIME type.</p>
+ served from a separate dedicated domain.</p>
<div class=impl>
@@ -24289,28 +24287,20 @@
<p>In this example, some completely-unknown, potentially hostile,
user-provided HTML content is embedded in a page. Because it is
- sandboxed, it is treated by the user agent as being from a unique
- origin, despite the content being served from the same site. Thus
- it is affected by all the normal cross-site restrictions. In
- addition, the embedded page has scripting disabled, plugins
- disabled, forms disabled, and it cannot navigate any frames or
- windows other than itself (or any frames or windows it itself
- embeds).</p>
+ served from a separate domain, it is affected by all the normal
+ cross-site restrictions. In addition, the embedded page has
+ scripting disabled, plugins disabled, forms disabled, and it cannot
+ navigate any frames or windows other than itself (or any frames or
+ windows it itself embeds).</p>
<pre><p>We're not scared of you! Here is your content, unedited:</p>
-<iframe sandbox src="getusercontent.cgi?id=12193"></iframe></pre>
+<iframe sandbox src="http://usercontent.example.net/getusercontent.cgi?id=12193"></iframe></pre>
- <p>Note that cookies are still sent to the server in the <code title="">getusercontent.cgi</code> request, though they are not
- visible in the <code title=dom-document-cookie><a href=#dom-document-cookie>document.cookie</a></code> IDL
- attribute.</p>
+ <p class=warning>It is important to use a separate domain so that
+ if the attacker convinces the user to visit that page directly, the
+ page doesn't run in the context of the site's origin, which would
+ make the user vulnerable to any attack found in the page.</p>
- <p class=warning>It is important that the server serve the
- user-provided HTML using the <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code> MIME
- type so that if the attacker convinces the user to visit that page
- directly, the page doesn't run in the context of the site's origin,
- which would make the user vulnerable to any attack found in the
- page.</p>
-
</div>
<div class=example>
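Review bot: the rewritten first paragraph no longer says the content is sandboxed, so the sentence "In addition, the embedded page has scripting disabled, plugins disabled, forms disabled, ..." now has no stated cause. A reader could take those restrictions as a consequence of the separate domain rather than of the sandbox attribute on the iframe in the example. Suggest opening with "Because it is sandboxed and served from a separate domain" or attributing the second sentence to the sandbox attribute explicitly.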
@@ -24367,13 +24357,11 @@
</div>
- <p class=note>Potentially hostile files can be served from the
- same server as the file containing the <code><a href=#the-iframe-element>iframe</a></code> element
- by labeling them as <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code> instead of
- <code><a href=#text/html>text/html</a></code>. This ensures that scripts in the files are
- unable to attack the site (as if they were actually served from
- another server), even if the user is tricked into visiting those
- pages directly, without the protection of the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute.</p>
+ <p class=note>Potentially hostile files should not be served from
+ the same server as the file containing the <code><a href=#the-iframe-element>iframe</a></code>
+ element. Using a different domain ensures that scripts in the files
+ are unable to attack the site, even if the user is tricked into
+ visiting those pages directly, without the protection of the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute.</p>
<p class=warning>If the <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code>
keyword is set along with <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code>
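Review bot: the added note mixes two terms. Its first sentence says files "should not be served from the same server", while its second says "Using a different domain ensures ...". These are not interchangeable, since one server can answer for several domains, and the other hunks in this commit say "separate dedicated domain" and "separate domain". Suggest using "domain" in both sentences, for example "should not be served from the same domain as the file containing the iframe element".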
@@ -24663,7 +24651,6 @@
<li>The element's <code><a href=#document>Document</a></code> is <a href=#fully-active>fully active</a>.</li>
<li>The element has either a <code title=attr-embed-src><a href=#attr-embed-src>src</a></code> attribute set or a <code title=attr-embed-type><a href=#attr-embed-type>type</a></code> attribute set (or both).</li>
<li>The element's <code title=attr-embed-src><a href=#attr-embed-src>src</a></code> attribute is either absent or its value is the empty string.</li>
- <li>The element's <code><a href=#document>Document</a></code> was not parsed from a resource whose <a href=#content-type-sniffing-0 title="Content-Type sniffing">sniffed type</a> as determined during <a href=#navigate title=navigate>navigation</a> is <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code> (unless this has been overridden as described above).</li>
<li>The element is not a descendant of a <a href=#media-element>media element</a>.</li>
<li>The element is not a descendant of an <code><a href=#the-object-element>object</a></code> element that is not showing its <a href=#fallback-content>fallback content</a>.</li>
</ul><p>Whenever an <code><a href=#the-embed-element>embed</a></code> element that was not <a href=#concept-embed-active title=concept-embed-active>potentially active</a> becomes <a href=#concept-embed-active title=concept-embed-active>potentially active</a>, and whenever
@@ -24719,27 +24706,19 @@
be unloaded.</p>
<p id=sandboxPluginEmbed>When a <a href=#plugin>plugin</a> is to be
- instantiated but it cannot be <a href=#concept-plugin-secure title=concept-plugin-secure>secured</a> and either:
+ instantiated but it cannot be <a href=#concept-plugin-secure title=concept-plugin-secure>secured</a> and the <a href=#sandboxed-plugins-browsing-context-flag>sandboxed
+ plugins browsing context flag</a> was set on the <a href=#browsing-context>browsing
+ context</a> for which the <code><a href=#the-embed-element>embed</a></code> element's
+ <code><a href=#document>Document</a></code> is the <a href=#active-document>active document</a> when that
+ <code><a href=#document>Document</a></code> was created, then the user agent must not
+ instantiate the <a href=#plugin>plugin</a>, and must instead render the
+ <code><a href=#the-embed-element>embed</a></code> element in a manner that conveys that the
+ <a href=#plugin>plugin</a> was disabled. The user agent may offer the user
+ the option to override the sandbox and instantiate the
+ <a href=#plugin>plugin</a> anyway; if the user invokes such an option, the
+ user agent must act as if the conditions above did not apply for the
+ purposes of this element.</p>
- <ul><li>the <a href=#sandboxed-plugins-browsing-context-flag>sandboxed plugins browsing context flag</a> was
- set on the <a href=#browsing-context>browsing context</a> for which the
- <code><a href=#the-embed-element>embed</a></code> element's <code><a href=#document>Document</a></code> is the
- <a href=#active-document>active document</a> when that <code><a href=#document>Document</a></code> was
- created, or</li>
-
- <li>the <code><a href=#the-embed-element>embed</a></code> element's <code><a href=#document>Document</a></code> was
- parsed from a resource whose <a href=#content-type-sniffing-0 title="Content-Type
- sniffing">sniffed type</a> as determined during <a href=#navigate title=navigate>navigation</a> is
- <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code></li>
-
- </ul><p>...then the user agent must not instantiate the
- <a href=#plugin>plugin</a>, and must instead render the <code><a href=#the-embed-element>embed</a></code>
- element in a manner that conveys that the <a href=#plugin>plugin</a> was
- disabled. The user agent may offer the user the option to override
- the sandbox and instantiate the <a href=#plugin>plugin</a> anyway; if the
- user invokes such an option, the user agent must act as if the
- conditions above did not apply for the purposes of this element.</p>
-
<p class=warning>Plugins that cannot be <a href=#concept-plugin-secure title=concept-plugin-secure>secured</a> are disabled in
sandboxed browsing contexts because they might not honor the
restrictions imposed by the sandbox (e.g. they might allow scripting
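Review bot: "the conditions above" in the last sentence of the merged paragraph used to point at the bulleted list. With the list folded into one clause, it is no longer clear whether the phrase covers only the sandboxed plugins browsing context flag or also the "cannot be secured" clause. Suggest naming what the user override suspends, for example "must act as if the sandboxed plugins browsing context flag had not been set for the purposes of this element", if that is the intent.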
@@ -25525,19 +25504,12 @@
context</a>.</p>
<p id=sandboxPluginObject>Plugins are considered sandboxed for the
- purpose of an <code><a href=#the-object-element>object</a></code> element if either:</p>
+ purpose of an <code><a href=#the-object-element>object</a></code> element if the <a href=#sandboxed-plugins-browsing-context-flag>sandboxed
+ plugins browsing context flag</a> was set on the
+ <code><a href=#the-object-element>object</a></code> element's <code><a href=#document>Document</a></code>'s <a href=#browsing-context>browsing
+ context</a> when the <code><a href=#document>Document</a></code> was created.</p>
- <ul><li>the <a href=#sandboxed-plugins-browsing-context-flag>sandboxed plugins browsing context flag</a> was
- set on the <code><a href=#the-object-element>object</a></code> element's <code><a href=#document>Document</a></code>'s
- <a href=#browsing-context>browsing context</a> when the <code><a href=#document>Document</a></code> was
- created, or</li>
-
- <li>the <code><a href=#the-object-element>object</a></code> element's <code><a href=#document>Document</a></code> was
- parsed from a resource whose <a href=#content-type-sniffing-0 title="Content-Type
- sniffing">sniffed type</a> as determined during <a href=#navigate title=navigate>navigation</a> is
- <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code></li>
-
- </ul><p class=note>The above algorithm is independent of CSS properties
+ <p class=note>The above algorithm is independent of CSS properties
(including 'display', 'overflow', and 'visibility'). For example, it
runs even if the element is hidden with a 'display:none' CSS style,
and does not run <em>again</em> if the element's visibility
@@ -63290,9 +63262,6 @@
browsing context flag</a> was set when the
<code><a href=#document>Document</a></code> was created</dt>
- <dt>If a <code><a href=#document>Document</a></code> was generated from a resource
- labeled as <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code></dt>
-
<dd>The <a href=#origin>origin</a> is a globally unique identifier
assigned when the <code><a href=#document>Document</a></code> is created.</dd>
@@ -64891,7 +64860,6 @@
following list, and process the resource as described there:</p>
<dl class=switch><!-- an <span>HTML MIME type</span> --><dt>"<code><a href=#text/html>text/html</a></code>"</dt>
- <dt>"<code><a href=#text/html-sandboxed>text/html-sandboxed</a></code>"</dt>
<dd>Follow the steps given in the <a href=#read-html title=navigate-html>HTML document</a> section, and abort
these steps.</dd>
@@ -70859,7 +70827,6 @@
<ul class=brief><li><code><a href=#text/cache-manifest>text/cache-manifest</a></code></li>
<li><code>text/css</code></li>
- <li><code><a href=#text/html-sandboxed>text/html-sandboxed</a></code></li>
<li><code><a href=#text/html>text/html</a></code></li>
<li><code><a href=#text/ping>text/ping</a></code></li>
<li><code>text/plain</code></li>
@@ -96280,10 +96247,7 @@
<a href=#fully-active>fully active</a>, and when the element's
<code><a href=#document>Document</a></code>'s <a href=#browsing-context>browsing context</a> had its
<a href=#sandboxed-plugins-browsing-context-flag>sandboxed plugins browsing context flag</a> when that
- <code><a href=#document>Document</a></code> was created, and when the element's
- <code><a href=#document>Document</a></code> was parsed from a resource whose <a href=#content-type-sniffing-0 title="Content-Type sniffing">sniffed type</a> as determined
- during <a href=#navigate title=navigate>navigation</a> is
- <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code>, and when the element has an
+ <code><a href=#document>Document</a></code> was created, and when the element has an
ancestor <a href=#media-element>media element</a>, and when the element has an
ancestor <code><a href=#the-object-element>object</a></code> element that is <em>not</em> showing
its <a href=#fallback-content>fallback content</a>, and when no Java Language runtime
@@ -97528,91 +97492,10 @@
provide state information for in-page scripts.</p>
- <h3 id=text/html-sandboxed><span class=secno>17.2 </span><dfn><code>text/html-sandboxed</code></dfn></h3>
- <p>This registration is for community review and will be submitted
- to the IESG for review, approval, and registration with IANA.</p>
- <!--
- To: ietf-types at iana.org
- Subject: Registration of media type text/html-sandboxed
- -->
+ <h3 id=multipart/x-mixed-replace><span class=secno>17.2 </span><dfn><code>multipart/x-mixed-replace</code></dfn></h3>
- <dl><dt>Type name:</dt>
- <dd>text</dd>
- <dt>Subtype name:</dt>
- <dd>html-sandboxed</dd>
- <dt>Required parameters:</dt>
- <dd>No required parameters</dd>
- <dt>Optional parameters:</dt>
- <dd>Same as for <code><a href=#text/html>text/html</a></code></dd>
- <dt>Encoding considerations:</dt>
- <dd>Same as for <code><a href=#text/html>text/html</a></code></dd>
- <dt>Security considerations:</dt>
- <dd>
- <p>The purpose of the <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code> MIME type
- is to provide a way for content providers to indicate that they
- want the file to be interpreted in a manner that does not give the
- file's contents access to the rest of the site. This is achieved
- by assigning the <code><a href=#document>Document</a></code> objects generated from
- resources labeled as <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code> unique
- origins.</p>
- <p>To avoid having legacy user agents treating resources labeled
- as <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code> as regular
- <code><a href=#text/html>text/html</a></code> files, authors should avoid using the <code title="">.html</code> or <code title="">.htm</code> extensions for
- resources labeled as <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code>.</p>
- <p>Furthermore, since the <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code> MIME
- type impacts the origin security model, authors should be careful
- to prevent tampering with the MIME type labeling mechanism itself
- when documents are labeled as <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code>. If
- an attacker can cause a file to be served as
- <code><a href=#text/html>text/html</a></code> instead of
- <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code>, then the sandboxing will not
- take effect and a cross-site scripting attack will become
- possible.</p>
- <p>Beyond this, the type is identical to <code><a href=#text/html>text/html</a></code>,
- and the same considerations apply.</p>
- </dd>
- <dt>Interoperability considerations:</dt>
- <dd>Same as for <code><a href=#text/html>text/html</a></code></dd>
- <dt>Published specification:</dt>
- <dd>
- This document is the relevant specification. Labeling a resource
- with the <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code> type asserts that the
- resource is an <a href=#html-documents title="HTML documents">HTML document</a>
- using <a href=#syntax>the HTML syntax</a>.
- </dd>
- <dt>Applications that use this media type:</dt>
- <dd>Same as for <code><a href=#text/html>text/html</a></code></dd>
- <dt>Additional information:</dt>
- <dd>
- <dl><dt>Magic number(s):</dt>
- <dd>Documents labeled as <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code> are
- heuristically indistinguishable from those labeled as
- <code><a href=#text/html>text/html</a></code>.</dd>
- <dt>File extension(s):</dt>
- <dd>"<code title="">sandboxed</code>"</dd>
- <dt>Macintosh file type code(s):</dt>
- <dd><code title="">TEXT</code></dd>
- </dl></dd>
- <dt>Person & email address to contact for further information:</dt>
- <dd>Ian Hickson <ian at hixie.ch></dd>
- <dt>Intended usage:</dt>
- <dd>Common</dd>
- <dt>Restrictions on usage:</dt>
- <dd>No restrictions apply.</dd>
- <dt>Author:</dt>
- <dd>Ian Hickson <ian at hixie.ch></dd>
- <dt>Change controller:</dt>
- <dd>W3C</dd>
- </dl><p>Fragment identifiers used with <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code>
- resources either refer to <a href=#the-indicated-part-of-the-document>the indicated part of the
- document</a> or provide state information for in-page
- scripts.</p>
-
-
- <h3 id=multipart/x-mixed-replace><span class=secno>17.3 </span><dfn><code>multipart/x-mixed-replace</code></dfn></h3>
-
<p>This registration is for community review and will be submitted
to the IESG for review, approval, and registration with IANA.</p>
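Review bot: the 17.2 registration is deleted with no replacement text for authors who already label resources as text/html-sandboxed. This diff also removes that type from the navigation list that routes a resource to the HTML document steps. In addition, the id=text/html-sandboxed anchor disappears for anyone linking to it. Suggest a short note in the text/html section or next to the iframe sandbox advice stating that the type was dropped and pointing to the separate-domain recommendation.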
@@ -97676,7 +97559,7 @@
part as defined by the type used by that body part.</p>
- <h3 id=application/xhtml+xml><span class=secno>17.4 </span><dfn><code>application/xhtml+xml</code></dfn></h3>
+ <h3 id=application/xhtml+xml><span class=secno>17.3 </span><dfn><code>application/xhtml+xml</code></dfn></h3>
<p>This registration is for community review and will be submitted
to the IESG for review, approval, and registration with IANA.</p>
@@ -97741,7 +97624,7 @@
type</a>. <a href=#refsRFC3023>[RFC3023]</a></p>
- <h3 id=application/x-www-form-urlencoded><span class=secno>17.5 </span><dfn><code>application/x-www-form-urlencoded</code></dfn></h3>
+ <h3 id=application/x-www-form-urlencoded><span class=secno>17.4 </span><dfn><code>application/x-www-form-urlencoded</code></dfn></h3>
<p>This registration is for community review and will be submitted
to the IESG for review, approval, and registration with IANA.</p>
@@ -97808,7 +97691,7 @@
identifiers.</p>
- <h3 id=text/cache-manifest><span class=secno>17.6 </span><dfn><code>text/cache-manifest</code></dfn></h3>
+ <h3 id=text/cache-manifest><span class=secno>17.5 </span><dfn><code>text/cache-manifest</code></dfn></h3>
<p>This registration is for community review and will be submitted
to the IESG for review, approval, and registration with IANA.</p>
@@ -97879,7 +97762,7 @@
<!--PING-->
- <h3 id=text/ping><span class=secno>17.7 </span><dfn><code>text/ping</code></dfn></h3>
+ <h3 id=text/ping><span class=secno>17.6 </span><dfn><code>text/ping</code></dfn></h3>
<p>This registration is for community review and will be submitted
to the IESG for review, approval, and registration with IANA.</p>
@@ -97944,7 +97827,7 @@
<!--TTVTT-->
<div data-component="other Hixie drafts (editor: Ian Hickson)">
- <h3 id=text/vtt><span class=secno>17.8 </span><dfn><code>text/vtt</code></dfn></h3>
+ <h3 id=text/vtt><span class=secno>17.7 </span><dfn><code>text/vtt</code></dfn></h3>
<p>This registration is for community review and will be submitted
to the IESG for review, approval, and registration with IANA.</p>
@@ -98025,7 +97908,7 @@
<!--MD-->
- <h3 id=application/microdata+json><span class=secno>17.9 </span><dfn><code>application/microdata+json</code></dfn></h3>
+ <h3 id=application/microdata+json><span class=secno>17.8 </span><dfn><code>application/microdata+json</code></dfn></h3>
<p>This registration is for community review and will be submitted
@@ -98097,7 +97980,7 @@
<!--PEERCONNECTION-->
- <h3 id=application/html-peer-connection-data><span class=secno>17.10 </span><dfn><code>application/html-peer-connection-data</code></dfn></h3>
+ <h3 id=application/html-peer-connection-data><span class=secno>17.9 </span><dfn><code>application/html-peer-connection-data</code></dfn></h3>
<p>This registration is for community review and will be submitted
to the IESG for review, approval, and registration with IANA.</p>
@@ -98178,7 +98061,7 @@
<!--PING-->
- <h3 id=ping-from><span class=secno>17.11 </span><dfn title=http-ping-from><code>Ping-From</code></dfn></h3>
+ <h3 id=ping-from><span class=secno>17.10 </span><dfn title=http-ping-from><code>Ping-From</code></dfn></h3>
<p>This section describes a header field for registration in the
Permanent Message Header Field Registry. <a href=#refsRFC3864>[RFC3864]</a></p>
@@ -98197,7 +98080,7 @@
</dd>
<dt>Related information</dt>
<dd>None.</dd>
- </dl><h3 id=ping-to><span class=secno>17.12 </span><dfn title=http-ping-to><code>Ping-To</code></dfn></h3>
+ </dl><h3 id=ping-to><span class=secno>17.11 </span><dfn title=http-ping-to><code>Ping-To</code></dfn></h3>
<p>This section describes a header field for registration in the
Permanent Message Header Field Registry. <a href=#refsRFC3864>[RFC3864]</a></p>
@@ -98216,7 +98099,7 @@
</dd>
<dt>Related information</dt>
<dd>None.</dd>
- </dl><!--PING--><h3 id=web+-scheme-prefix><span class=secno>17.13 </span><dfn title=scheme-web><code>web+</code> scheme prefix</dfn></h3>
+ </dl><!--PING--><h3 id=web+-scheme-prefix><span class=secno>17.12 </span><dfn title=scheme-web><code>web+</code> scheme prefix</dfn></h3>
<p>This section describes a convention for use with the IANA URI
scheme registry. It does not itself register a specific scheme. <a href=#refsRFC4395>[RFC4395]</a></p>
Modified: source
===================================================================
--- source 2011-10-10 22:37:27 UTC (rev 6656)
+++ source 2011-10-11 00:26:10 UTC (rev 6657)
@@ -1993,9 +1993,8 @@
type and subtype, with no MIME Type parameters. <a
href="#refsHTTP">[HTTP]</a></p>
- <p>The term <dfn>HTML MIME type</dfn> is used to refer to the <span
- title="MIME type">MIME types</span> <code>text/html</code> and
- <code>text/html-sandboxed</code>.</p>
+ <p>The term <dfn>HTML MIME type</dfn> is used to refer to the
+ <span>MIME type</span> <code>text/html</code>.</p>
<p>A resource's <dfn>critical subresources</dfn> are those that the
resource needs to have available to be correctly processed. Which
@@ -9451,8 +9450,7 @@
<p>If the contents are <span title="sandboxed origin browsing
context flag">sandboxed into a unique origin</span> (in an
<code>iframe</code> with the <code
- title="attr-iframe-sandbox">sandbox</code> attribute) or the
- resource was labeled as <code>text/html-sandboxed</code>, a
+ title="attr-iframe-sandbox">sandbox</code> attribute), a
<code>SecurityError</code> exception will be thrown on getting and
setting.</p>
</dd>
@@ -25812,7 +25810,7 @@
an attacker can convince the user to just visit the hostile content
directly, rather than in the <code>iframe</code>. To limit the
damage that can be caused by hostile HTML content, it should be
- served using the <code>text/html-sandboxed</code> MIME type.</p>
+ served from a separate dedicated domain.</p>
<div class="impl">
@@ -26027,30 +26025,20 @@
<p>In this example, some completely-unknown, potentially hostile,
user-provided HTML content is embedded in a page. Because it is
- sandboxed, it is treated by the user agent as being from a unique
- origin, despite the content being served from the same site. Thus
- it is affected by all the normal cross-site restrictions. In
- addition, the embedded page has scripting disabled, plugins
- disabled, forms disabled, and it cannot navigate any frames or
- windows other than itself (or any frames or windows it itself
- embeds).</p>
+ served from a separate domain, it is affected by all the normal
+ cross-site restrictions. In addition, the embedded page has
+ scripting disabled, plugins disabled, forms disabled, and it cannot
+ navigate any frames or windows other than itself (or any frames or
+ windows it itself embeds).</p>
<pre><p>We're not scared of you! Here is your content, unedited:</p>
-<iframe sandbox src="getusercontent.cgi?id=12193"></iframe></pre>
+<iframe sandbox src="http://usercontent.example.net/getusercontent.cgi?id=12193"></iframe></pre>
- <p>Note that cookies are still sent to the server in the <code
- title="">getusercontent.cgi</code> request, though they are not
- visible in the <code
- title="dom-document-cookie">document.cookie</code> IDL
- attribute.</p>
+ <p class="warning">It is important to use a separate domain so that
+ if the attacker convinces the user to visit that page directly, the
+ page doesn't run in the context of the site's origin, which would
+ make the user vulnerable to any attack found in the page.</p>
- <p class="warning">It is important that the server serve the
- user-provided HTML using the <code>text/html-sandboxed</code> MIME
- type so that if the attacker convinces the user to visit that page
- directly, the page doesn't run in the context of the site's origin,
- which would make the user vulnerable to any attack found in the
- page.</p>
-
</div>
<div class="example">
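Review bot: the cookie note ("cookies are still sent to the server in the getusercontent.cgi request, though they are not visible in the document.cookie IDL attribute") is deleted outright rather than reworded for the new URL. The added warning does not say whether the same behaviour applies to requests for usercontent.example.net. Suggest either keeping a reworded version of the note or recording in the log why it is no longer relevant, so authors know whether cookies on the user-content domain need attention.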
@@ -26113,13 +26101,11 @@
</div>
- <p class="note">Potentially hostile files can be served from the
- same server as the file containing the <code>iframe</code> element
- by labeling them as <code>text/html-sandboxed</code> instead of
- <code>text/html</code>. This ensures that scripts in the files are
- unable to attack the site (as if they were actually served from
- another server), even if the user is tricked into visiting those
- pages directly, without the protection of the <code
+ <p class="note">Potentially hostile files should not be served from
+ the same server as the file containing the <code>iframe</code>
+ element. Using a different domain ensures that scripts in the files
+ are unable to attack the site, even if the user is tricked into
+ visiting those pages directly, without the protection of the <code
title="attr-iframe-sandbox">sandbox</code> attribute.</p>
<p class="warning">If the <code
@@ -26444,7 +26430,6 @@
<li>The element's <code>Document</code> is <span>fully active</span>.</li>
<li>The element has either a <code title="attr-embed-src">src</code> attribute set or a <code title="attr-embed-type">type</code> attribute set (or both).</li>
<li>The element's <code title="attr-embed-src">src</code> attribute is either absent or its value is the empty string.</li>
- <li>The element's <code>Document</code> was not parsed from a resource whose <span title="Content-Type sniffing">sniffed type</span> as determined during <span title="navigate">navigation</span> is <code>text/html-sandboxed</code> (unless this has been overridden as described above).</li>
<li>The element is not a descendant of a <span>media element</span>.</li>
<li>The element is not a descendant of an <code>object</code> element that is not showing its <span>fallback content</span>.</li>
</ul>
@@ -26516,32 +26501,19 @@
<p id="sandboxPluginEmbed">When a <span>plugin</span> is to be
instantiated but it cannot be <span
- title="concept-plugin-secure">secured</span> and either:
+ title="concept-plugin-secure">secured</span> and the <span>sandboxed
+ plugins browsing context flag</span> was set on the <span>browsing
+ context</span> for which the <code>embed</code> element's
+ <code>Document</code> is the <span>active document</span> when that
+ <code>Document</code> was created, then the user agent must not
+ instantiate the <span>plugin</span>, and must instead render the
+ <code>embed</code> element in a manner that conveys that the
+ <span>plugin</span> was disabled. The user agent may offer the user
+ the option to override the sandbox and instantiate the
+ <span>plugin</span> anyway; if the user invokes such an option, the
+ user agent must act as if the conditions above did not apply for the
+ purposes of this element.</p>
- <ul>
-
- <li>the <span>sandboxed plugins browsing context flag</span> was
- set on the <span>browsing context</span> for which the
- <code>embed</code> element's <code>Document</code> is the
- <span>active document</span> when that <code>Document</code> was
- created, or</li>
-
- <li>the <code>embed</code> element's <code>Document</code> was
- parsed from a resource whose <span title="Content-Type
- sniffing">sniffed type</span> as determined during <span
- title="navigate">navigation</span> is
- <code>text/html-sandboxed</code></li>
-
- </ul>
-
- <p>...then the user agent must not instantiate the
- <span>plugin</span>, and must instead render the <code>embed</code>
- element in a manner that conveys that the <span>plugin</span> was
- disabled. The user agent may offer the user the option to override
- the sandbox and instantiate the <span>plugin</span> anyway; if the
- user invokes such an option, the user agent must act as if the
- conditions above did not apply for the purposes of this element.</p>
-
<p class="warning">Plugins that cannot be <span
title="concept-plugin-secure">secured</span> are disabled in
sandboxed browsing contexts because they might not honor the
@@ -27419,23 +27391,11 @@
context</span>.</p>
<p id="sandboxPluginObject">Plugins are considered sandboxed for the
- purpose of an <code>object</code> element if either:</p>
+ purpose of an <code>object</code> element if the <span>sandboxed
+ plugins browsing context flag</span> was set on the
+ <code>object</code> element's <code>Document</code>'s <span>browsing
+ context</span> when the <code>Document</code> was created.</p>
- <ul>
-
- <li>the <span>sandboxed plugins browsing context flag</span> was
- set on the <code>object</code> element's <code>Document</code>'s
- <span>browsing context</span> when the <code>Document</code> was
- created, or</li>
-
- <li>the <code>object</code> element's <code>Document</code> was
- parsed from a resource whose <span title="Content-Type
- sniffing">sniffed type</span> as determined during <span
- title="navigate">navigation</span> is
- <code>text/html-sandboxed</code></li>
-
- </ul>
-
<p class="note">The above algorithm is independent of CSS properties
(including 'display', 'overflow', and 'visibility'). For example, it
runs even if the element is hidden with a 'display:none' CSS style,
@@ -71871,9 +71831,6 @@
browsing context flag</span> was set when the
<code>Document</code> was created</dt>
- <dt>If a <code>Document</code> was generated from a resource
- labeled as <code>text/html-sandboxed</code></dt>
-
<dd>The <span>origin</span> is a globally unique identifier
assigned when the <code>Document</code> is created.</dd>
@@ -73678,7 +73635,6 @@
<!-- an <span>HTML MIME type</span> -->
<dt>"<code>text/html</code>"</dt>
- <dt>"<code>text/html-sandboxed</code>"</dt>
<dd>Follow the steps given in the <span
title="navigate-html">HTML document</span> section, and abort
these steps.</dd>
@@ -80646,7 +80602,6 @@
<li><code>text/cache-manifest</code></li>
<li><code>text/css</code></li>
- <li><code>text/html-sandboxed</code></li>
<li><code>text/html</code></li>
<li><code>text/ping</code></li>
<li><code>text/plain</code></li>
@@ -109150,11 +109105,7 @@
<span>fully active</span>, and when the element's
<code>Document</code>'s <span>browsing context</span> had its
<span>sandboxed plugins browsing context flag</span> when that
- <code>Document</code> was created, and when the element's
- <code>Document</code> was parsed from a resource whose <span
- title="Content-Type sniffing">sniffed type</span> as determined
- during <span title="navigate">navigation</span> is
- <code>text/html-sandboxed</code>, and when the element has an
+ <code>Document</code> was created, and when the element has an
ancestor <span>media element</span>, and when the element has an
ancestor <code>object</code> element that is <em>not</em> showing
its <span>fallback content</span>, and when no Java Language runtime
@@ -110693,95 +110644,8 @@
provide state information for in-page scripts.</p>
- <h3><dfn><code>text/html-sandboxed</code></dfn></h3>
- <p>This registration is for community review and will be submitted
- to the IESG for review, approval, and registration with IANA.</p>
- <!--
- To: ietf-types at iana.org
- Subject: Registration of media type text/html-sandboxed
- -->
-
- <dl>
- <dt>Type name:</dt>
- <dd>text</dd>
- <dt>Subtype name:</dt>
- <dd>html-sandboxed</dd>
- <dt>Required parameters:</dt>
- <dd>No required parameters</dd>
- <dt>Optional parameters:</dt>
- <dd>Same as for <code>text/html</code></dd>
- <dt>Encoding considerations:</dt>
- <dd>Same as for <code>text/html</code></dd>
- <dt>Security considerations:</dt>
- <dd>
- <p>The purpose of the <code>text/html-sandboxed</code> MIME type
- is to provide a way for content providers to indicate that they
- want the file to be interpreted in a manner that does not give the
- file's contents access to the rest of the site. This is achieved
- by assigning the <code>Document</code> objects generated from
- resources labeled as <code>text/html-sandboxed</code> unique
- origins.</p>
- <p>To avoid having legacy user agents treating resources labeled
- as <code>text/html-sandboxed</code> as regular
- <code>text/html</code> files, authors should avoid using the <code
- title="">.html</code> or <code title="">.htm</code> extensions for
- resources labeled as <code>text/html-sandboxed</code>.</p>
- <p>Furthermore, since the <code>text/html-sandboxed</code> MIME
- type impacts the origin security model, authors should be careful
- to prevent tampering with the MIME type labeling mechanism itself
- when documents are labeled as <code>text/html-sandboxed</code>. If
- an attacker can cause a file to be served as
- <code>text/html</code> instead of
- <code>text/html-sandboxed</code>, then the sandboxing will not
- take effect and a cross-site scripting attack will become
- possible.</p>
- <p>Beyond this, the type is identical to <code>text/html</code>,
- and the same considerations apply.</p>
- </dd>
- <dt>Interoperability considerations:</dt>
- <dd>Same as for <code>text/html</code></dd>
- <dt>Published specification:</dt>
- <dd>
- This document is the relevant specification. Labeling a resource
- with the <code>text/html-sandboxed</code> type asserts that the
- resource is an <span title="HTML documents">HTML document</span>
- using <span>the HTML syntax</span>.
- </dd>
- <dt>Applications that use this media type:</dt>
- <dd>Same as for <code>text/html</code></dd>
- <dt>Additional information:</dt>
- <dd>
- <dl>
- <dt>Magic number(s):</dt>
- <dd>Documents labeled as <code>text/html-sandboxed</code> are
- heuristically indistinguishable from those labeled as
- <code>text/html</code>.</dd>
- <dt>File extension(s):</dt>
- <dd>"<code title="">sandboxed</code>"</dd>
- <dt>Macintosh file type code(s):</dt>
- <dd><code title="">TEXT</code></dd>
- </dl>
- </dd>
- <dt>Person & email address to contact for further information:</dt>
- <dd>Ian Hickson <ian at hixie.ch></dd>
- <dt>Intended usage:</dt>
- <dd>Common</dd>
- <dt>Restrictions on usage:</dt>
- <dd>No restrictions apply.</dd>
- <dt>Author:</dt>
- <dd>Ian Hickson <ian at hixie.ch></dd>
- <dt>Change controller:</dt>
- <dd>W3C</dd>
- </dl>
-
- <p>Fragment identifiers used with <code>text/html-sandboxed</code>
- resources either refer to <span>the indicated part of the
- document</span> or provide state information for in-page
- scripts.</p>
-
-
<h3><dfn><code>multipart/x-mixed-replace</code></dfn></h3>
<p>This registration is for community review and will be submitted