[html5] r7152 - [giow] (0) DND security: add some more vague suggestions. Affected topics: HTML, [...]

whatwg at whatwg.org
Thu Jun 28 14:21:56 PDT 2012


Author: ianh
Date: 2012-06-28 14:21:55 -0700 (Thu, 28 Jun 2012)
New Revision: 7152

Modified:
   complete.html
   index
   source
Log:
[giow] (0) DND security: add some more vague suggestions.
Affected topics: HTML, Security

Modified: complete.html
===================================================================
--- complete.html	2012-06-28 05:36:02 UTC (rev 7151)
+++ complete.html	2012-06-28 21:21:55 UTC (rev 7152)
@@ -79023,12 +79023,13 @@
 
   <p>User agents should filter potentially active (scripted) content
   (e.g. HTML) when it is dragged and when it is dropped, using a
-  whitelist of known-safe features. This specification does not
-  specify how this is performed.</p>
+  whitelist of known-safe features. Similarly, relative URLs should be
+  turned into absolute URLs to avoid references changing in unexpected
+  ways. This specification does not specify how this is performed.</p>
 
   <div class=example>
 
-   <p>Consider a hostile page providing some content and gettuing the
+   <p>Consider a hostile page providing some content and getting the
    user to select and drag and drop (or indeed, copy and paste) that
    content to a victim page's <code title=attr-contenteditable><a href=#attr-contenteditable>contenteditable</a></code> region. If the
    browser does not ensure that only safe content is dragged,
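Review bot: the added sentence in this hunk ("relative URLs should be turned into absolute URLs to avoid references changing in unexpected ways") never says which base URL the resolution uses, and that is the whole point of the requirement: the references change meaning precisely because the fragment moves from one document to another, so the only base that preserves them is the source document's base URL. Suggest making that explicit, e.g. "Similarly, relative URLs in the dragged content should be resolved against the source document's base URL, so that references do not change meaning when the content is inserted into another document." As written, an implementer could read it as resolving at drop time against the destination document, which would produce exactly the unexpected change the sentence is meant to prevent.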

Modified: index
===================================================================
--- index	2012-06-28 05:36:02 UTC (rev 7151)
+++ index	2012-06-28 21:21:55 UTC (rev 7152)
@@ -79023,12 +79023,13 @@
 
   <p>User agents should filter potentially active (scripted) content
   (e.g. HTML) when it is dragged and when it is dropped, using a
-  whitelist of known-safe features. This specification does not
-  specify how this is performed.</p>
+  whitelist of known-safe features. Similarly, relative URLs should be
+  turned into absolute URLs to avoid references changing in unexpected
+  ways. This specification does not specify how this is performed.</p>
 
   <div class=example>
 
-   <p>Consider a hostile page providing some content and gettuing the
+   <p>Consider a hostile page providing some content and getting the
    user to select and drag and drop (or indeed, copy and paste) that
    content to a victim page's <code title=attr-contenteditable><a href=#attr-contenteditable>contenteditable</a></code> region. If the
    browser does not ensure that only safe content is dragged,
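Review bot: "Similarly" at the start of the new sentence presents URL absolutization as another instance of the whitelist filtering described in the previous sentence, but the two are different kinds of step: filtering removes content (active features), while absolutizing URLs rewrites attribute values without removing anything. "In addition," or starting a new sentence without the connective, would keep the distinction clear for implementers. Otherwise this hunk carries the same text as the complete.html hunk above and the same comments apply.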

Modified: source
===================================================================
--- source	2012-06-28 05:36:02 UTC (rev 7151)
+++ source	2012-06-28 21:21:55 UTC (rev 7152)
@@ -92553,12 +92553,13 @@
 
   <p>User agents should filter potentially active (scripted) content
   (e.g. HTML) when it is dragged and when it is dropped, using a
-  whitelist of known-safe features. This specification does not
-  specify how this is performed.</p>
+  whitelist of known-safe features. Similarly, relative URLs should be
+  turned into absolute URLs to avoid references changing in unexpected
+  ways. This specification does not specify how this is performed.</p>
 
   <div class="example">
 
-   <p>Consider a hostile page providing some content and gettuing the
+   <p>Consider a hostile page providing some content and getting the
    user to select and drag and drop (or indeed, copy and paste) that
    content to a victim page's <code
    title="attr-contenteditable">contenteditable</code> region. If the
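Review bot: the preceding sentence in this hunk states when filtering is done ("when it is dragged and when it is dropped"), but the new sentence about turning relative URLs into absolute URLs gives no timing at all. Since the source document's base URL is only reliably known on the drag side, the conversion has to happen when the content is dragged (when it is placed in the drag data store), not at drop; the text should say so to match the precision of the sentence before it, e.g. "Similarly, relative URLs should be turned into absolute URLs when the content is dragged, so that references do not change in unexpected ways when it is dropped elsewhere." The typo fix ("gettuing" to "getting") in the example paragraph is fine.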
