html5/spec Overview.html,1.1546,1.1547

From: Ian Hickson via cvs-syncmail <cvsmail@w3.org>
Date: Tue, 28 Oct 2008 23:50:56 +0000
To: public-html-commits@w3.org
Message-Id: <E1KuyKu-00006P-79@lionel-hutz.w3.org>

Update of /sources/public/html5/spec
In directory hutz:/tmp/cvs-serv373

Modified Files:
	Overview.html 
Log Message:
Mention that client-side validation is not secure. (whatwg r2375)

Index: Overview.html
===================================================================
RCS file: /sources/public/html5/spec/Overview.html,v
retrieving revision 1.1546
retrieving revision 1.1547
diff -u -d -r1.1546 -r1.1547
--- Overview.html	28 Oct 2008 23:22:39 -0000	1.1546
+++ Overview.html	28 Oct 2008 23:50:53 -0000	1.1547
@@ -494,7 +494,8 @@
       <ol>
        <li><a href=#definitions><span class=secno>4.10.14.1 </span>Definitions</a></li>
        <li><a href=#constraint-validation><span class=secno>4.10.14.2 </span>Constraint validation</a></li>
-       <li><a href=#the-constraint-validation-api><span class=secno>4.10.14.3 </span>The constraint validation API</a></ol></li>
+       <li><a href=#the-constraint-validation-api><span class=secno>4.10.14.3 </span>The constraint validation API</a></li>
+       <li><a href=#security-0><span class=secno>4.10.14.4 </span>Security</a></ol></li>
      <li><a href=#form-submission-0><span class=secno>4.10.15 </span>Form submission</a>
       <ol>
        <li><a href=#url-encoded-form-data><span class=secno>4.10.15.1 </span>URL-encoded form data</a></li>
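Review bot: the new table-of-contents entry for 4.10.14.4 takes the fragment `#security-0`, which in revision 1.1546 pointed at 5.1.4; the later hunks show 5.1.4 moving to `security-1` and every following Security section shifting up by one. Any existing link to `#security-0` through `#security-4` now resolves to a different section without warning. Suggest giving the new heading an explicit, descriptive id so the five existing anchors keep their targets.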
@@ -555,12 +556,12 @@
       <ol>
        <li><a href=#navigating-auxiliary-browsing-contexts-in-the-dom><span class=secno>5.1.2.1 </span>Navigating auxiliary browsing contexts in the DOM</a></ol></li>
      <li><a href=#secondary-browsing-contexts><span class=secno>5.1.3 </span>Secondary browsing contexts</a></li>
-     <li><a href=#security-0><span class=secno>5.1.4 </span>Security</a></li>
+     <li><a href=#security-1><span class=secno>5.1.4 </span>Security</a></li>
      <li><a href=#groupings-of-browsing-contexts><span class=secno>5.1.5 </span>Groupings of browsing contexts</a></li>
      <li><a href=#browsing-context-names><span class=secno>5.1.6 </span>Browsing context names</a></ol></li>
    <li><a href=#the-default-view><span class=secno>5.2 </span>The default view</a>
     <ol>
-     <li><a href=#security-1><span class=secno>5.2.1 </span>Security</a></li>
+     <li><a href=#security-2><span class=secno>5.2.1 </span>Security</a></li>
      <li><a href=#apis-for-creating-and-navigating-browsing-contexts-by-name><span class=secno>5.2.2 </span>APIs for creating and navigating browsing contexts by name</a></li>
      <li><a href=#accessing-other-browsing-contexts><span class=secno>5.2.3 </span>Accessing other browsing contexts</a></ol></li>
    <li><a href=#origin><span class=secno>5.3 </span>Origin</a>
@@ -616,7 +617,7 @@
      <li><a href=#activating-state-object-entries><span class=secno>5.8.3 </span>Activating state object entries</a></li>
      <li><a href=#the-location-interface><span class=secno>5.8.4 </span>The <code>Location</code> interface</a>
       <ol>
-       <li><a href=#security-2><span class=secno>5.8.4.1 </span>Security</a></ol></li>
+       <li><a href=#security-3><span class=secno>5.8.4.1 </span>Security</a></ol></li>
      <li><a href=#history-notes><span class=secno>5.8.5 </span>Implementation notes for session history</a></ol></li>
    <li><a href=#browsing-the-web><span class=secno>5.9 </span>Browsing the Web</a>
     <ol>
@@ -655,7 +656,7 @@
       <ol>
        <li><a href=#user-tracking><span class=secno>5.10.4.1 </span>User tracking</a></li>
        <li><a href=#cookie-resurrection><span class=secno>5.10.4.2 </span>Cookie resurrection</a></ol></li>
-     <li><a href=#security-3><span class=secno>5.10.5 </span>Security</a>
+     <li><a href=#security-4><span class=secno>5.10.5 </span>Security</a>
       <ol>
        <li><a href=#dns-spoofing-attacks><span class=secno>5.10.5.1 </span>DNS spoofing attacks</a></li>
        <li><a href=#cross-directory-attacks><span class=secno>5.10.5.2 </span>Cross-directory attacks</a></li>
@@ -775,7 +776,7 @@
    <li><a href=#crossDocumentMessages><span class=secno>7.4 </span>Cross-document messaging</a>
     <ol>
      <li><a href=#introduction-4><span class=secno>7.4.1 </span>Introduction</a></li>
-     <li><a href=#security-4><span class=secno>7.4.2 </span>Security</a>
+     <li><a href=#security-5><span class=secno>7.4.2 </span>Security</a>
       <ol>
        <li><a href=#authors><span class=secno>7.4.2.1 </span>Authors</a></li>
        <li><a href=#user-agents><span class=secno>7.4.2.2 </span>User agents</a></ol></li>
@@ -22372,7 +22373,12 @@
   agent would show the user if this were the only form with a validity
   constraint problem. If the element is <a href=#suffering-from-a-custom-error>suffering from a custom
   error</a>, then the <a href=#custom-validity-error-message>custom validity error message</a>
-  should be present in the return value.<h4 id=form-submission-0><span class=secno>4.10.15 </span>Form submission</h4><p>When a form <var title="">form</var> is <dfn id=concept-form-submit title=concept-form-submit>submitted</dfn> from an element <var title="">submitter</var> (typically a button), the user agent must
+  should be present in the return value.<h5 id=security-0><span class=secno>4.10.14.4 </span>Security</h5><p>Servers should not rely on client-side validation. Client-side
+  validation can be intentionally bypassed by hostile users, and
+  unintentionally bypassed by users of older user agents or automated
+  tools that do not implement these features. The constraint
+  validation features are only intended to improve the user
+  experience, not to provide any kind of security mechanism.<h4 id=form-submission-0><span class=secno>4.10.15 </span>Form submission</h4><p>When a form <var title="">form</var> is <dfn id=concept-form-submit title=concept-form-submit>submitted</dfn> from an element <var title="">submitter</var> (typically a button), the user agent must
   run the following steps:<ol><li id=sandboxSubmitBlocked><p>If <var title="">form</var> is in
    a <code>Document</code> that has no associated <a href=#browsing-context>browsing
    context</a> or whose <a href=#browsing-context>browsing context</a> has its
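Review bot: the new 4.10.14.4 paragraph tells servers what not to rely on ("Servers should not rely on client-side validation") but never states what is expected instead. Suggest adding a sentence saying that the server has to check every submitted value against the same constraints itself, which follows directly from the paragraph's own observation that hostile users, older user agents and automated tools can submit the form without those checks having run.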
@@ -25410,7 +25416,7 @@
   browsing context</a>), if there is one and it is still
   available.<h4 id=secondary-browsing-contexts><span class=secno>5.1.3 </span>Secondary browsing contexts</h4><p>User agents may support <dfn id=secondary-browsing-context title="secondary browsing
   context">secondary browsing contexts</dfn>, which are <a href=#browsing-context title="browsing context">browsing contexts</a> that form part of
-  the user agent's interface, apart from the main content area.<h4 id=security-0><span class=secno>5.1.4 </span>Security</h4><p>A <a href=#browsing-context>browsing context</a> <var title="">A</var> is
+  the user agent's interface, apart from the main content area.<h4 id=security-1><span class=secno>5.1.4 </span>Security</h4><p>A <a href=#browsing-context>browsing context</a> <var title="">A</var> is
   <dfn id=allowed-to-navigate>allowed to navigate</dfn> a second <a href=#browsing-context>browsing
   context</a> <var title="">B</var> if one of the following
   conditions is true:<ul><li>Either the <a href=#origin-0>origin</a> of the <a href=#active-document>active
@@ -25654,7 +25660,7 @@
   <code>Document</code>'s <a href=#default-view>default view</a>'s
   <code><a href=#window>Window</a></code> object. A <code>Document</code> object's
   <a href=#list-of-added-properties>list of added properties</a> must be empty when the
-  <code>Document</code> object is created.<h4 id=security-1><span class=secno>5.2.1 </span>Security</h4><p>User agents must raise a <a href=#security-exception>security exception</a> whenever
+  <code>Document</code> object is created.<h4 id=security-2><span class=secno>5.2.1 </span>Security</h4><p>User agents must raise a <a href=#security-exception>security exception</a> whenever
   any of the members of a <code><a href=#window>Window</a></code> object are accessed by
   scripts whose <a href=#effective-script-origin>effective script origin</a> is not the same
   as the <code><a href=#window>Window</a></code> object's <a href=#browsing-context>browsing context</a>'s
@@ -29024,7 +29030,7 @@
 reload on shared Document updates all of them
 
 user reload must be equivalent to .reload()
---><h5 id=security-2><span class=secno>5.8.4.1 </span>Security</h5><p>User agents must raise a <a href=#security-exception>security exception</a> whenever
+--><h5 id=security-3><span class=secno>5.8.4.1 </span>Security</h5><p>User agents must raise a <a href=#security-exception>security exception</a> whenever
   any of the members of a <code><a href=#location>Location</a></code> object are accessed by
   scripts whose <a href=#effective-script-origin>effective script origin</a> is not the <a href=#same-origin title="same origin">same</a> as the <code><a href=#location>Location</a></code>
   object's associated <code>Document</code>'s <a href=#effective-script-origin>effective script
@@ -30368,7 +30374,7 @@
   cookies, then users are likely to delete data in one and not the
   other. This would allow sites to use the two features as redundant
   backup for each other, defeating a user's attempts to protect his
-  privacy.<h4 id=security-3><span class=secno>5.10.5 </span>Security</h4><h5 id=dns-spoofing-attacks><span class=secno>5.10.5.1 </span>DNS spoofing attacks</h5><p>Because of the potential for DNS spoofing attacks, one cannot
+  privacy.<h4 id=security-4><span class=secno>5.10.5 </span>Security</h4><h5 id=dns-spoofing-attacks><span class=secno>5.10.5.1 </span>DNS spoofing attacks</h5><p>Because of the potential for DNS spoofing attacks, one cannot
   guarantee that a host claiming to be in a certain domain really is
   from that domain. To mitigate this, pages can use SSL. Pages using
   SSL can be sure that only pages using SSL that have certificates
@@ -34189,7 +34195,7 @@
    responds to by sending a message back to the document which sent
    the message in the first place.</p>
 
-  </div><h4 id=security-4><span class=secno>7.4.2 </span>Security</h4><h5 id=authors><span class=secno>7.4.2.1 </span>Authors</h5><p class=warning>Use of this API requires extra care to protect
+  </div><h4 id=security-5><span class=secno>7.4.2 </span>Security</h4><h5 id=authors><span class=secno>7.4.2.1 </span>Authors</h5><p class=warning>Use of this API requires extra care to protect
   users from hostile entities abusing a site for their own
   purposes.<p>Authors should check the <code title=dom-MessageEvent-origin><a href=#dom-messageevent-origin>origin</a></code> attribute to ensure
   that messages are only accepted from domains that they expect to
Received on Tuesday, 28 October 2008 23:51:07 GMT
