html5/spec iana.html,1.344,1.345 spec.html,1.1347,1.1348

From: Michael Smith via cvs-syncmail <cvsmail@w3.org>
Date: Wed, 08 Dec 2010 01:46:41 +0000
To: public-html-commits@w3.org
Message-Id: <E1PQ97B-0004o2-3b@lionel-hutz.w3.org>
Update of /sources/public/html5/spec
In directory hutz:/tmp/cvs-serv18452

Modified Files:
	iana.html spec.html 
Log Message:
note advice from an anonymous IANA reviewer (whatwg r5713)

[updated by splitter]


Index: iana.html
===================================================================
RCS file: /sources/public/html5/spec/iana.html,v
retrieving revision 1.344
retrieving revision 1.345
diff -u -d -r1.344 -r1.345
--- iana.html	5 Dec 2010 09:44:13 -0000	1.344
+++ iana.html	8 Dec 2010 01:46:38 -0000	1.345
@@ -514,6 +514,15 @@
     as <code><a href="#text-html-sandboxed">text/html-sandboxed</a></code> as regular
     <code><a href="#text-html">text/html</a></code> files, authors should avoid using the <code title="">.html</code> or <code title="">.htm</code> extensions for
     resources labeled as <code><a href="#text-html-sandboxed">text/html-sandboxed</a></code>.</p>
+    <p>Furthermore, since the <code><a href="#text-html-sandboxed">text/html-sandboxed</a></code> MIME
+    type impacts the origin security model, authors should be careful
+    to prevent tampering with the MIME type labeling mechanism itself
+    when documents are labeled as <code><a href="#text-html-sandboxed">text/html-sandboxed</a></code>. If
+    an attacker can cause a file to be served as
+    <code><a href="#text-html">text/html</a></code> instead of
+    <code><a href="#text-html-sandboxed">text/html-sandboxed</a></code>, then the sandboxing will not
+    take effect and a cross-site scripting attack will become
+    possible.</p>
     <p>Beyond this, the type is identical to <code><a href="#text-html">text/html</a></code>,
     and the same considerations apply.</p>
    </dd>
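Review bot: the new paragraph names the threat (content served as text/html instead of text/html-sandboxed, so the sandbox never applies and script runs in the site's origin) but its only advice is to "be careful to prevent tampering with the MIME type labeling mechanism itself", which gives an author nothing concrete to do. The preceding paragraph already gives one concrete instance, avoiding .html/.htm extensions because servers map extensions to types, so consider linking the two explicitly, e.g. "the server configuration that determines the Content-Type of these resources (including any extension-to-type mapping) should be treated as security-sensitive", so readers see that extension mapping is one example of the labeling mechanism rather than a separate concern. Minor: "when documents are labeled as text/html-sandboxed" repeats the sentence's subject and can be dropped without loss.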

Index: spec.html
===================================================================
RCS file: /sources/public/html5/spec/spec.html,v
retrieving revision 1.1347
retrieving revision 1.1348
diff -u -d -r1.1347 -r1.1348
--- spec.html	8 Dec 2010 00:47:22 -0000	1.1347
+++ spec.html	8 Dec 2010 01:46:38 -0000	1.1348
@@ -385,7 +385,7 @@
     <a href="Overview.html">single page HTML</a>,
     <a href="spec.html">multipage HTML</a>,
     <a href="author/">web developer edition</a>.
-This is revision 1.4577.
+This is revision 1.4578.
    </p> 
      <p class="copyright"><a href="http://www.w3.org/Consortium/Legal/ipr-notice#Copyright">Copyright</a>
    &#169; 2010 <a href="http://www.w3.org/"><abbr title="World Wide
Received on Wednesday, 8 December 2010 01:46:42 GMT