html5/spec-author-view Overview.html,1.619,1.620 acknowledgements.html,1.563,1.564 iana.html,1.19,1.20 spec.html,1.624,1.625

Update of /sources/public/html5/spec-author-view
In directory hutz:/tmp/cvs-serv4662

Modified Files:
	Overview.html acknowledgements.html iana.html spec.html 
Log Message:
Mention same-origin attacks and the importance of compartmentalization. (whatwg r4629)

[updated by splitter]


Index: Overview.html
===================================================================
RCS file: /sources/public/html5/spec-author-view/Overview.html,v
retrieving revision 1.619
retrieving revision 1.620
diff -u -d -r1.619 -r1.620
--- Overview.html	27 Jan 2010 08:36:59 -0000	1.619
+++ Overview.html	27 Jan 2010 22:37:00 -0000	1.620
@@ -283,7 +283,7 @@
    </dl><p>This specification is available in the following formats: 
     <a href="spec.html">single page HTML</a>,
     <a href="Overview.html">multipage HTML</a>.
-This is revision 1.3689.
+This is revision 1.3690.
    </p> 
    <p class="copyright"><a href="http://www.w3.org/Consortium/Legal/ipr-notice#Copyright">Copyright</a>
    &#169; 2009 <a href="http://www.w3.org/"><abbr title="World Wide

Index: iana.html
===================================================================
RCS file: /sources/public/html5/spec-author-view/iana.html,v
retrieving revision 1.19
retrieving revision 1.20
diff -u -d -r1.19 -r1.20
--- iana.html	14 Jan 2010 08:12:45 -0000	1.19
+++ iana.html	27 Jan 2010 22:37:00 -0000	1.20
@@ -331,6 +331,21 @@
     Internet. This can expose local network topologies that the
     attacker would otherwise not be able to determine.</p>
 
+    <p>HTML relies on a compartmentalization scheme sometimes known as
+    the <i>same-origin policy</i>. An <a href="#origin">origin</a> in most
+    cases consists of all the pages served from the same host, on the
+    same port, using the same protocol.</p>
+
+    <p>It is critical, therefore, to ensure that any untrusted content
+    that forms part of a site be hosted on a different
+    <a href="#origin">origin</a> than any sensitive content on that site.
+    Untrusted content can easily spoof any other page on the same
+    origin, read data from that origin, cause scripts in that origin
+    to execute, submit forms to and from that origin even if they are
+    protected from cross-site request forgery attacks by unique
+    tokens, and make use of any third-party resources exposed to or
+    rights granted to that origin.</p>
+
    </dd>
    <dt>Interoperability considerations:</dt>
    <dd>
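Review bot: The origin definition in the first added paragraph (same host, same port, same protocol) does not mention the path, and the second paragraph's advice to host untrusted content on a "different origin" would be stronger if it spelled out the consequence: a separate directory on the same host, port and scheme is still the same origin and gives no isolation. Consider adding a sentence after "than any sensitive content on that site." along the lines of "A different path on the same host is not a different origin." The CSRF clause ("even if they are protected from cross-site request forgery attacks by unique tokens") would also read more clearly if it tied back to the earlier "read data from that origin" point, since that is why the tokens do not help.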

Index: spec.html
===================================================================
RCS file: /sources/public/html5/spec-author-view/spec.html,v
retrieving revision 1.624
retrieving revision 1.625
diff -u -d -r1.624 -r1.625
--- spec.html	27 Jan 2010 08:36:59 -0000	1.624
+++ spec.html	27 Jan 2010 22:37:00 -0000	1.625
@@ -281,7 +281,7 @@
    </dl><p>This specification is available in the following formats: 
     <a href=spec.html>single page HTML</a>,
     <a href=Overview.html>multipage HTML</a>.
-This is revision 1.3689.
+This is revision 1.3690.
    </p> 
    <p class=copyright><a href=http://www.w3.org/Consortium/Legal/ipr-notice#Copyright>Copyright</a>
    © 2009 <a href=http://www.w3.org/><abbr title="World Wide
@@ -24900,6 +24900,21 @@
     Internet. This can expose local network topologies that the
     attacker would otherwise not be able to determine.</p>
 
+    <p>HTML relies on a compartmentalization scheme sometimes known as
+    the <i>same-origin policy</i>. An <a href=#origin>origin</a> in most
+    cases consists of all the pages served from the same host, on the
+    same port, using the same protocol.</p>
+
+    <p>It is critical, therefore, to ensure that any untrusted content
+    that forms part of a site be hosted on a different
+    <a href=#origin>origin</a> than any sensitive content on that site.
+    Untrusted content can easily spoof any other page on the same
+    origin, read data from that origin, cause scripts in that origin
+    to execute, submit forms to and from that origin even if they are
+    protected from cross-site request forgery attacks by unique
+    tokens, and make use of any third-party resources exposed to or
+    rights granted to that origin.</p>
+
    </dd>
    <dt>Interoperability considerations:</dt>
    <dd>
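Review bot: Same comment as for the identical text in iana.html: the origin definition here lists host, port and protocol but not path, so the "different origin" advice should state that a separate path on the same host does not count, and the CSRF-token clause should be linked to the "read data from that origin" point that explains it.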
@@ -28366,6 +28381,7 @@
   Ben Leslie,
   Ben Meadowcroft,
   Ben Millard,
+  Benjamin Carl Wiley Sittler,
   Benjamin Hawkes-Lewis,
   Bert Bos,
   Bijan Parsia,

Index: acknowledgements.html
===================================================================
RCS file: /sources/public/html5/spec-author-view/acknowledgements.html,v
retrieving revision 1.563
retrieving revision 1.564
diff -u -d -r1.563 -r1.564
--- acknowledgements.html	21 Jan 2010 00:11:15 -0000	1.563
+++ acknowledgements.html	27 Jan 2010 22:37:00 -0000	1.564
@@ -325,6 +325,7 @@
   Ben Leslie,
   Ben Meadowcroft,
   Ben Millard,
+  Benjamin Carl Wiley Sittler,
   Benjamin Hawkes-Lewis,
   Bert Bos,
   Bijan Parsia,

Received on Wednesday, 27 January 2010 22:37:05 UTC