W3C home > Mailing lists > Public > public-html-commits@w3.org > June 2011

html5/spec Overview.html,1.4986,1.4987

From: Ian Hickson via cvs-syncmail <cvsmail@w3.org>
Date: Tue, 14 Jun 2011 02:08:13 +0000
To: public-html-commits@w3.org
Message-Id: <E1QWJ37-000174-I8@lionel-hutz.w3.org>
Update of /sources/public/html5/spec
In directory hutz:/tmp/cvs-serv4257

Modified Files:
	Overview.html 
Log Message:
Introduce <object type='' data='' typemustmatch> to help when referencing resources from a remote host. (whatwg r6222)

Index: Overview.html
===================================================================
RCS file: /sources/public/html5/spec/Overview.html,v
retrieving revision 1.4986
retrieving revision 1.4987
diff -u -d -r1.4986 -r1.4987
--- Overview.html	14 Jun 2011 00:33:11 -0000	1.4986
+++ Overview.html	14 Jun 2011 02:08:09 -0000	1.4987
@@ -20792,12 +20792,12 @@
   </div><div class="example">
 
    <p>Here's a way to embed a resource that requires a proprietary
-   plug-in, like Flash:</p>
+   plugin, like Flash:</p>
 
    <pre>&lt;embed src="catgame.swf"&gt;</pre>
 
-   <p>If the user does not have the plug-in (for example if the
-   plug-in vendor doesn't support the user's platform), then the user
+   <p>If the user does not have the plugin (for example if the
+   plugin vendor doesn't support the user's platform), then the user
    will be unable to use the resource.</p>
 
    <p>To pass the plugin a parameter "quality" with the value "high",
@@ -20826,6 +20826,7 @@
    <dd><a href="#global-attributes">Global attributes</a></dd>
    <dd><code title="attr-object-data"><a href="#attr-object-data">data</a></code></dd>
    <dd><code title="attr-object-type"><a href="#attr-object-type">type</a></code></dd>
+   <dd><code title="attr-object-typemustmatch"><a href="#attr-object-typemustmatch">typemustmatch</a></code></dd>
    <dd><code title="attr-object-name"><a href="#attr-object-name">name</a></code></dd>
    <dd><code title="attr-hyperlink-usemap"><a href="#attr-hyperlink-usemap">usemap</a></code></dd>
    <dd><code title="attr-fae-form"><a href="#attr-fae-form">form</a></code></dd>
@@ -20836,6 +20837,7 @@
 <pre class="idl">interface <dfn id="htmlobjectelement">HTMLObjectElement</dfn> : <a href="#htmlelement">HTMLElement</a> {
            attribute DOMString <a href="#dom-object-data" title="dom-object-data">data</a>;
            attribute DOMString <a href="#dom-object-type" title="dom-object-type">type</a>;
+           attribute boolean <a href="#dom-object-typemustmatch" title="dom-object-typeMustMatch">typeMustMatch</a>;
            attribute DOMString <a href="#dom-object-name" title="dom-object-name">name</a>;
            attribute DOMString <a href="#dom-object-usemap" title="dom-object-useMap">useMap</a>;
   readonly attribute <a href="#htmlformelement">HTMLFormElement</a>? <a href="#dom-fae-form" title="dom-fae-form">form</a>;
@@ -20863,9 +20865,20 @@
   <a href="#plugin">plugin</a>.<p>The <dfn id="attr-object-data" title="attr-object-data"><code>data</code></dfn>
   attribute, if present, specifies the address of the resource. If
   present, the attribute must be a <a href="#valid-non-empty-url-potentially-surrounded-by-spaces">valid non-empty
-  URL potentially surrounded by spaces</a>.<p>The <dfn id="attr-object-type" title="attr-object-type"><code>type</code></dfn>
+  URL potentially surrounded by spaces</a>.<p class="warning">Authors who reference resources from other <a href="#origin" title="origin">origins</a> that they do not trust are urged to
+  use the <code title="attr-object-typemustmatch"><a href="#attr-object-typemustmatch">typemustmatch</a></code>
+  attribute defined below. Without that attribute, it is possible in
+  certain cases for an attacker on the remote host to use the plugin
+  mechanism to run arbitrary scripts, even if the author has used
+  features such as the Flash "allowScriptAccess" parameter.</p><p>The <dfn id="attr-object-type" title="attr-object-type"><code>type</code></dfn>
   attribute, if present, specifies the type of the resource. If
-  present, the attribute must be a <a href="#valid-mime-type">valid MIME type</a>.<p>At least one of either the <code title="attr-object-data"><a href="#attr-object-data">data</a></code> attribute or the <code title="attr-object-type"><a href="#attr-object-type">type</a></code> attribute must be present.<p>The <dfn id="attr-object-name" title="attr-object-name"><code>name</code></dfn>
+  present, the attribute must be a <a href="#valid-mime-type">valid MIME type</a>.<p>At least one of either the <code title="attr-object-data"><a href="#attr-object-data">data</a></code> attribute or the <code title="attr-object-type"><a href="#attr-object-type">type</a></code> attribute must be present.<p>The <dfn id="attr-object-typemustmatch" title="attr-object-typemustmatch"><code>typemustmatch</code></dfn>
+  attribute is a <a href="#boolean-attribute">boolean attribute</a> whose precense
+  indicates that the resource specified by the <code title="attr-object-data"><a href="#attr-object-data">data</a></code> attribute is only to be used if
+  the value of the <code title="attr-object-type"><a href="#attr-object-type">type</a></code>
+  attribute and the <a href="#content-type">Content-Type</a> of the aforementioned
+  resource match.<p>The <code title="attr-object-typemustmatch"><a href="#attr-object-typemustmatch">typemustmatch</a></code>
+  attribute must not be specified unless both the <code title="attr-object-data"><a href="#attr-object-data">data</a></code> attribute and the <code title="attr-object-type"><a href="#attr-object-type">type</a></code> attribute are present.<p>The <dfn id="attr-object-name" title="attr-object-name"><code>name</code></dfn>
   attribute, if present, must be a <a href="#valid-browsing-context-name">valid browsing context
   name</a>. The given value is used to name the <a href="#nested-browsing-context">nested
   browsing context</a>, if applicable.<div class="impl">
@@ -20999,6 +21012,28 @@
 
        <li>
 
+        <p>If the <code><a href="#the-object-element">object</a></code> element has a <code title="attr-object-type"><a href="#attr-object-type">type</a></code> attribute and a <code title="attr-object-typemustmatch"><a href="#attr-object-typemustmatch">typemustmatch</a></code>
+        attribute, and the resource has <a href="#content-type" title="Content-Type">associated Content-Type metadata</a>,
+        and the type specified in <a href="#content-type" title="Content-Type">the
+        resource's Content-Type metadata</a> is an <a href="#ascii-case-insensitive">ASCII
+        case-insensitive</a> match for the value of the element's
+        <code title="attr-object-type"><a href="#attr-object-type">type</a></code> attribute, then let
+        <var title="">resource type</var> be that type and jump to the
+        step below labeled <i>handler</i>.</p>
+
+        
+
+       </li>
+
+       <li>
+
+        <p>If the <code><a href="#the-object-element">object</a></code> element has a <code title="attr-object-typemustmatch"><a href="#attr-object-typemustmatch">typemustmatch</a></code>
+        attribute, jump to the step below labeled <i>handler</i>.</p>
+
+       </li>
+
+       <li>
+
         
 
         <p>If the user agent is configured to strictly obey
@@ -21009,6 +21044,12 @@
         metadata</a>, and jump to the step below labeled
         <i>handler</i>.</p>
 
+        <p class="warning">This can introduce a vulnerability, wherein
+        a site is trying to embed a resource that uses a particular
+        plugin, but the remote site overrides that and instead
+        furnishes the user agent with a resource that triggers a
+        different plugin with different security characteristics. </p>
+
        </li>
 
        <li>
@@ -21143,9 +21184,10 @@
 
        </li>
 
-      </ol><p class="note">It is possible for this step to finish with <var title="">resource type</var> still being unknown, or for one of
-      the substeps above to jump straight to the next step. In both
-      cases, the next step will trigger fallback.</p>
+      </ol><p class="note">It is possible for this step to finish, or for
+      one of the substeps above to jump straight to the next step,
+      with <var title="">resource type</var> still being unknown. In
+      both cases, the next step will trigger fallback.</p>
 
      </li>
 
@@ -21366,6 +21408,10 @@
   <a href="#reflect">reflect</a> the respective content attributes of the same
   name.</p>
 
+  <p>The <dfn id="dom-object-typemustmatch" title="dom-object-typeMustMatch"><code>typeMustMatch</code></dfn> IDL
+  attribute must <a href="#reflect">reflect</a> the <code title="attr-object-typemustmatch"><a href="#attr-object-typemustmatch">typemustmatch</a></code> content
+  attribute.</p>
+
   <p>The <dfn id="dom-object-contentdocument" title="dom-object-contentDocument"><code>contentDocument</code></dfn>
   IDL attribute must return the <code><a href="#document">Document</a></code> object of the
   <a href="#active-document">active document</a> of the <code><a href="#the-object-element">object</a></code> element's
@@ -22393,7 +22439,7 @@
  var videoSection = document.getElementById('video');
  var videoElement = document.createElement('video');
  var support = videoElement.canPlayType('video/x-new-fictional-format;codecs="kittens,bunnies"');
- if (support != "probably" &amp;&amp; "New Fictional Video Plug-in" in navigator.plugins) {
+ if (support != "probably" &amp;&amp; "New Fictional Video Plugin" in navigator.plugins) {
    // not confident of browser support
    // but we have a plugin
    // so use plugin instead
@@ -69373,6 +69419,7 @@
      <td><a href="#global-attributes" title="global attributes">globals</a>;
          <code title="attr-object-data"><a href="#attr-object-data">data</a></code>;
          <code title="attr-object-type"><a href="#attr-object-type">type</a></code>;
+         <code title="attr-object-typemustmatch"><a href="#attr-object-typemustmatch">typemustmatch</a></code>;
          <code title="attr-object-name"><a href="#attr-object-name">name</a></code>;
          <code title="attr-hyperlink-usemap"><a href="#attr-hyperlink-usemap">usemap</a></code>;
          <code title="attr-fae-form"><a href="#attr-fae-form">form</a></code>;
@@ -70733,6 +70780,10 @@
      <td> <code title="attr-menu-type"><a href="#attr-menu-type">menu</a></code>
      <td> Type of menu
      <td> "<code title="context menu state"><a href="#context-menu-state">context</a></code>"; "<code title="toolbar state"><a href="#toolbar-state">toolbar</a></code>"
+    <tr><th> <code title="">typemustmatch</code>
+     <td> <code title="attr-object-typemustmatch"><a href="#attr-object-typemustmatch">object</a></code>
+     <td> Whether the <code title="attr-object-type"><a href="#attr-object-type">type</a></code> attribute and the <a href="#content-type">Content-Type</a> value need to match for the resource to be used
+     <td> <a href="#boolean-attribute">Boolean attribute</a>
     <tr><th> <code title="">usemap</code>
      <td> <code title="attr-hyperlink-usemap"><a href="#attr-hyperlink-usemap">img</a></code>;
           <code title="attr-hyperlink-usemap"><a href="#attr-hyperlink-usemap">object</a></code>
Received on Tuesday, 14 June 2011 02:08:19 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 14 June 2011 02:08:23 GMT