hixie: rel=stylesheet should only override HTTP same-origin, to avoid cross-origin data theft (whatwg r5353)

hixie: rel=stylesheet should only override HTTP same-origin, to avoid
cross-origin data theft (whatwg r5353)

http://dev.w3.org/cvsweb/html5/spec/Overview.html?r1=1.4269&r2=1.4270&f=h
http://html5.org/tools/web-apps-tracker?from=5352&to=5353

===================================================================
RCS file: /sources/public/html5/spec/Overview.html,v
retrieving revision 1.4269
retrieving revision 1.4270
diff -u -d -r1.4269 -r1.4270
--- Overview.html 26 Aug 2010 00:54:02 -0000 1.4269
+++ Overview.html 26 Aug 2010 01:47:02 -0000 1.4270
@@ -39876,9 +39876,11 @@
   <code><a href="#the-link-element">link</a></code> element, with a non-empty value.<p>The default type for resources given by the <code title="rel-stylesheet"><a href="#link-type-stylesheet">stylesheet</a></code> keyword is <code title="">text/css</code>.<div class="impl">
 
   <p><strong>Quirk</strong>: If the document has been set to
-  <a href="#quirks-mode">quirks mode</a> and the <a href="#content-type" title="Content-Type">Content-Type metadata</a> of the external
-  resource is not a supported style sheet type, the user agent must
-  instead assume it to be <code title="">text/css</code>.</p>
+  <a href="#quirks-mode">quirks mode</a>, has the <a href="#same-origin">same origin</a> as the
+  <a href="#url">URL</a> of the external resource<!-- CVE-2010-0654 -->, and
+  the <a href="#content-type" title="Content-Type">Content-Type metadata</a> of the
+  external resource is not a supported style sheet type, the user
+  agent must instead assume it to be <code title="">text/css</code>.</p>
 
   </div><h5 id="link-type-sidebar"><span class="secno">4.12.4.15 </span>Link type "<dfn title="rel-sidebar"><code>sidebar</code></dfn>"</h5><p class="XXX annotation"><b>Status: </b><i>Last call for comments</i><p>The <code title="rel-sidebar"><a href="#link-type-sidebar">sidebar</a></code> keyword may be used
   with <code><a href="#the-link-element">link</a></code>, <code><a href="#the-a-element">a</a></code>, and <code><a href="#the-area-element">area</a></code>
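
Review bot: In the added condition "has the same origin as the URL of the external resource", the text does not say which URL is compared when the fetch is redirected. If the originally specified address is the one checked, a same-origin URL that redirects to another origin would still get the text/css override, which is the case this change is meant to close. Suggest wording the check against the URL the resource was finally obtained from, after any redirects. Separately, the rationale survives only as the HTML comment "CVE-2010-0654", which readers of the rendered spec never see; a short visible note that the same-origin restriction exists to stop cross-origin content being parsed as a style sheet would keep implementers from treating the condition as optional.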

Received on Thursday, 26 August 2010 01:47:54 UTC