hixie: Mention that this example should use text/html-sandboxed. (whatwg r4625)

hixie: Mention that this example should use text/html-sandboxed. (whatwg
r4625)

http://dev.w3.org/cvsweb/html5/spec/Overview.html?r1=1.3685&r2=1.3686&f=h
http://html5.org/tools/web-apps-tracker?from=4624&to=4625

===================================================================
RCS file: /sources/public/html5/spec/Overview.html,v
retrieving revision 1.3685
retrieving revision 1.3686
diff -u -d -r1.3685 -r1.3686
--- Overview.html 24 Jan 2010 10:29:44 -0000 1.3685
+++ Overview.html 24 Jan 2010 10:47:10 -0000 1.3686
@@ -17118,6 +17118,13 @@
    visible in the <code title="dom-document-cookie"><a href="#dom-document-cookie">document.cookie</a></code> IDL
    attribute.</p>
 
+   <p class="warning">It is important that the server serve the
+   user-provided HTML using the <code><a href="#text-html-sandboxed">text/html-sandboxed</a></code> MIME
+   type so that if the attacker convinces the user to visit that page
+   directly, the page doesn't run in the context of the site's origin,
+   which would make the user vulnerable to any attack found in the
+   page.</p>
+
   </div><div class="example">
 
    <p>In this example, a gadget from another site is embedded. The

Received on Sunday, 24 January 2010 10:47:50 UTC