- From: poot <cvsmail@w3.org>
- Date: Tue, 06 Mar 2012 19:41:07 -0500
- To: public-html-diffs@w3.org
hixie: Mention iframe sandbox in the context of http+aes. (whatwg r7021) http://dev.w3.org/cvsweb/html5/spec/Overview.html?r1=1.5606&r2=1.5607&f=h http://html5.org/tools/web-apps-tracker?from=7020&to=7021 =================================================================== RCS file: /sources/public/html5/spec/Overview.html,v retrieving revision 1.5606 retrieving revision 1.5607 diff -u -d -r1.5606 -r1.5607 --- Overview.html 6 Mar 2012 23:44:54 -0000 1.5606 +++ Overview.html 7 Mar 2012 00:40:57 -0000 1.5607 @@ -320,7 +320,7 @@ <h1>HTML5</h1> <h2 class="no-num no-toc" id="a-vocabulary-and-associated-apis-for-html-and-xhtml">A vocabulary and associated APIs for HTML and XHTML</h2> - <h2 class="no-num no-toc" id="editor-s-draft-6-march-2012">Editor's Draft 6 March 2012</h2> + <h2 class="no-num no-toc" id="editor-s-draft-7-march-2012">Editor's Draft 7 March 2012</h2> <dl><dt>Latest Published Version:</dt> <dd><a href="http://www.w3.org/TR/html5/">http://www.w3.org/TR/html5/</a></dd> <dt>Latest Editor's Draft:</dt> @@ -467,7 +467,7 @@ Group</a> is the W3C working group responsible for this specification's progress along the W3C Recommendation track. - This specification is the 6 March 2012 Editor's Draft. + This specification is the 7 March 2012 Editor's Draft. </p><!-- UNDER NO CIRCUMSTANCES IS THE PRECEDING PARAGRAPH TO BE REMOVED OR EDITED WITHOUT TALKING TO IAN FIRST --><p>Work on this specification is also done at the <a href="http://www.whatwg.org/">WHATWG</a>. The W3C HTML working group actively pursues convergence with the WHATWG, as required by the <a href="http://www.w3.org/2007/03/HTML-WG-charter">W3C HTML working group charter</a>.</p><!-- UNDER NO CIRCUMSTANCES IS THE FOLLOWING PARAGRAPH TO BE REMOVED OR EDITED WITHOUT TALKING TO IAN FIRST --><p>This document was produced by a group operating under the <a href="http://www.w3.org/Consortium/Patent-Policy-20040205/">5 
@@ -71193,6 +71193,14 @@ Otherwise, an attacker can use commonalities in the resources' plaintexts to determine the key and decrypt all the resources sharing a key.</p> + <p>Authors should take care not to embed arbitrary content from + the same site using the same scheme, as all content using the + <code title="">http+aes</code> scheme on the same host (and same + port) shares the same <a href="#origin">origin</a> and can therefore leak + the keys of any other content also opened at that origin. This + problem can be mitigated using the <code><a href="#the-iframe-element">iframe</a></code> element and + the <code title="attr-iframe-sandbox"><a href="#attr-iframe-sandbox">sandbox</a></code> + attribute to embed such content.</p> <p>The security considerations that apply to <code title="">http</code> apply as well.</p> </dd> @@ -71213,7 +71221,9 @@ <dt>URI scheme syntax:</dt> <dd>Same as <code title="">http+aes</code>.</dd> <dt>URI scheme semantics:</dt> - <dd>Same as <code title="">http+aes</code>.</dd> + <dd>Same as <code title="">http+aes</code>, but using HTTP over TLS + (as in, HTTPS) instead of HTTP, and defaulting to the HTTPS port + instead of HTTP's port.</dd> <dt>Encoding considerations:</dt> <dd>Same as <code title="">http+aes</code>.</dd> <dt>Applications/protocols that use this URI scheme name:</dt>
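Review bot: the new security-considerations paragraph in the http+aes hunk names the `sandbox` attribute as the mitigation but does not say that the protection depends on the `allow-same-origin` keyword being absent; with that keyword present the sandboxed content keeps the shared http+aes origin the paragraph warns about, so the advice as written can be followed and still leave the keys exposed. Suggest changing the last sentence to something like "using the iframe element and the sandbox attribute (without the allow-same-origin keyword) to embed such content." It would also help to state that the mitigation only isolates the embedded content: the embedding document itself still shares the origin with everything else loaded via http+aes from that host and port.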
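Review bot: the https+aes "URI scheme semantics" hunk says only "Same as http+aes, but using HTTP over TLS (as in, HTTPS) instead of HTTP, and defaulting to the HTTPS port instead of HTTP's port", yet the http+aes paragraph added in the previous hunk ties key exposure to origin (host and port); this entry should say whether https+aes content is a distinct origin from http+aes content on the same host, or point the reader to the http+aes security considerations with that difference noted, so the origin-sharing warning is not lost for the TLS variant. As a style point, "(as in, HTTPS)" reads informally for registration text; "(that is, HTTPS)" matches the register of the surrounding entries.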
Received on Wednesday, 7 March 2012 00:41:09 UTC