W3C home > Mailing lists > Public > www-validator@w3.org > November 2014

typesmustmatch xhtml

From: Alice Wonder <alice@domblogger.net>
Date: Mon, 10 Nov 2014 14:45:06 -0800
Message-ID: <54613FF2.2060005@domblogger.net>
To: www-validator@w3.org
When the object tag has the typesemustmatch attribute, the W3C validator 
states that it is not allowed in xhtml at this point.

Everything else will validate as html5

Why is that attribute listed in the html5 specification w/o a special 
note if it is not allowed when sending the content as 
application/xml+xhtml ?? How am I suppose to know what really is allowed 
when serving as XML if the spec does not tell me?

http://www.w3.org/TR/html5/embedded-content-0.html#attr-object-typemustmatch

That says nothing about the tag not being allowed when an html5 document 
is sent as xml.

This is why that attribute is important to me, and why I would like it 
to be part of html5 even when sent as XML :

When the webapp I am writing scans content before serving, object nodes 
that are not in a whitelist of type attributes are removed, to help 
prevent XSS.

Object nodes within the whitelist, I want to add that attribute because 
if the browser is not implementing CSP then I don't want an 
intentionally mis-identified type attribute in an injection attack to 
allow a payload to be delivered to users.

I'm hoping typesmustmatch will help prevent that scenario.

I have to allow the object tag, it is useful for several things, but it 
is also dangerous.

Historically some browsers *cough*IE*cough* would sometimes think they 
were being helpful in scenarios where mime type didn't match what IE 
thought it was, resulting in attack vectors. I want to be able to 
specify that they MUST match for pages served from my app.

So I really want that attribute to be legal in html5 - even when I send 
as XML which is what I prefer to do.

Thank you,

Alice
Received on Monday, 10 November 2014 23:58:21 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 13 September 2016 06:30:31 UTC