- From: Michael Smith via cvs-syncmail <cvsmail@w3.org>
- Date: Wed, 08 Dec 2010 01:46:41 +0000
- To: public-html-commits@w3.org
Update of /sources/public/html5/spec In directory hutz:/tmp/cvs-serv18452 Modified Files: iana.html spec.html Log Message: note advice from an anonymous IANA reviewer (whatwg r5713) [updated by splitter] Index: iana.html =================================================================== RCS file: /sources/public/html5/spec/iana.html,v retrieving revision 1.344 retrieving revision 1.345 diff -u -d -r1.344 -r1.345 --- iana.html 5 Dec 2010 09:44:13 -0000 1.344 +++ iana.html 8 Dec 2010 01:46:38 -0000 1.345 @@ -514,6 +514,15 @@ as <code><a href="#text-html-sandboxed">text/html-sandboxed</a></code> as regular <code><a href="#text-html">text/html</a></code> files, authors should avoid using the <code title="">.html</code> or <code title="">.htm</code> extensions for resources labeled as <code><a href="#text-html-sandboxed">text/html-sandboxed</a></code>.</p> + <p>Furthermore, since the <code><a href="#text-html-sandboxed">text/html-sandboxed</a></code> MIME + type impacts the origin security model, authors should be careful + to prevent tampering with the MIME type labeling mechanism itself + when documents are labeled as <code><a href="#text-html-sandboxed">text/html-sandboxed</a></code>. If + an attacker can cause a file to be served as + <code><a href="#text-html">text/html</a></code> instead of + <code><a href="#text-html-sandboxed">text/html-sandboxed</a></code>, then the sandboxing will not + take effect and a cross-site scripting attack will become + possible.</p> <p>Beyond this, the type is identical to <code><a href="#text-html">text/html</a></code>, and the same considerations apply.</p> </dd> Index: spec.html =================================================================== RCS file: /sources/public/html5/spec/spec.html,v retrieving revision 1.1347 retrieving revision 1.1348 diff -u -d -r1.1347 -r1.1348 --- spec.html 8 Dec 2010 00:47:22 -0000 1.1347 +++ spec.html 8 Dec 2010 01:46:38 -0000 1.1348 
@@ -385,7 +385,7 @@ <a href="Overview.html">single page HTML</a>, <a href="spec.html">multipage HTML</a>, <a href="author/">web developer edition</a>. -This is revision 1.4577. +This is revision 1.4578. </p> <p class="copyright"><a href="http://www.w3.org/Consortium/Legal/ipr-notice#Copyright">Copyright</a> © 2010 <a href="http://www.w3.org/"><abbr title="World Wide
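Review bot: In the paragraph added to iana.html (hunk -514,6 +514,15), "authors should be careful to prevent tampering with the MIME type labeling mechanism itself" does not say what that mechanism is or what an author is expected to do, so the advice cannot be acted on or checked. Suggest naming what is meant by the labeling mechanism (whatever determines that the resource is served as text/html-sandboxed rather than text/html) and stating the measure expected of authors. The closing sentence already gives the consequence clearly ("the sandboxing will not take effect"), so the vague "be careful" wording is the only part that needs tightening.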
Received on Wednesday, 8 December 2010 01:46:42 UTC