- From: Ian Hickson via cvs-syncmail <cvsmail@w3.org>
- Date: Sun, 24 Jan 2010 10:47:14 +0000
- To: public-html-commits@w3.org
Update of /sources/public/html5/spec
In directory hutz:/tmp/cvs-serv5152
Modified Files:
Overview.html
Log Message:
Mention that this example should use text/html-sandboxed. (whatwg r4625)
Index: Overview.html
===================================================================
RCS file: /sources/public/html5/spec/Overview.html,v
retrieving revision 1.3685
retrieving revision 1.3686
diff -u -d -r1.3685 -r1.3686
--- Overview.html 24 Jan 2010 10:29:44 -0000 1.3685
+++ Overview.html 24 Jan 2010 10:47:10 -0000 1.3686
@@ -17118,6 +17118,13 @@
visible in the <code title="dom-document-cookie"><a href="#dom-document-cookie">document.cookie</a></code> IDL
attribute.</p>
+ <p class="warning">It is important that the server serve the
+ user-provided HTML using the <code><a href="#text-html-sandboxed">text/html-sandboxed</a></code> MIME
+ type so that if the attacker convinces the user to visit that page
+ directly, the page doesn't run in the context of the site's origin,
+ which would make the user vulnerable to any attack found in the
+ page.</p>
+
</div><div class="example">
<p>In this example, a gadget from another site is embedded. The
Received on Sunday, 24 January 2010 10:47:15 UTC