- From: poot <cvsmail@w3.org>
- Date: Wed, 8 Dec 2010 09:54:09 +0900 (JST)
- To: public-html-diffs@w3.org
hixie: note advice from an anonymous IANA reviewer (whatwg r5713) http://dev.w3.org/cvsweb/html5/spec/Overview.html?r1=1.4577&r2=1.4578&f=h http://html5.org/tools/web-apps-tracker?from=5712&to=5713 =================================================================== RCS file: /sources/public/html5/spec/Overview.html,v retrieving revision 1.4577 retrieving revision 1.4578 diff -u -d -r1.4577 -r1.4578 --- Overview.html 8 Dec 2010 00:28:00 -0000 1.4577 +++ Overview.html 8 Dec 2010 00:52:03 -0000 1.4578 @@ -67215,6 +67215,15 @@ as <code><a href="#text-html-sandboxed">text/html-sandboxed</a></code> as regular <code><a href="#text-html">text/html</a></code> files, authors should avoid using the <code title="">.html</code> or <code title="">.htm</code> extensions for resources labeled as <code><a href="#text-html-sandboxed">text/html-sandboxed</a></code>.</p> + <p>Furthermore, since the <code><a href="#text-html-sandboxed">text/html-sandboxed</a></code> MIME + type impacts the origin security model, authors should be careful + to prevent tampering with the MIME type labeling mechanism itself + when documents are labeled as <code><a href="#text-html-sandboxed">text/html-sandboxed</a></code>. If + an attacker can cause a file to be served as + <code><a href="#text-html">text/html</a></code> instead of + <code><a href="#text-html-sandboxed">text/html-sandboxed</a></code>, then the sandboxing will not + take effect and a cross-site scripting attack will become + possible.</p> <p>Beyond this, the type is identical to <code><a href="#text-html">text/html</a></code>, and the same considerations apply.</p> </dd>
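Review bot: the new paragraph tells authors to "prevent tampering with the MIME type labeling mechanism itself" without saying what that mechanism is, so a reader cannot tell what to review; the preceding paragraph already identifies the file-extension-to-type mapping as the weak point, so suggest naming it, e.g. "the server configuration that assigns the Content-Type to the resource (such as the mapping from file extension to type)". The closing sentence jumps from "the sandboxing will not take effect" straight to "a cross-site scripting attack will become possible"; since the paragraph opens by saying the type "impacts the origin security model", it would be clearer to state the origin consequence explicitly (which origin the mislabeled document is processed in) before naming XSS as the result, so the advice stands on its own even for readers who have not followed the sandboxing section. Minor wording: "impacts the origin security model" reads better as "affects the origin security model".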
Received on Wednesday, 8 December 2010 00:54:39 UTC