- From: poot <cvsmail@w3.org>
- Date: Sun, 24 Jan 2010 19:47:21 +0900 (JST)
- To: public-html-diffs@w3.org
hixie: Mention that this example should use text/html-sandboxed. (whatwg r4625) http://dev.w3.org/cvsweb/html5/spec/Overview.html?r1=1.3685&r2=1.3686&f=h http://html5.org/tools/web-apps-tracker?from=4624&to=4625 =================================================================== RCS file: /sources/public/html5/spec/Overview.html,v retrieving revision 1.3685 retrieving revision 1.3686 diff -u -d -r1.3685 -r1.3686 --- Overview.html 24 Jan 2010 10:29:44 -0000 1.3685 +++ Overview.html 24 Jan 2010 10:47:10 -0000 1.3686 @@ -17118,6 +17118,13 @@ visible in the <code title="dom-document-cookie"><a href="#dom-document-cookie">document.cookie</a></code> IDL attribute.</p> + <p class="warning">It is important that the server serve the + user-provided HTML using the <code><a href="#text-html-sandboxed">text/html-sandboxed</a></code> MIME + type so that if the attacker convinces the user to visit that page + directly, the page doesn't run in the context of the site's origin, + which would make the user vulnerable to any attack found in the + page.</p> + </div><div class="example"> <p>In this example, a gadget from another site is embedded. The
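Review bot: the last clause of the added warning ("which would make the user vulnerable to any attack found in the page") leaves the actual consequence implicit; since the context line just above it discusses what is visible in the `document.cookie` IDL attribute, the warning would be clearer if it spelled out that content served as plain `text/html` and visited directly runs with the site's own origin, so script in the user-provided page could read that site's cookies and storage and act as the user, whereas the sandbox restrictions only apply while the content is embedded. Suggest rewording the tail to something like "... the page doesn't run in the context of the site's origin; otherwise script in the user-provided content could access the site's cookies and act on the user's behalf." Also consider noting in the warning that the iframe `sandbox` attribute alone gives no protection against this direct-navigation case, which is the reason the MIME type is needed at all.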
Received on Sunday, 24 January 2010 10:47:50 UTC