W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2016

Re: PDF alternative using HTML (proposal)

From: James May <whatwg@fowlsmurf.net>
Date: Tue, 19 Jan 2016 09:14:23 +1100
Message-ID: <CABY6sLg1DBRsRKUXEyFJJiV=GmOb-Tn17TKgRmQESzEG5NVxgw@mail.gmail.com>
To: Craig Francis <craig@craigfrancis.co.uk>
Cc: public-webappsec@w3.org
On 12 January 2016 at 21:54, Craig Francis <craig@craigfrancis.co.uk> wrote:
> Unfortunately you can't just email a HTML document to someone, as this
> causes a range of security problems, and including resources can be
> difficult (you can inline them, or use MHTML, but these are tricky to
> create).
> So I was wondering if we could take the approach that Microsoft Word did
> with the docx format, Java with JAR, PHP with PHAR, etc...

I think perhaps you dismiss MHTML to quickly ;)

I'm not sure what advantage using a ZIP container has over the
multipart MIME container -  They are already supported by IE for
reading and writing, with Chrome support behind a flag and Firefox via
an extension[1].

I'm also not sure why a ZIP container would make it any easier to
generate or "self-contain"arbitrary content. For new content intended
to be delivered this way it obviously wouldn't be a problem.

> Then from a security point of view, it can be locked down to its own little
> box, so no access to other files on the file system, probably no access to
> cookies/localstorage, no ability to connect to another host (maybe).

I think careful application of CSP headers could allow safe hosting of
arbitrary content, but I'd imagine that specifying/enhancing the
security model of web hosted MHTL files to make it safe 'by default'
would be desirable.

> And from the users point of view, the document could be protected with a
> password (a feature that ZIP/GZIP provides already, and the browser can
> prompt for when opening).

Well, S/MIME exists.

-- James

[1] https://en.wikipedia.org/wiki/MHTML

> So would this help with the security aspects of emailing HTML files to
> people (e.g. reports), and be better than PDFs?
> Craig
> https://code.google.com/p/chromium/issues/detail?id=575677
> https://bugzilla.mozilla.org/show_bug.cgi?id=1237990
Received on Tuesday, 19 January 2016 13:59:30 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:54 UTC