W3C home > Mailing lists > Public > www-tag@w3.org > August 2012

[ietf-types] Update to text/html registration (fwd)

From: Yves Lafon <ylafon@w3.org>
Date: Tue, 7 Aug 2012 09:54:23 -0400 (EDT)
To: www-tag@w3.org
Message-ID: <alpine.DEB.1.10.1208070953410.6518@wnl.j3.bet>

---------- Forwarded message ----------
Date: Tue, 7 Aug 2012 20:16:49 +0900
From: "Michael[tm] Smith" <mike@w3.org>
To: ietf-types@ietf.org
Subject: [ietf-types] Update to text/html registration

Please update the registration for the text/html media type to reference
the HTML5 specification instead of RFC 2854.


Type name:

Subtype name:

Required parameters:
   No required parameters

Optional parameters:
     The charset parameter may be provided to definitively specify the
     document's character encoding, overriding any character encoding
     declarations in the document. The parameter's value must be the name of
     the character encoding used to serialize the file, must be a valid
     character encoding name, and must be an ASCII case-insensitive match
     for the preferred MIME name for that encoding. [IANACHARSET]

Encoding considerations:
   8bit (see the section on character encoding declarations)

Security considerations:
   Entire novels have been written about the security considerations that
   apply to HTML documents. Many are listed in this document, to which the
   reader is referred for more details. Some general concerns bear
   mentioning here, however:

   HTML is scripted language, and has a large number of APIs (some of which
   are described in this document). Script can expose the user to potential
   risks of information leakage, credential leakage, cross-site scripting
   attacks, cross-site request forgeries, and a host of other problems.
   While the designs in this specification are intended to be safe if
   implemented correctly, a full implementation is a massive undertaking
   and, as with any software, user agents are likely to have security bugs.

   Even without scripting, there are specific features in HTML which, for
   historical reasons, are required for broad compatibility with legacy
   content but that expose the user to unfortunate security problems. In
   particular, the img element can be used in conjunction with some other
   features as a way to effect a port scan from the user's location on the
   Internet. This can expose local network topologies that the attacker
   would otherwise not be able to determine.

   HTML relies on a compartmentalization scheme sometimes known as the
   same-origin policy. An origin in most cases consists of all the pages
   served from the same host, on the same port, using the same protocol.

   It is critical, therefore, to ensure that any untrusted content that
   forms part of a site be hosted on a different origin than any sensitive
   content on that site. Untrusted content can easily spoof any other page
   on the same origin, read data from that origin, cause scripts in that
   origin to execute, submit forms to and from that origin even if they are
   protected from cross-site request forgery attacks by unique tokens, and
   make use of any third-party resources exposed to or rights granted to
   that origin.

Interoperability considerations:
   Rules for processing both conforming and non-conforming content are
   defined in the HTML5 specification.

Published specification:
   This HTML5 specification is the relevant specification. Labeling a
   resource with the text/html type asserts that the resource is an HTML
   document using the HTML syntax.

Applications that use this media type:
   Web browsers, tools for processing Web content, HTML authoring tools,
   search engines, validators.

Additional information:
   Magic number(s):
     No sequence of bytes can uniquely identify an HTML document. More
     information on detecting HTML documents is available in the Media Type
     Sniffing specification.

     File extension(s):
       "html" and "htm" are commonly, but certainly not exclusively, used as
       the extension for HTML documents.

     Macintosh file type code(s):

Person & email address to contact for further information:
    Michael[tm] Smith <mike@w3.org>

Intended usage:

Restrictions on usage:
   No restrictions apply.

   Ian Hickson <ian@hixie.ch>

Change controller:

Fragment identifiers used with text/html resources either refer to the
indicated part of the document or provide state information for in-page

Michael[tm] Smith http://people.w3.org/mike
ietf-types mailing list
Received on Tuesday, 7 August 2012 13:54:28 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 22:56:46 UTC