- From: Alice Wonder <alice@domblogger.net>
- Date: Mon, 10 Nov 2014 14:45:06 -0800
- To: www-validator@w3.org
When the object tag has the typemustmatch attribute, the W3C validator states that it is not allowed in XHTML at this point. Everything else will validate as HTML5. Why is that attribute listed in the HTML5 specification without a special note if it is not allowed when sending the content as application/xhtml+xml? How am I supposed to know what really is allowed when serving as XML if the spec does not tell me?

http://www.w3.org/TR/html5/embedded-content-0.html#attr-object-typemustmatch

That says nothing about the attribute not being allowed when an HTML5 document is sent as XML.

This is why that attribute is important to me, and why I would like it to be part of HTML5 even when sent as XML: when the webapp I am writing scans content before serving, object nodes whose type attribute is not in a whitelist are removed, to help prevent XSS. To object nodes within the whitelist, I want to add that attribute, because if the browser is not implementing CSP then I don't want an intentionally mis-identified type attribute in an injection attack to allow a payload to be delivered to users. I'm hoping typemustmatch will help prevent that scenario.

I have to allow the object tag; it is useful for several things, but it is also dangerous. Historically some browsers *cough*IE*cough* would sometimes think they were being helpful in scenarios where the MIME type didn't match what IE thought it was, resulting in attack vectors. I want to be able to specify that they MUST match for pages served from my app.

So I really want that attribute to be legal in HTML5 - even when I send as XML, which is what I prefer to do.

Thank you,
Alice
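The sanitizing step the message describes (drop `object` nodes whose `type` is not on an allow-list, add `typemustmatch` to the rest) is sketched below as an added example in Python using the standard library's XML parser. It is not the author's webapp code; the allow-list, the sample document and the helper names are constructed for illustration. It works on the XHTML serialization the author serves, so the boolean attribute is written as `typemustmatch="typemustmatch"` rather than the bare HTML form.

```python
"""Allow-list filter for <object> elements in an XHTML document.

Hypothetical example (not the author's webapp). Policy mirrored from the
message above:
  1. <object> elements whose type attribute is missing or not on the
     allow-list are removed from the tree.
  2. Surviving <object> elements get typemustmatch, so a browser that
     honours it refuses to render the resource when the real Content-Type
     differs from the declared type.
"""
import xml.etree.ElementTree as ET

XHTML_NS = "http://www.w3.org/1999/xhtml"
# Serialize the XHTML namespace as the default namespace, as it was parsed.
ET.register_namespace("", XHTML_NS)

# Constructed allow-list; the author's real list is not given on the page.
ALLOWED_OBJECT_TYPES = frozenset({"application/pdf", "image/svg+xml"})


def _local_name(tag):
    """Strip the Clark-notation namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def _normalize_type(value):
    """Lower-case the media type and drop parameters such as charset."""
    return (value or "").split(";", 1)[0].strip().lower()


def sanitize_objects(xhtml, allowed=ALLOWED_OBJECT_TYPES):
    """Return (sanitized_xhtml, number_of_object_elements_removed)."""
    root = ET.fromstring(xhtml)
    removed = 0
    # Snapshot the parents first: removing children while iterating the
    # tree would skip siblings.
    for parent in list(root.iter()):
        for child in list(parent):
            if not isinstance(child.tag, str) or _local_name(child.tag) != "object":
                continue
            media_type = _normalize_type(child.get("type"))
            if media_type not in allowed:
                parent.remove(child)   # unknown or absent type: drop the node
                removed += 1
            else:
                child.set("type", media_type)                  # canonical form
                child.set("typemustmatch", "typemustmatch")    # XHTML boolean
    return ET.tostring(root, encoding="unicode"), removed


def object_types(xhtml):
    """List (type, typemustmatch) pairs for every <object> in the document."""
    root = ET.fromstring(xhtml)
    return [
        (el.get("type"), el.get("typemustmatch"))
        for el in root.iter()
        if isinstance(el.tag, str) and _local_name(el.tag) == "object"
    ]


# Constructed sample document: two objects on the allow-list (one with a
# parameter and odd casing), one off-list type, one with no type at all.
SAMPLE_XHTML = """<html xmlns="http://www.w3.org/1999/xhtml"><body>
<object type="application/pdf" data="/docs/report.pdf"></object>
<object type="text/html" data="/some/page"></object>
<object type="Application/PDF; charset=utf-8" data="/docs/notes.pdf"></object>
<object data="/untyped"></object>
</body></html>"""

if __name__ == "__main__":
    cleaned, dropped = sanitize_objects(SAMPLE_XHTML)
    print(f"removed {dropped} object element(s)")
    print(cleaned)
```

The comparison is made on the normalized media type only, so `Application/PDF; charset=utf-8` matches the allow-list entry while a missing `type` is treated as off-list, which is the conservative choice given that the whole point is to never let the browser guess.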
Received on Monday, 10 November 2014 23:58:21 UTC