Remove <object typemustmatch>

It did not get wide enough adoption and causes a minor cross-origin leak. See https://lists.w3.org/Archives/Public/public-whatwg-archive/2011Jun/0144.html for its introduction and https://github.com/xsleaks/xsleaks/wiki/Browser-Side-Channels#object-typemustmatch for the leak. Tests: web-platform-tests/wpt#16656.
whatwg · May 3, 2019 · 2606f90 · 2606f90
1 parent c0b75ea
commit 2606f90
Showing 1 changed file with 17 additions and 51 deletions.
diff --git a/source b/source
@@ -30512,6 +30512,12 @@ interface <dfn>HTMLEmbedElement</dfn> : <span>HTMLElement</span> {
   the resource being embedded. The attribute, if present, must contain a <span>valid non-empty URL
   potentially surrounded by spaces</span>.</p>
 
+  <p class="warning">Authors should avoid referencing untrusted resources, as such a resource can be
+  used to instantiate plugins or run scripts, even if the author has used features such as the Flash
+  "allowScriptAccess" parameter.</p> <!-- for example, if the user doesn't have flash installed but
+  does have java installed, and the remote site unexpectedly returns java instead of flash, then
+  java will run, and it will ignore the allowScriptAccess thing -->
+
   <p>If the <code data-x="attr-itemprop">itemprop</code> attribute is specified on an
   <code>embed</code> element, then the <code data-x="attr-embed-src">src</code> attribute must also
   be specified.</p>
@@ -30882,7 +30888,6 @@ interface <dfn>HTMLEmbedElement</dfn> : <span>HTMLElement</span> {
    <dd><span>Global attributes</span></dd>
    <dd><code data-x="attr-object-data">data</code></dd>
    <dd><code data-x="attr-object-type">type</code></dd>
-   <dd><code data-x="attr-object-typemustmatch">typemustmatch</code></dd>
    <dd><code data-x="attr-object-name">name</code></dd>
    <dd><code data-x="attr-hyperlink-usemap">usemap</code></dd>
    <dd><code data-x="attr-fae-form">form</code></dd>
@@ -30895,7 +30900,6 @@ interface <dfn>HTMLEmbedElement</dfn> : <span>HTMLElement</span> {
 interface <dfn>HTMLObjectElement</dfn> : <span>HTMLElement</span> {
   [<span>CEReactions</span>] attribute USVString <span data-x="dom-object-data">data</span>;
   [<span>CEReactions</span>] attribute DOMString <span data-x="dom-object-type">type</span>;
-  [<span>CEReactions</span>] attribute boolean <span data-x="dom-object-typeMustMatch">typeMustMatch</span>;
   [<span>CEReactions</span>] attribute DOMString <span data-x="dom-object-name">name</span>;
   [<span>CEReactions</span>] attribute DOMString <span data-x="dom-object-useMap">useMap</span>;
   readonly attribute <span>HTMLFormElement</span>? <span data-x="dom-fae-form">form</span>;
@@ -30929,11 +30933,8 @@ interface <dfn>HTMLObjectElement</dfn> : <span>HTMLElement</span> {
   <span>URL</span> of the resource. If present, the attribute must be a <span>valid non-empty URL
   potentially surrounded by spaces</span>.</p>
 
-  <p class="warning">Authors who reference resources from other <span data-x="origin">origins</span>
-  that they do not trust are urged to use the <code
-  data-x="attr-object-typemustmatch">typemustmatch</code> attribute defined below. Without that
-  attribute, it is possible in certain cases for an attacker on the remote host to use the plugin
-  mechanism to run arbitrary scripts, even if the author has used features such as the Flash
+  <p class="warning">Authors should avoid referencing untrusted resources, as such a resource can be
+  used to instantiate plugins or run scripts, even if the author has used features such as the Flash
   "allowScriptAccess" parameter.</p> <!-- for example, if the user doesn't have flash installed but
   does have java installed, and the remote site unexpectedly returns java instead of flash, then
   java will run, and it will ignore the allowScriptAccess thing -->
@@ -30947,16 +30948,6 @@ interface <dfn>HTMLObjectElement</dfn> : <span>HTMLElement</span> {
   <p>If the <code data-x="attr-itemprop">itemprop</code> attribute is specified on an <code>object</code>
   element, then the <code data-x="attr-object-data">data</code> attribute must also be specified.</p>
 
-  <p>The <dfn><code data-x="attr-object-typemustmatch">typemustmatch</code></dfn> attribute is a
-  <span>boolean attribute</span> whose presence indicates that the resource specified by the <code
-  data-x="attr-object-data">data</code> attribute is only to be used if the value of the <code
-  data-x="attr-object-type">type</code> attribute and the <span>Content-Type</span> of the
-  aforementioned resource match.</p>
-
-  <p>The <code data-x="attr-object-typemustmatch">typemustmatch</code> attribute must not be
-  specified unless both the <code data-x="attr-object-data">data</code> attribute and the <code
-  data-x="attr-object-type">type</code> attribute are present.</p>
-
   <p>The <dfn><code data-x="attr-object-name">name</code></dfn> attribute, if present, must be a
   <span>valid browsing context name</span>. The given value is used to name the <span>nested
   browsing context</span>, if applicable, and if present when the <span>nested browsing
@@ -31195,29 +31186,6 @@ interface <dfn>HTMLObjectElement</dfn> : <span>HTMLElement</span> {
 
        </li>
 
-       <li>
-
-        <p>If the <code>object</code> element has a <code data-x="attr-object-type">type</code>
-        attribute and a <code data-x="attr-object-typemustmatch">typemustmatch</code> attribute, and
-        the resource has <span data-x="Content-Type">associated Content-Type metadata</span>, and the
-        type specified in <span data-x="Content-Type">the resource's Content-Type metadata</span> is
-        an <span>ASCII case-insensitive</span> match for the value of the element's <code
-        data-x="attr-object-type">type</code> attribute, then let <var>resource type</var>
-        be that type and jump to the step below labeled <i>handler</i>.</p>
-
-        <!-- do we need to <span>strip leading and trailing ASCII whitespace</span> from anything
-        here? collapse sequences of spaces? drop parameters? -->
-
-       </li>
-
-       <li>
-
-        <p>If the <code>object</code> element has a <code
-        data-x="attr-object-typemustmatch">typemustmatch</code> attribute, jump to the step below
-        labeled <i>handler</i>.</p>
-
-       </li>
-
        <li>
 
         <!-- by request: https://www.w3.org/Bugs/Public/show_bug.cgi?id=8479 -->
@@ -31574,11 +31542,12 @@ interface <dfn>HTMLObjectElement</dfn> : <span>HTMLElement</span> {
 
   <div w-nodev>
 
-  <p>The IDL attributes <dfn><code data-x="dom-object-data">data</code></dfn>, <dfn><code data-x="dom-object-type">type</code></dfn> and <dfn><code data-x="dom-object-name">name</code></dfn> each must <span>reflect</span> the respective
-  content attributes of the same name. The <dfn><code data-x="dom-object-typeMustMatch">typeMustMatch</code></dfn> IDL attribute must
-  <span>reflect</span> the <code data-x="attr-object-typemustmatch">typemustmatch</code> content
-  attribute. The <dfn><code data-x="dom-object-useMap">useMap</code></dfn> IDL attribute must
-  <span>reflect</span> the <code data-x="attr-hyperlink-usemap">usemap</code> content attribute.</p>
+  <p>The IDL attributes <dfn><code data-x="dom-object-data">data</code></dfn>, <dfn><code
+  data-x="dom-object-type">type</code></dfn> and <dfn><code
+  data-x="dom-object-name">name</code></dfn> each must <span>reflect</span> the respective
+  content attributes of the same name. The <dfn><code data-x="dom-object-useMap">useMap</code></dfn>
+  IDL attribute must <span>reflect</span> the <code data-x="attr-hyperlink-usemap">usemap</code>
+  content attribute.</p>
 
   <p>The <dfn><code data-x="dom-object-contentDocument">contentDocument</code></dfn> IDL attribute,
   on getting, must return the <code>object</code> element's <span
@@ -115253,6 +115222,9 @@ if (s = prompt('What is your name?')) {
    <dt><dfn><code data-x="attr-object-standby">standby</code></dfn> on <code>object</code> elements</dt>
    <dd><p>Optimize the linked resource so that it loads quickly or, at least, incrementally.</p></dd>
 
+   <dt><dfn><code data-x="attr-object-typemustmatch">typemustmatch</code></dfn> on <code>object</code> elements</dt>
+   <dd><p>Avoid using <code>object</code> elements with untrusted resources.</p></dd>
+
    <dt><dfn><code data-x="attr-param-type">type</code></dfn> on <code>param</code> elements</dt>
    <dt><dfn><code data-x="attr-param-valuetype">valuetype</code></dfn> on <code>param</code> elements</dt>
    <dd><p>Use the <code data-x="attr-param-name">name</code> and <code
@@ -118226,7 +118198,6 @@ interface <dfn>External</dfn> {
      <td><span data-x="global attributes">globals</span>;
          <code data-x="attr-object-data">data</code>;
          <code data-x="attr-object-type">type</code>;
-         <code data-x="attr-object-typemustmatch">typemustmatch</code>;
          <code data-x="attr-object-name">name</code>;
          <code data-x="attr-hyperlink-usemap">usemap</code>;
          <code data-x="attr-fae-form">form</code>;
@@ -120236,11 +120207,6 @@ interface <dfn>External</dfn> {
      <td> <code data-x="attr-script-type">script</code>
      <td> Type of script
      <td> "<code data-x="">module</code>"; a <span>valid MIME type string</span> that is not a <span>JavaScript MIME type essence match</span>
-    <tr>
-     <th> <code data-x="">typemustmatch</code>
-     <td> <code data-x="attr-object-typemustmatch">object</code>
-     <td> Whether the <code data-x="attr-object-type">type</code> attribute and the <span>Content-Type</span> value need to match for the resource to be used
-     <td> <span>Boolean attribute</span>
     <tr>
      <th> <code data-x="">usemap</code>
      <td> <code data-x="attr-hyperlink-usemap">img</code>;