Permalink
Browse files

[cgiow] (0) Introduce <object type='' data='' typemustmatch> to help …

…when referencing resources from a remote host.

git-svn-id: http://svn.whatwg.org/webapps@6222 340c8d12-0b0e-0410-8428-c7bf67bfef74
  • Loading branch information...
1 parent 3814376 commit 4030e7130384a45147421f757e80ecd26f5b0a1e @Hixie Hixie committed Jun 14, 2011
Showing with 225 additions and 22 deletions.
  1. +71 −7 complete.html
  2. +71 −7 index
  3. +83 −8 source
View
78 complete.html
@@ -24849,12 +24849,12 @@ <h4 id=the-embed-element><span class=secno>4.8.3 </span>The <dfn><code>embed</co
<div class=example>
<p>Here's a way to embed a resource that requires a proprietary
- plug-in, like Flash:</p>
+ plugin, like Flash:</p>
<pre>&lt;embed src="catgame.swf"&gt;</pre>
- <p>If the user does not have the plug-in (for example if the
- plug-in vendor doesn't support the user's platform), then the user
+ <p>If the user does not have the plugin (for example if the
+ plugin vendor doesn't support the user's platform), then the user
will be unable to use the resource.</p>
<p>To pass the plugin a parameter "quality" with the value "high",
@@ -24890,6 +24890,7 @@ <h4 id=the-object-element><span class=secno>4.8.4 </span>The <dfn><code>object</
<dd><a href=#global-attributes>Global attributes</a></dd>
<dd><code title=attr-object-data><a href=#attr-object-data>data</a></code></dd>
<dd><code title=attr-object-type><a href=#attr-object-type>type</a></code></dd>
+ <dd><code title=attr-object-typemustmatch><a href=#attr-object-typemustmatch>typemustmatch</a></code></dd>
<dd><code title=attr-object-name><a href=#attr-object-name>name</a></code></dd>
<dd><code title=attr-hyperlink-usemap><a href=#attr-hyperlink-usemap>usemap</a></code></dd>
<dd><code title=attr-fae-form><a href=#attr-fae-form>form</a></code></dd>
@@ -24900,6 +24901,7 @@ <h4 id=the-object-element><span class=secno>4.8.4 </span>The <dfn><code>object</
<pre class=idl>interface <dfn id=htmlobjectelement>HTMLObjectElement</dfn> : <a href=#htmlelement>HTMLElement</a> {
attribute DOMString <a href=#dom-object-data title=dom-object-data>data</a>;
attribute DOMString <a href=#dom-object-type title=dom-object-type>type</a>;
+ attribute boolean <a href=#dom-object-typemustmatch title=dom-object-typeMustMatch>typeMustMatch</a>;
attribute DOMString <a href=#dom-object-name title=dom-object-name>name</a>;
attribute DOMString <a href=#dom-object-usemap title=dom-object-useMap>useMap</a>;
readonly attribute <a href=#htmlformelement>HTMLFormElement</a>? <a href=#dom-fae-form title=dom-fae-form>form</a>;
@@ -24931,12 +24933,33 @@ <h4 id=the-object-element><span class=secno>4.8.4 </span>The <dfn><code>object</
present, the attribute must be a <a href=#valid-non-empty-url-potentially-surrounded-by-spaces>valid non-empty
URL potentially surrounded by spaces</a>.</p>
+ <p class=warning>Authors who reference resources from other <a href=#origin title=origin>origins</a> that they do not trust are urged to
+ use the <code title=attr-object-typemustmatch><a href=#attr-object-typemustmatch>typemustmatch</a></code>
+ attribute defined below. Without that attribute, it is possible in
+ certain cases for an attacker on the remote host to use the plugin
+ mechanism to run arbitrary scripts, even if the author has used
+ features such as the Flash "allowScriptAccess" parameter.</p> <!--
+ for example, if the user doesn't have flash installed but does have
+ java installed, and the remote site unexpectedly returns java
+ instead of flash, then java will run, and it will ignore the
+ allowScriptAccess thing -->
+
<p>The <dfn id=attr-object-type title=attr-object-type><code>type</code></dfn>
attribute, if present, specifies the type of the resource. If
present, the attribute must be a <a href=#valid-mime-type>valid MIME type</a>.</p>
<p>At least one of either the <code title=attr-object-data><a href=#attr-object-data>data</a></code> attribute or the <code title=attr-object-type><a href=#attr-object-type>type</a></code> attribute must be present.</p>
+ <p>The <dfn id=attr-object-typemustmatch title=attr-object-typemustmatch><code>typemustmatch</code></dfn>
+ attribute is a <a href=#boolean-attribute>boolean attribute</a> whose precense
+ indicates that the resource specified by the <code title=attr-object-data><a href=#attr-object-data>data</a></code> attribute is only to be used if
+ the value of the <code title=attr-object-type><a href=#attr-object-type>type</a></code>
+ attribute and the <a href=#content-type>Content-Type</a> of the aforementioned
+ resource match.</p>
+
+ <p>The <code title=attr-object-typemustmatch><a href=#attr-object-typemustmatch>typemustmatch</a></code>
+ attribute must not be specified unless both the <code title=attr-object-data><a href=#attr-object-data>data</a></code> attribute and the <code title=attr-object-type><a href=#attr-object-type>type</a></code> attribute are present.</p>
+
<p>The <dfn id=attr-object-name title=attr-object-name><code>name</code></dfn>
attribute, if present, must be a <a href=#valid-browsing-context-name>valid browsing context
name</a>. The given value is used to name the <a href=#nested-browsing-context>nested
@@ -25153,6 +25176,28 @@ <h4 id=the-object-element><span class=secno>4.8.4 </span>The <dfn><code>object</
<li>
+ <p>If the <code><a href=#the-object-element>object</a></code> element has a <code title=attr-object-type><a href=#attr-object-type>type</a></code> attribute and a <code title=attr-object-typemustmatch><a href=#attr-object-typemustmatch>typemustmatch</a></code>
+ attribute, and the resource has <a href=#content-type title=Content-Type>associated Content-Type metadata</a>,
+ and the type specified in <a href=#content-type title=Content-Type>the
+ resource's Content-Type metadata</a> is an <a href=#ascii-case-insensitive>ASCII
+ case-insensitive</a> match for the value of the element's
+ <code title=attr-object-type><a href=#attr-object-type>type</a></code> attribute, then let
+ <var title="">resource type</var> be that type and jump to the
+ step below labeled <i>handler</i>.</p>
+
+ <!-- do we need to <span>strip leading and trailing whitespace</span> from anything here? collapse sequences of spaces? drop parameters? -->
+
+ </li>
+
+ <li>
+
+ <p>If the <code><a href=#the-object-element>object</a></code> element has a <code title=attr-object-typemustmatch><a href=#attr-object-typemustmatch>typemustmatch</a></code>
+ attribute, jump to the step below labeled <i>handler</i>.</p>
+
+ </li>
+
+ <li>
+
<!-- by request: http://www.w3.org/Bugs/Public/show_bug.cgi?id=8479 -->
<p>If the user agent is configured to strictly obey
@@ -25163,6 +25208,15 @@ <h4 id=the-object-element><span class=secno>4.8.4 </span>The <dfn><code>object</
metadata</a>, and jump to the step below labeled
<i>handler</i>.</p>
+ <p class=warning>This can introduce a vulnerability, wherein
+ a site is trying to embed a resource that uses a particular
+ plugin, but the remote site overrides that and instead
+ furnishes the user agent with a resource that triggers a
+ different plugin with different security characteristics. <!--
+ e.g. the example given above, where the site is expecting
+ Flash with allowScriptAccess=never, and instead gets back Java
+ with its unrestricted DOM access --></p>
+
</li>
<li>
@@ -25300,9 +25354,10 @@ <h4 id=the-object-element><span class=secno>4.8.4 </span>The <dfn><code>object</
</li>
- </ol><p class=note>It is possible for this step to finish with <var title="">resource type</var> still being unknown, or for one of
- the substeps above to jump straight to the next step. In both
- cases, the next step will trigger fallback.</p>
+ </ol><p class=note>It is possible for this step to finish, or for
+ one of the substeps above to jump straight to the next step,
+ with <var title="">resource type</var> still being unknown. In
+ both cases, the next step will trigger fallback.</p>
</li>
@@ -25534,6 +25589,10 @@ <h4 id=the-object-element><span class=secno>4.8.4 </span>The <dfn><code>object</
<a href=#reflect>reflect</a> the respective content attributes of the same
name.</p>
+ <p>The <dfn id=dom-object-typemustmatch title=dom-object-typeMustMatch><code>typeMustMatch</code></dfn> IDL
+ attribute must <a href=#reflect>reflect</a> the <code title=attr-object-typemustmatch><a href=#attr-object-typemustmatch>typemustmatch</a></code> content
+ attribute.</p>
+
<p>The <dfn id=dom-object-contentdocument title=dom-object-contentDocument><code>contentDocument</code></dfn>
IDL attribute must return the <code><a href=#document>Document</a></code> object of the
<a href=#active-document>active document</a> of the <code><a href=#the-object-element>object</a></code> element's
@@ -26905,7 +26964,7 @@ <h5 id=mime-types><span class=secno>4.8.10.3 </span>MIME types</h5>
var videoSection = document.getElementById('video');
var videoElement = document.createElement('video');
var support = videoElement.canPlayType('video/x-new-fictional-format;codecs="kittens,bunnies"');
- if (support != "probably" &amp;&amp; "New Fictional Video Plug-in" in navigator.plugins) {
+ if (support != "probably" &amp;&amp; "New Fictional Video Plugin" in navigator.plugins) {
// not confident of browser support
// but we have a plugin
// so use plugin instead
@@ -97086,6 +97145,7 @@ <h3 class=no-num id=elements-1>Elements</h3>
<td><a href=#global-attributes title="global attributes">globals</a>;
<code title=attr-object-data><a href=#attr-object-data>data</a></code>;
<code title=attr-object-type><a href=#attr-object-type>type</a></code>;
+ <code title=attr-object-typemustmatch><a href=#attr-object-typemustmatch>typemustmatch</a></code>;
<code title=attr-object-name><a href=#attr-object-name>name</a></code>;
<code title=attr-hyperlink-usemap><a href=#attr-hyperlink-usemap>usemap</a></code>;
<code title=attr-fae-form><a href=#attr-fae-form>form</a></code>;
@@ -98503,6 +98563,10 @@ <h3 class=no-num id=element-content-categories>Element content categories</h3>
<td> <code title=attr-menu-type><a href=#attr-menu-type>menu</a></code>
<td> Type of menu
<td> "<code title="context menu state"><a href=#context-menu-state>context</a></code>"; "<code title="toolbar state"><a href=#toolbar-state>toolbar</a></code>"
+ <tr><th> <code title="">typemustmatch</code>
+ <td> <code title=attr-object-typemustmatch><a href=#attr-object-typemustmatch>object</a></code>
+ <td> Whether the <code title=attr-object-type><a href=#attr-object-type>type</a></code> attribute and the <a href=#content-type>Content-Type</a> value need to match for the resource to be used
+ <td> <a href=#boolean-attribute>Boolean attribute</a>
<tr><th> <code title="">usemap</code>
<td> <code title=attr-hyperlink-usemap><a href=#attr-hyperlink-usemap>img</a></code>;
<code title=attr-hyperlink-usemap><a href=#attr-hyperlink-usemap>object</a></code>
View
78 index
@@ -24842,12 +24842,12 @@ href="?audio"&gt;audio&lt;/a&gt; test instead.)&lt;/p&gt;</pre>
<div class=example>
<p>Here's a way to embed a resource that requires a proprietary
- plug-in, like Flash:</p>
+ plugin, like Flash:</p>
<pre>&lt;embed src="catgame.swf"&gt;</pre>
- <p>If the user does not have the plug-in (for example if the
- plug-in vendor doesn't support the user's platform), then the user
+ <p>If the user does not have the plugin (for example if the
+ plugin vendor doesn't support the user's platform), then the user
will be unable to use the resource.</p>
<p>To pass the plugin a parameter "quality" with the value "high",
@@ -24883,6 +24883,7 @@ href="?audio"&gt;audio&lt;/a&gt; test instead.)&lt;/p&gt;</pre>
<dd><a href=#global-attributes>Global attributes</a></dd>
<dd><code title=attr-object-data><a href=#attr-object-data>data</a></code></dd>
<dd><code title=attr-object-type><a href=#attr-object-type>type</a></code></dd>
+ <dd><code title=attr-object-typemustmatch><a href=#attr-object-typemustmatch>typemustmatch</a></code></dd>
<dd><code title=attr-object-name><a href=#attr-object-name>name</a></code></dd>
<dd><code title=attr-hyperlink-usemap><a href=#attr-hyperlink-usemap>usemap</a></code></dd>
<dd><code title=attr-fae-form><a href=#attr-fae-form>form</a></code></dd>
@@ -24893,6 +24894,7 @@ href="?audio"&gt;audio&lt;/a&gt; test instead.)&lt;/p&gt;</pre>
<pre class=idl>interface <dfn id=htmlobjectelement>HTMLObjectElement</dfn> : <a href=#htmlelement>HTMLElement</a> {
attribute DOMString <a href=#dom-object-data title=dom-object-data>data</a>;
attribute DOMString <a href=#dom-object-type title=dom-object-type>type</a>;
+ attribute boolean <a href=#dom-object-typemustmatch title=dom-object-typeMustMatch>typeMustMatch</a>;
attribute DOMString <a href=#dom-object-name title=dom-object-name>name</a>;
attribute DOMString <a href=#dom-object-usemap title=dom-object-useMap>useMap</a>;
readonly attribute <a href=#htmlformelement>HTMLFormElement</a>? <a href=#dom-fae-form title=dom-fae-form>form</a>;
@@ -24924,12 +24926,33 @@ href="?audio"&gt;audio&lt;/a&gt; test instead.)&lt;/p&gt;</pre>
present, the attribute must be a <a href=#valid-non-empty-url-potentially-surrounded-by-spaces>valid non-empty
URL potentially surrounded by spaces</a>.</p>
+ <p class=warning>Authors who reference resources from other <a href=#origin title=origin>origins</a> that they do not trust are urged to
+ use the <code title=attr-object-typemustmatch><a href=#attr-object-typemustmatch>typemustmatch</a></code>
+ attribute defined below. Without that attribute, it is possible in
+ certain cases for an attacker on the remote host to use the plugin
+ mechanism to run arbitrary scripts, even if the author has used
+ features such as the Flash "allowScriptAccess" parameter.</p> <!--
+ for example, if the user doesn't have flash installed but does have
+ java installed, and the remote site unexpectedly returns java
+ instead of flash, then java will run, and it will ignore the
+ allowScriptAccess thing -->
+
<p>The <dfn id=attr-object-type title=attr-object-type><code>type</code></dfn>
attribute, if present, specifies the type of the resource. If
present, the attribute must be a <a href=#valid-mime-type>valid MIME type</a>.</p>
<p>At least one of either the <code title=attr-object-data><a href=#attr-object-data>data</a></code> attribute or the <code title=attr-object-type><a href=#attr-object-type>type</a></code> attribute must be present.</p>
+ <p>The <dfn id=attr-object-typemustmatch title=attr-object-typemustmatch><code>typemustmatch</code></dfn>
+ attribute is a <a href=#boolean-attribute>boolean attribute</a> whose precense
+ indicates that the resource specified by the <code title=attr-object-data><a href=#attr-object-data>data</a></code> attribute is only to be used if
+ the value of the <code title=attr-object-type><a href=#attr-object-type>type</a></code>
+ attribute and the <a href=#content-type>Content-Type</a> of the aforementioned
+ resource match.</p>
+
+ <p>The <code title=attr-object-typemustmatch><a href=#attr-object-typemustmatch>typemustmatch</a></code>
+ attribute must not be specified unless both the <code title=attr-object-data><a href=#attr-object-data>data</a></code> attribute and the <code title=attr-object-type><a href=#attr-object-type>type</a></code> attribute are present.</p>
+
<p>The <dfn id=attr-object-name title=attr-object-name><code>name</code></dfn>
attribute, if present, must be a <a href=#valid-browsing-context-name>valid browsing context
name</a>. The given value is used to name the <a href=#nested-browsing-context>nested
@@ -25146,6 +25169,28 @@ href="?audio"&gt;audio&lt;/a&gt; test instead.)&lt;/p&gt;</pre>
<li>
+ <p>If the <code><a href=#the-object-element>object</a></code> element has a <code title=attr-object-type><a href=#attr-object-type>type</a></code> attribute and a <code title=attr-object-typemustmatch><a href=#attr-object-typemustmatch>typemustmatch</a></code>
+ attribute, and the resource has <a href=#content-type title=Content-Type>associated Content-Type metadata</a>,
+ and the type specified in <a href=#content-type title=Content-Type>the
+ resource's Content-Type metadata</a> is an <a href=#ascii-case-insensitive>ASCII
+ case-insensitive</a> match for the value of the element's
+ <code title=attr-object-type><a href=#attr-object-type>type</a></code> attribute, then let
+ <var title="">resource type</var> be that type and jump to the
+ step below labeled <i>handler</i>.</p>
+
+ <!-- do we need to <span>strip leading and trailing whitespace</span> from anything here? collapse sequences of spaces? drop parameters? -->
+
+ </li>
+
+ <li>
+
+ <p>If the <code><a href=#the-object-element>object</a></code> element has a <code title=attr-object-typemustmatch><a href=#attr-object-typemustmatch>typemustmatch</a></code>
+ attribute, jump to the step below labeled <i>handler</i>.</p>
+
+ </li>
+
+ <li>
+
<!-- by request: http://www.w3.org/Bugs/Public/show_bug.cgi?id=8479 -->
<p>If the user agent is configured to strictly obey
@@ -25156,6 +25201,15 @@ href="?audio"&gt;audio&lt;/a&gt; test instead.)&lt;/p&gt;</pre>
metadata</a>, and jump to the step below labeled
<i>handler</i>.</p>
+ <p class=warning>This can introduce a vulnerability, wherein
+ a site is trying to embed a resource that uses a particular
+ plugin, but the remote site overrides that and instead
+ furnishes the user agent with a resource that triggers a
+ different plugin with different security characteristics. <!--
+ e.g. the example given above, where the site is expecting
+ Flash with allowScriptAccess=never, and instead gets back Java
+ with its unrestricted DOM access --></p>
+
</li>
<li>
@@ -25293,9 +25347,10 @@ href="?audio"&gt;audio&lt;/a&gt; test instead.)&lt;/p&gt;</pre>
</li>
- </ol><p class=note>It is possible for this step to finish with <var title="">resource type</var> still being unknown, or for one of
- the substeps above to jump straight to the next step. In both
- cases, the next step will trigger fallback.</p>
+ </ol><p class=note>It is possible for this step to finish, or for
+ one of the substeps above to jump straight to the next step,
+ with <var title="">resource type</var> still being unknown. In
+ both cases, the next step will trigger fallback.</p>
</li>
@@ -25527,6 +25582,10 @@ href="?audio"&gt;audio&lt;/a&gt; test instead.)&lt;/p&gt;</pre>
<a href=#reflect>reflect</a> the respective content attributes of the same
name.</p>
+ <p>The <dfn id=dom-object-typemustmatch title=dom-object-typeMustMatch><code>typeMustMatch</code></dfn> IDL
+ attribute must <a href=#reflect>reflect</a> the <code title=attr-object-typemustmatch><a href=#attr-object-typemustmatch>typemustmatch</a></code> content
+ attribute.</p>
+
<p>The <dfn id=dom-object-contentdocument title=dom-object-contentDocument><code>contentDocument</code></dfn>
IDL attribute must return the <code><a href=#document>Document</a></code> object of the
<a href=#active-document>active document</a> of the <code><a href=#the-object-element>object</a></code> element's
@@ -26898,7 +26957,7 @@ interface <dfn id=htmlaudioelement>HTMLAudioElement</dfn> : <a href=#htmlmediael
var videoSection = document.getElementById('video');
var videoElement = document.createElement('video');
var support = videoElement.canPlayType('video/x-new-fictional-format;codecs="kittens,bunnies"');
- if (support != "probably" &amp;&amp; "New Fictional Video Plug-in" in navigator.plugins) {
+ if (support != "probably" &amp;&amp; "New Fictional Video Plugin" in navigator.plugins) {
// not confident of browser support
// but we have a plugin
// so use plugin instead
@@ -92803,6 +92862,7 @@ interface <a href=#htmldocument>HTMLDocument</a> {
<td><a href=#global-attributes title="global attributes">globals</a>;
<code title=attr-object-data><a href=#attr-object-data>data</a></code>;
<code title=attr-object-type><a href=#attr-object-type>type</a></code>;
+ <code title=attr-object-typemustmatch><a href=#attr-object-typemustmatch>typemustmatch</a></code>;
<code title=attr-object-name><a href=#attr-object-name>name</a></code>;
<code title=attr-hyperlink-usemap><a href=#attr-hyperlink-usemap>usemap</a></code>;
<code title=attr-fae-form><a href=#attr-fae-form>form</a></code>;
@@ -94220,6 +94280,10 @@ interface <a href=#htmldocument>HTMLDocument</a> {
<td> <code title=attr-menu-type><a href=#attr-menu-type>menu</a></code>
<td> Type of menu
<td> "<code title="context menu state"><a href=#context-menu-state>context</a></code>"; "<code title="toolbar state"><a href=#toolbar-state>toolbar</a></code>"
+ <tr><th> <code title="">typemustmatch</code>
+ <td> <code title=attr-object-typemustmatch><a href=#attr-object-typemustmatch>object</a></code>
+ <td> Whether the <code title=attr-object-type><a href=#attr-object-type>type</a></code> attribute and the <a href=#content-type>Content-Type</a> value need to match for the resource to be used
+ <td> <a href=#boolean-attribute>Boolean attribute</a>
<tr><th> <code title="">usemap</code>
<td> <code title=attr-hyperlink-usemap><a href=#attr-hyperlink-usemap>img</a></code>;
<code title=attr-hyperlink-usemap><a href=#attr-hyperlink-usemap>object</a></code>
View
91 source
@@ -26893,12 +26893,12 @@ href="?audio">audio&lt;/a> test instead.)&lt;/p></pre>
<div class="example">
<p>Here's a way to embed a resource that requires a proprietary
- plug-in, like Flash:</p>
+ plugin, like Flash:</p>
<pre>&lt;embed src="catgame.swf"></pre>
- <p>If the user does not have the plug-in (for example if the
- plug-in vendor doesn't support the user's platform), then the user
+ <p>If the user does not have the plugin (for example if the
+ plugin vendor doesn't support the user's platform), then the user
will be unable to use the resource.</p>
<p>To pass the plugin a parameter "quality" with the value "high",
@@ -26935,6 +26935,7 @@ href="?audio">audio&lt;/a> test instead.)&lt;/p></pre>
<dd><span>Global attributes</span></dd>
<dd><code title="attr-object-data">data</code></dd>
<dd><code title="attr-object-type">type</code></dd>
+ <dd><code title="attr-object-typemustmatch">typemustmatch</code></dd>
<dd><code title="attr-object-name">name</code></dd>
<dd><code title="attr-hyperlink-usemap">usemap</code></dd>
<dd><code title="attr-fae-form">form</code></dd>
@@ -26945,6 +26946,7 @@ href="?audio">audio&lt;/a> test instead.)&lt;/p></pre>
<pre class="idl">interface <dfn>HTMLObjectElement</dfn> : <span>HTMLElement</span> {
attribute DOMString <span title="dom-object-data">data</span>;
attribute DOMString <span title="dom-object-type">type</span>;
+ attribute boolean <span title="dom-object-typeMustMatch">typeMustMatch</span>;
attribute DOMString <span title="dom-object-name">name</span>;
attribute DOMString <span title="dom-object-useMap">useMap</span>;
readonly attribute <span>HTMLFormElement</span>? <span title="dom-fae-form">form</span>;
@@ -26978,6 +26980,18 @@ href="?audio">audio&lt;/a> test instead.)&lt;/p></pre>
present, the attribute must be a <span>valid non-empty
URL potentially surrounded by spaces</span>.</p>
+ <p class="warning">Authors who reference resources from other <span
+ title="origin">origins</span> that they do not trust are urged to
+ use the <code title="attr-object-typemustmatch">typemustmatch</code>
+ attribute defined below. Without that attribute, it is possible in
+ certain cases for an attacker on the remote host to use the plugin
+ mechanism to run arbitrary scripts, even if the author has used
+ features such as the Flash "allowScriptAccess" parameter.</p> <!--
+ for example, if the user doesn't have flash installed but does have
+ java installed, and the remote site unexpectedly returns java
+ instead of flash, then java will run, and it will ignore the
+ allowScriptAccess thing -->
+
<p>The <dfn title="attr-object-type"><code>type</code></dfn>
attribute, if present, specifies the type of the resource. If
present, the attribute must be a <span>valid MIME type</span>.</p>
@@ -26986,6 +27000,20 @@ href="?audio">audio&lt;/a> test instead.)&lt;/p></pre>
title="attr-object-data">data</code> attribute or the <code
title="attr-object-type">type</code> attribute must be present.</p>
+ <p>The <dfn
+ title="attr-object-typemustmatch"><code>typemustmatch</code></dfn>
+ attribute is a <span>boolean attribute</span> whose precense
+ indicates that the resource specified by the <code
+ title="attr-object-data">data</code> attribute is only to be used if
+ the value of the <code title="attr-object-type">type</code>
+ attribute and the <span>Content-Type</span> of the aforementioned
+ resource match.</p>
+
+ <p>The <code title="attr-object-typemustmatch">typemustmatch</code>
+ attribute must not be specified unless both the <code
+ title="attr-object-data">data</code> attribute and the <code
+ title="attr-object-type">type</code> attribute are present.</p>
+
<p>The <dfn title="attr-object-name"><code>name</code></dfn>
attribute, if present, must be a <span>valid browsing context
name</span>. The given value is used to name the <span>nested
@@ -27218,6 +27246,32 @@ href="?audio">audio&lt;/a> test instead.)&lt;/p></pre>
<li>
+ <p>If the <code>object</code> element has a <code
+ title="attr-object-type">type</code> attribute and a <code
+ title="attr-object-typemustmatch">typemustmatch</code>
+ attribute, and the resource has <span
+ title="Content-Type">associated Content-Type metadata</span>,
+ and the type specified in <span title="Content-Type">the
+ resource's Content-Type metadata</span> is an <span>ASCII
+ case-insensitive</span> match for the value of the element's
+ <code title="attr-object-type">type</code> attribute, then let
+ <var title="">resource type</var> be that type and jump to the
+ step below labeled <i>handler</i>.</p>
+
+ <!-- do we need to <span>strip leading and trailing whitespace</span> from anything here? collapse sequences of spaces? drop parameters? -->
+
+ </li>
+
+ <li>
+
+ <p>If the <code>object</code> element has a <code
+ title="attr-object-typemustmatch">typemustmatch</code>
+ attribute, jump to the step below labeled <i>handler</i>.</p>
+
+ </li>
+
+ <li>
+
<!-- by request: http://www.w3.org/Bugs/Public/show_bug.cgi?id=8479 -->
<p>If the user agent is configured to strictly obey
@@ -27229,6 +27283,15 @@ href="?audio">audio&lt;/a> test instead.)&lt;/p></pre>
metadata</span>, and jump to the step below labeled
<i>handler</i>.</p>
+ <p class="warning">This can introduce a vulnerability, wherein
+ a site is trying to embed a resource that uses a particular
+ plugin, but the remote site overrides that and instead
+ furnishes the user agent with a resource that triggers a
+ different plugin with different security characteristics. <!--
+ e.g. the example given above, where the site is expecting
+ Flash with allowScriptAccess=never, and instead gets back Java
+ with its unrestricted DOM access --></p>
+
</li>
<li>
@@ -27392,10 +27455,10 @@ href="?audio">audio&lt;/a> test instead.)&lt;/p></pre>
</ol>
- <p class="note">It is possible for this step to finish with <var
- title="">resource type</var> still being unknown, or for one of
- the substeps above to jump straight to the next step. In both
- cases, the next step will trigger fallback.</p>
+ <p class="note">It is possible for this step to finish, or for
+ one of the substeps above to jump straight to the next step,
+ with <var title="">resource type</var> still being unknown. In
+ both cases, the next step will trigger fallback.</p>
</li>
@@ -27654,6 +27717,12 @@ href="?audio">audio&lt;/a> test instead.)&lt;/p></pre>
name.</p>
<p>The <dfn
+ title="dom-object-typeMustMatch"><code>typeMustMatch</code></dfn> IDL
+ attribute must <span>reflect</span> the <code
+ title="attr-object-typemustmatch">typemustmatch</code> content
+ attribute.</p>
+
+ <p>The <dfn
title="dom-object-contentDocument"><code>contentDocument</code></dfn>
IDL attribute must return the <code>Document</code> object of the
<span>active document</span> of the <code>object</code> element's
@@ -29195,7 +29264,7 @@ interface <dfn>HTMLAudioElement</dfn> : <span>HTMLMediaElement</span> {};</pre>
var videoSection = document.getElementById('video');
var videoElement = document.createElement('video');
var support = videoElement.canPlayType('video/x-new-fictional-format;codecs="kittens,bunnies"');
- if (support != "probably" &amp;&amp; "New Fictional Video Plug-in" in navigator.plugins) {
+ if (support != "probably" &amp;&amp; "New Fictional Video Plugin" in navigator.plugins) {
// not confident of browser support
// but we have a plugin
// so use plugin instead
@@ -110513,6 +110582,7 @@ interface <span>HTMLDocument</span> {
<td><span title="global attributes">globals</span>;
<code title="attr-object-data">data</code>;
<code title="attr-object-type">type</code>;
+ <code title="attr-object-typemustmatch">typemustmatch</code>;
<code title="attr-object-name">name</code>;
<code title="attr-hyperlink-usemap">usemap</code>;
<code title="attr-fae-form">form</code>;
@@ -112213,6 +112283,11 @@ interface <span>HTMLDocument</span> {
<td> Type of menu
<td> "<code title="context menu state">context</code>"; "<code title="toolbar state">toolbar</code>"
<tr>
+ <th> <code title="">typemustmatch</code>
+ <td> <code title="attr-object-typemustmatch">object</code>
+ <td> Whether the <code title="attr-object-type">type</code> attribute and the <span>Content-Type</span> value need to match for the resource to be used
+ <td> <span>Boolean attribute</span>
+ <tr>
<th> <code title="">usemap</code>
<td> <code title="attr-hyperlink-usemap">img</code>;
<code title="attr-hyperlink-usemap">object</code>

0 comments on commit 4030e71

Please sign in to comment.