
[cgiow] (0) Introduce <object type='' data='' typemustmatch> to help …

…when referencing resources from a remote host.

git-svn-id: 340c8d12-0b0e-0410-8428-c7bf67bfef74
Hixie committed Jun 14, 2011
1 parent 3814376 commit 4030e7130384a45147421f757e80ecd26f5b0a1e
Showing with 225 additions and 22 deletions.
  1. +71 −7 complete.html
  2. +71 −7 index
  3. +83 −8 source
<div class=example>

<p>Here's a way to embed a resource that requires a proprietary
plug-in, like Flash:</p>
plugin, like Flash:</p>

<pre>&lt;embed src="catgame.swf"&gt;</pre>

<p>If the user does not have the plug-in (for example if the
plug-in vendor doesn't support the user's platform), then the user
<p>If the user does not have the plugin (for example if the
plugin vendor doesn't support the user's platform), then the user
will be unable to use the resource.</p>

<p>To pass the plugin a parameter "quality" with the value "high",
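Review bot: none of the edited examples exercises the attribute this commit introduces; the only change here is the "plug-in" to "plugin" rename, and the surrounding example keeps `<embed src="catgame.swf">` with no `type` at all. Since the commit message frames the feature around referencing resources from a remote host, consider adding a sibling example that shows the intended usage, for instance `<object data="catgame.swf" type="application/x-shockwave-flash" typemustmatch>` (type value illustrative), with a sentence on why the author's `type`, rather than the server's response, should decide which plugin runs.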
<dd><a href=#global-attributes>Global attributes</a></dd>
<dd><code title=attr-object-data><a href=#attr-object-data>data</a></code></dd>
<dd><code title=attr-object-type><a href=#attr-object-type>type</a></code></dd>
<dd><code title=attr-object-typemustmatch><a href=#attr-object-typemustmatch>typemustmatch</a></code></dd>
<dd><code title=attr-object-name><a href=#attr-object-name>name</a></code></dd>
<dd><code title=attr-hyperlink-usemap><a href=#attr-hyperlink-usemap>usemap</a></code></dd>
<dd><code title=attr-fae-form><a href=#attr-fae-form>form</a></code></dd>
<pre class=idl>interface <dfn id=htmlobjectelement>HTMLObjectElement</dfn> : <a href=#htmlelement>HTMLElement</a> {
attribute DOMString <a href=#dom-object-data title=dom-object-data>data</a>;
attribute DOMString <a href=#dom-object-type title=dom-object-type>type</a>;
attribute boolean <a href=#dom-object-typemustmatch title=dom-object-typeMustMatch>typeMustMatch</a>;
attribute DOMString <a href=#dom-object-name title=dom-object-name>name</a>;
attribute DOMString <a href=#dom-object-usemap title=dom-object-useMap>useMap</a>;
readonly attribute <a href=#htmlformelement>HTMLFormElement</a>? <a href=#dom-fae-form title=dom-fae-form>form</a>;
present, the attribute must be a <a href=#valid-non-empty-url-potentially-surrounded-by-spaces>valid non-empty
URL potentially surrounded by spaces</a>.</p>

<p class=warning>Authors who reference resources from other <a href=#origin title=origin>origins</a> that they do not trust are urged to
use the <code title=attr-object-typemustmatch><a href=#attr-object-typemustmatch>typemustmatch</a></code>
attribute defined below. Without that attribute, it is possible in
certain cases for an attacker on the remote host to use the plugin
mechanism to run arbitrary scripts, even if the author has used
features such as the Flash "allowScriptAccess" parameter.</p> <!--
for example, if the user doesn't have flash installed but does have
java installed, and the remote site unexpectedly returns java
instead of flash, then java will run, and it will ignore the
allowScriptAccess thing -->

<p>The <dfn id=attr-object-type title=attr-object-type><code>type</code></dfn>
attribute, if present, specifies the type of the resource. If
present, the attribute must be a <a href=#valid-mime-type>valid MIME type</a>.</p>

<p>At least one of either the <code title=attr-object-data><a href=#attr-object-data>data</a></code> attribute or the <code title=attr-object-type><a href=#attr-object-type>type</a></code> attribute must be present.</p>

<p>The <dfn id=attr-object-typemustmatch title=attr-object-typemustmatch><code>typemustmatch</code></dfn>
attribute is a <a href=#boolean-attribute>boolean attribute</a> whose precense
indicates that the resource specified by the <code title=attr-object-data><a href=#attr-object-data>data</a></code> attribute is only to be used if
the value of the <code title=attr-object-type><a href=#attr-object-type>type</a></code>
attribute and the <a href=#content-type>Content-Type</a> of the aforementioned
resource match.</p>

<p>The <code title=attr-object-typemustmatch><a href=#attr-object-typemustmatch>typemustmatch</a></code>
attribute must not be specified unless both the <code title=attr-object-data><a href=#attr-object-data>data</a></code> attribute and the <code title=attr-object-type><a href=#attr-object-type>type</a></code> attribute are present.</p>

<p>The <dfn id=attr-object-name title=attr-object-name><code>name</code></dfn>
attribute, if present, must be a <a href=#valid-browsing-context-name>valid browsing context
name</a>. The given value is used to name the <a href=#nested-browsing-context>nested
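Review bot: typo in the definition of `typemustmatch`: "precense" should be "presence". It would also help to state the threat model in the definition itself: an attacker who controls the remote host controls the Content-Type header too, so the reader may assume the check relies on an honest server. The processing model later on the page makes a mismatch (or a missing Content-Type) trigger fallback rather than letting the response choose the handler, so the most such an attacker can achieve is fallback; one sentence saying so here would make the guarantee explicit.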



<p>If the <code><a href=#the-object-element>object</a></code> element has a <code title=attr-object-type><a href=#attr-object-type>type</a></code> attribute and a <code title=attr-object-typemustmatch><a href=#attr-object-typemustmatch>typemustmatch</a></code>
attribute, and the resource has <a href=#content-type title=Content-Type>associated Content-Type metadata</a>,
and the type specified in <a href=#content-type title=Content-Type>the
resource's Content-Type metadata</a> is an <a href=#ascii-case-insensitive>ASCII
case-insensitive</a> match for the value of the element's
<code title=attr-object-type><a href=#attr-object-type>type</a></code> attribute, then let
<var title="">resource type</var> be that type and jump to the
step below labeled <i>handler</i>.</p>

<!-- do we need to <span>strip leading and trailing whitespace</span> from anything here? collapse sequences of spaces? drop parameters? -->



<p>If the <code><a href=#the-object-element>object</a></code> element has a <code title=attr-object-typemustmatch><a href=#attr-object-typemustmatch>typemustmatch</a></code>
attribute, jump to the step below labeled <i>handler</i>.</p>
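Review bot: the match step compares "the type specified in the resource's Content-Type metadata" against the `type` attribute as an ASCII case-insensitive match, and the open question in the comment (strip whitespace? drop parameters?) is left unresolved. If the full header value is compared, any parameter on the Content-Type (for example a `charset=`) would fail to match a bare `type="application/x-shockwave-flash"` and force fallback, which is safe but surprising; specify whether parameters and surrounding whitespace are removed before the comparison before this ships. The fail-closed path is right: with `typemustmatch` set and no matching (or no) Content-Type metadata, the second step jumps to handler with resource type still unknown, so the following step falls back instead of sniffing; consider saying that explicitly in the note at the end of the step.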



<!-- by request: -->
metadata</a>, and jump to the step below labeled

<p class=warning>This can introduce a vulnerability, wherein
a site is trying to embed a resource that uses a particular
plugin, but the remote site overrides that and instead
furnishes the user agent with a resource that triggers a
different plugin with different security characteristics. <!--
e.g. the example given above, where the site is expecting
Flash with allowScriptAccess=never, and instead gets back Java
with its unrestricted DOM access --></p>
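Review bot: this warning names the vulnerability but not the mitigation this commit adds; a reader who lands on this step does not learn that the substitution attack is only possible when `typemustmatch` is absent. The earlier warning under the `data` attribute already points at the attribute, so add the same cross-reference here (e.g. "Authors can prevent this by specifying the typemustmatch attribute."), and consider dropping the "by request:" working comment from the published source.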




</ol><p class=note>It is possible for this step to finish with <var title="">resource type</var> still being unknown, or for one of
the substeps above to jump straight to the next step. In both
cases, the next step will trigger fallback.</p>
</ol><p class=note>It is possible for this step to finish, or for
one of the substeps above to jump straight to the next step,
with <var title="">resource type</var> still being unknown. In
both cases, the next step will trigger fallback.</p>


<a href=#reflect>reflect</a> the respective content attributes of the same

<p>The <dfn id=dom-object-typemustmatch title=dom-object-typeMustMatch><code>typeMustMatch</code></dfn> IDL
attribute must <a href=#reflect>reflect</a> the <code title=attr-object-typemustmatch><a href=#attr-object-typemustmatch>typemustmatch</a></code> content

<p>The <dfn id=dom-object-contentdocument title=dom-object-contentDocument><code>contentDocument</code></dfn>
IDL attribute must return the <code><a href=#document>Document</a></code> object of the
<a href=#active-document>active document</a> of the <code><a href=#the-object-element>object</a></code> element's
var videoSection = document.getElementById('video');
var videoElement = document.createElement('video');
var support = videoElement.canPlayType('video/x-new-fictional-format;codecs="kittens,bunnies"');
if (support != "probably" &amp;&amp; "New Fictional Video Plug-in" in navigator.plugins) {
if (support != "probably" &amp;&amp; "New Fictional Video Plugin" in navigator.plugins) {
// not confident of browser support
// but we have a plugin
// so use plugin instead
<td><a href=#global-attributes title="global attributes">globals</a>;
<code title=attr-object-data><a href=#attr-object-data>data</a></code>;
<code title=attr-object-type><a href=#attr-object-type>type</a></code>;
<code title=attr-object-typemustmatch><a href=#attr-object-typemustmatch>typemustmatch</a></code>;
<code title=attr-object-name><a href=#attr-object-name>name</a></code>;
<code title=attr-hyperlink-usemap><a href=#attr-hyperlink-usemap>usemap</a></code>;
<code title=attr-fae-form><a href=#attr-fae-form>form</a></code>;
<td> <code title=attr-menu-type><a href=#attr-menu-type>menu</a></code>
<td> Type of menu
<td> "<code title="context menu state"><a href=#context-menu-state>context</a></code>"; "<code title="toolbar state"><a href=#toolbar-state>toolbar</a></code>"
<tr><th> <code title="">typemustmatch</code>
<td> <code title=attr-object-typemustmatch><a href=#attr-object-typemustmatch>object</a></code>
<td> Whether the <code title=attr-object-type><a href=#attr-object-type>type</a></code> attribute and the <a href=#content-type>Content-Type</a> value need to match for the resource to be used
<td> <a href=#boolean-attribute>Boolean attribute</a>
<tr><th> <code title="">usemap</code>
<td> <code title=attr-hyperlink-usemap><a href=#attr-hyperlink-usemap>img</a></code>;
<code title=attr-hyperlink-usemap><a href=#attr-hyperlink-usemap>object</a></code>
