Skip to content

Commit

Permalink
[cgiow] (0) Introduce <object type='' data='' typemustmatch> to help …
Browse files Browse the repository at this point in the history
…when referencing resources from a remote host.

git-svn-id: http://svn.whatwg.org/webapps@6222 340c8d12-0b0e-0410-8428-c7bf67bfef74
  • Loading branch information
Hixie committed Jun 14, 2011
1 parent 3814376 commit 4030e71
Show file tree
Hide file tree
Showing 3 changed files with 225 additions and 22 deletions.
78 changes: 71 additions & 7 deletions complete.html
Expand Up @@ -24849,12 +24849,12 @@ <h4 id=the-embed-element><span class=secno>4.8.3 </span>The <dfn><code>embed</co
<div class=example>

<p>Here's a way to embed a resource that requires a proprietary
plug-in, like Flash:</p>
plugin, like Flash:</p>

<pre>&lt;embed src="catgame.swf"&gt;</pre>

<p>If the user does not have the plug-in (for example if the
plug-in vendor doesn't support the user's platform), then the user
<p>If the user does not have the plugin (for example if the
plugin vendor doesn't support the user's platform), then the user
will be unable to use the resource.</p>

<p>To pass the plugin a parameter "quality" with the value "high",
Expand Down Expand Up @@ -24890,6 +24890,7 @@ <h4 id=the-object-element><span class=secno>4.8.4 </span>The <dfn><code>object</
<dd><a href=#global-attributes>Global attributes</a></dd>
<dd><code title=attr-object-data><a href=#attr-object-data>data</a></code></dd>
<dd><code title=attr-object-type><a href=#attr-object-type>type</a></code></dd>
<dd><code title=attr-object-typemustmatch><a href=#attr-object-typemustmatch>typemustmatch</a></code></dd>
<dd><code title=attr-object-name><a href=#attr-object-name>name</a></code></dd>
<dd><code title=attr-hyperlink-usemap><a href=#attr-hyperlink-usemap>usemap</a></code></dd>
<dd><code title=attr-fae-form><a href=#attr-fae-form>form</a></code></dd>
Expand All @@ -24900,6 +24901,7 @@ <h4 id=the-object-element><span class=secno>4.8.4 </span>The <dfn><code>object</
<pre class=idl>interface <dfn id=htmlobjectelement>HTMLObjectElement</dfn> : <a href=#htmlelement>HTMLElement</a> {
attribute DOMString <a href=#dom-object-data title=dom-object-data>data</a>;
attribute DOMString <a href=#dom-object-type title=dom-object-type>type</a>;
attribute boolean <a href=#dom-object-typemustmatch title=dom-object-typeMustMatch>typeMustMatch</a>;
attribute DOMString <a href=#dom-object-name title=dom-object-name>name</a>;
attribute DOMString <a href=#dom-object-usemap title=dom-object-useMap>useMap</a>;
readonly attribute <a href=#htmlformelement>HTMLFormElement</a>? <a href=#dom-fae-form title=dom-fae-form>form</a>;
Expand Down Expand Up @@ -24931,12 +24933,33 @@ <h4 id=the-object-element><span class=secno>4.8.4 </span>The <dfn><code>object</
present, the attribute must be a <a href=#valid-non-empty-url-potentially-surrounded-by-spaces>valid non-empty
URL potentially surrounded by spaces</a>.</p>

<p class=warning>Authors who reference resources from other <a href=#origin title=origin>origins</a> that they do not trust are urged to
use the <code title=attr-object-typemustmatch><a href=#attr-object-typemustmatch>typemustmatch</a></code>
attribute defined below. Without that attribute, it is possible in
certain cases for an attacker on the remote host to use the plugin
mechanism to run arbitrary scripts, even if the author has used
features such as the Flash "allowScriptAccess" parameter.</p> <!--
for example, if the user doesn't have flash installed but does have
java installed, and the remote site unexpectedly returns java
instead of flash, then java will run, and it will ignore the
allowScriptAccess thing -->

<p>The <dfn id=attr-object-type title=attr-object-type><code>type</code></dfn>
attribute, if present, specifies the type of the resource. If
present, the attribute must be a <a href=#valid-mime-type>valid MIME type</a>.</p>

<p>At least one of either the <code title=attr-object-data><a href=#attr-object-data>data</a></code> attribute or the <code title=attr-object-type><a href=#attr-object-type>type</a></code> attribute must be present.</p>

<p>The <dfn id=attr-object-typemustmatch title=attr-object-typemustmatch><code>typemustmatch</code></dfn>
attribute is a <a href=#boolean-attribute>boolean attribute</a> whose precense
indicates that the resource specified by the <code title=attr-object-data><a href=#attr-object-data>data</a></code> attribute is only to be used if
the value of the <code title=attr-object-type><a href=#attr-object-type>type</a></code>
attribute and the <a href=#content-type>Content-Type</a> of the aforementioned
resource match.</p>

<p>The <code title=attr-object-typemustmatch><a href=#attr-object-typemustmatch>typemustmatch</a></code>
attribute must not be specified unless both the <code title=attr-object-data><a href=#attr-object-data>data</a></code> attribute and the <code title=attr-object-type><a href=#attr-object-type>type</a></code> attribute are present.</p>

<p>The <dfn id=attr-object-name title=attr-object-name><code>name</code></dfn>
attribute, if present, must be a <a href=#valid-browsing-context-name>valid browsing context
name</a>. The given value is used to name the <a href=#nested-browsing-context>nested
Expand Down Expand Up @@ -25151,6 +25174,28 @@ <h4 id=the-object-element><span class=secno>4.8.4 </span>The <dfn><code>object</

</li>

<li>

<p>If the <code><a href=#the-object-element>object</a></code> element has a <code title=attr-object-type><a href=#attr-object-type>type</a></code> attribute and a <code title=attr-object-typemustmatch><a href=#attr-object-typemustmatch>typemustmatch</a></code>
attribute, and the resource has <a href=#content-type title=Content-Type>associated Content-Type metadata</a>,
and the type specified in <a href=#content-type title=Content-Type>the
resource's Content-Type metadata</a> is an <a href=#ascii-case-insensitive>ASCII
case-insensitive</a> match for the value of the element's
<code title=attr-object-type><a href=#attr-object-type>type</a></code> attribute, then let
<var title="">resource type</var> be that type and jump to the
step below labeled <i>handler</i>.</p>

<!-- do we need to <span>strip leading and trailing whitespace</span> from anything here? collapse sequences of spaces? drop parameters? -->

</li>

<li>

<p>If the <code><a href=#the-object-element>object</a></code> element has a <code title=attr-object-typemustmatch><a href=#attr-object-typemustmatch>typemustmatch</a></code>
attribute, jump to the step below labeled <i>handler</i>.</p>

</li>

<li>

<!-- by request: http://www.w3.org/Bugs/Public/show_bug.cgi?id=8479 -->
Expand All @@ -25163,6 +25208,15 @@ <h4 id=the-object-element><span class=secno>4.8.4 </span>The <dfn><code>object</
metadata</a>, and jump to the step below labeled
<i>handler</i>.</p>

<p class=warning>This can introduce a vulnerability, wherein
a site is trying to embed a resource that uses a particular
plugin, but the remote site overrides that and instead
furnishes the user agent with a resource that triggers a
different plugin with different security characteristics. <!--
e.g. the example given above, where the site is expecting
Flash with allowScriptAccess=never, and instead gets back Java
with its unrestricted DOM access --></p>

</li>

<li>
Expand Down Expand Up @@ -25300,9 +25354,10 @@ <h4 id=the-object-element><span class=secno>4.8.4 </span>The <dfn><code>object</

</li>

</ol><p class=note>It is possible for this step to finish with <var title="">resource type</var> still being unknown, or for one of
the substeps above to jump straight to the next step. In both
cases, the next step will trigger fallback.</p>
</ol><p class=note>It is possible for this step to finish, or for
one of the substeps above to jump straight to the next step,
with <var title="">resource type</var> still being unknown. In
both cases, the next step will trigger fallback.</p>

</li>

Expand Down Expand Up @@ -25534,6 +25589,10 @@ <h4 id=the-object-element><span class=secno>4.8.4 </span>The <dfn><code>object</
<a href=#reflect>reflect</a> the respective content attributes of the same
name.</p>

<p>The <dfn id=dom-object-typemustmatch title=dom-object-typeMustMatch><code>typeMustMatch</code></dfn> IDL
attribute must <a href=#reflect>reflect</a> the <code title=attr-object-typemustmatch><a href=#attr-object-typemustmatch>typemustmatch</a></code> content
attribute.</p>

<p>The <dfn id=dom-object-contentdocument title=dom-object-contentDocument><code>contentDocument</code></dfn>
IDL attribute must return the <code><a href=#document>Document</a></code> object of the
<a href=#active-document>active document</a> of the <code><a href=#the-object-element>object</a></code> element's
Expand Down Expand Up @@ -26905,7 +26964,7 @@ <h5 id=mime-types><span class=secno>4.8.10.3 </span>MIME types</h5>
var videoSection = document.getElementById('video');
var videoElement = document.createElement('video');
var support = videoElement.canPlayType('video/x-new-fictional-format;codecs="kittens,bunnies"');
if (support != "probably" &amp;&amp; "New Fictional Video Plug-in" in navigator.plugins) {
if (support != "probably" &amp;&amp; "New Fictional Video Plugin" in navigator.plugins) {
// not confident of browser support
// but we have a plugin
// so use plugin instead
Expand Down Expand Up @@ -97086,6 +97145,7 @@ <h3 class=no-num id=elements-1>Elements</h3>
<td><a href=#global-attributes title="global attributes">globals</a>;
<code title=attr-object-data><a href=#attr-object-data>data</a></code>;
<code title=attr-object-type><a href=#attr-object-type>type</a></code>;
<code title=attr-object-typemustmatch><a href=#attr-object-typemustmatch>typemustmatch</a></code>;
<code title=attr-object-name><a href=#attr-object-name>name</a></code>;
<code title=attr-hyperlink-usemap><a href=#attr-hyperlink-usemap>usemap</a></code>;
<code title=attr-fae-form><a href=#attr-fae-form>form</a></code>;
Expand Down Expand Up @@ -98503,6 +98563,10 @@ <h3 class=no-num id=element-content-categories>Element content categories</h3>
<td> <code title=attr-menu-type><a href=#attr-menu-type>menu</a></code>
<td> Type of menu
<td> "<code title="context menu state"><a href=#context-menu-state>context</a></code>"; "<code title="toolbar state"><a href=#toolbar-state>toolbar</a></code>"
<tr><th> <code title="">typemustmatch</code>
<td> <code title=attr-object-typemustmatch><a href=#attr-object-typemustmatch>object</a></code>
<td> Whether the <code title=attr-object-type><a href=#attr-object-type>type</a></code> attribute and the <a href=#content-type>Content-Type</a> value need to match for the resource to be used
<td> <a href=#boolean-attribute>Boolean attribute</a>
<tr><th> <code title="">usemap</code>
<td> <code title=attr-hyperlink-usemap><a href=#attr-hyperlink-usemap>img</a></code>;
<code title=attr-hyperlink-usemap><a href=#attr-hyperlink-usemap>object</a></code>
Expand Down

0 comments on commit 4030e71

Please sign in to comment.