[cgiow] (0) Introduce <object type='' data='' typemustmatch> to help …

…when referencing resources from a remote host.

git-svn-id: http://svn.whatwg.org/webapps@6222 340c8d12-0b0e-0410-8428-c7bf67bfef74

complete.html

@@ -24849,12 +24849,12 @@ <h4 id=the-embed-element><span class=secno>4.8.3 </span>The <dfn><code>embed</co
   <div class=example>
 
    <p>Here's a way to embed a resource that requires a proprietary
-   plug-in, like Flash:</p>
+   plugin, like Flash:</p>
 
    <pre>&lt;embed src="catgame.swf"&gt;</pre>
 
-   <p>If the user does not have the plug-in (for example if the
-   plug-in vendor doesn't support the user's platform), then the user
+   <p>If the user does not have the plugin (for example if the
+   plugin vendor doesn't support the user's platform), then the user
    will be unable to use the resource.</p>
 
    <p>To pass the plugin a parameter "quality" with the value "high",
@@ -24890,6 +24890,7 @@ <h4 id=the-object-element><span class=secno>4.8.4 </span>The <dfn><code>object</
    <dd><a href=#global-attributes>Global attributes</a></dd>
    <dd><code title=attr-object-data><a href=#attr-object-data>data</a></code></dd>
    <dd><code title=attr-object-type><a href=#attr-object-type>type</a></code></dd>
+   <dd><code title=attr-object-typemustmatch><a href=#attr-object-typemustmatch>typemustmatch</a></code></dd>
    <dd><code title=attr-object-name><a href=#attr-object-name>name</a></code></dd>
    <dd><code title=attr-hyperlink-usemap><a href=#attr-hyperlink-usemap>usemap</a></code></dd>
    <dd><code title=attr-fae-form><a href=#attr-fae-form>form</a></code></dd>
@@ -24900,6 +24901,7 @@ <h4 id=the-object-element><span class=secno>4.8.4 </span>The <dfn><code>object</
 <pre class=idl>interface <dfn id=htmlobjectelement>HTMLObjectElement</dfn> : <a href=#htmlelement>HTMLElement</a> {
            attribute DOMString <a href=#dom-object-data title=dom-object-data>data</a>;
            attribute DOMString <a href=#dom-object-type title=dom-object-type>type</a>;
+           attribute boolean <a href=#dom-object-typemustmatch title=dom-object-typeMustMatch>typeMustMatch</a>;
            attribute DOMString <a href=#dom-object-name title=dom-object-name>name</a>;
            attribute DOMString <a href=#dom-object-usemap title=dom-object-useMap>useMap</a>;
   readonly attribute <a href=#htmlformelement>HTMLFormElement</a>? <a href=#dom-fae-form title=dom-fae-form>form</a>;
@@ -24931,12 +24933,33 @@ <h4 id=the-object-element><span class=secno>4.8.4 </span>The <dfn><code>object</
   present, the attribute must be a <a href=#valid-non-empty-url-potentially-surrounded-by-spaces>valid non-empty
   URL potentially surrounded by spaces</a>.</p>
 
+  <p class=warning>Authors who reference resources from other <a href=#origin title=origin>origins</a> that they do not trust are urged to
+  use the <code title=attr-object-typemustmatch><a href=#attr-object-typemustmatch>typemustmatch</a></code>
+  attribute defined below. Without that attribute, it is possible in
+  certain cases for an attacker on the remote host to use the plugin
+  mechanism to run arbitrary scripts, even if the author has used
+  features such as the Flash "allowScriptAccess" parameter.</p> <!--
+  for example, if the user doesn't have flash installed but does have
+  java installed, and the remote site unexpectedly returns java
+  instead of flash, then java will run, and it will ignore the
+  allowScriptAccess thing -->
+
   <p>The <dfn id=attr-object-type title=attr-object-type><code>type</code></dfn>
   attribute, if present, specifies the type of the resource. If
   present, the attribute must be a <a href=#valid-mime-type>valid MIME type</a>.</p>
 
   <p>At least one of either the <code title=attr-object-data><a href=#attr-object-data>data</a></code> attribute or the <code title=attr-object-type><a href=#attr-object-type>type</a></code> attribute must be present.</p>
 
+  <p>The <dfn id=attr-object-typemustmatch title=attr-object-typemustmatch><code>typemustmatch</code></dfn>
+  attribute is a <a href=#boolean-attribute>boolean attribute</a> whose precense
+  indicates that the resource specified by the <code title=attr-object-data><a href=#attr-object-data>data</a></code> attribute is only to be used if
+  the value of the <code title=attr-object-type><a href=#attr-object-type>type</a></code>
+  attribute and the <a href=#content-type>Content-Type</a> of the aforementioned
+  resource match.</p>
+
+  <p>The <code title=attr-object-typemustmatch><a href=#attr-object-typemustmatch>typemustmatch</a></code>
+  attribute must not be specified unless both the <code title=attr-object-data><a href=#attr-object-data>data</a></code> attribute and the <code title=attr-object-type><a href=#attr-object-type>type</a></code> attribute are present.</p>
+
   <p>The <dfn id=attr-object-name title=attr-object-name><code>name</code></dfn>
   attribute, if present, must be a <a href=#valid-browsing-context-name>valid browsing context
   name</a>. The given value is used to name the <a href=#nested-browsing-context>nested
@@ -25151,6 +25174,28 @@ <h4 id=the-object-element><span class=secno>4.8.4 </span>The <dfn><code>object</
 
        </li>
 
+       <li>
+
+        <p>If the <code><a href=#the-object-element>object</a></code> element has a <code title=attr-object-type><a href=#attr-object-type>type</a></code> attribute and a <code title=attr-object-typemustmatch><a href=#attr-object-typemustmatch>typemustmatch</a></code>
+        attribute, and the resource has <a href=#content-type title=Content-Type>associated Content-Type metadata</a>,
+        and the type specified in <a href=#content-type title=Content-Type>the
+        resource's Content-Type metadata</a> is an <a href=#ascii-case-insensitive>ASCII
+        case-insensitive</a> match for the value of the element's
+        <code title=attr-object-type><a href=#attr-object-type>type</a></code> attribute, then let
+        <var title="">resource type</var> be that type and jump to the
+        step below labeled <i>handler</i>.</p>
+
+        <!-- do we need to <span>strip leading and trailing whitespace</span> from anything here? collapse sequences of spaces? drop parameters? -->
+
+       </li>
+
+       <li>
+
+        <p>If the <code><a href=#the-object-element>object</a></code> element has a <code title=attr-object-typemustmatch><a href=#attr-object-typemustmatch>typemustmatch</a></code>
+        attribute, jump to the step below labeled <i>handler</i>.</p>
+
+       </li>
+
        <li>
 
         <!-- by request: http://www.w3.org/Bugs/Public/show_bug.cgi?id=8479 -->
@@ -25163,6 +25208,15 @@ <h4 id=the-object-element><span class=secno>4.8.4 </span>The <dfn><code>object</
         metadata</a>, and jump to the step below labeled
         <i>handler</i>.</p>
 
+        <p class=warning>This can introduce a vulnerability, wherein
+        a site is trying to embed a resource that uses a particular
+        plugin, but the remote site overrides that and instead
+        furnishes the user agent with a resource that triggers a
+        different plugin with different security characteristics. <!--
+        e.g. the example given above, where the site is expecting
+        Flash with allowScriptAccess=never, and instead gets back Java
+        with its unrestricted DOM access --></p>
+
        </li>
 
        <li>
@@ -25300,9 +25354,10 @@ <h4 id=the-object-element><span class=secno>4.8.4 </span>The <dfn><code>object</
 
        </li>
 
-      </ol><p class=note>It is possible for this step to finish with <var title="">resource type</var> still being unknown, or for one of
-      the substeps above to jump straight to the next step. In both
-      cases, the next step will trigger fallback.</p>
+      </ol><p class=note>It is possible for this step to finish, or for
+      one of the substeps above to jump straight to the next step,
+      with <var title="">resource type</var> still being unknown. In
+      both cases, the next step will trigger fallback.</p>
 
      </li>
 
@@ -25534,6 +25589,10 @@ <h4 id=the-object-element><span class=secno>4.8.4 </span>The <dfn><code>object</
   <a href=#reflect>reflect</a> the respective content attributes of the same
   name.</p>
 
+  <p>The <dfn id=dom-object-typemustmatch title=dom-object-typeMustMatch><code>typeMustMatch</code></dfn> IDL
+  attribute must <a href=#reflect>reflect</a> the <code title=attr-object-typemustmatch><a href=#attr-object-typemustmatch>typemustmatch</a></code> content
+  attribute.</p>
+
   <p>The <dfn id=dom-object-contentdocument title=dom-object-contentDocument><code>contentDocument</code></dfn>
   IDL attribute must return the <code><a href=#document>Document</a></code> object of the
   <a href=#active-document>active document</a> of the <code><a href=#the-object-element>object</a></code> element's
@@ -26905,7 +26964,7 @@ <h5 id=mime-types><span class=secno>4.8.10.3 </span>MIME types</h5>
  var videoSection = document.getElementById('video');
  var videoElement = document.createElement('video');
  var support = videoElement.canPlayType('video/x-new-fictional-format;codecs="kittens,bunnies"');
- if (support != "probably" &amp;&amp; "New Fictional Video Plug-in" in navigator.plugins) {
+ if (support != "probably" &amp;&amp; "New Fictional Video Plugin" in navigator.plugins) {
    // not confident of browser support
    // but we have a plugin
    // so use plugin instead
@@ -97086,6 +97145,7 @@ <h3 class=no-num id=elements-1>Elements</h3>
      <td><a href=#global-attributes title="global attributes">globals</a>;
          <code title=attr-object-data><a href=#attr-object-data>data</a></code>;
          <code title=attr-object-type><a href=#attr-object-type>type</a></code>;
+         <code title=attr-object-typemustmatch><a href=#attr-object-typemustmatch>typemustmatch</a></code>;
          <code title=attr-object-name><a href=#attr-object-name>name</a></code>;
          <code title=attr-hyperlink-usemap><a href=#attr-hyperlink-usemap>usemap</a></code>;
          <code title=attr-fae-form><a href=#attr-fae-form>form</a></code>;
@@ -98503,6 +98563,10 @@ <h3 class=no-num id=element-content-categories>Element content categories</h3>
      <td> <code title=attr-menu-type><a href=#attr-menu-type>menu</a></code>
      <td> Type of menu
      <td> "<code title="context menu state"><a href=#context-menu-state>context</a></code>"; "<code title="toolbar state"><a href=#toolbar-state>toolbar</a></code>"
+    <tr><th> <code title="">typemustmatch</code>
+     <td> <code title=attr-object-typemustmatch><a href=#attr-object-typemustmatch>object</a></code>
+     <td> Whether the <code title=attr-object-type><a href=#attr-object-type>type</a></code> attribute and the <a href=#content-type>Content-Type</a> value need to match for the resource to be used
+     <td> <a href=#boolean-attribute>Boolean attribute</a>
     <tr><th> <code title="">usemap</code>
      <td> <code title=attr-hyperlink-usemap><a href=#attr-hyperlink-usemap>img</a></code>;
           <code title=attr-hyperlink-usemap><a href=#attr-hyperlink-usemap>object</a></code>