[cgiow] (0) Introduce <object type='' data='' typemustmatch> to help …

…when referencing resources from a remote host.

git-svn-id: 340c8d12-0b0e-0410-8428-c7bf67bfef74
1 parent 3814376 commit 4030e7130384a45147421f757e80ecd26f5b0a1e @Hixie Hixie committed Jun 14, 2011
Showing with 225 additions and 22 deletions.
  1. +71 −7 complete.html
  2. +71 −7 index
  3. +83 −8 source
@@ -24849,12 +24849,12 @@ <h4 id=the-embed-element><span class=secno>4.8.3 </span>The <dfn><code>embed</co
<div class=example>
<p>Here's a way to embed a resource that requires a proprietary
- plug-in, like Flash:</p>
+ plugin, like Flash:</p>
<pre>&lt;embed src="catgame.swf"&gt;</pre>
- <p>If the user does not have the plug-in (for example if the
- plug-in vendor doesn't support the user's platform), then the user
+ <p>If the user does not have the plugin (for example if the
+ plugin vendor doesn't support the user's platform), then the user
will be unable to use the resource.</p>
<p>To pass the plugin a parameter "quality" with the value "high",
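Review bot: The "plug-in" to "plugin" spelling change in this embed example is unrelated to the typemustmatch feature named in the commit message. Consider landing the spelling normalisation as its own commit so the security-relevant change can be audited and reverted independently.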
@@ -24890,6 +24890,7 @@ <h4 id=the-object-element><span class=secno>4.8.4 </span>The <dfn><code>object</
<dd><a href=#global-attributes>Global attributes</a></dd>
<dd><code title=attr-object-data><a href=#attr-object-data>data</a></code></dd>
<dd><code title=attr-object-type><a href=#attr-object-type>type</a></code></dd>
+ <dd><code title=attr-object-typemustmatch><a href=#attr-object-typemustmatch>typemustmatch</a></code></dd>
<dd><code title=attr-object-name><a href=#attr-object-name>name</a></code></dd>
<dd><code title=attr-hyperlink-usemap><a href=#attr-hyperlink-usemap>usemap</a></code></dd>
<dd><code title=attr-fae-form><a href=#attr-fae-form>form</a></code></dd>
@@ -24900,6 +24901,7 @@ <h4 id=the-object-element><span class=secno>4.8.4 </span>The <dfn><code>object</
<pre class=idl>interface <dfn id=htmlobjectelement>HTMLObjectElement</dfn> : <a href=#htmlelement>HTMLElement</a> {
attribute DOMString <a href=#dom-object-data title=dom-object-data>data</a>;
attribute DOMString <a href=#dom-object-type title=dom-object-type>type</a>;
+ attribute boolean <a href=#dom-object-typemustmatch title=dom-object-typeMustMatch>typeMustMatch</a>;
attribute DOMString <a href=#dom-object-name title=dom-object-name>name</a>;
attribute DOMString <a href=#dom-object-usemap title=dom-object-useMap>useMap</a>;
readonly attribute <a href=#htmlformelement>HTMLFormElement</a>? <a href=#dom-fae-form title=dom-fae-form>form</a>;
@@ -24931,12 +24933,33 @@ <h4 id=the-object-element><span class=secno>4.8.4 </span>The <dfn><code>object</
present, the attribute must be a <a href=#valid-non-empty-url-potentially-surrounded-by-spaces>valid non-empty
URL potentially surrounded by spaces</a>.</p>
+ <p class=warning>Authors who reference resources from other <a href=#origin title=origin>origins</a> that they do not trust are urged to
+ use the <code title=attr-object-typemustmatch><a href=#attr-object-typemustmatch>typemustmatch</a></code>
+ attribute defined below. Without that attribute, it is possible in
+ certain cases for an attacker on the remote host to use the plugin
+ mechanism to run arbitrary scripts, even if the author has used
+ features such as the Flash "allowScriptAccess" parameter.</p> <!--
+ for example, if the user doesn't have flash installed but does have
+ java installed, and the remote site unexpectedly returns java
+ instead of flash, then java will run, and it will ignore the
+ allowScriptAccess thing -->
<p>The <dfn id=attr-object-type title=attr-object-type><code>type</code></dfn>
attribute, if present, specifies the type of the resource. If
present, the attribute must be a <a href=#valid-mime-type>valid MIME type</a>.</p>
<p>At least one of either the <code title=attr-object-data><a href=#attr-object-data>data</a></code> attribute or the <code title=attr-object-type><a href=#attr-object-type>type</a></code> attribute must be present.</p>
+ <p>The <dfn id=attr-object-typemustmatch title=attr-object-typemustmatch><code>typemustmatch</code></dfn>
+ attribute is a <a href=#boolean-attribute>boolean attribute</a> whose precense
+ indicates that the resource specified by the <code title=attr-object-data><a href=#attr-object-data>data</a></code> attribute is only to be used if
+ the value of the <code title=attr-object-type><a href=#attr-object-type>type</a></code>
+ attribute and the <a href=#content-type>Content-Type</a> of the aforementioned
+ resource match.</p>
+ <p>The <code title=attr-object-typemustmatch><a href=#attr-object-typemustmatch>typemustmatch</a></code>
+ attribute must not be specified unless both the <code title=attr-object-data><a href=#attr-object-data>data</a></code> attribute and the <code title=attr-object-type><a href=#attr-object-type>type</a></code> attribute are present.</p>
<p>The <dfn id=attr-object-name title=attr-object-name><code>name</code></dfn>
attribute, if present, must be a <a href=#valid-browsing-context-name>valid browsing context
name</a>. The given value is used to name the <a href=#nested-browsing-context>nested
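Review bot: "precense" in the new typemustmatch definition should be "presence". The definition also says the type attribute and the resource's Content-Type must "match" without saying how. The processing-model step added later in this commit uses an ASCII case-insensitive comparison, so link to or restate that here so authors know what counts as a match. Finally, the concrete scenario that motivates the warning (Flash not installed, Java returned instead and ignoring allowScriptAccess) exists only inside an HTML comment, so readers of the rendered spec never see it. Consider moving a short version into the warning paragraph itself.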
@@ -25153,6 +25176,28 @@ <h4 id=the-object-element><span class=secno>4.8.4 </span>The <dfn><code>object</
+ <p>If the <code><a href=#the-object-element>object</a></code> element has a <code title=attr-object-type><a href=#attr-object-type>type</a></code> attribute and a <code title=attr-object-typemustmatch><a href=#attr-object-typemustmatch>typemustmatch</a></code>
+ attribute, and the resource has <a href=#content-type title=Content-Type>associated Content-Type metadata</a>,
+ and the type specified in <a href=#content-type title=Content-Type>the
+ resource's Content-Type metadata</a> is an <a href=#ascii-case-insensitive>ASCII
+ case-insensitive</a> match for the value of the element's
+ <code title=attr-object-type><a href=#attr-object-type>type</a></code> attribute, then let
+ <var title="">resource type</var> be that type and jump to the
+ step below labeled <i>handler</i>.</p>
+ <!-- do we need to <span>strip leading and trailing whitespace</span> from anything here? collapse sequences of spaces? drop parameters? -->
+ </li>
+ <li>
+ <p>If the <code><a href=#the-object-element>object</a></code> element has a <code title=attr-object-typemustmatch><a href=#attr-object-typemustmatch>typemustmatch</a></code>
+ attribute, jump to the step below labeled <i>handler</i>.</p>
+ </li>
+ <li>
<!-- by request: -->
<p>If the user agent is configured to strictly obey
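Review bot: The comment after the first new step leaves open whether to strip leading and trailing whitespace, collapse spaces or drop parameters before comparing, and that comparison is the security check this attribute exists to provide, so it should be specified in the step rather than left as an open question. As written, it is ambiguous whether a Content-Type that carries parameters is an ASCII case-insensitive match for the type attribute's value. It would also help to say in the second new step that the jump to handler happens with resource type still unknown (on mismatch or when there is no Content-Type metadata), so the outcome is fallback. The reworded note further down implies this, but the step itself does not.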
@@ -25163,6 +25208,15 @@ <h4 id=the-object-element><span class=secno>4.8.4 </span>The <dfn><code>object</
metadata</a>, and jump to the step below labeled
+ <p class=warning>This can introduce a vulnerability, wherein
+ a site is trying to embed a resource that uses a particular
+ plugin, but the remote site overrides that and instead
+ furnishes the user agent with a resource that triggers a
+ different plugin with different security characteristics. <!--
+ e.g. the example given above, where the site is expecting
+ Flash with allowScriptAccess=never, and instead gets back Java
+ with its unrestricted DOM access --></p>
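Review bot: The new warning describes the risk but offers no remedy at the point where it is read. Add a cross-reference to the typemustmatch attribute, which the warning added next to the data attribute already recommends for this case. The illustrative case (Flash with allowScriptAccess=never expected, Java returned) is again only in an HTML comment and will not appear in the rendered text.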
@@ -25300,9 +25354,10 @@ <h4 id=the-object-element><span class=secno>4.8.4 </span>The <dfn><code>object</
- </ol><p class=note>It is possible for this step to finish with <var title="">resource type</var> still being unknown, or for one of
- the substeps above to jump straight to the next step. In both
- cases, the next step will trigger fallback.</p>
+ </ol><p class=note>It is possible for this step to finish, or for
+ one of the substeps above to jump straight to the next step,
+ with <var title="">resource type</var> still being unknown. In
+ both cases, the next step will trigger fallback.</p>
@@ -25534,6 +25589,10 @@ <h4 id=the-object-element><span class=secno>4.8.4 </span>The <dfn><code>object</
<a href=#reflect>reflect</a> the respective content attributes of the same
+ <p>The <dfn id=dom-object-typemustmatch title=dom-object-typeMustMatch><code>typeMustMatch</code></dfn> IDL
+ attribute must <a href=#reflect>reflect</a> the <code title=attr-object-typemustmatch><a href=#attr-object-typemustmatch>typemustmatch</a></code> content
+ attribute.</p>
<p>The <dfn id=dom-object-contentdocument title=dom-object-contentDocument><code>contentDocument</code></dfn>
IDL attribute must return the <code><a href=#document>Document</a></code> object of the
<a href=#active-document>active document</a> of the <code><a href=#the-object-element>object</a></code> element's
@@ -26905,7 +26964,7 @@ <h5 id=mime-types><span class=secno> </span>MIME types</h5>
var videoSection = document.getElementById('video');
var videoElement = document.createElement('video');
var support = videoElement.canPlayType('video/x-new-fictional-format;codecs="kittens,bunnies"');
- if (support != "probably" &amp;&amp; "New Fictional Video Plug-in" in navigator.plugins) {
+ if (support != "probably" &amp;&amp; "New Fictional Video Plugin" in navigator.plugins) {
// not confident of browser support
// but we have a plugin
// so use plugin instead
@@ -97086,6 +97145,7 @@ <h3 class=no-num id=elements-1>Elements</h3>
<td><a href=#global-attributes title="global attributes">globals</a>;
<code title=attr-object-data><a href=#attr-object-data>data</a></code>;
<code title=attr-object-type><a href=#attr-object-type>type</a></code>;
+ <code title=attr-object-typemustmatch><a href=#attr-object-typemustmatch>typemustmatch</a></code>;
<code title=attr-object-name><a href=#attr-object-name>name</a></code>;
<code title=attr-hyperlink-usemap><a href=#attr-hyperlink-usemap>usemap</a></code>;
<code title=attr-fae-form><a href=#attr-fae-form>form</a></code>;
@@ -98503,6 +98563,10 @@ <h3 class=no-num id=element-content-categories>Element content categories</h3>
<td> <code title=attr-menu-type><a href=#attr-menu-type>menu</a></code>
<td> Type of menu
<td> "<code title="context menu state"><a href=#context-menu-state>context</a></code>"; "<code title="toolbar state"><a href=#toolbar-state>toolbar</a></code>"
+ <tr><th> <code title="">typemustmatch</code>
+ <td> <code title=attr-object-typemustmatch><a href=#attr-object-typemustmatch>object</a></code>
+ <td> Whether the <code title=attr-object-type><a href=#attr-object-type>type</a></code> attribute and the <a href=#content-type>Content-Type</a> value need to match for the resource to be used
+ <td> <a href=#boolean-attribute>Boolean attribute</a>
<tr><th> <code title="">usemap</code>
<td> <code title=attr-hyperlink-usemap><a href=#attr-hyperlink-usemap>img</a></code>;
<code title=attr-hyperlink-usemap><a href=#attr-hyperlink-usemap>object</a></code>