[acgiow] (0) Provide a safe way to host hostile content for use with …

…an <iframe sandbox> on the same site.

git-svn-id: http://svn.whatwg.org/webapps@4581 340c8d12-0b0e-0410-8428-c7bf67bfef74

complete.html

@@ -1193,12 +1193,13 @@ <h2 class="no-num no-toc" id=contents>Table of contents</h2>
  <li><a href=#iana><span class=secno>15 </span>IANA considerations</a>
   <ol>
    <li><a href=#text/html><span class=secno>15.1 </span><code>text/html</code></a></li>
-   <li><a href=#application/xhtml+xml><span class=secno>15.2 </span><code>application/xhtml+xml</code></a></li>
-   <li><a href=#text/cache-manifest><span class=secno>15.3 </span><code>text/cache-manifest</code></a></li>
-   <li><a href=#text/ping><span class=secno>15.4 </span><code>text/ping</code></a></li>
-   <li><a href=#application/microdata+json><span class=secno>15.5 </span><code>application/microdata+json</code></a></li>
-   <li><a href=#ping-from><span class=secno>15.6 </span><code>Ping-From</code></a></li>
-   <li><a href=#ping-to><span class=secno>15.7 </span><code>Ping-To</code></a></ol></li>
+   <li><a href=#text/sandboxed-html><span class=secno>15.2 </span><code>text/sandboxed-html</code></a></li>
+   <li><a href=#application/xhtml+xml><span class=secno>15.3 </span><code>application/xhtml+xml</code></a></li>
+   <li><a href=#text/cache-manifest><span class=secno>15.4 </span><code>text/cache-manifest</code></a></li>
+   <li><a href=#text/ping><span class=secno>15.5 </span><code>text/ping</code></a></li>
+   <li><a href=#application/microdata+json><span class=secno>15.6 </span><code>application/microdata+json</code></a></li>
+   <li><a href=#ping-from><span class=secno>15.7 </span><code>Ping-From</code></a></li>
+   <li><a href=#ping-to><span class=secno>15.8 </span><code>Ping-To</code></a></ol></li>
  <li><a class=no-num href=#index>Index</a>
   <ol>
    <li><a class=no-num href=#elements-1>Elements</a></li>
@@ -1465,10 +1466,10 @@ <h3 id=html-vs-xhtml><span class=secno>1.7 </span>HTML vs XHTML</h3>
 
   <p>The first such concrete syntax is the HTML syntax. This is the
   format suggested for most authors. It is compatible with most legacy
-  Web browsers. If a document is transmitted with the <a href=#mime-type>MIME
-  type</a> <code><a href=#text/html>text/html</a></code>, then it will be processed as an
-  HTML document by Web browsers. This specification defines version 5
-  of the HTML syntax, known as "HTML5".</p>
+  Web browsers. If a document is transmitted with an <a href=#html-mime-type>HTML MIME
+  type</a>, such as <code><a href=#text/html>text/html</a></code>, then it will be
+  processed as an HTML document by Web browsers. This specification
+  defines version 5 of the HTML syntax, known as "HTML5".</p>
 
   <p>The second concrete syntax is the XHTML syntax, which is an
   application of XML. When a document is transmitted with an <a href=#xml-mime-type>XML
@@ -1924,6 +1925,9 @@ <h4 id=resources><span class=secno>2.1.1 </span>Resources</h4>
   SEMICOLON characters (;). In other words, if it consists only of a
   type and subtype, with no MIME Type parameters. <a href=#refsHTTP>[HTTP]</a></p>
 
+  <p>The term <dfn id=html-mime-type>HTML MIME type</dfn> is used to refer to the <a href=#mime-type title="MIME type">MIME types</a> <code><a href=#text/html>text/html</a></code> and
+  <code><a href=#text/sandboxed-html>text/sandboxed-html</a></code>.</p>
+
 
   <h4 id=xml><span class=secno>2.1.2 </span>XML</h4>
 
@@ -2151,8 +2155,9 @@ <h3 id=conformance-requirements><span class=secno>2.2 </span>Conformance require
     element that forms part of the transform.</p>
 
     <p>Web browsers that support <a href=#syntax>the HTML syntax</a> must
-    process documents labeled as <code><a href=#text/html>text/html</a></code> as described
-    in this specification, so that users can interact with them.</p>
+    process documents labeled with an <a href=#html-mime-type>HTML MIME type</a> as
+    described in this specification, so that users can interact with
+    them.</p>
 
     <p>User agents that support scripting must also be conforming
     implementations of the IDL fragments in this specification, as
@@ -6625,11 +6630,11 @@ <h3 id=namespaces><span class=secno>2.8 </span>Namespaces</h3>
   <p>The <dfn id=xmlns-namespace>XMLNS namespace</dfn> is: <code>http://www.w3.org/2000/xmlns/</code></p>
 
   <hr><p>Data mining tools and other user agents that perform operations
-  on <code><a href=#text/html>text/html</a></code> content without running scripts,
-  evaluating CSS or XPath expressions, or otherwise exposing the
-  resulting DOM to arbitrary content, may "support namespaces" by just
-  asserting that their DOM node analogues are in certain namespaces,
-  without actually exposing the above strings.</p>
+  on content without running scripts, evaluating CSS or XPath
+  expressions, or otherwise exposing the resulting DOM to arbitrary
+  content, may "support namespaces" by just asserting that their DOM
+  node analogues are in certain namespaces, without actually exposing
+  the above strings.</p>
 
 
   <h2 id=dom><span class=secno>3 </span>Semantics, structure, and APIs of HTML documents</h2>
@@ -19790,11 +19795,6 @@ <h4 id=the-iframe-element><span class=secno>4.8.3 </span>The <dfn><code>iframe</
     <p>This flag <a href=#sandboxScriptBlocked>blocks script
     execution</a>.</p>
 
-    <p class=warning>This flag only takes effect when the
-    <a href=#nested-browsing-context>nested browsing context</a> of the <code><a href=#the-iframe-element>iframe</a></code> is
-    <a href=#navigate title=navigate>navigated</a>. Removing it has no effect
-    on an already-loaded page.</p>
-
    </dd>
 
   </dl><p>These flags must not be set unless the conditions listed above
@@ -19843,6 +19843,22 @@ <h4 id=the-iframe-element><span class=secno>4.8.3 </span>The <dfn><code>iframe</
 
   </div>
 
+  <p class=note>Potentially hostile files can be served from the
+  same server as the file containing the <code><a href=#the-iframe-element>iframe</a></code> element
+  by labeling them as <code><a href=#text/sandboxed-html>text/sandboxed-html</a></code> instead of
+  <code><a href=#text/html>text/html</a></code>. This ensures that scripts in the files are
+  unable to attack the site (as if they were actually served from
+  another server), even if the user is tricked into visiting those
+  pages directly, without the protection of the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute.</p>
+
+  <p class=warning>If the <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code>
+  keyword is set along with <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code>
+  keyword, and the file is from the <a href=#same-origin>same origin</a> as the
+  <code><a href=#the-iframe-element>iframe</a></code>'s <code>Document</code>, then a script in the
+  "sandboxed" iframe could just reach out, remove the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute, and then
+  reload itself, effectively breaking out of the sandbox
+  altogether.</p>
+
 
   <hr><!-- v2: Might be interesting to have a value on seamless that
   allowed event propagation of some sort, maybe based on the WICD
@@ -50674,6 +50690,9 @@ <h3 id=origin-0><span class=secno>6.4 </span>Origin</h3>
      browsing context flag</a> was set when the
      <code>Document</code> was created</dt>
 
+     <dt>If a <code>Document</code> was generated from a resource
+     labeled as <code><a href=#text/sandboxed-html>text/sandboxed-html</a></code></dt>
+
      <dd>The <a href=#origin>origin</a> is a globally unique identifier
      assigned when the <code>Document</code> is created.</dd>
 
@@ -56356,7 +56375,8 @@ <h4 id=navigating-across-documents><span class=secno>6.11.1 </span>Navigating ac
    of the following types, jump to the appropriate entry in the
    following list, and process the resource as described there:</p>
 
-    <dl class=switch><dt>"<code><a href=#text/html>text/html</a></code>"</dt>
+    <dl class=switch><!-- an <span>HTML MIME type</span> --><dt>"<code><a href=#text/html>text/html</a></code>"</dt>
+     <dt>"<code><a href=#text/sandboxed-html>text/sandboxed-html</a></code>"</dt>
      <dd>Follow the steps given in the <a href=#read-html title=navigate-html>HTML document</a> section, and abort
      these steps.</dd>
 
@@ -56790,9 +56810,10 @@ <h4 id=scroll-to-fragid><span class=secno>6.11.8 </span><dfn title=navigate-frag
   fragment identifiers for <a href=#xml-mime-type title="XML MIME type">XML MIME
   types</a> is the responsibility of RFC3023).</p>
 
-  <p>For HTML documents (and the <code><a href=#text/html>text/html</a></code> <a href=#mime-type>MIME type</a>),
-  the following processing model must be followed to determine what
-  <a href=#the-indicated-part-of-the-document>the indicated part of the document</a> is.</p>
+  <p>For HTML documents (and <a href=#html-mime-type title="HTML MIME type">HTML MIME
+  types</a>), the following processing model must be followed to
+  determine what <a href=#the-indicated-part-of-the-document>the indicated part of the document</a>
+  is.</p>
 
   <ol><li><p><a href=#parse-a-url title="parse a url">Parse</a> the <a href=#url>URL</a>,
    and let <var title="">fragid</var> be the <a href=#url-fragment title=url-fragment>&lt;fragment&gt;</a> component of the
@@ -68711,9 +68732,9 @@ <h5 id=ports-and-garbage-collection><span class=secno>10.5.3.1 </span>Ports and
 
   <h2 id=syntax><span class=secno>11 </span><dfn>The HTML syntax</dfn></h2>
 
-  <p class=note>This section only describes the rules for
-  <code><a href=#text/html>text/html</a></code> resources. Rules for XML resources are
-  discussed in the section below entitled "<a href=#the-xhtml-syntax>The XHTML
+  <p class=note>This section only describes the rules for resources
+  labeled with an <a href=#html-mime-type>HTML MIME type</a>. Rules for XML resources
+  are discussed in the section below entitled "<a href=#the-xhtml-syntax>The XHTML
   syntax</a>".</p>
 
 
@@ -83643,7 +83664,80 @@ <h3 id=text/html><span class=secno>15.1 </span><dfn><code>text/html</code></dfn>
   refer to <a href=#the-indicated-part-of-the-document>the indicated part of the document</a>.</p>
 
 
-  <h3 id=application/xhtml+xml><span class=secno>15.2 </span><dfn><code>application/xhtml+xml</code></dfn></h3>
+  <h3 id=text/sandboxed-html><span class=secno>15.2 </span><dfn><code>text/sandboxed-html</code></dfn></h3>
+
+  <p>This registration is for community review and will be submitted
+  to the IESG for review, approval, and registration with IANA.</p>
+
+  <!--
+   To: ietf-types@iana.org
+   Subject: Registration of media type text/sandboxed-html
+  -->
+
+  <dl><dt>Type name:</dt>
+   <dd>text</dd>
+   <dt>Subtype name:</dt>
+   <dd>sandboxed-html</dd>
+   <dt>Required parameters:</dt>
+   <dd>No required parameters</dd>
+   <dt>Optional parameters:</dt>
+   <dd>Same as for <code><a href=#text/html>text/html</a></code></dd>
+   <dt>Encoding considerations:</dt>
+   <dd>Same as for <code><a href=#text/html>text/html</a></code></dd>
+   <dt>Security considerations:</dt>
+   <dd>
+    <p>The purpose of the <code><a href=#text/sandboxed-html>text/sandboxed-html</a></code> MIME type
+    is to provide a way for content providers to indicate that they
+    want the file to be interpreted in a manner that does not give the
+    file's contents access to the rest of the site. This is achieved
+    by assigning the <code>Document</code> objects generated from
+    resources labeled as <code><a href=#text/sandboxed-html>text/sandboxed-html</a></code> unique
+    origins.</p>
+    <p>To avoid having legacy user agents treating resources labeled
+    as <code><a href=#text/sandboxed-html>text/sandboxed-html</a></code> as regular
+    <code><a href=#text/html>text/html</a></code> files, authors should avoid using the <code title="">.html</code> or <code title="">.htm</code> extensions for
+    resources labeled as <code><a href=#text/sandboxed-html>text/sandboxed-html</a></code>.</p>
+    <p>Beyond this, the type is identical to <code><a href=#text/html>text/html</a></code>,
+    and the same considerations apply.</p>
+   </dd>
+   <dt>Interoperability considerations:</dt>
+   <dd>Same as for <code><a href=#text/html>text/html</a></code></dd>
+   <dt>Published specification:</dt>
+   <dd>
+    This document is the relevant specification. Labeling a resource
+    with the <code><a href=#text/sandboxed-html>text/sandboxed-html</a></code> type asserts that the
+    resource is an <a href=#html-documents title="HTML documents">HTML document</a>
+    using <a href=#syntax>the HTML syntax</a>.
+   </dd>
+   <dt>Applications that use this media type:</dt>
+   <dd>Same as for <code><a href=#text/html>text/html</a></code></dd>
+   <dt>Additional information:</dt>
+   <dd>
+    <dl><dt>Magic number(s):</dt>
+     <dd>Documents labeled as <code><a href=#text/sandboxed-html>text/sandboxed-html</a></code> are
+     heuristically indistinguishable from those labeled as
+     <code><a href=#text/html>text/html</a></code>.</dd>
+     <dt>File extension(s):</dt>
+     <dd>"<code title="">sandboxed</code>"</dd>
+     <dt>Macintosh file type code(s):</dt>
+     <dd><code title="">TEXT</code></dd>
+    </dl></dd>
+   <dt>Person &amp; email address to contact for further information:</dt>
+   <dd>Ian Hickson &lt;ian@hixie.ch&gt;</dd>
+   <dt>Intended usage:</dt>
+   <dd>Common</dd>
+   <dt>Restrictions on usage:</dt>
+   <dd>No restrictions apply.</dd>
+   <dt>Author:</dt>
+   <dd>Ian Hickson &lt;ian@hixie.ch&gt;</dd>
+   <dt>Change controller:</dt>
+   <dd>W3C and WHATWG</dd>
+  </dl><p>Fragment identifiers used with <code><a href=#text/sandboxed-html>text/sandboxed-html</a></code>
+  resources refer to <a href=#the-indicated-part-of-the-document>the indicated part of the
+  document</a>.</p>
+
+
+  <h3 id=application/xhtml+xml><span class=secno>15.3 </span><dfn><code>application/xhtml+xml</code></dfn></h3>
 
   <p>This registration is for community review and will be submitted
   to the IESG for review, approval, and registration with IANA.</p>
@@ -83708,7 +83802,7 @@ <h3 id=application/xhtml+xml><span class=secno>15.2 </span><dfn><code>applicatio
   type</a>. <a href=#refsRFC3023>[RFC3023]</a></p>
 
 
-  <h3 id=text/cache-manifest><span class=secno>15.3 </span><dfn><code>text/cache-manifest</code></dfn></h3>
+  <h3 id=text/cache-manifest><span class=secno>15.4 </span><dfn><code>text/cache-manifest</code></dfn></h3>
 
   <p>This registration is for community review and will be submitted
   to the IESG for review, approval, and registration with IANA.</p>
@@ -83778,7 +83872,7 @@ <h3 id=text/cache-manifest><span class=secno>15.3 </span><dfn><code>text/cache-m
   <code><a href=#text/cache-manifest>text/cache-manifest</a></code> resources.</p>
 
 
-  <h3 id=text/ping><span class=secno>15.4 </span><dfn><code>text/ping</code></dfn></h3>
+  <h3 id=text/ping><span class=secno>15.5 </span><dfn><code>text/ping</code></dfn></h3>
 
   <p>This registration is for community review and will be submitted
   to the IESG for review, approval, and registration with IANA.</p>
@@ -83842,7 +83936,7 @@ <h3 id=text/ping><span class=secno>15.4 </span><dfn><code>text/ping</code></dfn>
 
 
 
-  <h3 id=application/microdata+json><span class=secno>15.5 </span><dfn><code>application/microdata+json</code></dfn></h3>
+  <h3 id=application/microdata+json><span class=secno>15.6 </span><dfn><code>application/microdata+json</code></dfn></h3>
 
 
   <p>This registration is for community review and will be submitted
@@ -83910,7 +84004,7 @@ <h3 id=application/microdata+json><span class=secno>15.5 </span><dfn><code>appli
 
 
 
-  <h3 id=ping-from><span class=secno>15.6 </span><dfn title=http-ping-from><code>Ping-From</code></dfn></h3>
+  <h3 id=ping-from><span class=secno>15.7 </span><dfn title=http-ping-from><code>Ping-From</code></dfn></h3>
 
   <p>This section describes a header field for registration in the
   Permanent Message Header Field Registry.  <a href=#refsRFC3864>[RFC3864]</a></p>
@@ -83929,7 +84023,7 @@ <h3 id=ping-from><span class=secno>15.6 </span><dfn title=http-ping-from><code>P
    </dd>
    <dt>Related information</dt>
    <dd>None.</dd>   
-  </dl><h3 id=ping-to><span class=secno>15.7 </span><dfn title=http-ping-to><code>Ping-To</code></dfn></h3>
+  </dl><h3 id=ping-to><span class=secno>15.8 </span><dfn title=http-ping-to><code>Ping-To</code></dfn></h3>
 
   <p>This section describes a header field for registration in the
   Permanent Message Header Field Registry.  <a href=#refsRFC3864>[RFC3864]</a></p>