[giow] (0) Drop text/html-sandboxed

Fixing http://www.w3.org/Bugs/Public/show_bug.cgi?id=12390

git-svn-id: http://svn.whatwg.org/webapps@6657 340c8d12-0b0e-0410-8428-c7bf67bfef74
1 parent 2978abc commit cef842d0ebb31f73695247daf0cf01ae71e99e3d @Hixie Hixie committed Oct 11, 2011
Showing with 154 additions and 524 deletions.
  1. +59 −176 complete.html
  2. +59 −176 index
  3. +36 −172 source
235 complete.html
@@ -1341,18 +1341,17 @@ <h2 class="no-num no-toc">Living Standard &mdash; Last Updated 10 October 2011</
<li><a href=#iana><span class=secno>17 </span>IANA considerations</a>
<ol>
<li><a href=#text/html><span class=secno>17.1 </span><code>text/html</code></a></li>
- <li><a href=#text/html-sandboxed><span class=secno>17.2 </span><code>text/html-sandboxed</code></a></li>
- <li><a href=#multipart/x-mixed-replace><span class=secno>17.3 </span><code>multipart/x-mixed-replace</code></a></li>
- <li><a href=#application/xhtml+xml><span class=secno>17.4 </span><code>application/xhtml+xml</code></a></li>
- <li><a href=#application/x-www-form-urlencoded><span class=secno>17.5 </span><code>application/x-www-form-urlencoded</code></a></li>
- <li><a href=#text/cache-manifest><span class=secno>17.6 </span><code>text/cache-manifest</code></a></li>
- <li><a href=#text/ping><span class=secno>17.7 </span><code>text/ping</code></a></li>
- <li><a href=#text/vtt><span class=secno>17.8 </span><code>text/vtt</code></a></li>
- <li><a href=#application/microdata+json><span class=secno>17.9 </span><code>application/microdata+json</code></a></li>
- <li><a href=#application/html-peer-connection-data><span class=secno>17.10 </span><code>application/html-peer-connection-data</code></a></li>
- <li><a href=#ping-from><span class=secno>17.11 </span><code>Ping-From</code></a></li>
- <li><a href=#ping-to><span class=secno>17.12 </span><code>Ping-To</code></a></li>
- <li><a href=#web+-scheme-prefix><span class=secno>17.13 </span><code>web+</code> scheme prefix</a></ol></li>
+ <li><a href=#multipart/x-mixed-replace><span class=secno>17.2 </span><code>multipart/x-mixed-replace</code></a></li>
+ <li><a href=#application/xhtml+xml><span class=secno>17.3 </span><code>application/xhtml+xml</code></a></li>
+ <li><a href=#application/x-www-form-urlencoded><span class=secno>17.4 </span><code>application/x-www-form-urlencoded</code></a></li>
+ <li><a href=#text/cache-manifest><span class=secno>17.5 </span><code>text/cache-manifest</code></a></li>
+ <li><a href=#text/ping><span class=secno>17.6 </span><code>text/ping</code></a></li>
+ <li><a href=#text/vtt><span class=secno>17.7 </span><code>text/vtt</code></a></li>
+ <li><a href=#application/microdata+json><span class=secno>17.8 </span><code>application/microdata+json</code></a></li>
+ <li><a href=#application/html-peer-connection-data><span class=secno>17.9 </span><code>application/html-peer-connection-data</code></a></li>
+ <li><a href=#ping-from><span class=secno>17.10 </span><code>Ping-From</code></a></li>
+ <li><a href=#ping-to><span class=secno>17.11 </span><code>Ping-To</code></a></li>
+ <li><a href=#web+-scheme-prefix><span class=secno>17.12 </span><code>web+</code> scheme prefix</a></ol></li>
<li><a class=no-num href=#index>Index</a>
<ol>
<li><a class=no-num href=#elements-1>Elements</a></li>
@@ -3136,8 +3135,8 @@ <h4 id=resources><span class=secno>2.1.1 </span>Resources</h4>
SEMICOLON characters (;). In other words, if it consists only of a
type and subtype, with no MIME Type parameters. <a href=#refsHTTP>[HTTP]</a></p>
- <p>The term <dfn id=html-mime-type>HTML MIME type</dfn> is used to refer to the <a href=#mime-type title="MIME type">MIME types</a> <code><a href=#text/html>text/html</a></code> and
- <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code>.</p>
+ <p>The term <dfn id=html-mime-type>HTML MIME type</dfn> is used to refer to the
+ <a href=#mime-type>MIME type</a> <code><a href=#text/html>text/html</a></code>.</p>
<p>A resource's <dfn id=critical-subresources>critical subresources</dfn> are those that the
resource needs to have available to be correctly processed. Which
@@ -9413,8 +9412,7 @@ <h4 id=resource-metadata-management><span class=secno>3.1.3 </span><dfn>Resource
cookies.</p>
<p>If the contents are <a href=#sandboxed-origin-browsing-context-flag title="sandboxed origin browsing
context flag">sandboxed into a unique origin</a> (in an
- <code><a href=#the-iframe-element>iframe</a></code> with the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute) or the
- resource was labeled as <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code>, a
+ <code><a href=#the-iframe-element>iframe</a></code> with the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute), a
<code><a href=#securityerror>SecurityError</a></code> exception will be thrown on getting and
setting.</p>
</dd>
@@ -24102,7 +24100,7 @@ <h4 id=the-iframe-element><span class=secno>4.8.2 </span>The <dfn><code>iframe</
an attacker can convince the user to just visit the hostile content
directly, rather than in the <code><a href=#the-iframe-element>iframe</a></code>. To limit the
damage that can be caused by hostile HTML content, it should be
- served using the <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code> MIME type.</p>
+ served from a separate dedicated domain.</p>
<div class=impl>
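Review bot: "a separate dedicated domain" in the added line is left undefined, while the isolation this paragraph depends on is expressed elsewhere in the document in terms of origin. Suggest tying the two together, for example "served from a separate dedicated domain, so that it has a different origin from the site's own pages", so a reader does not take a host that still shares cookies or scripts with the main site to be sufficient.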
@@ -24289,27 +24287,19 @@ <h4 id=the-iframe-element><span class=secno>4.8.2 </span>The <dfn><code>iframe</
<p>In this example, some completely-unknown, potentially hostile,
user-provided HTML content is embedded in a page. Because it is
- sandboxed, it is treated by the user agent as being from a unique
- origin, despite the content being served from the same site. Thus
- it is affected by all the normal cross-site restrictions. In
- addition, the embedded page has scripting disabled, plugins
- disabled, forms disabled, and it cannot navigate any frames or
- windows other than itself (or any frames or windows it itself
- embeds).</p>
+ served from a separate domain, it is affected by all the normal
+ cross-site restrictions. In addition, the embedded page has
+ scripting disabled, plugins disabled, forms disabled, and it cannot
+ navigate any frames or windows other than itself (or any frames or
+ windows it itself embeds).</p>
<pre>&lt;p&gt;We're not scared of you! Here is your content, unedited:&lt;/p&gt;
-&lt;iframe sandbox src="getusercontent.cgi?id=12193"&gt;&lt;/iframe&gt;</pre>
+&lt;iframe sandbox src="http://usercontent.example.net/getusercontent.cgi?id=12193"&gt;&lt;/iframe&gt;</pre>
- <p>Note that cookies are still sent to the server in the <code title="">getusercontent.cgi</code> request, though they are not
- visible in the <code title=dom-document-cookie><a href=#dom-document-cookie>document.cookie</a></code> IDL
- attribute.</p>
-
- <p class=warning>It is important that the server serve the
- user-provided HTML using the <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code> MIME
- type so that if the attacker convinces the user to visit that page
- directly, the page doesn't run in the context of the site's origin,
- which would make the user vulnerable to any attack found in the
- page.</p>
+ <p class=warning>It is important to use a separate domain so that
+ if the attacker convinces the user to visit that page directly, the
+ page doesn't run in the context of the site's origin, which would
+ make the user vulnerable to any attack found in the page.</p>
</div>
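Review bot: in the rewritten paragraph, the sentence beginning "In addition, the embedded page has scripting disabled" no longer says where those restrictions come from. The removed text opened with "Because it is sandboxed"; the new text attributes everything to the separate domain, but the script, plugin, form and navigation restrictions come from the sandbox attribute on the iframe in the example. Suggest "In addition, because the iframe is sandboxed, the embedded page has scripting disabled, ...". The removed note about cookies on the getusercontent.cgi request is also dropped without a replacement; a sentence saying what the request to usercontent.example.net does and does not carry would keep that point documented.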
@@ -24367,13 +24357,11 @@ <h4 id=the-iframe-element><span class=secno>4.8.2 </span>The <dfn><code>iframe</
</div>
- <p class=note>Potentially hostile files can be served from the
- same server as the file containing the <code><a href=#the-iframe-element>iframe</a></code> element
- by labeling them as <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code> instead of
- <code><a href=#text/html>text/html</a></code>. This ensures that scripts in the files are
- unable to attack the site (as if they were actually served from
- another server), even if the user is tricked into visiting those
- pages directly, without the protection of the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute.</p>
+ <p class=note>Potentially hostile files should not be served from
+ the same server as the file containing the <code><a href=#the-iframe-element>iframe</a></code>
+ element. Using a different domain ensures that scripts in the files
+ are unable to attack the site, even if the user is tricked into
+ visiting those pages directly, without the protection of the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute.</p>
<p class=warning>If the <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code>
keyword is set along with <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code>
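Review bot: the added note says hostile files "should not be served from the same server" and then justifies this with "Using a different domain", which are not the same requirement: one server can answer for several domains, and one domain can be spread across several servers. Suggest using "domain" in both sentences so the note matches the "separate dedicated domain" wording introduced earlier in this section.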
@@ -24663,7 +24651,6 @@ <h4 id=the-embed-element><span class=secno>4.8.3 </span>The <dfn><code>embed</co
<li>The element's <code><a href=#document>Document</a></code> is <a href=#fully-active>fully active</a>.</li>
<li>The element has either a <code title=attr-embed-src><a href=#attr-embed-src>src</a></code> attribute set or a <code title=attr-embed-type><a href=#attr-embed-type>type</a></code> attribute set (or both).</li>
<li>The element's <code title=attr-embed-src><a href=#attr-embed-src>src</a></code> attribute is either absent or its value is the empty string.</li>
- <li>The element's <code><a href=#document>Document</a></code> was not parsed from a resource whose <a href=#content-type-sniffing-0 title="Content-Type sniffing">sniffed type</a> as determined during <a href=#navigate title=navigate>navigation</a> is <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code> (unless this has been overridden as described above).</li>
<li>The element is not a descendant of a <a href=#media-element>media element</a>.</li>
<li>The element is not a descendant of an <code><a href=#the-object-element>object</a></code> element that is not showing its <a href=#fallback-content>fallback content</a>.</li>
</ul><p>Whenever an <code><a href=#the-embed-element>embed</a></code> element that was not <a href=#concept-embed-active title=concept-embed-active>potentially active</a> becomes <a href=#concept-embed-active title=concept-embed-active>potentially active</a>, and whenever
@@ -24719,26 +24706,18 @@ <h4 id=the-embed-element><span class=secno>4.8.3 </span>The <dfn><code>embed</co
be unloaded.</p>
<p id=sandboxPluginEmbed>When a <a href=#plugin>plugin</a> is to be
- instantiated but it cannot be <a href=#concept-plugin-secure title=concept-plugin-secure>secured</a> and either:
-
- <ul><li>the <a href=#sandboxed-plugins-browsing-context-flag>sandboxed plugins browsing context flag</a> was
- set on the <a href=#browsing-context>browsing context</a> for which the
- <code><a href=#the-embed-element>embed</a></code> element's <code><a href=#document>Document</a></code> is the
- <a href=#active-document>active document</a> when that <code><a href=#document>Document</a></code> was
- created, or</li>
-
- <li>the <code><a href=#the-embed-element>embed</a></code> element's <code><a href=#document>Document</a></code> was
- parsed from a resource whose <a href=#content-type-sniffing-0 title="Content-Type
- sniffing">sniffed type</a> as determined during <a href=#navigate title=navigate>navigation</a> is
- <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code></li>
-
- </ul><p>...then the user agent must not instantiate the
- <a href=#plugin>plugin</a>, and must instead render the <code><a href=#the-embed-element>embed</a></code>
- element in a manner that conveys that the <a href=#plugin>plugin</a> was
- disabled. The user agent may offer the user the option to override
- the sandbox and instantiate the <a href=#plugin>plugin</a> anyway; if the
- user invokes such an option, the user agent must act as if the
- conditions above did not apply for the purposes of this element.</p>
+ instantiated but it cannot be <a href=#concept-plugin-secure title=concept-plugin-secure>secured</a> and the <a href=#sandboxed-plugins-browsing-context-flag>sandboxed
+ plugins browsing context flag</a> was set on the <a href=#browsing-context>browsing
+ context</a> for which the <code><a href=#the-embed-element>embed</a></code> element's
+ <code><a href=#document>Document</a></code> is the <a href=#active-document>active document</a> when that
+ <code><a href=#document>Document</a></code> was created, then the user agent must not
+ instantiate the <a href=#plugin>plugin</a>, and must instead render the
+ <code><a href=#the-embed-element>embed</a></code> element in a manner that conveys that the
+ <a href=#plugin>plugin</a> was disabled. The user agent may offer the user
+ the option to override the sandbox and instantiate the
+ <a href=#plugin>plugin</a> anyway; if the user invokes such an option, the
+ user agent must act as if the conditions above did not apply for the
+ purposes of this element.</p>
<p class=warning>Plugins that cannot be <a href=#concept-plugin-secure title=concept-plugin-secure>secured</a> are disabled in
sandboxed browsing contexts because they might not honor the
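Review bot: the merged sentence still ends with "must act as if the conditions above did not apply", but with the list removed there are no conditions above it; they are now stated earlier in the same sentence. Suggest rewording to something like "must act as if the conditions in this paragraph did not apply for the purposes of this element".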
@@ -25525,19 +25504,12 @@ <h4 id=the-object-element><span class=secno>4.8.4 </span>The <dfn><code>object</
context</a>.</p>
<p id=sandboxPluginObject>Plugins are considered sandboxed for the
- purpose of an <code><a href=#the-object-element>object</a></code> element if either:</p>
-
- <ul><li>the <a href=#sandboxed-plugins-browsing-context-flag>sandboxed plugins browsing context flag</a> was
- set on the <code><a href=#the-object-element>object</a></code> element's <code><a href=#document>Document</a></code>'s
- <a href=#browsing-context>browsing context</a> when the <code><a href=#document>Document</a></code> was
- created, or</li>
+ purpose of an <code><a href=#the-object-element>object</a></code> element if the <a href=#sandboxed-plugins-browsing-context-flag>sandboxed
+ plugins browsing context flag</a> was set on the
+ <code><a href=#the-object-element>object</a></code> element's <code><a href=#document>Document</a></code>'s <a href=#browsing-context>browsing
+ context</a> when the <code><a href=#document>Document</a></code> was created.</p>
- <li>the <code><a href=#the-object-element>object</a></code> element's <code><a href=#document>Document</a></code> was
- parsed from a resource whose <a href=#content-type-sniffing-0 title="Content-Type
- sniffing">sniffed type</a> as determined during <a href=#navigate title=navigate>navigation</a> is
- <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code></li>
-
- </ul><p class=note>The above algorithm is independent of CSS properties
+ <p class=note>The above algorithm is independent of CSS properties
(including 'display', 'overflow', and 'visibility'). For example, it
runs even if the element is hidden with a 'display:none' CSS style,
and does not run <em>again</em> if the element's visibility
@@ -63290,9 +63262,6 @@ <h3 id=origin-0><span class=secno>6.3 </span>Origin</h3>
browsing context flag</a> was set when the
<code><a href=#document>Document</a></code> was created</dt>
- <dt>If a <code><a href=#document>Document</a></code> was generated from a resource
- labeled as <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code></dt>
-
<dd>The <a href=#origin>origin</a> is a globally unique identifier
assigned when the <code><a href=#document>Document</a></code> is created.</dd>
@@ -64891,7 +64860,6 @@ <h4 id=navigating-across-documents><span class=secno>6.5.1 </span>Navigating acr
following list, and process the resource as described there:</p>
<dl class=switch><!-- an <span>HTML MIME type</span> --><dt>"<code><a href=#text/html>text/html</a></code>"</dt>
- <dt>"<code><a href=#text/html-sandboxed>text/html-sandboxed</a></code>"</dt>
<dd>Follow the steps given in the <a href=#read-html title=navigate-html>HTML document</a> section, and abort
these steps.</dd>
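Review bot: with "text/html-sandboxed" removed from this switch entry, nothing in the hunk says how a resource still labeled with that type is to be processed. The registration removed further down states that the label existed to keep such content away from the rest of the site, so already-deployed resources depend on it. Suggest stating explicitly that such a resource is not handled as an HTML document in the serving site's origin, or pointing to the step that now covers it.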
@@ -70859,7 +70827,6 @@ <h5 id=custom-handlers><span class=secno>7.5.1.2 </span>Custom scheme and conten
<ul class=brief><li><code><a href=#text/cache-manifest>text/cache-manifest</a></code></li>
<li><code>text/css</code></li>
- <li><code><a href=#text/html-sandboxed>text/html-sandboxed</a></code></li>
<li><code><a href=#text/html>text/html</a></code></li>
<li><code><a href=#text/ping>text/ping</a></code></li>
<li><code>text/plain</code></li>
@@ -96280,10 +96247,7 @@ <h4 id=the-applet-element><span class=secno>16.3.1 </span>The <dfn><code>applet<
<a href=#fully-active>fully active</a>, and when the element's
<code><a href=#document>Document</a></code>'s <a href=#browsing-context>browsing context</a> had its
<a href=#sandboxed-plugins-browsing-context-flag>sandboxed plugins browsing context flag</a> when that
- <code><a href=#document>Document</a></code> was created, and when the element's
- <code><a href=#document>Document</a></code> was parsed from a resource whose <a href=#content-type-sniffing-0 title="Content-Type sniffing">sniffed type</a> as determined
- during <a href=#navigate title=navigate>navigation</a> is
- <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code>, and when the element has an
+ <code><a href=#document>Document</a></code> was created, and when the element has an
ancestor <a href=#media-element>media element</a>, and when the element has an
ancestor <code><a href=#the-object-element>object</a></code> element that is <em>not</em> showing
its <a href=#fallback-content>fallback content</a>, and when no Java Language runtime
@@ -97528,90 +97492,9 @@ <h3 id=text/html><span class=secno>17.1 </span><dfn><code>text/html</code></dfn>
provide state information for in-page scripts.</p>
- <h3 id=text/html-sandboxed><span class=secno>17.2 </span><dfn><code>text/html-sandboxed</code></dfn></h3>
-
- <p>This registration is for community review and will be submitted
- to the IESG for review, approval, and registration with IANA.</p>
-
- <!--
- To: ietf-types@iana.org
- Subject: Registration of media type text/html-sandboxed
- -->
-
- <dl><dt>Type name:</dt>
- <dd>text</dd>
- <dt>Subtype name:</dt>
- <dd>html-sandboxed</dd>
- <dt>Required parameters:</dt>
- <dd>No required parameters</dd>
- <dt>Optional parameters:</dt>
- <dd>Same as for <code><a href=#text/html>text/html</a></code></dd>
- <dt>Encoding considerations:</dt>
- <dd>Same as for <code><a href=#text/html>text/html</a></code></dd>
- <dt>Security considerations:</dt>
- <dd>
- <p>The purpose of the <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code> MIME type
- is to provide a way for content providers to indicate that they
- want the file to be interpreted in a manner that does not give the
- file's contents access to the rest of the site. This is achieved
- by assigning the <code><a href=#document>Document</a></code> objects generated from
- resources labeled as <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code> unique
- origins.</p>
- <p>To avoid having legacy user agents treating resources labeled
- as <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code> as regular
- <code><a href=#text/html>text/html</a></code> files, authors should avoid using the <code title="">.html</code> or <code title="">.htm</code> extensions for
- resources labeled as <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code>.</p>
- <p>Furthermore, since the <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code> MIME
- type impacts the origin security model, authors should be careful
- to prevent tampering with the MIME type labeling mechanism itself
- when documents are labeled as <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code>. If
- an attacker can cause a file to be served as
- <code><a href=#text/html>text/html</a></code> instead of
- <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code>, then the sandboxing will not
- take effect and a cross-site scripting attack will become
- possible.</p>
- <p>Beyond this, the type is identical to <code><a href=#text/html>text/html</a></code>,
- and the same considerations apply.</p>
- </dd>
- <dt>Interoperability considerations:</dt>
- <dd>Same as for <code><a href=#text/html>text/html</a></code></dd>
- <dt>Published specification:</dt>
- <dd>
- This document is the relevant specification. Labeling a resource
- with the <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code> type asserts that the
- resource is an <a href=#html-documents title="HTML documents">HTML document</a>
- using <a href=#syntax>the HTML syntax</a>.
- </dd>
- <dt>Applications that use this media type:</dt>
- <dd>Same as for <code><a href=#text/html>text/html</a></code></dd>
- <dt>Additional information:</dt>
- <dd>
- <dl><dt>Magic number(s):</dt>
- <dd>Documents labeled as <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code> are
- heuristically indistinguishable from those labeled as
- <code><a href=#text/html>text/html</a></code>.</dd>
- <dt>File extension(s):</dt>
- <dd>"<code title="">sandboxed</code>"</dd>
- <dt>Macintosh file type code(s):</dt>
- <dd><code title="">TEXT</code></dd>
- </dl></dd>
- <dt>Person &amp; email address to contact for further information:</dt>
- <dd>Ian Hickson &lt;ian@hixie.ch&gt;</dd>
- <dt>Intended usage:</dt>
- <dd>Common</dd>
- <dt>Restrictions on usage:</dt>
- <dd>No restrictions apply.</dd>
- <dt>Author:</dt>
- <dd>Ian Hickson &lt;ian@hixie.ch&gt;</dd>
- <dt>Change controller:</dt>
- <dd>W3C</dd>
- </dl><p>Fragment identifiers used with <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code>
- resources either refer to <a href=#the-indicated-part-of-the-document>the indicated part of the
- document</a> or provide state information for in-page
- scripts.</p>
- <h3 id=multipart/x-mixed-replace><span class=secno>17.3 </span><dfn><code>multipart/x-mixed-replace</code></dfn></h3>
+ <h3 id=multipart/x-mixed-replace><span class=secno>17.2 </span><dfn><code>multipart/x-mixed-replace</code></dfn></h3>
<p>This registration is for community review and will be submitted
to the IESG for review, approval, and registration with IANA.</p>
@@ -97676,7 +97559,7 @@ <h3 id=multipart/x-mixed-replace><span class=secno>17.3 </span><dfn><code>multip
part as defined by the type used by that body part.</p>
- <h3 id=application/xhtml+xml><span class=secno>17.4 </span><dfn><code>application/xhtml+xml</code></dfn></h3>
+ <h3 id=application/xhtml+xml><span class=secno>17.3 </span><dfn><code>application/xhtml+xml</code></dfn></h3>
<p>This registration is for community review and will be submitted
to the IESG for review, approval, and registration with IANA.</p>
@@ -97741,7 +97624,7 @@ <h3 id=application/xhtml+xml><span class=secno>17.4 </span><dfn><code>applicatio
type</a>. <a href=#refsRFC3023>[RFC3023]</a></p>
- <h3 id=application/x-www-form-urlencoded><span class=secno>17.5 </span><dfn><code>application/x-www-form-urlencoded</code></dfn></h3>
+ <h3 id=application/x-www-form-urlencoded><span class=secno>17.4 </span><dfn><code>application/x-www-form-urlencoded</code></dfn></h3>
<p>This registration is for community review and will be submitted
to the IESG for review, approval, and registration with IANA.</p>
@@ -97808,7 +97691,7 @@ <h3 id=application/x-www-form-urlencoded><span class=secno>17.5 </span><dfn><cod
identifiers.</p>
- <h3 id=text/cache-manifest><span class=secno>17.6 </span><dfn><code>text/cache-manifest</code></dfn></h3>
+ <h3 id=text/cache-manifest><span class=secno>17.5 </span><dfn><code>text/cache-manifest</code></dfn></h3>
<p>This registration is for community review and will be submitted
to the IESG for review, approval, and registration with IANA.</p>
@@ -97879,7 +97762,7 @@ <h3 id=text/cache-manifest><span class=secno>17.6 </span><dfn><code>text/cache-m
<!--PING-->
- <h3 id=text/ping><span class=secno>17.7 </span><dfn><code>text/ping</code></dfn></h3>
+ <h3 id=text/ping><span class=secno>17.6 </span><dfn><code>text/ping</code></dfn></h3>
<p>This registration is for community review and will be submitted
to the IESG for review, approval, and registration with IANA.</p>
@@ -97944,7 +97827,7 @@ <h3 id=text/ping><span class=secno>17.7 </span><dfn><code>text/ping</code></dfn>
<!--TTVTT-->
<div data-component="other Hixie drafts (editor: Ian Hickson)">
- <h3 id=text/vtt><span class=secno>17.8 </span><dfn><code>text/vtt</code></dfn></h3>
+ <h3 id=text/vtt><span class=secno>17.7 </span><dfn><code>text/vtt</code></dfn></h3>
<p>This registration is for community review and will be submitted
to the IESG for review, approval, and registration with IANA.</p>
@@ -98025,7 +97908,7 @@ <h3 id=text/vtt><span class=secno>17.8 </span><dfn><code>text/vtt</code></dfn></
<!--MD-->
- <h3 id=application/microdata+json><span class=secno>17.9 </span><dfn><code>application/microdata+json</code></dfn></h3>
+ <h3 id=application/microdata+json><span class=secno>17.8 </span><dfn><code>application/microdata+json</code></dfn></h3>
<p>This registration is for community review and will be submitted
@@ -98097,7 +97980,7 @@ <h3 id=application/microdata+json><span class=secno>17.9 </span><dfn><code>appli
<!--PEERCONNECTION-->
- <h3 id=application/html-peer-connection-data><span class=secno>17.10 </span><dfn><code>application/html-peer-connection-data</code></dfn></h3>
+ <h3 id=application/html-peer-connection-data><span class=secno>17.9 </span><dfn><code>application/html-peer-connection-data</code></dfn></h3>
<p>This registration is for community review and will be submitted
to the IESG for review, approval, and registration with IANA.</p>
@@ -98178,7 +98061,7 @@ <h3 id=application/html-peer-connection-data><span class=secno>17.10 </span><dfn
<!--PING-->
- <h3 id=ping-from><span class=secno>17.11 </span><dfn title=http-ping-from><code>Ping-From</code></dfn></h3>
+ <h3 id=ping-from><span class=secno>17.10 </span><dfn title=http-ping-from><code>Ping-From</code></dfn></h3>
<p>This section describes a header field for registration in the
Permanent Message Header Field Registry. <a href=#refsRFC3864>[RFC3864]</a></p>
@@ -98197,7 +98080,7 @@ <h3 id=ping-from><span class=secno>17.11 </span><dfn title=http-ping-from><code>
</dd>
<dt>Related information</dt>
<dd>None.</dd>
- </dl><h3 id=ping-to><span class=secno>17.12 </span><dfn title=http-ping-to><code>Ping-To</code></dfn></h3>
+ </dl><h3 id=ping-to><span class=secno>17.11 </span><dfn title=http-ping-to><code>Ping-To</code></dfn></h3>
<p>This section describes a header field for registration in the
Permanent Message Header Field Registry. <a href=#refsRFC3864>[RFC3864]</a></p>
@@ -98216,7 +98099,7 @@ <h3 id=ping-from><span class=secno>17.11 </span><dfn title=http-ping-from><code>
</dd>
<dt>Related information</dt>
<dd>None.</dd>
- </dl><!--PING--><h3 id=web+-scheme-prefix><span class=secno>17.13 </span><dfn title=scheme-web><code>web+</code> scheme prefix</dfn></h3>
+ </dl><!--PING--><h3 id=web+-scheme-prefix><span class=secno>17.12 </span><dfn title=scheme-web><code>web+</code> scheme prefix</dfn></h3>
<p>This section describes a convention for use with the IANA URI
scheme registry. It does not itself register a specific scheme. <a href=#refsRFC4395>[RFC4395]</a></p>
235 index
@@ -1341,18 +1341,17 @@
<li><a href=#iana><span class=secno>17 </span>IANA considerations</a>
<ol>
<li><a href=#text/html><span class=secno>17.1 </span><code>text/html</code></a></li>
- <li><a href=#text/html-sandboxed><span class=secno>17.2 </span><code>text/html-sandboxed</code></a></li>
- <li><a href=#multipart/x-mixed-replace><span class=secno>17.3 </span><code>multipart/x-mixed-replace</code></a></li>
- <li><a href=#application/xhtml+xml><span class=secno>17.4 </span><code>application/xhtml+xml</code></a></li>
- <li><a href=#application/x-www-form-urlencoded><span class=secno>17.5 </span><code>application/x-www-form-urlencoded</code></a></li>
- <li><a href=#text/cache-manifest><span class=secno>17.6 </span><code>text/cache-manifest</code></a></li>
- <li><a href=#text/ping><span class=secno>17.7 </span><code>text/ping</code></a></li>
- <li><a href=#text/vtt><span class=secno>17.8 </span><code>text/vtt</code></a></li>
- <li><a href=#application/microdata+json><span class=secno>17.9 </span><code>application/microdata+json</code></a></li>
- <li><a href=#application/html-peer-connection-data><span class=secno>17.10 </span><code>application/html-peer-connection-data</code></a></li>
- <li><a href=#ping-from><span class=secno>17.11 </span><code>Ping-From</code></a></li>
- <li><a href=#ping-to><span class=secno>17.12 </span><code>Ping-To</code></a></li>
- <li><a href=#web+-scheme-prefix><span class=secno>17.13 </span><code>web+</code> scheme prefix</a></ol></li>
+ <li><a href=#multipart/x-mixed-replace><span class=secno>17.2 </span><code>multipart/x-mixed-replace</code></a></li>
+ <li><a href=#application/xhtml+xml><span class=secno>17.3 </span><code>application/xhtml+xml</code></a></li>
+ <li><a href=#application/x-www-form-urlencoded><span class=secno>17.4 </span><code>application/x-www-form-urlencoded</code></a></li>
+ <li><a href=#text/cache-manifest><span class=secno>17.5 </span><code>text/cache-manifest</code></a></li>
+ <li><a href=#text/ping><span class=secno>17.6 </span><code>text/ping</code></a></li>
+ <li><a href=#text/vtt><span class=secno>17.7 </span><code>text/vtt</code></a></li>
+ <li><a href=#application/microdata+json><span class=secno>17.8 </span><code>application/microdata+json</code></a></li>
+ <li><a href=#application/html-peer-connection-data><span class=secno>17.9 </span><code>application/html-peer-connection-data</code></a></li>
+ <li><a href=#ping-from><span class=secno>17.10 </span><code>Ping-From</code></a></li>
+ <li><a href=#ping-to><span class=secno>17.11 </span><code>Ping-To</code></a></li>
+ <li><a href=#web+-scheme-prefix><span class=secno>17.12 </span><code>web+</code> scheme prefix</a></ol></li>
<li><a class=no-num href=#index>Index</a>
<ol>
<li><a class=no-num href=#elements-1>Elements</a></li>
@@ -3136,8 +3135,8 @@ a.setAttribute('href', 'http://example.com/'); // change the content attribute d
SEMICOLON characters (;). In other words, if it consists only of a
type and subtype, with no MIME Type parameters. <a href=#refsHTTP>[HTTP]</a></p>
- <p>The term <dfn id=html-mime-type>HTML MIME type</dfn> is used to refer to the <a href=#mime-type title="MIME type">MIME types</a> <code><a href=#text/html>text/html</a></code> and
- <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code>.</p>
+ <p>The term <dfn id=html-mime-type>HTML MIME type</dfn> is used to refer to the
+ <a href=#mime-type>MIME type</a> <code><a href=#text/html>text/html</a></code>.</p>
<p>A resource's <dfn id=critical-subresources>critical subresources</dfn> are those that the
resource needs to have available to be correctly processed. Which
@@ -9413,8 +9412,7 @@ interface <dfn id=htmldocument>HTMLDocument</dfn> {
cookies.</p>
<p>If the contents are <a href=#sandboxed-origin-browsing-context-flag title="sandboxed origin browsing
context flag">sandboxed into a unique origin</a> (in an
- <code><a href=#the-iframe-element>iframe</a></code> with the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute) or the
- resource was labeled as <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code>, a
+ <code><a href=#the-iframe-element>iframe</a></code> with the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute), a
<code><a href=#securityerror>SecurityError</a></code> exception will be thrown on getting and
setting.</p>
</dd>
@@ -24102,7 +24100,7 @@ href="?audio"&gt;audio&lt;/a&gt; test instead.)&lt;/p&gt;</pre>
an attacker can convince the user to just visit the hostile content
directly, rather than in the <code><a href=#the-iframe-element>iframe</a></code>. To limit the
damage that can be caused by hostile HTML content, it should be
- served using the <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code> MIME type.</p>
+ served from a separate dedicated domain.</p>
<div class=impl>
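Review bot: "separate dedicated domain" in the added line is never defined, and the text does not say whether a subdomain of the site's own domain is enough. Suggest stating what the requirement means for the protection to hold: a host whose origin differs from the site's and which serves nothing but the untrusted content.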
@@ -24289,27 +24287,19 @@ href="?audio"&gt;audio&lt;/a&gt; test instead.)&lt;/p&gt;</pre>
<p>In this example, some completely-unknown, potentially hostile,
user-provided HTML content is embedded in a page. Because it is
- sandboxed, it is treated by the user agent as being from a unique
- origin, despite the content being served from the same site. Thus
- it is affected by all the normal cross-site restrictions. In
- addition, the embedded page has scripting disabled, plugins
- disabled, forms disabled, and it cannot navigate any frames or
- windows other than itself (or any frames or windows it itself
- embeds).</p>
+ served from a separate domain, it is affected by all the normal
+ cross-site restrictions. In addition, the embedded page has
+ scripting disabled, plugins disabled, forms disabled, and it cannot
+ navigate any frames or windows other than itself (or any frames or
+ windows it itself embeds).</p>
<pre>&lt;p&gt;We're not scared of you! Here is your content, unedited:&lt;/p&gt;
-&lt;iframe sandbox src="getusercontent.cgi?id=12193"&gt;&lt;/iframe&gt;</pre>
+&lt;iframe sandbox src="http://usercontent.example.net/getusercontent.cgi?id=12193"&gt;&lt;/iframe&gt;</pre>
- <p>Note that cookies are still sent to the server in the <code title="">getusercontent.cgi</code> request, though they are not
- visible in the <code title=dom-document-cookie><a href=#dom-document-cookie>document.cookie</a></code> IDL
- attribute.</p>
-
- <p class=warning>It is important that the server serve the
- user-provided HTML using the <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code> MIME
- type so that if the attacker convinces the user to visit that page
- directly, the page doesn't run in the context of the site's origin,
- which would make the user vulnerable to any attack found in the
- page.</p>
+ <p class=warning>It is important to use a separate domain so that
+ if the attacker convinces the user to visit that page directly, the
+ page doesn't run in the context of the site's origin, which would
+ make the user vulnerable to any attack found in the page.</p>
</div>
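Review bot: The rewritten first paragraph of the example no longer says why scripting, plugins and forms are disabled. "Because it is served from a separate domain" explains only the cross-site restrictions, and "In addition, the embedded page has scripting disabled, ..." now reads as a further consequence of the domain, when it comes from the sandbox attribute on the iframe. Suggest "Because the iframe is sandboxed, the embedded page also has scripting disabled, ..." so the two mechanisms stay distinct, and keep a sentence saying the sandboxed content is still treated as having a unique origin.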
@@ -24367,13 +24357,11 @@ href="?audio"&gt;audio&lt;/a&gt; test instead.)&lt;/p&gt;</pre>
</div>
- <p class=note>Potentially hostile files can be served from the
- same server as the file containing the <code><a href=#the-iframe-element>iframe</a></code> element
- by labeling them as <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code> instead of
- <code><a href=#text/html>text/html</a></code>. This ensures that scripts in the files are
- unable to attack the site (as if they were actually served from
- another server), even if the user is tricked into visiting those
- pages directly, without the protection of the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute.</p>
+ <p class=note>Potentially hostile files should not be served from
+ the same server as the file containing the <code><a href=#the-iframe-element>iframe</a></code>
+ element. Using a different domain ensures that scripts in the files
+ are unable to attack the site, even if the user is tricked into
+ visiting those pages directly, without the protection of the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute.</p>
<p class=warning>If the <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code>
keyword is set along with <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code>
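Review bot: The new note mixes "server" and "domain": its first sentence says hostile files should not be served from "the same server", while the second says "Using a different domain" is what gives the protection. The boundary that matters is the origin, and one server can answer for both domains, so suggest "should not be served from the same domain as the file containing the iframe element", matching the wording of the warning in the example.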
@@ -24663,7 +24651,6 @@ href="?audio"&gt;audio&lt;/a&gt; test instead.)&lt;/p&gt;</pre>
<li>The element's <code><a href=#document>Document</a></code> is <a href=#fully-active>fully active</a>.</li>
<li>The element has either a <code title=attr-embed-src><a href=#attr-embed-src>src</a></code> attribute set or a <code title=attr-embed-type><a href=#attr-embed-type>type</a></code> attribute set (or both).</li>
<li>The element's <code title=attr-embed-src><a href=#attr-embed-src>src</a></code> attribute is either absent or its value is the empty string.</li>
- <li>The element's <code><a href=#document>Document</a></code> was not parsed from a resource whose <a href=#content-type-sniffing-0 title="Content-Type sniffing">sniffed type</a> as determined during <a href=#navigate title=navigate>navigation</a> is <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code> (unless this has been overridden as described above).</li>
<li>The element is not a descendant of a <a href=#media-element>media element</a>.</li>
<li>The element is not a descendant of an <code><a href=#the-object-element>object</a></code> element that is not showing its <a href=#fallback-content>fallback content</a>.</li>
</ul><p>Whenever an <code><a href=#the-embed-element>embed</a></code> element that was not <a href=#concept-embed-active title=concept-embed-active>potentially active</a> becomes <a href=#concept-embed-active title=concept-embed-active>potentially active</a>, and whenever
@@ -24719,26 +24706,18 @@ href="?audio"&gt;audio&lt;/a&gt; test instead.)&lt;/p&gt;</pre>
be unloaded.</p>
<p id=sandboxPluginEmbed>When a <a href=#plugin>plugin</a> is to be
- instantiated but it cannot be <a href=#concept-plugin-secure title=concept-plugin-secure>secured</a> and either:
-
- <ul><li>the <a href=#sandboxed-plugins-browsing-context-flag>sandboxed plugins browsing context flag</a> was
- set on the <a href=#browsing-context>browsing context</a> for which the
- <code><a href=#the-embed-element>embed</a></code> element's <code><a href=#document>Document</a></code> is the
- <a href=#active-document>active document</a> when that <code><a href=#document>Document</a></code> was
- created, or</li>
-
- <li>the <code><a href=#the-embed-element>embed</a></code> element's <code><a href=#document>Document</a></code> was
- parsed from a resource whose <a href=#content-type-sniffing-0 title="Content-Type
- sniffing">sniffed type</a> as determined during <a href=#navigate title=navigate>navigation</a> is
- <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code></li>
-
- </ul><p>...then the user agent must not instantiate the
- <a href=#plugin>plugin</a>, and must instead render the <code><a href=#the-embed-element>embed</a></code>
- element in a manner that conveys that the <a href=#plugin>plugin</a> was
- disabled. The user agent may offer the user the option to override
- the sandbox and instantiate the <a href=#plugin>plugin</a> anyway; if the
- user invokes such an option, the user agent must act as if the
- conditions above did not apply for the purposes of this element.</p>
+ instantiated but it cannot be <a href=#concept-plugin-secure title=concept-plugin-secure>secured</a> and the <a href=#sandboxed-plugins-browsing-context-flag>sandboxed
+ plugins browsing context flag</a> was set on the <a href=#browsing-context>browsing
+ context</a> for which the <code><a href=#the-embed-element>embed</a></code> element's
+ <code><a href=#document>Document</a></code> is the <a href=#active-document>active document</a> when that
+ <code><a href=#document>Document</a></code> was created, then the user agent must not
+ instantiate the <a href=#plugin>plugin</a>, and must instead render the
+ <code><a href=#the-embed-element>embed</a></code> element in a manner that conveys that the
+ <a href=#plugin>plugin</a> was disabled. The user agent may offer the user
+ the option to override the sandbox and instantiate the
+ <a href=#plugin>plugin</a> anyway; if the user invokes such an option, the
+ user agent must act as if the conditions above did not apply for the
+ purposes of this element.</p>
<p class=warning>Plugins that cannot be <a href=#concept-plugin-secure title=concept-plugin-secure>secured</a> are disabled in
sandboxed browsing contexts because they might not honor the
@@ -25525,19 +25504,12 @@ href="?audio"&gt;audio&lt;/a&gt; test instead.)&lt;/p&gt;</pre>
context</a>.</p>
<p id=sandboxPluginObject>Plugins are considered sandboxed for the
- purpose of an <code><a href=#the-object-element>object</a></code> element if either:</p>
-
- <ul><li>the <a href=#sandboxed-plugins-browsing-context-flag>sandboxed plugins browsing context flag</a> was
- set on the <code><a href=#the-object-element>object</a></code> element's <code><a href=#document>Document</a></code>'s
- <a href=#browsing-context>browsing context</a> when the <code><a href=#document>Document</a></code> was
- created, or</li>
+ purpose of an <code><a href=#the-object-element>object</a></code> element if the <a href=#sandboxed-plugins-browsing-context-flag>sandboxed
+ plugins browsing context flag</a> was set on the
+ <code><a href=#the-object-element>object</a></code> element's <code><a href=#document>Document</a></code>'s <a href=#browsing-context>browsing
+ context</a> when the <code><a href=#document>Document</a></code> was created.</p>
- <li>the <code><a href=#the-object-element>object</a></code> element's <code><a href=#document>Document</a></code> was
- parsed from a resource whose <a href=#content-type-sniffing-0 title="Content-Type
- sniffing">sniffed type</a> as determined during <a href=#navigate title=navigate>navigation</a> is
- <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code></li>
-
- </ul><p class=note>The above algorithm is independent of CSS properties
+ <p class=note>The above algorithm is independent of CSS properties
(including 'display', 'overflow', and 'visibility'). For example, it
runs even if the element is hidden with a 'display:none' CSS style,
and does not run <em>again</em> if the element's visibility
@@ -63290,9 +63262,6 @@ x === this; // true</pre>
browsing context flag</a> was set when the
<code><a href=#document>Document</a></code> was created</dt>
- <dt>If a <code><a href=#document>Document</a></code> was generated from a resource
- labeled as <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code></dt>
-
<dd>The <a href=#origin>origin</a> is a globally unique identifier
assigned when the <code><a href=#document>Document</a></code> is created.</dd>
@@ -64891,7 +64860,6 @@ State: &lt;OUTPUT NAME=I&gt;1&lt;/OUTPUT&gt; &lt;INPUT VALUE="Increment" TYPE=BU
following list, and process the resource as described there:</p>
<dl class=switch><!-- an <span>HTML MIME type</span> --><dt>"<code><a href=#text/html>text/html</a></code>"</dt>
- <dt>"<code><a href=#text/html-sandboxed>text/html-sandboxed</a></code>"</dt>
<dd>Follow the steps given in the <a href=#read-html title=navigate-html>HTML document</a> section, and abort
these steps.</dd>
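Review bot: Removing the "text/html-sandboxed" entry from this switch leaves no statement of what a user agent does with a resource that is still served with that label. The registration deleted by this commit warned that treating such a file as text/html means "the sandboxing will not take effect and a cross-site scripting attack will become possible", so it is worth stating here that the type must not be handled as an HTML MIME type, rather than leaving it to whichever other entry in the list happens to match.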
@@ -70859,7 +70827,6 @@ interface <dfn id=navigatorcontentutils>NavigatorContentUtils</dfn> {
<ul class=brief><li><code><a href=#text/cache-manifest>text/cache-manifest</a></code></li>
<li><code>text/css</code></li>
- <li><code><a href=#text/html-sandboxed>text/html-sandboxed</a></code></li>
<li><code><a href=#text/html>text/html</a></code></li>
<li><code><a href=#text/ping>text/ping</a></code></li>
<li><code>text/plain</code></li>
@@ -96280,10 +96247,7 @@ if (s = prompt('What is your name?')) {
<a href=#fully-active>fully active</a>, and when the element's
<code><a href=#document>Document</a></code>'s <a href=#browsing-context>browsing context</a> had its
<a href=#sandboxed-plugins-browsing-context-flag>sandboxed plugins browsing context flag</a> when that
- <code><a href=#document>Document</a></code> was created, and when the element's
- <code><a href=#document>Document</a></code> was parsed from a resource whose <a href=#content-type-sniffing-0 title="Content-Type sniffing">sniffed type</a> as determined
- during <a href=#navigate title=navigate>navigation</a> is
- <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code>, and when the element has an
+ <code><a href=#document>Document</a></code> was created, and when the element has an
ancestor <a href=#media-element>media element</a>, and when the element has an
ancestor <code><a href=#the-object-element>object</a></code> element that is <em>not</em> showing
its <a href=#fallback-content>fallback content</a>, and when no Java Language runtime
@@ -97528,90 +97492,9 @@ if (s = prompt('What is your name?')) {
provide state information for in-page scripts.</p>
- <h3 id=text/html-sandboxed><span class=secno>17.2 </span><dfn><code>text/html-sandboxed</code></dfn></h3>
-
- <p>This registration is for community review and will be submitted
- to the IESG for review, approval, and registration with IANA.</p>
-
- <!--
- To: ietf-types@iana.org
- Subject: Registration of media type text/html-sandboxed
- -->
-
- <dl><dt>Type name:</dt>
- <dd>text</dd>
- <dt>Subtype name:</dt>
- <dd>html-sandboxed</dd>
- <dt>Required parameters:</dt>
- <dd>No required parameters</dd>
- <dt>Optional parameters:</dt>
- <dd>Same as for <code><a href=#text/html>text/html</a></code></dd>
- <dt>Encoding considerations:</dt>
- <dd>Same as for <code><a href=#text/html>text/html</a></code></dd>
- <dt>Security considerations:</dt>
- <dd>
- <p>The purpose of the <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code> MIME type
- is to provide a way for content providers to indicate that they
- want the file to be interpreted in a manner that does not give the
- file's contents access to the rest of the site. This is achieved
- by assigning the <code><a href=#document>Document</a></code> objects generated from
- resources labeled as <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code> unique
- origins.</p>
- <p>To avoid having legacy user agents treating resources labeled
- as <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code> as regular
- <code><a href=#text/html>text/html</a></code> files, authors should avoid using the <code title="">.html</code> or <code title="">.htm</code> extensions for
- resources labeled as <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code>.</p>
- <p>Furthermore, since the <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code> MIME
- type impacts the origin security model, authors should be careful
- to prevent tampering with the MIME type labeling mechanism itself
- when documents are labeled as <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code>. If
- an attacker can cause a file to be served as
- <code><a href=#text/html>text/html</a></code> instead of
- <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code>, then the sandboxing will not
- take effect and a cross-site scripting attack will become
- possible.</p>
- <p>Beyond this, the type is identical to <code><a href=#text/html>text/html</a></code>,
- and the same considerations apply.</p>
- </dd>
- <dt>Interoperability considerations:</dt>
- <dd>Same as for <code><a href=#text/html>text/html</a></code></dd>
- <dt>Published specification:</dt>
- <dd>
- This document is the relevant specification. Labeling a resource
- with the <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code> type asserts that the
- resource is an <a href=#html-documents title="HTML documents">HTML document</a>
- using <a href=#syntax>the HTML syntax</a>.
- </dd>
- <dt>Applications that use this media type:</dt>
- <dd>Same as for <code><a href=#text/html>text/html</a></code></dd>
- <dt>Additional information:</dt>
- <dd>
- <dl><dt>Magic number(s):</dt>
- <dd>Documents labeled as <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code> are
- heuristically indistinguishable from those labeled as
- <code><a href=#text/html>text/html</a></code>.</dd>
- <dt>File extension(s):</dt>
- <dd>"<code title="">sandboxed</code>"</dd>
- <dt>Macintosh file type code(s):</dt>
- <dd><code title="">TEXT</code></dd>
- </dl></dd>
- <dt>Person &amp; email address to contact for further information:</dt>
- <dd>Ian Hickson &lt;ian@hixie.ch&gt;</dd>
- <dt>Intended usage:</dt>
- <dd>Common</dd>
- <dt>Restrictions on usage:</dt>
- <dd>No restrictions apply.</dd>
- <dt>Author:</dt>
- <dd>Ian Hickson &lt;ian@hixie.ch&gt;</dd>
- <dt>Change controller:</dt>
- <dd>W3C</dd>
- </dl><p>Fragment identifiers used with <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code>
- resources either refer to <a href=#the-indicated-part-of-the-document>the indicated part of the
- document</a> or provide state information for in-page
- scripts.</p>
- <h3 id=multipart/x-mixed-replace><span class=secno>17.3 </span><dfn><code>multipart/x-mixed-replace</code></dfn></h3>
+ <h3 id=multipart/x-mixed-replace><span class=secno>17.2 </span><dfn><code>multipart/x-mixed-replace</code></dfn></h3>
<p>This registration is for community review and will be submitted
to the IESG for review, approval, and registration with IANA.</p>
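Review bot: The deleted Security considerations told authors how to deploy text/html-sandboxed safely (avoid .html/.htm extensions, protect the labeling mechanism), and the commit removes them without a word for sites that already label content this way. Suggest a short note in the iframe sandbox section saying that the label no longer yields a unique origin and that such content has to move to a separate domain, as the new warning text requires.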
@@ -97676,7 +97559,7 @@ if (s = prompt('What is your name?')) {
part as defined by the type used by that body part.</p>
- <h3 id=application/xhtml+xml><span class=secno>17.4 </span><dfn><code>application/xhtml+xml</code></dfn></h3>
+ <h3 id=application/xhtml+xml><span class=secno>17.3 </span><dfn><code>application/xhtml+xml</code></dfn></h3>
<p>This registration is for community review and will be submitted
to the IESG for review, approval, and registration with IANA.</p>
@@ -97741,7 +97624,7 @@ if (s = prompt('What is your name?')) {
type</a>. <a href=#refsRFC3023>[RFC3023]</a></p>
- <h3 id=application/x-www-form-urlencoded><span class=secno>17.5 </span><dfn><code>application/x-www-form-urlencoded</code></dfn></h3>
+ <h3 id=application/x-www-form-urlencoded><span class=secno>17.4 </span><dfn><code>application/x-www-form-urlencoded</code></dfn></h3>
<p>This registration is for community review and will be submitted
to the IESG for review, approval, and registration with IANA.</p>
@@ -97808,7 +97691,7 @@ if (s = prompt('What is your name?')) {
identifiers.</p>
- <h3 id=text/cache-manifest><span class=secno>17.6 </span><dfn><code>text/cache-manifest</code></dfn></h3>
+ <h3 id=text/cache-manifest><span class=secno>17.5 </span><dfn><code>text/cache-manifest</code></dfn></h3>
<p>This registration is for community review and will be submitted
to the IESG for review, approval, and registration with IANA.</p>
@@ -97879,7 +97762,7 @@ if (s = prompt('What is your name?')) {
<!--PING-->
- <h3 id=text/ping><span class=secno>17.7 </span><dfn><code>text/ping</code></dfn></h3>
+ <h3 id=text/ping><span class=secno>17.6 </span><dfn><code>text/ping</code></dfn></h3>
<p>This registration is for community review and will be submitted
to the IESG for review, approval, and registration with IANA.</p>
@@ -97944,7 +97827,7 @@ if (s = prompt('What is your name?')) {
<!--TTVTT-->
<div data-component="other Hixie drafts (editor: Ian Hickson)">
- <h3 id=text/vtt><span class=secno>17.8 </span><dfn><code>text/vtt</code></dfn></h3>
+ <h3 id=text/vtt><span class=secno>17.7 </span><dfn><code>text/vtt</code></dfn></h3>
<p>This registration is for community review and will be submitted
to the IESG for review, approval, and registration with IANA.</p>
@@ -98025,7 +97908,7 @@ if (s = prompt('What is your name?')) {
<!--MD-->
- <h3 id=application/microdata+json><span class=secno>17.9 </span><dfn><code>application/microdata+json</code></dfn></h3>
+ <h3 id=application/microdata+json><span class=secno>17.8 </span><dfn><code>application/microdata+json</code></dfn></h3>
<p>This registration is for community review and will be submitted
@@ -98097,7 +97980,7 @@ if (s = prompt('What is your name?')) {
<!--PEERCONNECTION-->
- <h3 id=application/html-peer-connection-data><span class=secno>17.10 </span><dfn><code>application/html-peer-connection-data</code></dfn></h3>
+ <h3 id=application/html-peer-connection-data><span class=secno>17.9 </span><dfn><code>application/html-peer-connection-data</code></dfn></h3>
<p>This registration is for community review and will be submitted
to the IESG for review, approval, and registration with IANA.</p>
@@ -98178,7 +98061,7 @@ if (s = prompt('What is your name?')) {
<!--PING-->
- <h3 id=ping-from><span class=secno>17.11 </span><dfn title=http-ping-from><code>Ping-From</code></dfn></h3>
+ <h3 id=ping-from><span class=secno>17.10 </span><dfn title=http-ping-from><code>Ping-From</code></dfn></h3>
<p>This section describes a header field for registration in the
Permanent Message Header Field Registry. <a href=#refsRFC3864>[RFC3864]</a></p>
@@ -98197,7 +98080,7 @@ if (s = prompt('What is your name?')) {
</dd>
<dt>Related information</dt>
<dd>None.</dd>
- </dl><h3 id=ping-to><span class=secno>17.12 </span><dfn title=http-ping-to><code>Ping-To</code></dfn></h3>
+ </dl><h3 id=ping-to><span class=secno>17.11 </span><dfn title=http-ping-to><code>Ping-To</code></dfn></h3>
<p>This section describes a header field for registration in the
Permanent Message Header Field Registry. <a href=#refsRFC3864>[RFC3864]</a></p>
@@ -98216,7 +98099,7 @@ if (s = prompt('What is your name?')) {
</dd>
<dt>Related information</dt>
<dd>None.</dd>
- </dl><!--PING--><h3 id=web+-scheme-prefix><span class=secno>17.13 </span><dfn title=scheme-web><code>web+</code> scheme prefix</dfn></h3>
+ </dl><!--PING--><h3 id=web+-scheme-prefix><span class=secno>17.12 </span><dfn title=scheme-web><code>web+</code> scheme prefix</dfn></h3>
<p>This section describes a convention for use with the IANA URI
scheme registry. It does not itself register a specific scheme. <a href=#refsRFC4395>[RFC4395]</a></p>
View
208 source
@@ -1993,9 +1993,8 @@ a.setAttribute('href', 'http://example.com/'); // change the content attribute d
type and subtype, with no MIME Type parameters. <a
href="#refsHTTP">[HTTP]</a></p>
- <p>The term <dfn>HTML MIME type</dfn> is used to refer to the <span
- title="MIME type">MIME types</span> <code>text/html</code> and
- <code>text/html-sandboxed</code>.</p>
+ <p>The term <dfn>HTML MIME type</dfn> is used to refer to the
+ <span>MIME type</span> <code>text/html</code>.</p>
<p>A resource's <dfn>critical subresources</dfn> are those that the
resource needs to have available to be correctly processed. Which
@@ -9451,8 +9450,7 @@ interface <dfn>HTMLDocument</dfn> {
<p>If the contents are <span title="sandboxed origin browsing
context flag">sandboxed into a unique origin</span> (in an
<code>iframe</code> with the <code
- title="attr-iframe-sandbox">sandbox</code> attribute) or the
- resource was labeled as <code>text/html-sandboxed</code>, a
+ title="attr-iframe-sandbox">sandbox</code> attribute), a
<code>SecurityError</code> exception will be thrown on getting and
setting.</p>
</dd>
@@ -25812,7 +25810,7 @@ href="?audio">audio&lt;/a> test instead.)&lt;/p></pre>
an attacker can convince the user to just visit the hostile content
directly, rather than in the <code>iframe</code>. To limit the
damage that can be caused by hostile HTML content, it should be
- served using the <code>text/html-sandboxed</code> MIME type.</p>
+ served from a separate dedicated domain.</p>
<div class="impl">
@@ -26027,29 +26025,19 @@ href="?audio">audio&lt;/a> test instead.)&lt;/p></pre>
<p>In this example, some completely-unknown, potentially hostile,
user-provided HTML content is embedded in a page. Because it is
- sandboxed, it is treated by the user agent as being from a unique
- origin, despite the content being served from the same site. Thus
- it is affected by all the normal cross-site restrictions. In
- addition, the embedded page has scripting disabled, plugins
- disabled, forms disabled, and it cannot navigate any frames or
- windows other than itself (or any frames or windows it itself
- embeds).</p>
+ served from a separate domain, it is affected by all the normal
+ cross-site restrictions. In addition, the embedded page has
+ scripting disabled, plugins disabled, forms disabled, and it cannot
+ navigate any frames or windows other than itself (or any frames or
+ windows it itself embeds).</p>
<pre>&lt;p>We're not scared of you! Here is your content, unedited:&lt;/p>
-&lt;iframe sandbox src="getusercontent.cgi?id=12193">&lt;/iframe></pre>
+&lt;iframe sandbox src="http://usercontent.example.net/getusercontent.cgi?id=12193">&lt;/iframe></pre>
- <p>Note that cookies are still sent to the server in the <code
- title="">getusercontent.cgi</code> request, though they are not
- visible in the <code
- title="dom-document-cookie">document.cookie</code> IDL
- attribute.</p>
-
- <p class="warning">It is important that the server serve the
- user-provided HTML using the <code>text/html-sandboxed</code> MIME
- type so that if the attacker convinces the user to visit that page
- directly, the page doesn't run in the context of the site's origin,
- which would make the user vulnerable to any attack found in the
- page.</p>
+ <p class="warning">It is important to use a separate domain so that
+ if the attacker convinces the user to visit that page directly, the
+ page doesn't run in the context of the site's origin, which would
+ make the user vulnerable to any attack found in the page.</p>
</div>
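Review bot: The paragraph about cookies ("cookies are still sent to the server in the getusercontent.cgi request") is deleted with nothing in its place. With the example now pointing at usercontent.example.net the old statement is stale, but the reader loses any description of cookie behaviour. Suggest one sentence on what the separate domain changes here: the embedding site's cookies do not accompany the request to the content domain, as long as they are not scoped to a shared parent domain.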
@@ -26113,13 +26101,11 @@ href="?audio">audio&lt;/a> test instead.)&lt;/p></pre>
</div>
- <p class="note">Potentially hostile files can be served from the
- same server as the file containing the <code>iframe</code> element
- by labeling them as <code>text/html-sandboxed</code> instead of
- <code>text/html</code>. This ensures that scripts in the files are
- unable to attack the site (as if they were actually served from
- another server), even if the user is tricked into visiting those
- pages directly, without the protection of the <code
+ <p class="note">Potentially hostile files should not be served from
+ the same server as the file containing the <code>iframe</code>
+ element. Using a different domain ensures that scripts in the files
+ are unable to attack the site, even if the user is tricked into
+ visiting those pages directly, without the protection of the <code
title="attr-iframe-sandbox">sandbox</code> attribute.</p>
<p class="warning">If the <code
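Review bot: "Using a different domain ensures that scripts in the files are unable to attack the site" covers the embedding site only. The removed text/html-sandboxed mechanism gave each document a unique origin, whereas every file served from one content domain (usercontent.example.net in the example) shares that domain's origin when visited directly, so the files are no longer isolated from each other. Suggest the note say so and recommend that nothing sensitive be kept on the content domain, or that content be split across per-user hosts.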
@@ -26444,7 +26430,6 @@ href="?audio">audio&lt;/a> test instead.)&lt;/p></pre>
<li>The element's <code>Document</code> is <span>fully active</span>.</li>
<li>The element has either a <code title="attr-embed-src">src</code> attribute set or a <code title="attr-embed-type">type</code> attribute set (or both).</li>
<li>The element's <code title="attr-embed-src">src</code> attribute is either absent or its value is the empty string.</li>
- <li>The element's <code>Document</code> was not parsed from a resource whose <span title="Content-Type sniffing">sniffed type</span> as determined during <span title="navigate">navigation</span> is <code>text/html-sandboxed</code> (unless this has been overridden as described above).</li>
<li>The element is not a descendant of a <span>media element</span>.</li>
<li>The element is not a descendant of an <code>object</code> element that is not showing its <span>fallback content</span>.</li>
</ul>
@@ -26516,31 +26501,18 @@ href="?audio">audio&lt;/a> test instead.)&lt;/p></pre>
<p id="sandboxPluginEmbed">When a <span>plugin</span> is to be
instantiated but it cannot be <span
- title="concept-plugin-secure">secured</span> and either:
-
- <ul>
-
- <li>the <span>sandboxed plugins browsing context flag</span> was
- set on the <span>browsing context</span> for which the
- <code>embed</code> element's <code>Document</code> is the
- <span>active document</span> when that <code>Document</code> was
- created, or</li>
-
- <li>the <code>embed</code> element's <code>Document</code> was
- parsed from a resource whose <span title="Content-Type
- sniffing">sniffed type</span> as determined during <span
- title="navigate">navigation</span> is
- <code>text/html-sandboxed</code></li>
-
- </ul>
-
- <p>...then the user agent must not instantiate the
- <span>plugin</span>, and must instead render the <code>embed</code>
- element in a manner that conveys that the <span>plugin</span> was
- disabled. The user agent may offer the user the option to override
- the sandbox and instantiate the <span>plugin</span> anyway; if the
- user invokes such an option, the user agent must act as if the
- conditions above did not apply for the purposes of this element.</p>
+ title="concept-plugin-secure">secured</span> and the <span>sandboxed
+ plugins browsing context flag</span> was set on the <span>browsing
+ context</span> for which the <code>embed</code> element's
+ <code>Document</code> is the <span>active document</span> when that
+ <code>Document</code> was created, then the user agent must not
+ instantiate the <span>plugin</span>, and must instead render the
+ <code>embed</code> element in a manner that conveys that the
+ <span>plugin</span> was disabled. The user agent may offer the user
+ the option to override the sandbox and instantiate the
+ <span>plugin</span> anyway; if the user invokes such an option, the
+ user agent must act as if the conditions above did not apply for the
+ purposes of this element.</p>
<p class="warning">Plugins that cannot be <span
title="concept-plugin-secure">secured</span> are disabled in
@@ -27419,22 +27391,10 @@ href="?audio">audio&lt;/a> test instead.)&lt;/p></pre>
context</span>.</p>
<p id="sandboxPluginObject">Plugins are considered sandboxed for the
- purpose of an <code>object</code> element if either:</p>
-
- <ul>
-
- <li>the <span>sandboxed plugins browsing context flag</span> was
- set on the <code>object</code> element's <code>Document</code>'s
- <span>browsing context</span> when the <code>Document</code> was
- created, or</li>
-
- <li>the <code>object</code> element's <code>Document</code> was
- parsed from a resource whose <span title="Content-Type
- sniffing">sniffed type</span> as determined during <span
- title="navigate">navigation</span> is
- <code>text/html-sandboxed</code></li>
-
- </ul>
+ purpose of an <code>object</code> element if the <span>sandboxed
+ plugins browsing context flag</span> was set on the
+ <code>object</code> element's <code>Document</code>'s <span>browsing
+ context</span> when the <code>Document</code> was created.</p>
<p class="note">The above algorithm is independent of CSS properties
(including 'display', 'overflow', and 'visibility'). For example, it
@@ -71871,9 +71831,6 @@ x === this; // true</pre>
browsing context flag</span> was set when the
<code>Document</code> was created</dt>
- <dt>If a <code>Document</code> was generated from a resource
- labeled as <code>text/html-sandboxed</code></dt>
-
<dd>The <span>origin</span> is a globally unique identifier
assigned when the <code>Document</code> is created.</dd>
@@ -73678,7 +73635,6 @@ State: &lt;OUTPUT NAME=I>1&lt;/OUTPUT> &lt;INPUT VALUE="Increment" TYPE=BUTTON O
<!-- an <span>HTML MIME type</span> -->
<dt>"<code>text/html</code>"</dt>
- <dt>"<code>text/html-sandboxed</code>"</dt>
<dd>Follow the steps given in the <span
title="navigate-html">HTML document</span> section, and abort
these steps.</dd>
@@ -80646,7 +80602,6 @@ interface <dfn>NavigatorContentUtils</dfn> {
<li><code>text/cache-manifest</code></li>
<li><code>text/css</code></li>
- <li><code>text/html-sandboxed</code></li>
<li><code>text/html</code></li>
<li><code>text/ping</code></li>
<li><code>text/plain</code></li>
@@ -109150,11 +109105,7 @@ if (s = prompt('What is your name?')) {
<span>fully active</span>, and when the element's
<code>Document</code>'s <span>browsing context</span> had its
<span>sandboxed plugins browsing context flag</span> when that
- <code>Document</code> was created, and when the element's
- <code>Document</code> was parsed from a resource whose <span
- title="Content-Type sniffing">sniffed type</span> as determined
- during <span title="navigate">navigation</span> is
- <code>text/html-sandboxed</code>, and when the element has an
+ <code>Document</code> was created, and when the element has an
ancestor <span>media element</span>, and when the element has an
ancestor <code>object</code> element that is <em>not</em> showing
its <span>fallback content</span>, and when no Java Language runtime
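Review bot: The context line directly above the change reads `<span>sandboxed plugins browsing context flag</span> when that`, which is missing the word "set" (compare "browsing context flag was set when the Document was created" in the origin hunk); since the following line is being rewritten anyway, fix the wording here. With the sniffed-type clause removed, this flag is the only sandbox-related condition left in the sentence, so it should read unambiguously.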
@@ -110693,93 +110644,6 @@ if (s = prompt('What is your name?')) {
provide state information for in-page scripts.</p>
- <h3><dfn><code>text/html-sandboxed</code></dfn></h3>
-
- <p>This registration is for community review and will be submitted
- to the IESG for review, approval, and registration with IANA.</p>
-
- <!--
- To: ietf-types@iana.org
- Subject: Registration of media type text/html-sandboxed
- -->
-
- <dl>
- <dt>Type name:</dt>
- <dd>text</dd>
- <dt>Subtype name:</dt>
- <dd>html-sandboxed</dd>
- <dt>Required parameters:</dt>
- <dd>No required parameters</dd>
- <dt>Optional parameters:</dt>
- <dd>Same as for <code>text/html</code></dd>
- <dt>Encoding considerations:</dt>
- <dd>Same as for <code>text/html</code></dd>
- <dt>Security considerations:</dt>
- <dd>
- <p>The purpose of the <code>text/html-sandboxed</code> MIME type
- is to provide a way for content providers to indicate that they
- want the file to be interpreted in a manner that does not give the
- file's contents access to the rest of the site. This is achieved
- by assigning the <code>Document</code> objects generated from
- resources labeled as <code>text/html-sandboxed</code> unique
- origins.</p>
- <p>To avoid having legacy user agents treating resources labeled
- as <code>text/html-sandboxed</code> as regular
- <code>text/html</code> files, authors should avoid using the <code
- title="">.html</code> or <code title="">.htm</code> extensions for
- resources labeled as <code>text/html-sandboxed</code>.</p>
- <p>Furthermore, since the <code>text/html-sandboxed</code> MIME
- type impacts the origin security model, authors should be careful
- to prevent tampering with the MIME type labeling mechanism itself
- when documents are labeled as <code>text/html-sandboxed</code>. If
- an attacker can cause a file to be served as
- <code>text/html</code> instead of
- <code>text/html-sandboxed</code>, then the sandboxing will not
- take effect and a cross-site scripting attack will become
- possible.</p>
- <p>Beyond this, the type is identical to <code>text/html</code>,
- and the same considerations apply.</p>
- </dd>
- <dt>Interoperability considerations:</dt>
- <dd>Same as for <code>text/html</code></dd>
- <dt>Published specification:</dt>
- <dd>
- This document is the relevant specification. Labeling a resource
- with the <code>text/html-sandboxed</code> type asserts that the
- resource is an <span title="HTML documents">HTML document</span>
- using <span>the HTML syntax</span>.
- </dd>
- <dt>Applications that use this media type:</dt>
- <dd>Same as for <code>text/html</code></dd>
- <dt>Additional information:</dt>
- <dd>
- <dl>
- <dt>Magic number(s):</dt>
- <dd>Documents labeled as <code>text/html-sandboxed</code> are
- heuristically indistinguishable from those labeled as
- <code>text/html</code>.</dd>
- <dt>File extension(s):</dt>
- <dd>"<code title="">sandboxed</code>"</dd>
- <dt>Macintosh file type code(s):</dt>
- <dd><code title="">TEXT</code></dd>
- </dl>
- </dd>
- <dt>Person &amp; email address to contact for further information:</dt>
- <dd>Ian Hickson &lt;ian@hixie.ch></dd>
- <dt>Intended usage:</dt>
- <dd>Common</dd>
- <dt>Restrictions on usage:</dt>
- <dd>No restrictions apply.</dd>
- <dt>Author:</dt>
- <dd>Ian Hickson &lt;ian@hixie.ch></dd>
- <dt>Change controller:</dt>
- <dd>W3C</dd>
- </dl>
-
- <p>Fragment identifiers used with <code>text/html-sandboxed</code>
- resources either refer to <span>the indicated part of the
- document</span> or provide state information for in-page
- scripts.</p>
<h3><dfn><code>multipart/x-mixed-replace</code></dfn></h3>
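Review bot: The deleted security considerations warn that if a file is served as `text/html` instead of `text/html-sandboxed` "the sandboxing will not take effect and a cross-site scripting attack will become possible", and that risk remains for authors who already deployed the type, yet the registration is removed without leaving any note for them. Suggest adding a short note, here or next to the sandboxing flags, saying that the type is no longer defined and that the label no longer yields a unique origin, and summarizing the rationale from bug 12390 in the commit message rather than only linking to it.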
