
[giow] (0) Drop text/html-sandboxed

Fixing http://www.w3.org/Bugs/Public/show_bug.cgi?id=12390

git-svn-id: http://svn.whatwg.org/webapps@6657 340c8d12-0b0e-0410-8428-c7bf67bfef74
1 parent 2978abc, commit cef842d0ebb31f73695247daf0cf01ae71e99e3d, Hixie committed Oct 11, 2011
Showing with 154 additions and 524 deletions.
  1. +59 −176 complete.html
  2. +59 −176 index
  3. +36 −172 source
@@ -1993,9 +1993,8 @@ a.setAttribute('href', 'http://example.com/'); // change the content attribute d
type and subtype, with no MIME Type parameters. <a
href="#refsHTTP">[HTTP]</a></p>
- <p>The term <dfn>HTML MIME type</dfn> is used to refer to the <span
- title="MIME type">MIME types</span> <code>text/html</code> and
- <code>text/html-sandboxed</code>.</p>
+ <p>The term <dfn>HTML MIME type</dfn> is used to refer to the
+ <span>MIME type</span> <code>text/html</code>.</p>
<p>A resource's <dfn>critical subresources</dfn> are those that the
resource needs to have available to be correctly processed. Which
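Review bot: with text/html-sandboxed gone, the dfn "HTML MIME type" names exactly one type, text/html, so the plural-to-singular change here is right, but the definition is now a synonym rather than a grouping; consider whether the remaining uses of the term (the "an HTML MIME type" comment in the navigate section of this same patch) would read more plainly as text/html directly, or keep the dfn and say so explicitly ("is used to refer to the MIME type text/html; it is retained as a term for future HTML types").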
@@ -9451,8 +9450,7 @@ interface <dfn>HTMLDocument</dfn> {
<p>If the contents are <span title="sandboxed origin browsing
context flag">sandboxed into a unique origin</span> (in an
<code>iframe</code> with the <code
- title="attr-iframe-sandbox">sandbox</code> attribute) or the
- resource was labeled as <code>text/html-sandboxed</code>, a
+ title="attr-iframe-sandbox">sandbox</code> attribute), a
<code>SecurityError</code> exception will be thrown on getting and
setting.</p>
</dd>
@@ -25812,7 +25810,7 @@ href="?audio">audio&lt;/a> test instead.)&lt;/p></pre>
an attacker can convince the user to just visit the hostile content
directly, rather than in the <code>iframe</code>. To limit the
damage that can be caused by hostile HTML content, it should be
- served using the <code>text/html-sandboxed</code> MIME type.</p>
+ served from a separate dedicated domain.</p>
<div class="impl">
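Review bot: "served from a separate dedicated domain" in the new text is underspecified; a different hostname under the same registrable domain (for example a usercontent host next to the main site) still receives cookies set with a Domain attribute and can be joined to the parent via document.domain, so the advice should say a separate registrable domain (or "a separate origin on its own domain"), which is what the example host usercontent.example.net used later in this patch actually does.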
@@ -26027,29 +26025,19 @@ href="?audio">audio&lt;/a> test instead.)&lt;/p></pre>
<p>In this example, some completely-unknown, potentially hostile,
user-provided HTML content is embedded in a page. Because it is
- sandboxed, it is treated by the user agent as being from a unique
- origin, despite the content being served from the same site. Thus
- it is affected by all the normal cross-site restrictions. In
- addition, the embedded page has scripting disabled, plugins
- disabled, forms disabled, and it cannot navigate any frames or
- windows other than itself (or any frames or windows it itself
- embeds).</p>
+ served from a separate domain, it is affected by all the normal
+ cross-site restrictions. In addition, the embedded page has
+ scripting disabled, plugins disabled, forms disabled, and it cannot
+ navigate any frames or windows other than itself (or any frames or
+ windows it itself embeds).</p>
<pre>&lt;p>We're not scared of you! Here is your content, unedited:&lt;/p>
-&lt;iframe sandbox src="getusercontent.cgi?id=12193">&lt;/iframe></pre>
+&lt;iframe sandbox src="http://usercontent.example.net/getusercontent.cgi?id=12193">&lt;/iframe></pre>
- <p>Note that cookies are still sent to the server in the <code
- title="">getusercontent.cgi</code> request, though they are not
- visible in the <code
- title="dom-document-cookie">document.cookie</code> IDL
- attribute.</p>
-
- <p class="warning">It is important that the server serve the
- user-provided HTML using the <code>text/html-sandboxed</code> MIME
- type so that if the attacker convinces the user to visit that page
- directly, the page doesn't run in the context of the site's origin,
- which would make the user vulnerable to any attack found in the
- page.</p>
+ <p class="warning">It is important to use a separate domain so that
+ if the attacker convinces the user to visit that page directly, the
+ page doesn't run in the context of the site's origin, which would
+ make the user vulnerable to any attack found in the page.</p>
</div>
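Review bot: the rewritten explanation loses the point that the sandbox attribute itself forces a unique origin. As written ("Because it is served from a separate domain, it is affected by all the normal cross-site restrictions") a reader could conclude that the separate domain is what isolates the iframe, when the sandbox flag does that regardless of where the content is hosted and the separate domain is the defense for the direct-visit case described in the warning. Suggest keeping both sentences: "Because it is sandboxed, it is treated by the user agent as being from a unique origin; because it is also served from a separate domain, the same is true if the user visits it directly." The removed cookie note still applies with the new host (cookies for usercontent.example.net are sent with the getusercontent.cgi request but are not visible in document.cookie), so it could be kept with the hostname updated rather than dropped.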
@@ -26113,13 +26101,11 @@ href="?audio">audio&lt;/a> test instead.)&lt;/p></pre>
</div>
- <p class="note">Potentially hostile files can be served from the
- same server as the file containing the <code>iframe</code> element
- by labeling them as <code>text/html-sandboxed</code> instead of
- <code>text/html</code>. This ensures that scripts in the files are
- unable to attack the site (as if they were actually served from
- another server), even if the user is tricked into visiting those
- pages directly, without the protection of the <code
+ <p class="note">Potentially hostile files should not be served from
+ the same server as the file containing the <code>iframe</code>
+ element. Using a different domain ensures that scripts in the files
+ are unable to attack the site, even if the user is tricked into
+ visiting those pages directly, without the protection of the <code
title="attr-iframe-sandbox">sandbox</code> attribute.</p>
<p class="warning">If the <code
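Review bot: "should not be served from the same server" in the first sentence of the new note conflates server with origin: one server can host both domains by virtual hosting, and a different server reachable under the same domain gives no isolation at all. Suggest "should not be served from the same origin as the file containing the iframe element", which also matches the second sentence, where the protection is correctly attributed to using a different domain.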
@@ -26444,7 +26430,6 @@ href="?audio">audio&lt;/a> test instead.)&lt;/p></pre>
<li>The element's <code>Document</code> is <span>fully active</span>.</li>
<li>The element has either a <code title="attr-embed-src">src</code> attribute set or a <code title="attr-embed-type">type</code> attribute set (or both).</li>
<li>The element's <code title="attr-embed-src">src</code> attribute is either absent or its value is the empty string.</li>
- <li>The element's <code>Document</code> was not parsed from a resource whose <span title="Content-Type sniffing">sniffed type</span> as determined during <span title="navigate">navigation</span> is <code>text/html-sandboxed</code> (unless this has been overridden as described above).</li>
<li>The element is not a descendant of a <span>media element</span>.</li>
<li>The element is not a descendant of an <code>object</code> element that is not showing its <span>fallback content</span>.</li>
</ul>
@@ -26516,31 +26501,18 @@ href="?audio">audio&lt;/a> test instead.)&lt;/p></pre>
<p id="sandboxPluginEmbed">When a <span>plugin</span> is to be
instantiated but it cannot be <span
- title="concept-plugin-secure">secured</span> and either:
-
- <ul>
-
- <li>the <span>sandboxed plugins browsing context flag</span> was
- set on the <span>browsing context</span> for which the
- <code>embed</code> element's <code>Document</code> is the
- <span>active document</span> when that <code>Document</code> was
- created, or</li>
-
- <li>the <code>embed</code> element's <code>Document</code> was
- parsed from a resource whose <span title="Content-Type
- sniffing">sniffed type</span> as determined during <span
- title="navigate">navigation</span> is
- <code>text/html-sandboxed</code></li>
-
- </ul>
-
- <p>...then the user agent must not instantiate the
- <span>plugin</span>, and must instead render the <code>embed</code>
- element in a manner that conveys that the <span>plugin</span> was
- disabled. The user agent may offer the user the option to override
- the sandbox and instantiate the <span>plugin</span> anyway; if the
- user invokes such an option, the user agent must act as if the
- conditions above did not apply for the purposes of this element.</p>
+ title="concept-plugin-secure">secured</span> and the <span>sandboxed
+ plugins browsing context flag</span> was set on the <span>browsing
+ context</span> for which the <code>embed</code> element's
+ <code>Document</code> is the <span>active document</span> when that
+ <code>Document</code> was created, then the user agent must not
+ instantiate the <span>plugin</span>, and must instead render the
+ <code>embed</code> element in a manner that conveys that the
+ <span>plugin</span> was disabled. The user agent may offer the user
+ the option to override the sandbox and instantiate the
+ <span>plugin</span> anyway; if the user invokes such an option, the
+ user agent must act as if the conditions above did not apply for the
+ purposes of this element.</p>
<p class="warning">Plugins that cannot be <span
title="concept-plugin-secure">secured</span> are disabled in
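Review bot: "the conditions above did not apply" in the last sentence of the collapsed paragraph is stale; after removing the list there is a single condition (the sandboxed plugins browsing context flag set when the Document was created), so it should read "the condition above did not apply". The same collapse in the object-element paragraph later in this patch does not carry the problem because it has no override sentence.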
@@ -27419,22 +27391,10 @@ href="?audio">audio&lt;/a> test instead.)&lt;/p></pre>
context</span>.</p>
<p id="sandboxPluginObject">Plugins are considered sandboxed for the
- purpose of an <code>object</code> element if either:</p>
-
- <ul>
-
- <li>the <span>sandboxed plugins browsing context flag</span> was
- set on the <code>object</code> element's <code>Document</code>'s
- <span>browsing context</span> when the <code>Document</code> was
- created, or</li>
-
- <li>the <code>object</code> element's <code>Document</code> was
- parsed from a resource whose <span title="Content-Type
- sniffing">sniffed type</span> as determined during <span
- title="navigate">navigation</span> is
- <code>text/html-sandboxed</code></li>
-
- </ul>
+ purpose of an <code>object</code> element if the <span>sandboxed
+ plugins browsing context flag</span> was set on the
+ <code>object</code> element's <code>Document</code>'s <span>browsing
+ context</span> when the <code>Document</code> was created.</p>
<p class="note">The above algorithm is independent of CSS properties
(including 'display', 'overflow', and 'visibility'). For example, it
@@ -71871,9 +71831,6 @@ x === this; // true</pre>
browsing context flag</span> was set when the
<code>Document</code> was created</dt>
- <dt>If a <code>Document</code> was generated from a resource
- labeled as <code>text/html-sandboxed</code></dt>
-
<dd>The <span>origin</span> is a globally unique identifier
assigned when the <code>Document</code> is created.</dd>
@@ -73678,7 +73635,6 @@ State: &lt;OUTPUT NAME=I>1&lt;/OUTPUT> &lt;INPUT VALUE="Increment" TYPE=BUTTON O
<!-- an <span>HTML MIME type</span> -->
<dt>"<code>text/html</code>"</dt>
- <dt>"<code>text/html-sandboxed</code>"</dt>
<dd>Follow the steps given in the <span
title="navigate-html">HTML document</span> section, and abort
these steps.</dd>
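Review bot: dropping the "text/html-sandboxed" case from the navigate dispatch means a resource still labeled with that type no longer reaches the HTML document steps and falls through to whatever the later cases do for an unrecognized text subtype; since deployed content may carry the label, the commit message (or a note in the spec) should say plainly that the type is no longer recognized and that such content must be relabeled text/html and moved to a separate domain, rather than leaving the behaviour change implicit.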
@@ -80646,7 +80602,6 @@ interface <dfn>NavigatorContentUtils</dfn> {
<li><code>text/cache-manifest</code></li>
<li><code>text/css</code></li>
- <li><code>text/html-sandboxed</code></li>
<li><code>text/html</code></li>
<li><code>text/ping</code></li>
<li><code>text/plain</code></li>
@@ -109150,11 +109105,7 @@ if (s = prompt('What is your name?')) {
<span>fully active</span>, and when the element's
<code>Document</code>'s <span>browsing context</span> had its
<span>sandboxed plugins browsing context flag</span> when that
- <code>Document</code> was created, and when the element's
- <code>Document</code> was parsed from a resource whose <span
- title="Content-Type sniffing">sniffed type</span> as determined
- during <span title="navigate">navigation</span> is
- <code>text/html-sandboxed</code>, and when the element has an
+ <code>Document</code> was created, and when the element has an
ancestor <span>media element</span>, and when the element has an
ancestor <code>object</code> element that is <em>not</em> showing
its <span>fallback content</span>, and when no Java Language runtime
@@ -110693,93 +110644,6 @@ if (s = prompt('What is your name?')) {
provide state information for in-page scripts.</p>
- <h3><dfn><code>text/html-sandboxed</code></dfn></h3>
-
- <p>This registration is for community review and will be submitted
- to the IESG for review, approval, and registration with IANA.</p>
-
- <!--
- To: ietf-types@iana.org
- Subject: Registration of media type text/html-sandboxed
- -->
-
- <dl>
- <dt>Type name:</dt>
- <dd>text</dd>
- <dt>Subtype name:</dt>
- <dd>html-sandboxed</dd>
- <dt>Required parameters:</dt>
- <dd>No required parameters</dd>
- <dt>Optional parameters:</dt>
- <dd>Same as for <code>text/html</code></dd>
- <dt>Encoding considerations:</dt>
- <dd>Same as for <code>text/html</code></dd>
- <dt>Security considerations:</dt>
- <dd>
- <p>The purpose of the <code>text/html-sandboxed</code> MIME type
- is to provide a way for content providers to indicate that they
- want the file to be interpreted in a manner that does not give the
- file's contents access to the rest of the site. This is achieved
- by assigning the <code>Document</code> objects generated from
- resources labeled as <code>text/html-sandboxed</code> unique
- origins.</p>
- <p>To avoid having legacy user agents treating resources labeled
- as <code>text/html-sandboxed</code> as regular
- <code>text/html</code> files, authors should avoid using the <code
- title="">.html</code> or <code title="">.htm</code> extensions for
- resources labeled as <code>text/html-sandboxed</code>.</p>
- <p>Furthermore, since the <code>text/html-sandboxed</code> MIME
- type impacts the origin security model, authors should be careful
- to prevent tampering with the MIME type labeling mechanism itself
- when documents are labeled as <code>text/html-sandboxed</code>. If
- an attacker can cause a file to be served as
- <code>text/html</code> instead of
- <code>text/html-sandboxed</code>, then the sandboxing will not
- take effect and a cross-site scripting attack will become
- possible.</p>
- <p>Beyond this, the type is identical to <code>text/html</code>,
- and the same considerations apply.</p>
- </dd>
- <dt>Interoperability considerations:</dt>
- <dd>Same as for <code>text/html</code></dd>
- <dt>Published specification:</dt>
- <dd>
- This document is the relevant specification. Labeling a resource
- with the <code>text/html-sandboxed</code> type asserts that the
- resource is an <span title="HTML documents">HTML document</span>
- using <span>the HTML syntax</span>.
- </dd>
- <dt>Applications that use this media type:</dt>
- <dd>Same as for <code>text/html</code></dd>
- <dt>Additional information:</dt>
- <dd>
- <dl>
- <dt>Magic number(s):</dt>
- <dd>Documents labeled as <code>text/html-sandboxed</code> are
- heuristically indistinguishable from those labeled as
- <code>text/html</code>.</dd>
- <dt>File extension(s):</dt>
- <dd>"<code title="">sandboxed</code>"</dd>
- <dt>Macintosh file type code(s):</dt>
- <dd><code title="">TEXT</code></dd>
- </dl>
- </dd>
- <dt>Person &amp; email address to contact for further information:</dt>
- <dd>Ian Hickson &lt;ian@hixie.ch></dd>
- <dt>Intended usage:</dt>
- <dd>Common</dd>
- <dt>Restrictions on usage:</dt>
- <dd>No restrictions apply.</dd>
- <dt>Author:</dt>
- <dd>Ian Hickson &lt;ian@hixie.ch></dd>
- <dt>Change controller:</dt>
- <dd>W3C</dd>
- </dl>
-
- <p>Fragment identifiers used with <code>text/html-sandboxed</code>
- resources either refer to <span>the indicated part of the
- document</span> or provide state information for in-page
- scripts.</p>
<h3><dfn><code>multipart/x-mixed-replace</code></dfn></h3>
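Review bot: the removed registration carried the one piece of security guidance that has no replacement after this patch, namely that the mechanism is only as strong as the labeling (an attacker who could get the file served as text/html instead of text/html-sandboxed got same-origin script execution). The separate-domain approach has the analogous failure, a user-content host that is also reachable under the main site's origin (a wildcard virtual host, or a DNS name that resolves to the same origin-serving configuration), and it would be worth adding one sentence to the iframe sandbox warning in this patch to say the separate domain must not be served as an alias of the main site's origin.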
