Remove <object typemustmatch> #4590

Merged
merged 2 commits into from May 3, 2019
annevk
Member

@annevk annevk commented May 3, 2019

It did not get wide enough adoption and causes a minor cross-origin leak.

See https://lists.w3.org/Archives/Public/public-whatwg-archive/2011Jun/0144.html for its introduction and https://github.com/xsleaks/xsleaks/wiki/Browser-Side-Channels#object-typemustmatch for the leak.

(See WHATWG Working Mode: Changes for more details.)


/iframe-embed-object.html ( diff )
/indices.html ( diff )
/obsolete.html ( diff )

@annevk annevk added the removal/deprecation Removing or deprecating a feature label May 3, 2019
@zcorpan
Member

zcorpan commented May 3, 2019

How does the leak of the content-type compare to the risk the attribute is supposed to help with? Can we still address the original attack somehow?

  <p class="warning">Authors who reference resources from other <span data-x="origin">origins</span>
  that they do not trust are urged to use the <code
  data-x="attr-object-typemustmatch">typemustmatch</code> attribute defined below. Without that
  attribute, it is possible in certain cases for an attacker on the remote host to use the plugin
  mechanism to run arbitrary scripts, even if the author has used features such as the Flash
  "allowScriptAccess" parameter.</p> <!-- for example, if the user doesn't have flash installed but
  does have java installed, and the remote site unexpectedly returns java instead of flash, then
  java will run, and it will ignore the allowScriptAccess thing -->

Java is not available anymore, but the attack could be to load HTML instead of Flash, or Flash instead of an image or PDF.

This functionality can be used to determine whether the response has the Content-type: text/html because if the embedded object was loaded successfully the number of frames will increase.

So this allows for stricter checking if something is of a particular content-type compared to other features.

Worth to mention, typemustmatch also ensures that the server responded with a 200 OK header or the resource won't be loaded otherwise. Hence, it is possible to detect error pages as well.

I think this is possible regardless of typemustmatch (per spec).

@annevk
Member Author

annevk commented May 3, 2019

Basically, do not use object or embed to load untrusted resources, as I wrote in the obsolete section. Plugins are slowly going away and there's not much motivation from anyone to further invest in these elements I think.

(I agree that 2xx is exposed either way, not sure why that was mentioned as part of this attribute.)

@zcorpan
Copy link
Member

zcorpan commented May 3, 2019

I think we should still have a warning for embed and object about the risk of loading an untrusted resource, and trying to use type-specific sandboxing techniques (like "allowScriptAccess" for Flash).

Also we should probably more directly recommend to use iframe for HTML (and PDF?) and img for images, instead of embed/object. (This can be separate though.)
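
As an added example (not part of this PR or of the HTML Standard), the advice in this thread can be checked mechanically: the Python below flags the obsolete `typemustmatch` attribute and any `object`/`embed` whose resource is cross-origin, suggesting `iframe` or `img` where the declared type allows. Treating cross-origin as a stand-in for "untrusted", the `audit` helper, the type-to-element mapping and the sample markup with its hostnames are all assumptions of this example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Replacement element by declared MIME type, per the thread's suggestion
# (iframe for HTML and PDF, img for images). The mapping is this example's.
REPLACEMENTS = (("text/html", "iframe"), ("application/pdf", "iframe"), ("image/", "img"))
DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """(scheme, host, port) with the scheme's default port filled in."""
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or DEFAULT_PORTS.get(p.scheme))

class PluginEmbedAuditor(HTMLParser):
    """Collects (line, tag, message) findings for <object> and <embed>."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.findings = page_url, []

    def handle_starttag(self, tag, attrs):
        if tag not in ("object", "embed"):
            return
        attrs, line = dict(attrs), self.getpos()[0]
        if tag == "object" and "typemustmatch" in attrs:
            self.findings.append((line, tag, "typemustmatch is obsolete; remove it"))
        ref = attrs.get("data" if tag == "object" else "src")  # object: data=, embed: src=
        if not ref:
            return
        target = urljoin(self.page_url, ref)
        if origin(target) == origin(self.page_url):
            return
        mime = (attrs.get("type") or "").lower()
        hint = next((el for prefix, el in REPLACEMENTS if mime.startswith(prefix)), None)
        advice = f"use <{hint}> instead" if hint else "do not load untrusted resources this way"
        self.findings.append((line, tag, f"cross-origin resource {target}; {advice}"))

def audit(html, page_url):
    auditor = PluginEmbedAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample markup; all hostnames are placeholders.
SAMPLE = """<!doctype html>
<object data="https://widgets.example/player.swf" type="application/x-shockwave-flash" typemustmatch></object>
<object data="/docs/report.pdf" type="application/pdf"></object>
<embed src="https://cdn.example/banner.png" type="image/png">
<object data="https://other.example/page" type="text/html"></object>
"""
```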

@annevk annevk merged commit 2606f90 into master May 3, 2019
@annevk annevk deleted the annevk/rm-typemustmatch branch May 3, 2019 12:18
annevk added a commit to web-platform-tests/wpt that referenced this pull request May 3, 2019
Apart from Firefox nobody adopted this and it creates a smallish cross-origin leak. whatwg/html#4590 changes the HTML standard.
@sideshowbarker sideshowbarker added the impacts documentation Used by documentation communities, such as MDN, to track changes that impact documentation label Sep 2, 2019
@sideshowbarker
Contributor

heads-up @whatwg/documentation

sideshowbarker added a commit to mdn/content that referenced this pull request Mar 30, 2021
This change deletes the Web/API/HTMLObjectElement/typeMustMatch
article, as well as expunging all references to it from other articles.
The change also drops all mentions of the corresponding “typemustmatch”
markup attribute for “object” elements.

The history of typeMustMatch/typemustmatch is that it was added to the
spec in 2011 in whatwg/html@4030e71 but never
got implemented across browsers and never got adopted by web developers.
So whatwg/html#4590 dropped it from the spec in
2019, and it's now just a footnote in the Non-conforming features section
at https://html.spec.whatwg.org/obsolete.html#attr-object-typemustmatch

So there's statistically near-zero content on the web that’s using
typeMustMatch/typemustmatch, and there’s no value to continue
documenting it in MDN.
sideshowbarker added a commit to w3c/browser-compat-data that referenced this pull request Mar 30, 2021
This change deletes “typeMustMatch” from api/HTMLObjectElement.json
and deletes “typemustmatch” from html/elements/object.json.

The history of typeMustMatch/typemustmatch is that it was added to the
spec in 2011 in whatwg/html@4030e71 but never
got implemented across browsers and never got adopted by web developers.
So whatwg/html#4590 dropped it from the spec in
2019, and it's now just a footnote in the “Non-conforming features” section
at https://html.spec.whatwg.org/obsolete.html#attr-object-typemustmatch

So there's statistically near-zero content on the web that’s using
typeMustMatch/typemustmatch, and there’s no value to continue
tracking support data for it in BCD.

Related MDN content change: mdn/content#3655
aarongable pushed a commit to chromium/chromium that referenced this pull request Jan 24, 2022
This just removes one commented out line. There are no functional
changes.

typeMustMatch was removed from the HTML spec here:
whatwg/html#4590

I don't believe any other browser implemented this.

Bug: 897442
Change-Id: I543a8c84273bfbfef6d9ff2225a49fa1d1105965
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3413353
Commit-Queue: Joey Arhar <jarhar@chromium.org>
Reviewed-by: Mason Freed <masonf@chromium.org>
Cr-Commit-Position: refs/heads/main@{#962645}