HTML Standard Tracker


SVN: 6657 | Bug: 12390 | Comment: [Gecko] [Internet Explorer] [Opera] [Webkit] Drop text/html-sandboxed | Time (UTC): 2011-10-11 00:26
@@ -1986,23 +1986,22 @@ a.setAttribute('href', 'http://example.com/'); // change the content attribute d
   of RFC 2616. In particular, a <span>valid MIME type</span> may
   include MIME type parameters. <a href="#refsHTTP">[HTTP]</a></p>
 
   <p>A string is a <dfn>valid MIME type with no parameters</dfn> if it
   matches the <code title="">media-type</code> rule defined in section
   3.7 "Media Types" of RFC 2616, but does not contain any U+003B
   SEMICOLON characters (;). In other words, if it consists only of a
   type and subtype, with no MIME Type parameters. <a
   href="#refsHTTP">[HTTP]</a></p>
 
-  <p>The term <dfn>HTML MIME type</dfn> is used to refer to the <span
-  title="MIME type">MIME types</span> <code>text/html</code> and
-  <code>text/html-sandboxed</code>.</p>
+  <p>The term <dfn>HTML MIME type</dfn> is used to refer to the
+  <span>MIME type</span> <code>text/html</code>.</p>
 
   <p>A resource's <dfn>critical subresources</dfn> are those that the
   resource needs to have available to be correctly processed. Which
   resources are considered critical or not is defined by the
   specification that defines the resource's format. For CSS resources,
   only <code title="">@import</code> rules introduce <span>critical
   subresources</span>; other resources, e.g. fonts or backgrounds, are
   not.</p>
 
   <p>The term <dfn title="data protocol"><code title="">data:</code>
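Review bot: with text/html-sandboxed removed, the "HTML MIME type" definition in this hunk now names exactly one type, so the term reads as a category of one; either keep it deliberately for the existing cross-references (the navigation switch later in this patch still annotates its text/html branch with "an HTML MIME type") or replace those references with text/html directly, but say which in the changelog. Dropping title="MIME type" from the span is fine, since the visible text is now the singular defined term and links on its own.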
@@ -9444,22 +9443,21 @@ interface <dfn>HTMLDocument</dfn> {
    <dt><var title="">document</var> . <code title="dom-document-cookie">cookie</code> [ = <var title="">value</var> ]</dt>
    <dd>
     <p>Returns the HTTP cookies that apply to the
     <code>Document</code>. If there are no cookies or cookies can't be
     applied to this resource, the empty string will be returned.</p>
     <p>Can be set, to add a new cookie to the element's set of HTTP
     cookies.</p>
     <p>If the contents are <span title="sandboxed origin browsing
     context flag">sandboxed into a unique origin</span> (in an
     <code>iframe</code> with the <code
-    title="attr-iframe-sandbox">sandbox</code> attribute) or the
-    resource was labeled as <code>text/html-sandboxed</code>, a
+    title="attr-iframe-sandbox">sandbox</code> attribute), a
     <code>SecurityError</code> exception will be thrown on getting and
     setting.</p>
    </dd>
 
   </dl>
 
   <div class="impl">
 
   <p>The <dfn title="dom-document-cookie"><code>cookie</code></dfn>
   attribute represents the cookies of the resource from which the
@@ -25805,21 +25803,21 @@ href="?audio">audio&lt;/a> test instead.)&lt;/p></pre>
   <code title="attr-iframe-sandbox-allow-same-origin">allow-same-origin</code>
   keywords together when the embedded page has the <span>same
   origin</span> as the page containing the <code>iframe</code> allows
   the embedded page to simply remove the <code
   title="attr-iframe-sandbox">sandbox</code> attribute.</p>
 
   <p class="warning">Sandboxing hostile content is of minimal help if
   an attacker can convince the user to just visit the hostile content
   directly, rather than in the <code>iframe</code>. To limit the
   damage that can be caused by hostile HTML content, it should be
-  served using the <code>text/html-sandboxed</code> MIME type.</p>
+  served from a separate dedicated domain.</p>
 
   <div class="impl">
 
   <!-- v2: Add a new attribute that enables new restrictions, e.g.:
        - disallow cross-origin loads of any kind (networking
          override that only allows same-origin URLs or about:,
          javascript:, data:)
        - block access to 'parent.frames' from sandbox
   -->
 
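Review bot: "served from a separate dedicated domain" in the rewritten warning is looser than the guarantee it replaces. A text/html-sandboxed label forced a unique origin; a "dedicated domain" only helps if it is a different origin from the embedding site and does not share cookies with it, and the removed example note a few hunks down shows cookies were already a concern for user-content requests. Suggest wording such as "served from a separate origin, on a host name that does not share cookies with the site", so the warning cannot be read as satisfied by a separate path or a cookie-sharing sibling host.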
@@ -26020,43 +26018,33 @@ href="?audio">audio&lt;/a> test instead.)&lt;/p></pre>
   <span title="navigate">navigated</span>. Removing them, or removing
   the entire <code title="attr-iframe-sandbox">sandbox</code>
   attribute, has no effect on an already-loaded page.</p>
 
   </div>
 
   <div class="example">
 
    <p>In this example, some completely-unknown, potentially hostile,
    user-provided HTML content is embedded in a page. Because it is
-   sandboxed, it is treated by the user agent as being from a unique
-   origin, despite the content being served from the same site. Thus
-   it is affected by all the normal cross-site restrictions. In
-   addition, the embedded page has scripting disabled, plugins
-   disabled, forms disabled, and it cannot navigate any frames or
-   windows other than itself (or any frames or windows it itself
-   embeds).</p>
+   served from a separate domain, it is affected by all the normal
+   cross-site restrictions. In addition, the embedded page has
+   scripting disabled, plugins disabled, forms disabled, and it cannot
+   navigate any frames or windows other than itself (or any frames or
+   windows it itself embeds).</p>
 
    <pre>&lt;p>We're not scared of you! Here is your content, unedited:&lt;/p>
-&lt;iframe sandbox src="getusercontent.cgi?id=12193">&lt;/iframe></pre>
+&lt;iframe sandbox src="http://usercontent.example.net/getusercontent.cgi?id=12193">&lt;/iframe></pre>
 
-   <p>Note that cookies are still sent to the server in the <code
-   title="">getusercontent.cgi</code> request, though they are not
-   visible in the <code
-   title="dom-document-cookie">document.cookie</code> IDL
-   attribute.</p>
-
-   <p class="warning">It is important that the server serve the
-   user-provided HTML using the <code>text/html-sandboxed</code> MIME
-   type so that if the attacker convinces the user to visit that page
-   directly, the page doesn't run in the context of the site's origin,
-   which would make the user vulnerable to any attack found in the
-   page.</p>
+   <p class="warning">It is important to use a separate domain so that
+   if the attacker convinces the user to visit that page directly, the
+   page doesn't run in the context of the site's origin, which would
+   make the user vulnerable to any attack found in the page.</p>
 
   </div>
 
   <div class="example">
 
    <p>In this example, a gadget from another site is embedded. The
    gadget has scripting and forms enabled, and the origin sandbox
    restrictions are lifted, allowing the gadget to communicate with
    its originating server. The sandbox is still useful, however, as it
    disables plugins and popups, thus reducing the risk of the user
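Review bot: the rewritten example prose attributes the protection to the domain alone ("Because it is served from a separate domain, it is affected by all the normal cross-site restrictions"), but when the content is embedded it is the sandbox attribute without allow-same-origin that gives the frame a unique origin; the separate domain is the backstop for the direct-visit case, which the warning paragraph below already explains. Suggest keeping the old first sentence ("Because it is sandboxed, it is treated by the user agent as being from a unique origin") and adding the separate-domain sentence after it. The removed note about cookies still being sent on the getusercontent.cgi request also needs a replacement rather than silent deletion: if the site and usercontent.example.net do not share cookies, that request now carries none of the site's cookies, so the server in the example cannot identify the user from them, a behaviour change readers of the old text would not expect.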
@@ -26106,27 +26094,25 @@ href="?audio">audio&lt;/a> test instead.)&lt;/p></pre>
    context</span> in the <code>iframe</code> in A when page B was
    loaded.</p>
 
    <p>Generally speaking, dynamically removing or changing the <code
    title="attr-iframe-sandbox">sandbox</code> attribute is
    ill-advised, because it can make it quite hard to reason about what
    will be allowed and what will not.</p>
 
   </div>
 
-  <p class="note">Potentially hostile files can be served from the
-  same server as the file containing the <code>iframe</code> element
-  by labeling them as <code>text/html-sandboxed</code> instead of
-  <code>text/html</code>. This ensures that scripts in the files are
-  unable to attack the site (as if they were actually served from
-  another server), even if the user is tricked into visiting those
-  pages directly, without the protection of the <code
+  <p class="note">Potentially hostile files should not be served from
+  the same server as the file containing the <code>iframe</code>
+  element. Using a different domain ensures that scripts in the files
+  are unable to attack the site, even if the user is tricked into
+  visiting those pages directly, without the protection of the <code
   title="attr-iframe-sandbox">sandbox</code> attribute.</p>
 
   <p class="warning">If the <code
   title="attr-iframe-sandbox-allow-scripts">allow-scripts</code>
   keyword is set along with <code
   title="attr-iframe-sandbox-allow-same-origin">allow-same-origin</code>
   keyword, and the file is from the <span>same origin</span> as the
   <code>iframe</code>'s <code>Document</code>, then a script in the
   "sandboxed" iframe could just reach out, remove the <code
   title="attr-iframe-sandbox">sandbox</code> attribute, and then
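Review bot: the rewritten note mixes two different units: the first sentence says hostile files "should not be served from the same server", the second says "using a different domain ensures" isolation. The boundary this section relies on is the origin (the origin rules later in this patch give a sandboxed Document a globally unique identifier), not the server: one server can serve several host names, and one host name can be served by several servers. Suggest "should not be served from the same origin as the document containing the iframe element; using a different host name ensures that scripts in the files are unable to attack the site".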
@@ -26437,21 +26423,20 @@ href="?audio">audio&lt;/a> test instead.)&lt;/p></pre>
 
   <p>An <code>embed</code> element is said to be <dfn
   title="concept-embed-active">potentially active</dfn> when the
   following conditions are all met simultaneously:</p>
 
   <ul class="brief">
    <li>The element is <span title="in a document">in a <code>Document</code></span>.</li>
    <li>The element's <code>Document</code> is <span>fully active</span>.</li>
    <li>The element has either a <code title="attr-embed-src">src</code> attribute set or a <code title="attr-embed-type">type</code> attribute set (or both).</li>
    <li>The element's <code title="attr-embed-src">src</code> attribute is either absent or its value is the empty string.</li>
-   <li>The element's <code>Document</code> was not parsed from a resource whose <span title="Content-Type sniffing">sniffed type</span> as determined during <span title="navigate">navigation</span> is <code>text/html-sandboxed</code> (unless this has been overridden as described above).</li>
    <li>The element is not a descendant of a <span>media element</span>.</li>
    <li>The element is not a descendant of an <code>object</code> element that is not showing its <span>fallback content</span>.</li>
   </ul>
 
   <p>Whenever an <code>embed</code> element that was not <span
   title="concept-embed-active">potentially active</span> becomes <span
   title="concept-embed-active">potentially active</span>, and whenever
   a <span title="concept-embed-active">potentially active</span>
   <code>embed</code> element's <code
   title="attr-embed-type">src</code> attribute is set, changed, or
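Review bot: dropping the sniffed-type item from the "potentially active" list is correct now that the plugin sandbox check lives entirely in the sandboxPluginEmbed paragraph, but the parenthetical it carried ("unless this has been overridden as described above") was the only place this list acknowledged the user override; confirm the override still reaches embed elements through that paragraph alone. While editing here, the unchanged context line `title="attr-embed-type">src</code>` wraps the word "src" in a title that points at the type attribute and looks like it should be attr-embed-src.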
@@ -26509,45 +26494,32 @@ href="?audio">audio&lt;/a> test instead.)&lt;/p></pre>
   </dl>
 
   <p>Whenever an <code>embed</code> element that was <span
   title="concept-embed-active">potentially active</span> stops being
   <span title="concept-embed-active">potentially active</span>, any
   <span>plugin</span> that had been instantiated for that element must
   be unloaded.</p>
 
   <p id="sandboxPluginEmbed">When a <span>plugin</span> is to be
   instantiated but it cannot be <span
-  title="concept-plugin-secure">secured</span> and either:
-
-  <ul>
-
-   <li>the <span>sandboxed plugins browsing context flag</span> was
-   set on the <span>browsing context</span> for which the
-   <code>embed</code> element's <code>Document</code> is the
-   <span>active document</span> when that <code>Document</code> was
-   created, or</li>
-
-   <li>the <code>embed</code> element's <code>Document</code> was
-   parsed from a resource whose <span title="Content-Type
-   sniffing">sniffed type</span> as determined during <span
-   title="navigate">navigation</span> is
-   <code>text/html-sandboxed</code></li>
-
-  </ul>
-
-  <p>...then the user agent must not instantiate the
-  <span>plugin</span>, and must instead render the <code>embed</code>
-  element in a manner that conveys that the <span>plugin</span> was
-  disabled. The user agent may offer the user the option to override
-  the sandbox and instantiate the <span>plugin</span> anyway; if the
-  user invokes such an option, the user agent must act as if the
-  conditions above did not apply for the purposes of this element.</p>
+  title="concept-plugin-secure">secured</span> and the <span>sandboxed
+  plugins browsing context flag</span> was set on the <span>browsing
+  context</span> for which the <code>embed</code> element's
+  <code>Document</code> is the <span>active document</span> when that
+  <code>Document</code> was created, then the user agent must not
+  instantiate the <span>plugin</span>, and must instead render the
+  <code>embed</code> element in a manner that conveys that the
+  <span>plugin</span> was disabled. The user agent may offer the user
+  the option to override the sandbox and instantiate the
+  <span>plugin</span> anyway; if the user invokes such an option, the
+  user agent must act as if the conditions above did not apply for the
+  purposes of this element.</p>
 
   <p class="warning">Plugins that cannot be <span
   title="concept-plugin-secure">secured</span> are disabled in
   sandboxed browsing contexts because they might not honor the
   restrictions imposed by the sandbox (e.g. they might allow scripting
   even when scripting in the sandbox is disabled). User agents should
   convey the danger of overriding the sandbox to the user if an option
   to do so is provided.</p>
 
   <p class="note">The <code>embed</code> element is unaffected by the
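Review bot: the collapsed paragraph keeps "as if the conditions above did not apply" from the two-item list it replaces, but there is now a single condition (the sandboxed plugins browsing context flag); suggest "as if the flag had not been set" so the override clause names what it overrides. The id="sandboxPluginEmbed" is preserved, so existing links to this paragraph still resolve.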
@@ -27412,36 +27384,24 @@ href="?audio">audio&lt;/a> test instead.)&lt;/p></pre>
   <code>param</code> elements that are children of the
   <code>object</code> element, in <span>tree order</span>. If the
   <span>plugin</span> supports a scriptable interface, the
   <code>HTMLObjectElement</code> object representing the element
   should expose that interface. The <code>object</code> element
   <span>represents</span> the <span>plugin</span>. The
   <span>plugin</span> is not a nested <span>browsing
   context</span>.</p>
 
   <p id="sandboxPluginObject">Plugins are considered sandboxed for the
-  purpose of an <code>object</code> element if either:</p>
-
-  <ul>
-
-   <li>the <span>sandboxed plugins browsing context flag</span> was
-   set on the <code>object</code> element's <code>Document</code>'s
-   <span>browsing context</span> when the <code>Document</code> was
-   created, or</li>
-
-   <li>the <code>object</code> element's <code>Document</code> was
-   parsed from a resource whose <span title="Content-Type
-   sniffing">sniffed type</span> as determined during <span
-   title="navigate">navigation</span> is
-   <code>text/html-sandboxed</code></li>
-
-  </ul>
+  purpose of an <code>object</code> element if the <span>sandboxed
+  plugins browsing context flag</span> was set on the
+  <code>object</code> element's <code>Document</code>'s <span>browsing
+  context</span> when the <code>Document</code> was created.</p>
 
   <p class="note">The above algorithm is independent of CSS properties
   (including 'display', 'overflow', and 'visibility'). For example, it
   runs even if the element is hidden with a 'display:none' CSS style,
   and does not run <em>again</em> if the element's visibility
   changes.</p>
 
   <p>Due to the algorithm above, the contents of <code>object</code>
   elements act as <span>fallback content</span>, used only when
   referenced resources can't be shown (e.g. because it returned a 404
@@ -71864,23 +71824,20 @@ x === this; // true</pre>
 
    <dd>
 
     <dl class="switch">
 
      <dt id="sandboxOrigin">If a <code>Document</code> is in a
      <span>browsing context</span> whose <span>sandboxed origin
      browsing context flag</span> was set when the
      <code>Document</code> was created</dt>
 
-     <dt>If a <code>Document</code> was generated from a resource
-     labeled as <code>text/html-sandboxed</code></dt>
-
      <dd>The <span>origin</span> is a globally unique identifier
      assigned when the <code>Document</code> is created.</dd>
 
 
      <dt>If a <code>Document</code> was generated from a <span
      title="javascript protocol"><code>javascript:</code>
      URL</span></dt>
 
      <dd>The <span>origin</span> is equal to the <span>origin</span>
      of the script of that <span title="javascript
@@ -73671,21 +73628,20 @@ State: &lt;OUTPUT NAME=I>1&lt;/OUTPUT> &lt;INPUT VALUE="Increment" TYPE=BUTTON O
    of the given <var title="">type</var> using some mechanism other
    than rendering the content in a <span>browsing context</span>, then
    skip this step. Otherwise, if the <var title="">type</var> is one
    of the following types, jump to the appropriate entry in the
    following list, and process the resource as described there:</p>
 
     <dl class="switch">
 
      <!-- an <span>HTML MIME type</span> -->
      <dt>"<code>text/html</code>"</dt>
-     <dt>"<code>text/html-sandboxed</code>"</dt>
      <dd>Follow the steps given in the <span
      title="navigate-html">HTML document</span> section, and abort
      these steps.</dd>
 
      <!-- an <span>XML MIME type</span> -->
      <dt>Any type ending in "<code title="">+xml</code>"</dt> <!-- no need to say that the _subtype_ ends in "+xml" so long as the "sniffed type" algorithm continues to drop parameters -->
      <dt>"<code>application/xml</code>"</dt>
      <dt>"<code>text/xml</code>"</dt>
      <dd>Follow the steps given in the <span title="navigate-xml">XML
      document</span> section. If that section determines that the
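Review bot: removing the text/html-sandboxed branch from this switch means a resource that a server built against earlier drafts still labels that way no longer matches any entry here and falls through to whatever the rest of the algorithm does for unrecognised types. That is the safe direction (the removed registration text identifies rendering such content as text/html in the site's origin as the failure that enables cross-site scripting), but it is worth stating in the changelog, since those servers will see their user content stop rendering rather than degrade gracefully.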
@@ -80639,21 +80595,20 @@ interface <dfn>NavigatorContentUtils</dfn> {
     privileged type, the user agent must throw a
     <code>SecurityError</code> exception.</p>
 
     <p>The following <span title="MIME type">MIME types</span> are in
     the <dfn>type blacklist</dfn>:</p>
 
     <ul class="brief">
 
      <li><code>text/cache-manifest</code></li>
      <li><code>text/css</code></li>
-     <li><code>text/html-sandboxed</code></li>
      <li><code>text/html</code></li>
      <li><code>text/ping</code></li>
      <li><code>text/plain</code></li>
      <li><code>application/x-www-form-urlencoded</code></li>
      <li><code>image/gif</code></li>
      <li><code>image/jpeg</code></li>
      <li><code>image/png</code></li>
      <li><code>multipart/x-mixed-replace</code></li>
      <li>All <span title="XML MIME type">XML MIME types</span></li>
      <li>All types that the user agent supports displaying natively in a <span>browsing context</span> during <span title="navigate">navigation</span></li>
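Review bot: taking text/html-sandboxed out of the type blacklist is consistent with the type no longer being defined, but the list still blocks text/html because handing that type to a registered content handler is dangerous, and a user agent that has not yet picked up this change still treats text/html-sandboxed as HTML. For such agents the entry was doing real work; consider keeping it for a transition period, or note in the changelog that user agents should remove the type's special handling and its blacklist entry in the same release.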
@@ -109143,25 +109098,21 @@ if (s = prompt('What is your name?')) {
   obsoleted so that all extension frameworks (Java, .NET, Flash, etc)
   are handled in a consistent manner.</p>
 
   <p id="sandboxPluginApplet">When the element is still in the
   <span>stack of open elements</span> of an <span>HTML parser</span>
   or <span>XML parser</span>, and when the element is not <span>in a
   <code>Document</code></span>, and when the element's document is not
   <span>fully active</span>, and when the element's
   <code>Document</code>'s <span>browsing context</span> had its
   <span>sandboxed plugins browsing context flag</span> when that
-  <code>Document</code> was created, and when the element's
-  <code>Document</code> was parsed from a resource whose <span
-  title="Content-Type sniffing">sniffed type</span> as determined
-  during <span title="navigate">navigation</span> is
-  <code>text/html-sandboxed</code>, and when the element has an
+  <code>Document</code> was created, and when the element has an
   ancestor <span>media element</span>, and when the element has an
   ancestor <code>object</code> element that is <em>not</em> showing
   its <span>fallback content</span>, and when no Java Language runtime
   <span>plugin</span> is available, and when one <em>is</em> available
   but it is disabled, the element <span>represents</span> its
   contents.</p>
 
   <!-- we assume here that the Java plugin can't be <span
   title="concept-plugin-secure">secured</span>; if anyone does end up
   securing one we can always change this -->
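Review bot: the shortened applet paragraph still reads as one long conjunction ("when ... and when ... and when ..."), yet its clauses are plainly alternatives: an element not in a Document and an element whose Document is not fully active are separate reasons for it to represent its contents, and "when no Java Language runtime plugin is available, and when one is available but it is disabled" cannot both hold at once. Since the paragraph is being edited anyway, suggest restructuring it as "When any of the following is true:" followed by a list, matching how the embed section states its conditions.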
@@ -110686,107 +110637,20 @@ if (s = prompt('What is your name?')) {
    <dd>Ian Hickson &lt;ian@hixie.ch></dd>
    <dt>Change controller:</dt>
    <dd>W3C</dd>
   </dl>
 
   <p>Fragment identifiers used with <code>text/html</code> resources
   either refer to <span>the indicated part of the document</span> or
   provide state information for in-page scripts.</p>
 
 
-  <h3><dfn><code>text/html-sandboxed</code></dfn></h3>
-
-  <p>This registration is for community review and will be submitted
-  to the IESG for review, approval, and registration with IANA.</p>
-
-  <!--
-   To: ietf-types@iana.org
-   Subject: Registration of media type text/html-sandboxed
-  -->
-
-  <dl>
-   <dt>Type name:</dt>
-   <dd>text</dd>
-   <dt>Subtype name:</dt>
-   <dd>html-sandboxed</dd>
-   <dt>Required parameters:</dt>
-   <dd>No required parameters</dd>
-   <dt>Optional parameters:</dt>
-   <dd>Same as for <code>text/html</code></dd>
-   <dt>Encoding considerations:</dt>
-   <dd>Same as for <code>text/html</code></dd>
-   <dt>Security considerations:</dt>
-   <dd>
-    <p>The purpose of the <code>text/html-sandboxed</code> MIME type
-    is to provide a way for content providers to indicate that they
-    want the file to be interpreted in a manner that does not give the
-    file's contents access to the rest of the site. This is achieved
-    by assigning the <code>Document</code> objects generated from
-    resources labeled as <code>text/html-sandboxed</code> unique
-    origins.</p>
-    <p>To avoid having legacy user agents treating resources labeled
-    as <code>text/html-sandboxed</code> as regular
-    <code>text/html</code> files, authors should avoid using the <code
-    title="">.html</code> or <code title="">.htm</code> extensions for
-    resources labeled as <code>text/html-sandboxed</code>.</p>
-    <p>Furthermore, since the <code>text/html-sandboxed</code> MIME
-    type impacts the origin security model, authors should be careful
-    to prevent tampering with the MIME type labeling mechanism itself
-    when documents are labeled as <code>text/html-sandboxed</code>. If
-    an attacker can cause a file to be served as
-    <code>text/html</code> instead of
-    <code>text/html-sandboxed</code>, then the sandboxing will not
-    take effect and a cross-site scripting attack will become
-    possible.</p>
-    <p>Beyond this, the type is identical to <code>text/html</code>,
-    and the same considerations apply.</p>
-   </dd>
-   <dt>Interoperability considerations:</dt>
-   <dd>Same as for <code>text/html</code></dd>
-   <dt>Published specification:</dt>
-   <dd>
-    This document is the relevant specification. Labeling a resource
-    with the <code>text/html-sandboxed</code> type asserts that the
-    resource is an <span title="HTML documents">HTML document</span>
-    using <span>the HTML syntax</span>.
-   </dd>
-   <dt>Applications that use this media type:</dt>
-   <dd>Same as for <code>text/html</code></dd>
-   <dt>Additional information:</dt>
-   <dd>
-    <dl>
-     <dt>Magic number(s):</dt>
-     <dd>Documents labeled as <code>text/html-sandboxed</code> are
-     heuristically indistinguishable from those labeled as
-     <code>text/html</code>.</dd>
-     <dt>File extension(s):</dt>
-     <dd>"<code title="">sandboxed</code>"</dd>
-     <dt>Macintosh file type code(s):</dt>
-     <dd><code title="">TEXT</code></dd>
-    </dl>
-   </dd>
-   <dt>Person &amp; email address to contact for further information:</dt>
-   <dd>Ian Hickson &lt;ian@hixie.ch></dd>
-   <dt>Intended usage:</dt>
-   <dd>Common</dd>
-   <dt>Restrictions on usage:</dt>
-   <dd>No restrictions apply.</dd>
-   <dt>Author:</dt>
-   <dd>Ian Hickson &lt;ian@hixie.ch></dd>
-   <dt>Change controller:</dt>
-   <dd>W3C</dd>
-  </dl>
-
-  <p>Fragment identifiers used with <code>text/html-sandboxed</code>
-  resources either refer to <span>the indicated part of the
-  document</span> or provide state information for in-page
-  scripts.</p>
 
 
   <h3><dfn><code>multipart/x-mixed-replace</code></dfn></h3>
 
   <p>This registration is for community review and will be submitted
   to the IESG for review, approval, and registration with IANA.</p>
 
   <!--
    To: ietf-types@iana.org
    Subject: Registration of media type multipart/x-mixed-replace
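Review bot: the removed registration's security considerations (the paragraph beginning "Furthermore, since the text/html-sandboxed MIME type impacts the origin security model") state a threat that survives this change: if an attacker can arrange for user-supplied content to be served in the site's own origin rather than in the isolated one, the sandboxing does not take effect and the result is cross-site scripting. The replacement guidance ("served from a separate dedicated domain") has the same dependency on the labeling mechanism, here the host name the content is served under, so the sandbox section should carry an equivalent sentence rather than losing the point with the registration. Also, the deletion leaves a run of blank lines before the multipart/x-mixed-replace heading.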
