Short URL: http://html5.org/r/5713
| SVN | Bug | Comment | Time (UTC) |
|---|---|---|---|
| 5713 | | note advice from an anonymous IANA reviewer | 2010-12-08 00:51 |
Index: source
===================================================================
--- source (revision 5712)
+++ source (revision 5713)
@@ -102111,6 +102111,15 @@
<code>text/html</code> files, authors should avoid using the <code
title="">.html</code> or <code title="">.htm</code> extensions for
resources labeled as <code>text/html-sandboxed</code>.</p>
+ <p>Furthermore, since the <code>text/html-sandboxed</code> MIME
+ type impacts the origin security model, authors should be careful
+ to prevent tampering with the MIME type labeling mechanism itself
+ when documents are labeled as <code>text/html-sandboxed</code>. If
+ an attacker can cause a file to be served as
+ <code>text/html</code> instead of
+ <code>text/html-sandboxed</code>, then the sandboxing will not
+ take effect and a cross-site scripting attack will become
+ possible.</p>
<p>Beyond this, the type is identical to <code>text/html</code>,
and the same considerations apply.</p>
</dd>
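Review bot: the new paragraph names the threat (a document served as `text/html` instead of `text/html-sandboxed` loses its sandbox and becomes an XSS vector) but gives authors no concrete thing to check, while the preceding paragraph already describes one such labeling mechanism: the server's mapping from `.html`/`.htm` extensions to `text/html`. Consider tying the two together, e.g. "for example, the file-extension-to-type mapping discussed above is one such mechanism", so that "tampering with the MIME type labeling mechanism itself" reads as actionable advice rather than an abstract warning. Minor wording: "impacts the origin security model" would read better as "affects the origin security model".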