HTML Standard Tracker

Diff (omit for latest revision)

Short URL:

File a bug

SVNBugCommentTime (UTC)
6222[Conformance Checkers] [Gecko] [Internet Explorer] [Opera] [Webkit] Introduce <object type='' data='' typemustmatch> to help when referencing resources from a remote host.2011-06-14 02:08
Index: source
--- source	(revision 6221)
+++ source	(revision 6222)
@@ -26893,12 +26893,12 @@
   <div class="example">
    <p>Here's a way to embed a resource that requires a proprietary
-   plug-in, like Flash:</p>
+   plugin, like Flash:</p>
    <pre>&lt;embed src="catgame.swf"></pre>
-   <p>If the user does not have the plug-in (for example if the
-   plug-in vendor doesn't support the user's platform), then the user
+   <p>If the user does not have the plugin (for example if the
+   plugin vendor doesn't support the user's platform), then the user
    will be unable to use the resource.</p>
    <p>To pass the plugin a parameter "quality" with the value "high",
@@ -26935,6 +26935,7 @@
    <dd><span>Global attributes</span></dd>
    <dd><code title="attr-object-data">data</code></dd>
    <dd><code title="attr-object-type">type</code></dd>
+   <dd><code title="attr-object-typemustmatch">typemustmatch</code></dd>
    <dd><code title="attr-object-name">name</code></dd>
    <dd><code title="attr-hyperlink-usemap">usemap</code></dd>
    <dd><code title="attr-fae-form">form</code></dd>
@@ -26945,6 +26946,7 @@
 <pre class="idl">interface <dfn>HTMLObjectElement</dfn> : <span>HTMLElement</span> {
            attribute DOMString <span title="dom-object-data">data</span>;
            attribute DOMString <span title="dom-object-type">type</span>;
+           attribute boolean <span title="dom-object-typeMustMatch">typeMustMatch</span>;
            attribute DOMString <span title="dom-object-name">name</span>;
            attribute DOMString <span title="dom-object-useMap">useMap</span>;
   readonly attribute <span>HTMLFormElement</span>? <span title="dom-fae-form">form</span>;
@@ -26978,6 +26980,18 @@
   present, the attribute must be a <span>valid non-empty
   URL potentially surrounded by spaces</span>.</p>
+  <p class="warning">Authors who reference resources from other <span
+  title="origin">origins</span> that they do not trust are urged to
+  use the <code title="attr-object-typemustmatch">typemustmatch</code>
+  attribute defined below. Without that attribute, it is possible in
+  certain cases for an attacker on the remote host to use the plugin
+  mechanism to run arbitrary scripts, even if the author has used
+  features such as the Flash "allowScriptAccess" parameter.</p> <!--
+  for example, if the user doesn't have flash installed but does have
+  java installed, and the remote site unexpectedly returns java
+  instead of flash, then java will run, and it will ignore the
+  allowScriptAccess thing -->
   <p>The <dfn title="attr-object-type"><code>type</code></dfn>
   attribute, if present, specifies the type of the resource. If
   present, the attribute must be a <span>valid MIME type</span>.</p>
@@ -26986,6 +27000,20 @@
   title="attr-object-data">data</code> attribute or the <code
   title="attr-object-type">type</code> attribute must be present.</p>
+  <p>The <dfn
+  title="attr-object-typemustmatch"><code>typemustmatch</code></dfn>
+  attribute is a <span>boolean attribute</span> whose precense
+  indicates that the resource specified by the <code
+  title="attr-object-data">data</code> attribute is only to be used if
+  the value of the <code title="attr-object-type">type</code>
+  attribute and the <span>Content-Type</span> of the aforementioned
+  resource match.</p>
+  <p>The <code title="attr-object-typemustmatch">typemustmatch</code>
+  attribute must not be specified unless both the <code
+  title="attr-object-data">data</code> attribute and the <code
+  title="attr-object-type">type</code> attribute are present.</p>
   <p>The <dfn title="attr-object-name"><code>name</code></dfn>
   attribute, if present, must be a <span>valid browsing context
   name</span>. The given value is used to name the <span>nested
@@ -27218,6 +27246,32 @@
+        <p>If the <code>object</code> element has a <code
+        title="attr-object-type">type</code> attribute and a <code
+        title="attr-object-typemustmatch">typemustmatch</code>
+        attribute, and the resource has <span
+        title="Content-Type">associated Content-Type metadata</span>,
+        and the type specified in <span title="Content-Type">the
+        resource's Content-Type metadata</span> is an <span>ASCII
+        case-insensitive</span> match for the value of the element's
+        <code title="attr-object-type">type</code> attribute, then let
+        <var title="">resource type</var> be that type and jump to the
+        step below labeled <i>handler</i>.</p>
+        <!-- do we need to <span>strip leading and trailing whitespace</span> from anything here? collapse sequences of spaces? drop parameters? -->
+       </li>
+       <li>
+        <p>If the <code>object</code> element has a <code
+        title="attr-object-typemustmatch">typemustmatch</code>
+        attribute, jump to the step below labeled <i>handler</i>.</p>
+       </li>
+       <li>
         <!-- by request: -->
         <p>If the user agent is configured to strictly obey
@@ -27229,6 +27283,15 @@
         metadata</span>, and jump to the step below labeled
+        <p class="warning">This can introduce a vulnerability, wherein
+        a site is trying to embed a resource that uses a particular
+        plugin, but the remote site overrides that and instead
+        furnishes the user agent with a resource that triggers a
+        different plugin with different security characteristics. <!--
+        e.g. the example given above, where the site is expecting
+        Flash with allowScriptAccess=never, and instead gets back Java
+        with its unrestricted DOM access --></p>
@@ -27392,10 +27455,10 @@
-      <p class="note">It is possible for this step to finish with <var
-      title="">resource type</var> still being unknown, or for one of
-      the substeps above to jump straight to the next step. In both
-      cases, the next step will trigger fallback.</p>
+      <p class="note">It is possible for this step to finish, or for
+      one of the substeps above to jump straight to the next step,
+      with <var title="">resource type</var> still being unknown. In
+      both cases, the next step will trigger fallback.</p>
@@ -27654,6 +27717,12 @@
   <p>The <dfn
+  title="dom-object-typeMustMatch"><code>typeMustMatch</code></dfn> IDL
+  attribute must <span>reflect</span> the <code
+  title="attr-object-typemustmatch">typemustmatch</code> content
+  attribute.</p>
+  <p>The <dfn
   IDL attribute must return the <code>Document</code> object of the
   <span>active document</span> of the <code>object</code> element's
@@ -29195,7 +29264,7 @@
  var videoSection = document.getElementById('video');
  var videoElement = document.createElement('video');
  var support = videoElement.canPlayType('video/x-new-fictional-format;codecs="kittens,bunnies"');
- if (support != "probably" &amp;&amp; "New Fictional Video Plug-in" in navigator.plugins) {
+ if (support != "probably" &amp;&amp; "New Fictional Video Plugin" in navigator.plugins) {
    // not confident of browser support
    // but we have a plugin
    // so use plugin instead
@@ -110513,6 +110582,7 @@
      <td><span title="global attributes">globals</span>;
          <code title="attr-object-data">data</code>;
          <code title="attr-object-type">type</code>;
+         <code title="attr-object-typemustmatch">typemustmatch</code>;
          <code title="attr-object-name">name</code>;
          <code title="attr-hyperlink-usemap">usemap</code>;
          <code title="attr-fae-form">form</code>;
@@ -112213,6 +112283,11 @@
      <td> Type of menu
      <td> "<code title="context menu state">context</code>"; "<code title="toolbar state">toolbar</code>"
+     <th> <code title="">typemustmatch</code>
+     <td> <code title="attr-object-typemustmatch">object</code>
+     <td> Whether the <code title="attr-object-type">type</code> attribute and the <span>Content-Type</span> value need to match for the resource to be used
+     <td> <span>Boolean attribute</span>
+    <tr>
      <th> <code title="">usemap</code>
      <td> <code title="attr-hyperlink-usemap">img</code>;
           <code title="attr-hyperlink-usemap">object</code>