Short URL: http://html5.org/r/6222
| SVN | Bug | Comment | Time (UTC) |
|---|---|---|---|
| 6222 | | | 2011-06-14 02:08 |
Index: source
===================================================================
--- source (revision 6221)
+++ source (revision 6222)
@@ -26893,12 +26893,12 @@
<div class="example">
<p>Here's a way to embed a resource that requires a proprietary
- plug-in, like Flash:</p>
+ plugin, like Flash:</p>
<pre><embed src="catgame.swf"></pre>
- <p>If the user does not have the plug-in (for example if the
- plug-in vendor doesn't support the user's platform), then the user
+ <p>If the user does not have the plugin (for example if the
+ plugin vendor doesn't support the user's platform), then the user
will be unable to use the resource.</p>
<p>To pass the plugin a parameter "quality" with the value "high",
@@ -26935,6 +26935,7 @@
<dd><span>Global attributes</span></dd>
<dd><code title="attr-object-data">data</code></dd>
<dd><code title="attr-object-type">type</code></dd>
+ <dd><code title="attr-object-typemustmatch">typemustmatch</code></dd>
<dd><code title="attr-object-name">name</code></dd>
<dd><code title="attr-hyperlink-usemap">usemap</code></dd>
<dd><code title="attr-fae-form">form</code></dd>
@@ -26945,6 +26946,7 @@
<pre class="idl">interface <dfn>HTMLObjectElement</dfn> : <span>HTMLElement</span> {
attribute DOMString <span title="dom-object-data">data</span>;
attribute DOMString <span title="dom-object-type">type</span>;
+ attribute boolean <span title="dom-object-typeMustMatch">typeMustMatch</span>;
attribute DOMString <span title="dom-object-name">name</span>;
attribute DOMString <span title="dom-object-useMap">useMap</span>;
readonly attribute <span>HTMLFormElement</span>? <span title="dom-fae-form">form</span>;
@@ -26978,6 +26980,18 @@
present, the attribute must be a <span>valid non-empty
URL potentially surrounded by spaces</span>.</p>
+ <p class="warning">Authors who reference resources from other <span
+ title="origin">origins</span> that they do not trust are urged to
+ use the <code title="attr-object-typemustmatch">typemustmatch</code>
+ attribute defined below. Without that attribute, it is possible in
+ certain cases for an attacker on the remote host to use the plugin
+ mechanism to run arbitrary scripts, even if the author has used
+ features such as the Flash "allowScriptAccess" parameter.</p> <!--
+ for example, if the user doesn't have flash installed but does have
+ java installed, and the remote site unexpectedly returns java
+ instead of flash, then java will run, and it will ignore the
+ allowScriptAccess thing -->
+
<p>The <dfn title="attr-object-type"><code>type</code></dfn>
attribute, if present, specifies the type of the resource. If
present, the attribute must be a <span>valid MIME type</span>.</p>
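Review bot: The concrete scenario behind the new warning appears only in the HTML comment that follows the closing `</p>` (Flash not installed, Java installed, the remote site returns Java, and allowScriptAccess is ignored), so a reader of the rendered text sees only "in certain cases". Consider moving a one-sentence version of that scenario into the visible warning so authors can tell whether their embeds are exposed.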
@@ -26986,6 +27000,20 @@
title="attr-object-data">data</code> attribute or the <code
title="attr-object-type">type</code> attribute must be present.</p>
+ <p>The <dfn
+ title="attr-object-typemustmatch"><code>typemustmatch</code></dfn>
+ attribute is a <span>boolean attribute</span> whose precense
+ indicates that the resource specified by the <code
+ title="attr-object-data">data</code> attribute is only to be used if
+ the value of the <code title="attr-object-type">type</code>
+ attribute and the <span>Content-Type</span> of the aforementioned
+ resource match.</p>
+
+ <p>The <code title="attr-object-typemustmatch">typemustmatch</code>
+ attribute must not be specified unless both the <code
+ title="attr-object-data">data</code> attribute and the <code
+ title="attr-object-type">type</code> attribute are present.</p>
+
<p>The <dfn title="attr-object-name"><code>name</code></dfn>
attribute, if present, must be a <span>valid browsing context
name</span>. The given value is used to name the <span>nested
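Review bot: "precense" in the new typemustmatch definition is a typo for "presence". The same paragraph requires the type attribute and the Content-Type to "match" without saying how they are compared; the processing-model step added later in this patch uses an ASCII case-insensitive match, so reusing that wording here, or pointing to that step, would keep the authoring text and the algorithm in agreement.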
@@ -27218,6 +27246,32 @@
<li>
+ <p>If the <code>object</code> element has a <code
+ title="attr-object-type">type</code> attribute and a <code
+ title="attr-object-typemustmatch">typemustmatch</code>
+ attribute, and the resource has <span
+ title="Content-Type">associated Content-Type metadata</span>,
+ and the type specified in <span title="Content-Type">the
+ resource's Content-Type metadata</span> is an <span>ASCII
+ case-insensitive</span> match for the value of the element's
+ <code title="attr-object-type">type</code> attribute, then let
+ <var title="">resource type</var> be that type and jump to the
+ step below labeled <i>handler</i>.</p>
+
+ <!-- do we need to <span>strip leading and trailing whitespace</span> from anything here? collapse sequences of spaces? drop parameters? -->
+
+ </li>
+
+ <li>
+
+ <p>If the <code>object</code> element has a <code
+ title="attr-object-typemustmatch">typemustmatch</code>
+ attribute, jump to the step below labeled <i>handler</i>.</p>
+
+ </li>
+
+ <li>
+
<!-- by request: http://www.w3.org/Bugs/Public/show_bug.cgi?id=8479 -->
<p>If the user agent is configured to strictly obey
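Review bot: The comment in the first new step leaves open whether whitespace is stripped, runs of spaces collapsed, or parameters dropped before the comparison, while the step text compares "the type specified in the resource's Content-Type metadata" directly against the type attribute value. Since this comparison is the security check that typemustmatch exists for, the normalization should be stated in the step itself rather than left as an open question, so that implementations agree on which responses match and which fall through to the handler step with the resource type unknown.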
@@ -27229,6 +27283,15 @@
metadata</span>, and jump to the step below labeled
<i>handler</i>.</p>
+ <p class="warning">This can introduce a vulnerability, wherein
+ a site is trying to embed a resource that uses a particular
+ plugin, but the remote site overrides that and instead
+ furnishes the user agent with a resource that triggers a
+ different plugin with different security characteristics. <!--
+ e.g. the example given above, where the site is expecting
+ Flash with allowScriptAccess=never, and instead gets back Java
+ with its unrestricted DOM access --></p>
+
</li>
<li>
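Review bot: The warning added to the "strictly obey Content-Type" step describes the plugin substitution risk but never names the typemustmatch attribute that this same patch introduces as the defense. A cross-reference such as `<code title="attr-object-typemustmatch">typemustmatch</code>` in the visible text would tell authors what to do about it; as in the earlier warning, the Flash and Java illustration sits only in an HTML comment and will not be rendered.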
@@ -27392,10 +27455,10 @@
</ol>
- <p class="note">It is possible for this step to finish with <var
- title="">resource type</var> still being unknown, or for one of
- the substeps above to jump straight to the next step. In both
- cases, the next step will trigger fallback.</p>
+ <p class="note">It is possible for this step to finish, or for
+ one of the substeps above to jump straight to the next step,
+ with <var title="">resource type</var> still being unknown. In
+ both cases, the next step will trigger fallback.</p>
</li>
@@ -27654,6 +27717,12 @@
name.</p>
<p>The <dfn
+ title="dom-object-typeMustMatch"><code>typeMustMatch</code></dfn> IDL
+ attribute must <span>reflect</span> the <code
+ title="attr-object-typemustmatch">typemustmatch</code> content
+ attribute.</p>
+
+ <p>The <dfn
title="dom-object-contentDocument"><code>contentDocument</code></dfn>
IDL attribute must return the <code>Document</code> object of the
<span>active document</span> of the <code>object</code> element's
@@ -29195,7 +29264,7 @@
var videoSection = document.getElementById('video');
var videoElement = document.createElement('video');
var support = videoElement.canPlayType('video/x-new-fictional-format;codecs="kittens,bunnies"');
- if (support != "probably" && "New Fictional Video Plug-in" in navigator.plugins) {
+ if (support != "probably" && "New Fictional Video Plugin" in navigator.plugins) {
// not confident of browser support
// but we have a plugin
// so use plugin instead
@@ -110513,6 +110582,7 @@
<td><span title="global attributes">globals</span>;
<code title="attr-object-data">data</code>;
<code title="attr-object-type">type</code>;
+ <code title="attr-object-typemustmatch">typemustmatch</code>;
<code title="attr-object-name">name</code>;
<code title="attr-hyperlink-usemap">usemap</code>;
<code title="attr-fae-form">form</code>;
@@ -112213,6 +112283,11 @@
<td> Type of menu
<td> "<code title="context menu state">context</code>"; "<code title="toolbar state">toolbar</code>"
<tr>
+ <th> <code title="">typemustmatch</code>
+ <td> <code title="attr-object-typemustmatch">object</code>
+ <td> Whether the <code title="attr-object-type">type</code> attribute and the <span>Content-Type</span> value need to match for the resource to be used
+ <td> <span>Boolean attribute</span>
+ <tr>
<th> <code title="">usemap</code>
<td> <code title="attr-hyperlink-usemap">img</code>;
<code title="attr-hyperlink-usemap">object</code>