HTML Standard Tracker

SVN: 6222
Comment: [Conformance Checkers] [Gecko] [Internet Explorer] [Opera] [Webkit] Introduce <object type='' data='' typemustmatch> to help when referencing resources from a remote host.
Time (UTC): 2011-06-14 02:08
@@ -26886,26 +26886,26 @@ href="?audio">audio&lt;/a> test instead.)&lt;/p></pre>
   title="dom-embed-src"><code>src</code></dfn> and <dfn
   title="dom-embed-type"><code>type</code></dfn> each must
   <span>reflect</span> the respective content attributes of the same
   name.</p>
 
   </div>
 
   <div class="example">
 
    <p>Here's a way to embed a resource that requires a proprietary
-   plug-in, like Flash:</p>
+   plugin, like Flash:</p>
 
    <pre>&lt;embed src="catgame.swf"></pre>
 
-   <p>If the user does not have the plug-in (for example if the
-   plug-in vendor doesn't support the user's platform), then the user
+   <p>If the user does not have the plugin (for example if the
+   plugin vendor doesn't support the user's platform), then the user
    will be unable to use the resource.</p>
 
    <p>To pass the plugin a parameter "quality" with the value "high",
    an attribute can be specified:</p>
 
    <pre>&lt;embed src="catgame.swf" quality="high"></pre>
 
    <p>This would be equivalent to the following, when using an
    <code>object</code> element instead:</p>
 
@@ -26928,30 +26928,32 @@ href="?audio">audio&lt;/a> test instead.)&lt;/p></pre>
    <dd>If the element has a <code title="attr-hyperlink-usemap">usemap</code> attribute: <span>Interactive content</span>.</dd> <!-- also when showing a plugin or a nested browsing context, but checking that statically is hard...) -->
    <dd><span title="category-listed">Listed</span>,  <span title="category-submit">submittable</span>, <span>form-associated element</span>.</dd>
    <dt>Contexts in which this element can be used:</dt>
    <dd>Where <span>embedded content</span> is expected.</dd>
    <dt>Content model:</dt>
    <dd>Zero or more <code>param</code> elements, then, <span>transparent</span>.</dd>
    <dt>Content attributes:</dt>
    <dd><span>Global attributes</span></dd>
    <dd><code title="attr-object-data">data</code></dd>
    <dd><code title="attr-object-type">type</code></dd>
+   <dd><code title="attr-object-typemustmatch">typemustmatch</code></dd>
    <dd><code title="attr-object-name">name</code></dd>
    <dd><code title="attr-hyperlink-usemap">usemap</code></dd>
    <dd><code title="attr-fae-form">form</code></dd>
    <dd><code title="attr-dim-width">width</code></dd>
    <dd><code title="attr-dim-height">height</code></dd>
    <dt>DOM interface:</dt>
    <dd>
 <pre class="idl">interface <dfn>HTMLObjectElement</dfn> : <span>HTMLElement</span> {
            attribute DOMString <span title="dom-object-data">data</span>;
            attribute DOMString <span title="dom-object-type">type</span>;
+           attribute boolean <span title="dom-object-typeMustMatch">typeMustMatch</span>;
            attribute DOMString <span title="dom-object-name">name</span>;
            attribute DOMString <span title="dom-object-useMap">useMap</span>;
   readonly attribute <span>HTMLFormElement</span>? <span title="dom-fae-form">form</span>;
            attribute DOMString <span title="dom-dim-width">width</span>;
            attribute DOMString <span title="dom-dim-height">height</span>;
   readonly attribute Document? <span title="dom-object-contentDocument">contentDocument</span>;
   readonly attribute <span>WindowProxy</span>? <span title="dom-object-contentWindow">contentWindow</span>;
 
   readonly attribute boolean <span title="dom-cva-willValidate">willValidate</span>;
   readonly attribute <span>ValidityState</span> <span title="dom-cva-validity">validity</span>;
@@ -26971,28 +26973,54 @@ href="?audio">audio&lt;/a> test instead.)&lt;/p></pre>
   resource, which, depending on the type of the resource, will either
   be treated as an image, as a <span>nested browsing context</span>,
   or as an external resource to be processed by a
   <span>plugin</span>.</p>
 
   <p>The <dfn title="attr-object-data"><code>data</code></dfn>
   attribute, if present, specifies the address of the resource. If
   present, the attribute must be a <span>valid non-empty
   URL potentially surrounded by spaces</span>.</p>
 
+  <p class="warning">Authors who reference resources from other <span
+  title="origin">origins</span> that they do not trust are urged to
+  use the <code title="attr-object-typemustmatch">typemustmatch</code>
+  attribute defined below. Without that attribute, it is possible in
+  certain cases for an attacker on the remote host to use the plugin
+  mechanism to run arbitrary scripts, even if the author has used
+  features such as the Flash "allowScriptAccess" parameter.</p> <!--
+  for example, if the user doesn't have flash installed but does have
+  java installed, and the remote site unexpectedly returns java
+  instead of flash, then java will run, and it will ignore the
+  allowScriptAccess thing -->
+
   <p>The <dfn title="attr-object-type"><code>type</code></dfn>
   attribute, if present, specifies the type of the resource. If
   present, the attribute must be a <span>valid MIME type</span>.</p>
 
   <p>At least one of either the <code
   title="attr-object-data">data</code> attribute or the <code
   title="attr-object-type">type</code> attribute must be present.</p>
 
+  <p>The <dfn
+  title="attr-object-typemustmatch"><code>typemustmatch</code></dfn>
+  attribute is a <span>boolean attribute</span> whose precense
+  indicates that the resource specified by the <code
+  title="attr-object-data">data</code> attribute is only to be used if
+  the value of the <code title="attr-object-type">type</code>
+  attribute and the <span>Content-Type</span> of the aforementioned
+  resource match.</p>
+
+  <p>The <code title="attr-object-typemustmatch">typemustmatch</code>
+  attribute must not be specified unless both the <code
+  title="attr-object-data">data</code> attribute and the <code
+  title="attr-object-type">type</code> attribute are present.</p>
+
   <p>The <dfn title="attr-object-name"><code>name</code></dfn>
   attribute, if present, must be a <span>valid browsing context
   name</span>. The given value is used to name the <span>nested
   browsing context</span>, if applicable.</p>
 
   <div class="impl">
 
   <p>When the element is created, when it is popped off the
   <span>stack of open elements</span> of an <span>HTML parser</span>
   or <span>XML parser</span>, and subsequently whenever the element is
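Review bot: "precense" in the added typemustmatch definition is a typo for "presence". In the same hunk, the new warning paragraph keeps its only concrete scenario (Flash not installed, Java installed, the remote site returns Java, and Java ignores allowScriptAccess) inside an HTML comment, so it never renders; a short visible version would show authors why allowScriptAccess alone does not protect them. The definition also says the type attribute and the Content-Type must "match" without saying how, so a cross-reference to the algorithm step that defines the comparison would remove the ambiguity.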
@@ -27211,31 +27239,66 @@ href="?audio">audio&lt;/a> test instead.)&lt;/p></pre>
       <ol>
 
        <li>
 
         <p>Let the <var title="">resource type</var> be unknown.</p>
 
        </li>
 
        <li>
 
+        <p>If the <code>object</code> element has a <code
+        title="attr-object-type">type</code> attribute and a <code
+        title="attr-object-typemustmatch">typemustmatch</code>
+        attribute, and the resource has <span
+        title="Content-Type">associated Content-Type metadata</span>,
+        and the type specified in <span title="Content-Type">the
+        resource's Content-Type metadata</span> is an <span>ASCII
+        case-insensitive</span> match for the value of the element's
+        <code title="attr-object-type">type</code> attribute, then let
+        <var title="">resource type</var> be that type and jump to the
+        step below labeled <i>handler</i>.</p>
+
+        <!-- do we need to <span>strip leading and trailing whitespace</span> from anything here? collapse sequences of spaces? drop parameters? -->
+
+       </li>
+
+       <li>
+
+        <p>If the <code>object</code> element has a <code
+        title="attr-object-typemustmatch">typemustmatch</code>
+        attribute, jump to the step below labeled <i>handler</i>.</p>
+
+       </li>
+
+       <li>
+
         <!-- by request: http://www.w3.org/Bugs/Public/show_bug.cgi?id=8479 -->
 
         <p>If the user agent is configured to strictly obey
         Content-Type headers for this resource, and the resource has
         <span title="Content-Type">associated Content-Type
         metadata</span>, then let the <var title="">resource
         type</var> be the type specified in <span
         title="Content-Type">the resource's Content-Type
         metadata</span>, and jump to the step below labeled
         <i>handler</i>.</p>
 
+        <p class="warning">This can introduce a vulnerability, wherein
+        a site is trying to embed a resource that uses a particular
+        plugin, but the remote site overrides that and instead
+        furnishes the user agent with a resource that triggers a
+        different plugin with different security characteristics. <!--
+        e.g. the example given above, where the site is expecting
+        Flash with allowScriptAccess=never, and instead gets back Java
+        with its unrestricted DOM access --></p>
+
        </li>
 
        <li>
 
         <p>If there is a <code title="attr-object-type">type</code>
         attribute present on the <code>object</code> element, and that
         attribute's value is not a type that the user agent supports,
         but it <em>is</em> a type that a <span>plugin</span> supports,
         then let the <var title="">resource type</var> be the type
         specified in that <code title="attr-object-type">type</code>
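Review bot: The comparison in the first added step is underspecified, and the comment that follows it says as much ("strip leading and trailing whitespace ... collapse sequences of spaces? drop parameters?"). This step is the security check, so it should state whether parameters in the Content-Type metadata are ignored and whether the type attribute value is trimmed before the ASCII case-insensitive match. As written, any mismatch falls to the second added step and jumps to handler with resource type still unknown, which fails closed, but authors will get fallback for reasons they cannot predict from the text. The new warning under the "strictly obey Content-Type" step could also name typemustmatch as the mitigation, since that step is now only reached when the attribute is absent.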
@@ -27385,24 +27448,24 @@ href="?audio">audio&lt;/a> test instead.)&lt;/p></pre>
         title="url-path">&lt;path&gt;</span> components that end with
         the four character string "<code title="">.swf</code>".</p>
 
         <!-- it's sad that we have to do extension sniffing. sigh. -->
         <!-- see also <embed> which has a similar step -->
 
        </li>
 
       </ol>
 
-      <p class="note">It is possible for this step to finish with <var
-      title="">resource type</var> still being unknown, or for one of
-      the substeps above to jump straight to the next step. In both
-      cases, the next step will trigger fallback.</p>
+      <p class="note">It is possible for this step to finish, or for
+      one of the substeps above to jump straight to the next step,
+      with <var title="">resource type</var> still being unknown. In
+      both cases, the next step will trigger fallback.</p>
 
      </li>
 
      <li><p><i>Handler</i>: Handle the content as given by the first
      of the following cases that matches:</p>
 
       <dl class="switch">
 
        <dt>If the <var title="">resource type</var> is not a type that
        the user agent supports, but it <em>is</em> a type that a
@@ -27647,20 +27710,26 @@ href="?audio">audio&lt;/a> test instead.)&lt;/p></pre>
 
   <p>The IDL attributes <dfn
   title="dom-object-data"><code>data</code></dfn>, <dfn
   title="dom-object-type"><code>type</code></dfn>, <dfn
   title="dom-object-name"><code>name</code></dfn>, and <dfn
   title="dom-object-useMap"><code>useMap</code></dfn> each must
   <span>reflect</span> the respective content attributes of the same
   name.</p>
 
   <p>The <dfn
+  title="dom-object-typeMustMatch"><code>typeMustMatch</code></dfn> IDL
+  attribute must <span>reflect</span> the <code
+  title="attr-object-typemustmatch">typemustmatch</code> content
+  attribute.</p>
+
+  <p>The <dfn
   title="dom-object-contentDocument"><code>contentDocument</code></dfn>
   IDL attribute must return the <code>Document</code> object of the
   <span>active document</span> of the <code>object</code> element's
   <span>nested browsing context</span>, if it has one; otherwise, it
   must return null.</p>
 
   <p>The <dfn
   title="dom-object-contentWindow"><code>contentWindow</code></dfn>
   IDL attribute must return the <code>WindowProxy</code> object of the
   <code>object</code> element's <span>nested browsing context</span>,
@@ -29188,21 +29257,21 @@ interface <dfn>HTMLAudioElement</dfn> : <span>HTMLMediaElement</span> {};</pre>
    (fictional) new format to dynamically decide whether to use a
    <code>video</code> element or a plugin:</p>
 
    <pre>&lt;section id="video">
  &lt;p>&lt;a href="playing-cats.nfv">Download video&lt;/a>&lt;/p>
 &lt;/section>
 &lt;script>
  var videoSection = document.getElementById('video');
  var videoElement = document.createElement('video');
  var support = videoElement.canPlayType('video/x-new-fictional-format;codecs="kittens,bunnies"');
- if (support != "probably" &amp;&amp; "New Fictional Video Plug-in" in navigator.plugins) {
+ if (support != "probably" &amp;&amp; "New Fictional Video Plugin" in navigator.plugins) {
    // not confident of browser support
    // but we have a plugin
    // so use plugin instead
    videoElement = document.createElement("embed");
  } else if (support == "") {
    // no support from browser and no plugin
    // do nothing
    videoElement = null;
  }
  if (videoElement) {
@@ -110506,20 +110575,21 @@ interface <span>HTMLDocument</span> {
          <span title="Interactive content">interactive</span>*;
          <span title="category-listed">listed</span>;
          <span title="category-submit">submittable</span>;
          <span title="Form-associated element">form-associated</span></td>
      <td><span title="Phrasing content">phrasing</span></td>
      <td><code>param</code>*;
          <span>transparent</span></td>
      <td><span title="global attributes">globals</span>;
          <code title="attr-object-data">data</code>;
          <code title="attr-object-type">type</code>;
+         <code title="attr-object-typemustmatch">typemustmatch</code>;
          <code title="attr-object-name">name</code>;
          <code title="attr-hyperlink-usemap">usemap</code>;
          <code title="attr-fae-form">form</code>;
          <code title="attr-dim-width">width</code>;
          <code title="attr-dim-height">height</code></td>
      <td><code>HTMLObjectElement</code></td>
     </tr>
 
     <tr>
      <th><code>ol</code></th>
@@ -112206,20 +112276,25 @@ interface <span>HTMLDocument</span> {
           <code title="attr-source-type">source</code>;
           <code title="attr-style-type">style</code>
      <td> Type of embedded resource
      <td> <span>Valid MIME type</span>
     <tr>
      <th> <code title="">type</code>
      <td> <code title="attr-menu-type">menu</code>
      <td> Type of menu
      <td> "<code title="context menu state">context</code>"; "<code title="toolbar state">toolbar</code>"
     <tr>
+     <th> <code title="">typemustmatch</code>
+     <td> <code title="attr-object-typemustmatch">object</code>
+     <td> Whether the <code title="attr-object-type">type</code> attribute and the <span>Content-Type</span> value need to match for the resource to be used
+     <td> <span>Boolean attribute</span>
+    <tr>
      <th> <code title="">usemap</code>
      <td> <code title="attr-hyperlink-usemap">img</code>;
           <code title="attr-hyperlink-usemap">object</code>
      <td> Name of <span>image map</span> to use
      <td> <span>Valid hash-name reference</span>*
     <tr>
      <th> <code title="">value</code>
      <td> <code title="attr-button-value">button</code>;
           <code title="attr-option-value">option</code>
      <td> Value to be used for <span>form submission</span>
