typesmustmatch xhtml

Alice Wonder
When the object tag has the typesemustmatch attribute, the W3C validator
states that it is not allowed in xhtml at this point.

Everything else will validate as html5

Why is that attribute listed in the html5 specification w/o a special
note if it is not allowed when sending the content as
application/xml+xhtml? How am I supposed to know what really is allowed
when serving as XML if the spec does not tell me?

http://www.w3.org/TR/html5/embedded-content-0.html#attr-object-typemustmatch

That says nothing about the tag not being allowed when an html5 document
is sent as xml.

This is why that attribute is important to me, and why I would like it
to be part of html5 even when sent as XML :

When the webapp I am writing scans content before serving, object nodes
that are not in a whitelist of type attributes are removed, to help
prevent XSS.

For object nodes within the whitelist, I want to add that attribute because
if the browser is not implementing CSP then I don't want an
intentionally mis-identified type attribute in an injection attack to
allow a payload to be delivered to users.

I'm hoping typesmustmatch will help prevent that scenario.

I have to allow the object tag; it is useful for several things, but it
is also dangerous.

Historically some browsers *cough*IE*cough* would sometimes think they
were being helpful in scenarios where mime type didn't match what IE
thought it was, resulting in attack vectors. I want to be able to
specify that they MUST match for pages served from my app.

So I really want that attribute to be legal in html5 - even when I send
as XML which is what I prefer to do.

Thank you,

Alice
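The filter Alice describes, written out as an added example (this is not code from the thread or from her webapp): drop every `<object>` whose `type` is not in an allowlist, including its contents, and add `typemustmatch` to the ones that survive. The allowlist itself is assumed for the example.

```python
# Added example, not code from the thread: a server-side filter of the kind
# Alice describes. It removes <object> elements (with their contents) whose
# type is not allowlisted and adds typemustmatch to the ones kept.
from html import escape
from html.parser import HTMLParser

ALLOWED_OBJECT_TYPES = {"image/svg+xml", "application/pdf"}  # assumed list


def _attrs(attrs):
    # Boolean attributes are written name="name" so the output stays
    # well-formed when served as application/xhtml+xml (no minimised form).
    return "".join(f' {k}="{escape(v if v is not None else k)}"'
                   for k, v in attrs)


class ObjectFilter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside an <object> being removed

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            self.skip_depth += tag == "object"  # nested fallback <object>
            return
        if tag == "object":
            # Compare the bare media type: ignore parameters and case.
            mtype = (dict(attrs).get("type") or "").split(";")[0].strip().lower()
            if mtype not in ALLOWED_OBJECT_TYPES:
                self.skip_depth = 1
                return
            attrs = [(k, v) for k, v in attrs if k != "typemustmatch"]
            attrs.append(("typemustmatch", None))
        self.out.append(f"<{tag}{_attrs(attrs)}>")

    def handle_endtag(self, tag):
        if self.skip_depth:
            self.skip_depth -= tag == "object"
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):  # text is re-escaped on the way out
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))


def filter_objects(markup: str) -> str:
    parser = ObjectFilter()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)
```

The allowlist does the real work; `typemustmatch` only adds a second check in browsers that implement it, so it cannot be the sole control.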


Re: typesmustmatch xhtml

Jukka K. Korpela
2014-11-11 0:45, Alice Wonder wrote:

> When the object tag has the typesemustmatch attribute, the W3C validator
> states that it is not allowed in xhtml at this point.

This is a longstanding bug (first reported in 2011): the typemustmatch
attribute (this is the correct spelling) has not been added to the
allowed attributes for <object>:
http://bugzilla.validator.nu/show_bug.cgi?id=843
(The HTML5 side of the W3C Validator is based on the validator.nu code,
and this bug in the W3C Validator simply reflects a bug in the base code.)

> This is why that attribute is important to me, and why I would like it
> to be part of html5 even when sent as XML

It is. The real problem with this attribute is browser support. According to
https://developer.mozilla.org/en-US/docs/Web/HTML/Element/object
only Firefox 27+ is known to support it. However, since the attribute is
in the HTML5 specification that was recently approved as a W3C
Recommendation, there is apparently at least one other implementation.
But apparently the attribute is not widely supported yet; as it is
expected to just provide some security, it can be used, but cannot be
relied on.

> So I really want that attribute to be legal in html5 - even when I send
> as XML which is what I prefer to do.

It is. The validator just has an issue. And it has it even when sending
as text/html; the error message is then “Attribute typemustmatch not
allowed on element object at this point.” (The part “at this point” was
once meant to be helpful in some contexts, and I might have been the
person who suggested it, but I’m afraid it is misleading more often than
helpful. Here it seems to be saying that the placement or context is
wrong; but the issue is really that the validator does not recognize
this attribute at all.)

Yucca



Re: typesmustmatch xhtml

Michael[tm] Smith
"Jukka K. Korpela" <[hidden email]>, 2014-11-11 07:56 +0200:

> Date: Tue, 11 Nov 2014 07:56:10 +0200
> From: "Jukka K. Korpela" <[hidden email]>
> Archived-At: <http://www.w3.org/mid/5461A4FA.8080605@...>
> ...
> It is. The validator just has an issue. And it has it even when
> sending as text/html; the error message is then “Attribute
> typemustmatch not allowed on element object at this point.” (The part
> “at this point” was once meant to be helpful in some contexts, and I
> might have been the person who suggested it, but I’m afraid it is
> misleading more often than helpful. Here it seems to be saying that
> the placement or context is wrong; but the issue is really that the
> validator does not recognize this attribute at all.)
IIRC, the "at this point" language comes straight from the third-party Jing
RelaxNG schema-checking tool that's at the core of the validator. The error
messages that Jing emits are notoriously lacking in helpfulness but more
generally the problem is that any general grammar-based schema-checking
tool is necessarily going to be limited to emitting some fairly generic
boilerplate-ish types of error messages. That's one of the reasons why
these days I've moved more and more of the error-emitting logic out of the
RelaxNG schema and into custom Java code in another part of the sources.

  --Mike

--
Michael[tm] Smith https://people.w3.org/mike
