Alice Wonder <alice <at> domblogger.net>
2014-11-10 22:45:06 GMT
When the object tag has the typemustmatch attribute, the W3C validator
states that it is not allowed in XHTML at this point.
Everything else will validate as html5
Why is that attribute listed in the HTML5 specification without a special
note if it is not allowed when sending the content as
application/xhtml+xml? How am I supposed to know what really is allowed
when serving as XML if the spec does not tell me?
That says nothing about the tag not being allowed when an html5 document
is sent as xml.
This is why that attribute is important to me, and why I would like it
to be part of HTML5 even when sent as XML:
When the webapp I am writing scans content before serving, object nodes
that are not in a whitelist of type attributes are removed, to help
For object nodes within the whitelist, I want to add that attribute
because if the browser is not implementing CSP then I don't want an
intentionally mis-identified type attribute in an injection attack to
allow a payload to be delivered to users.
I'm hoping typemustmatch will help prevent that scenario.
I have to allow the object tag, it is useful for several things, but it
is also dangerous.
Historically some browsers *cough*IE*cough* would sometimes think they
were being helpful in scenarios where mime type didn't match what IE
thought it was, resulting in attack vectors. I want to be able to
specify that they MUST match for pages served from my app.
So I really want that attribute to be legal in html5 - even when I send
as XML which is what I prefer to do.
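One way to implement the object-node filtering the post describes (drop any object whose type attribute is not on the allowlist, and set typemustmatch on the ones that survive), as an added Python example that is not the author's webapp code; the allowlist contents, the helper names and the sample XHTML fragment are constructed for illustration:

```python
"""Allowlist sanitizer for <object> elements in an XHTML fragment.

Added example, not the author's code. Assumes the input is well-formed
XHTML (the XML serialization discussed in the post); ALLOWED_OBJECT_TYPES
is a constructed stand-in for the author's real whitelist.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

XHTML_NS = "http://www.w3.org/1999/xhtml"
OBJECT_TAG = "{%s}object" % XHTML_NS
ET.register_namespace("", XHTML_NS)  # serialize with a default xmlns

# Constructed allowlist; the author's actual list is not on the page.
ALLOWED_OBJECT_TYPES = {"application/pdf", "image/svg+xml"}


def sanitize_objects(xhtml: str) -> tuple[str, dict]:
    """Remove <object> nodes whose declared type is absent or not allowlisted;
    set typemustmatch on the rest so a browser that implements it refuses the
    resource when the served Content-Type differs from the declared type."""
    root = ET.fromstring(xhtml)
    report = {"kept": [], "removed": []}
    # ElementTree has no parent pointers, so build a child -> parent map.
    parents = {child: parent for parent in root.iter() for child in parent}
    for obj in list(root.iter(OBJECT_TAG)):
        # Compare the bare media type: drop parameters, ignore case.
        declared = (obj.get("type") or "").split(";", 1)[0].strip().lower()
        if declared in ALLOWED_OBJECT_TYPES:
            # XML syntax cannot use a bare boolean attribute; give it a value.
            obj.set("typemustmatch", "typemustmatch")
            report["kept"].append(declared)
        else:
            parents[obj].remove(obj)
            report["removed"].append(declared or "<no type>")
    return ET.tostring(root, encoding="unicode"), report


def list_objects(xhtml: str) -> list[tuple[str, bool]]:
    """(declared type, typemustmatch present) for each <object>, for inspection."""
    root = ET.fromstring(xhtml)
    return [(o.get("type", ""), o.get("typemustmatch") is not None)
            for o in root.iter(OBJECT_TAG)]


# Constructed sample fragment: one allowed type, one allowed type in odd
# casing, one disallowed type (text/html) and one object with no type at all.
SAMPLE = (
    '<div xmlns="http://www.w3.org/1999/xhtml">'
    '<object data="/files/report.pdf" type="application/pdf"/>'
    '<object data="/files/logo.svg" type="IMAGE/SVG+XML"/>'
    '<object data="/uploads/x" type="text/html"/>'
    '<object data="/uploads/y"/>'
    '</div>'
)

if __name__ == "__main__":
    cleaned, summary = sanitize_objects(SAMPLE)
    print(summary)
    print(cleaned)
```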