Remove <object typemustmatch> #4590
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
It did not get wide enough adoption and causes a minor cross-origin leak. See https://lists.w3.org/Archives/Public/public-whatwg-archive/2011Jun/0144.html for its introduction and https://github.com/xsleaks/xsleaks/wiki/Browser-Side-Channels#object-typemustmatch for the leak.
|
How does the leak of the content-type compare to the risk the attribute is supposed to help with? Can we still address the original attack somehow? Java is not available anymore, but the attack could be to load HTML instead of Flash, or Flash instead of an image or PDF.
So this allows for stricter checking if something is of a particular content-type compared to other features.
I think this is possible regardless of |
|
Basically, do not use (I agree that 2xx is exposed either way, not sure why that was mentioned as part of this attribute.) |
|
I think we should still have a warning for Also we should probably more directly recommend to use |
zcorpan
approved these changes
May 3, 2019
annevk
added a commit
to web-platform-tests/wpt
that referenced
this pull request
May 3, 2019
Apart from Firefox nobody adopted this and it creates a smallish cross-origin leak. whatwg/html#4590 changes the HTML standard.
marcoscaceres
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Jul 23, 2019
Apart from Firefox nobody adopted this and it creates a smallish cross-origin leak. whatwg/html#4590 changes the HTML standard.
sideshowbarker
added
the
impacts documentation
|
heads-up @whatwg/documentation |
6 tasks
sideshowbarker
added a commit
to mdn/content
that referenced
this pull request
Mar 30, 2021
This change deletes the Web/API/HTMLObjectElement/typeMustMatch article, as well a expunging all references to it from other articles. The change also drops all mentions of the corresponding “typemustmatch” markup attribute for “object” elements. The history of typeMustMatch/typemustmatch is that it was added to the spec in 2011 in whatwg/html@4030e71 but never got implemented across browsers and never got adopted by web developers. So whatwg/html#4590 dropped it from the spec in 2019, and it's now just a footnote in the Non-conforming features section at https://html.spec.whatwg.org/obsolete.html#attr-object-typemustmatch So there's statistically near-zero content on the web that’s using typeMustMatch/typemustmatch, and there’s no value to continue documenting it in MDN.
sideshowbarker
added a commit
to mdn/content
that referenced
this pull request
Mar 30, 2021
This change deletes the Web/API/HTMLObjectElement/typeMustMatch article, as well a expunging all references to it from other articles. The change also drops all mentions of the corresponding “typemustmatch” markup attribute for “object” elements. The history of typeMustMatch/typemustmatch is that it was added to the spec in 2011 in whatwg/html@4030e71 but never got implemented across browsers and never got adopted by web developers. So whatwg/html#4590 dropped it from the spec in 2019, and it's now just a footnote in the “Non-conforming features” section at https://html.spec.whatwg.org/obsolete.html#attr-object-typemustmatch So there's statistically near-zero content on the web that’s using typeMustMatch/typemustmatch, and there’s no value to continue documenting it in MDN.
sideshowbarker
added a commit
to mdn/content
that referenced
this pull request
Mar 30, 2021
This change deletes the Web/API/HTMLObjectElement/typeMustMatch article, as well as expunging all references to it from other articles. The change also drops all mentions of the corresponding “typemustmatch” markup attribute for “object” elements. The history of typeMustMatch/typemustmatch is that it was added to the spec in 2011 in whatwg/html@4030e71 but never got implemented across browsers and never got adopted by web developers. So whatwg/html#4590 dropped it from the spec in 2019, and it's now just a footnote in the “Non-conforming features” section at https://html.spec.whatwg.org/obsolete.html#attr-object-typemustmatch So there's statistically near-zero content on the web that’s using typeMustMatch/typemustmatch, and there’s no value to continue documenting it in MDN.
sideshowbarker
added a commit
to w3c/browser-compat-data
that referenced
this pull request
Mar 30, 2021
This change deletes “typeMustMatch” from api/HTMLObjectElement.json and deletes “typemustmatch” from html/elements/object.json. The history of typeMustMatch/typemustmatch is that it was added to the spec in 2011 in whatwg/html@4030e71 but never got implemented across browsers and never got adopted by web developers. So whatwg/html#4590 dropped it from the spec in 2019, and it's now just a footnote in the “Non-conforming features” section at https://html.spec.whatwg.org/obsolete.html#attr-object-typemustmatch So there's statistically near-zero content on the web that’s using typeMustMatch/typemustmatch, and there’s no value to continue tracking support data for it in BCD. Related MDN content change: mdn/content#3655
chrisdavidmills
pushed a commit
to mdn/content
that referenced
this pull request
Mar 30, 2021
This change deletes the Web/API/HTMLObjectElement/typeMustMatch article, as well as expunging all references to it from other articles. The change also drops all mentions of the corresponding “typemustmatch” markup attribute for “object” elements. The history of typeMustMatch/typemustmatch is that it was added to the spec in 2011 in whatwg/html@4030e71 but never got implemented across browsers and never got adopted by web developers. So whatwg/html#4590 dropped it from the spec in 2019, and it's now just a footnote in the “Non-conforming features” section at https://html.spec.whatwg.org/obsolete.html#attr-object-typemustmatch So there's statistically near-zero content on the web that’s using typeMustMatch/typemustmatch, and there’s no value to continue documenting it in MDN.
foolip
pushed a commit
to mdn/browser-compat-data
that referenced
this pull request
Mar 30, 2021
This change deletes “typeMustMatch” from api/HTMLObjectElement.json and deletes “typemustmatch” from html/elements/object.json. The history of typeMustMatch/typemustmatch is that it was added to the spec in 2011 in whatwg/html@4030e71 but never got implemented across browsers and never got adopted by web developers. So whatwg/html#4590 dropped it from the spec in 2019, and it's now just a footnote in the “Non-conforming features” section at https://html.spec.whatwg.org/obsolete.html#attr-object-typemustmatch So there's statistically near-zero content on the web that’s using typeMustMatch/typemustmatch, and there’s no value to continue tracking support data for it in BCD. Related MDN content change: mdn/content#3655
aarongable
pushed a commit
to chromium/chromium
that referenced
this pull request
Jan 24, 2022
This just removes one commented out line. There are no functional changes. typeMustMatch was removed from the HTML spec here: whatwg/html#4590 I don't believe any other browser implemented this. Bug: 897442 Change-Id: I543a8c84273bfbfef6d9ff2225a49fa1d1105965 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3413353 Commit-Queue: Joey Arhar <[email protected]> Reviewed-by: Mason Freed <[email protected]> Cr-Commit-Position: refs/heads/main@{#962645}
mjfroman
pushed a commit
to mjfroman/moz-libwebrtc-third-party
that referenced
this pull request
Oct 14, 2022
This just removes one commented out line. There are no functional changes. typeMustMatch was removed from the HTML spec here: whatwg/html#4590 I don't believe any other browser implemented this. Bug: 897442 Change-Id: I543a8c84273bfbfef6d9ff2225a49fa1d1105965 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3413353 Commit-Queue: Joey Arhar <[email protected]> Reviewed-by: Mason Freed <[email protected]> Cr-Commit-Position: refs/heads/main@{#962645} NOKEYCHECK=True GitOrigin-RevId: a4364091c2967d843d1f49df1146f23d1db1577f
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
It did not get wide enough adoption and causes a minor cross-origin leak.
See https://lists.w3.org/Archives/Public/public-whatwg-archive/2011Jun/0144.html for its introduction and https://github.com/xsleaks/xsleaks/wiki/Browser-Side-Channels#object-typemustmatch for the leak.
(See WHATWG Working Mode: Changes for more details.)
/iframe-embed-object.html ( diff )
/indices.html ( diff )
/obsolete.html ( diff )