This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 12390 - A sandboxed MIME type attribute would be better than a fully qualified MIME type
Summary: A sandboxed MIME type attribute would be better than a fully qualified MIME type
Status: RESOLVED FIXED
Alias: None
Product: HTML WG
Classification: Unclassified
Component: LC1 HTML5 spec (show other bugs)
Version: unspecified
Hardware: All All
: P1 critical
Target Milestone: LC
Assignee: Ian 'Hixie' Hickson
QA Contact: HTML WG Bugzilla archive list
URL: http://dev.w3.org/html5/spec/Overview...
Whiteboard: K
Keywords: WGDecision
Depends on:
Blocks:
 
Reported: 2011-03-29 06:19 UTC by Jacob Rossi [MSFT]
Modified: 2011-10-11 00:30 UTC (History)
10 users (show)

See Also:


Attachments

Description Jacob Rossi [MSFT] 2011-03-29 06:19:45 UTC
I don't believe any browsers implement this yet. But a new MIME type specifically for sandboxed HTML content seems like the wrong way to go.

As it stands currently, only text/html has a sandboxed equivelant. What about image/svg+xml, or application/xhtml+xml? Do we really want to make a new fully qualified sandboxed MIME type for every existing type? They wouldn't really be new "types." Rather, they look/feel/smell like existing types with the caveat of setting a single flag.

Instead, a MIME type attribute would be better (ex:  text/html;sandboxed  or application/xhtml+xml;sandboxed). This would allow any existing (or future) MIME types to be sandboxed with the unique origin flag.
Comment 1 Adam Barth 2011-05-09 18:45:58 UTC
The reason to use the MIME type is to get fail-closed behavior in legacy user agents.  My understanding is that having a MIME parameter defeats that goal.  If we want fail-open, then we can use something like Content-Security-Policy to deliver a sandbox directive.

Note: Using the MIME type does not fail-closed in 100% of situations.  There are a couple ways you can trick IE6 into failing open, even with a sandboxed MIME type, due to the lax content sniffing behavior in IE6.  As IE6 become less relevant, however, this issue probably matters less.
Comment 2 Ian 'Hixie' Hickson 2011-06-15 06:01:24 UTC
EDITOR'S RESPONSE: This is an Editor's Response to your comment. If you are satisfied with this response, please change the state of this bug to CLOSED. If you have additional information and would like the editor to reconsider, please reopen this bug. If you would like to escalate the issue to the full HTML Working Group, please add the TrackerRequest keyword to this bug, and suggest title and text for the tracker issue; or you may create a tracker issue yourself, if you are able to do so. For more details, see this document:
   http://dev.w3.org/html5/decision-policy/decision-policy.html

Status: Rejected
Change Description: no spec change
Rationale: see comment 1
Comment 3 Sam Ruby 2011-06-20 19:26:56 UTC
From the EDITOR'S RESPONSE "please add the TrackerRequest keyword to this bug, and suggest title and text for the tracker issue; or you may create a tracker issue yourself, if you are able to do so"

Does anybody want to propose title and text for the tracker issue?  Or to create the tracker issue themselves?
Comment 4 Maciej Stachowiak 2011-06-22 02:02:01 UTC
(In reply to comment #3)
> From the EDITOR'S RESPONSE "please add the TrackerRequest keyword to this bug,
> and suggest title and text for the tracker issue; or you may create a tracker
> issue yourself, if you are able to do so"
> 
> Does anybody want to propose title and text for the tracker issue?  Or to
> create the tracker issue themselves?

Please provide a title and text for the tracker issue (including at least a brief technical description of the issue) by midnight Eastern time on Friday, June 25th, 2011, or the Chairs will remove the TrackerRequest keyword.

Anyone adding it back after that point should provide the information required.
Comment 5 Adrian Bateman [MSFT] 2011-06-23 16:24:03 UTC
Created ISSUE 166.
http://www.w3.org/html/wg/tracker/issues/166
Comment 6 Michael[tm] Smith 2011-08-04 05:35:49 UTC
mass-move component to LC1
Comment 8 contributor 2011-10-11 00:29:40 UTC
Checked in as WHATWG revision r6657.
Check-in comment: Drop text/html-sandboxed
http://html5.org/tools/web-apps-tracker?from=6656&to=6657
Comment 9 Ian 'Hixie' Hickson 2011-10-11 00:30:08 UTC
Instead of removing the security warnings entirely, I replaced them with warnings that suggest alternative mitigations for the security risks that removing text/html-sandboxed introduces. I hope that's ok.