This is revision 1.2852.
Status: First draft
This registration is for community review and will be submitted to the IESG for review, approval, and registration with IANA.
text/html

charset: The charset parameter may be provided to definitively specify the document's character encoding, overriding any character encoding declarations in the document. The parameter's value must be the name of the character encoding used to serialize the file, must be a valid character encoding name, and must be the preferred name for that encoding. [IANACHARSET]
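As an added example (not part of this registration text), the following Python shows a consumer applying that precedence rule: a charset parameter carried on the Content-Type header wins over a meta charset declaration inside the document, and a label that is not a known encoding is ignored rather than trusted. The functions parse_content_type and effective_encoding, the windows-1252 fallback and the sample document are this example's own choices; the registration's "preferred name" requirement is not checked here.

```python
"""Added example (not from the HTML specification): choosing the effective
character encoding for a text/html resource.  Rule illustrated: a charset
parameter on the Content-Type header overrides any declaration inside the
document.  Helper names and the sample document are this example's own."""
import codecs
import re

# Loose in-document declaration matcher, limited to the first 1024 bytes.
_META_CHARSET = re.compile(
    rb'<meta[^>]*charset\s*=\s*["\']?\s*([A-Za-z0-9._:-]+)', re.IGNORECASE
)

# Constructed sample document declaring a different encoding than the header.
SAMPLE_DOC = b'<!DOCTYPE html><meta charset="iso-8859-1"><title>x</title>'


def parse_content_type(header: str) -> tuple[str, dict[str, str]]:
    """Split 'type/subtype; k=v; k2="v2"' into (type/subtype, {k: v}).

    Parameter names are case-insensitive; values keep their case but lose
    surrounding double quotes.  On a duplicated parameter the first
    occurrence wins (policy chosen for this example)."""
    parts = [p.strip() for p in header.split(";")]
    essence = parts[0].lower()
    params: dict[str, str] = {}
    for p in parts[1:]:
        if "=" not in p:
            continue
        name, value = p.split("=", 1)
        name = name.strip().lower()
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        if name and value and name not in params:
            params[name] = value
    return essence, params


def _known_encoding(label: str) -> bool:
    """True if Python's codec registry recognises the label."""
    try:
        codecs.lookup(label)
        return True
    except LookupError:
        return False


def effective_encoding(content_type: str, body: bytes,
                       default: str = "windows-1252") -> str:
    """Return the encoding label a consumer should decode the body with.

    Order: Content-Type charset parameter, then an in-document <meta charset>
    declaration, then the caller's default.  Unknown labels are skipped."""
    _, params = parse_content_type(content_type)
    label = params.get("charset")
    if label and _known_encoding(label):
        return label.lower()
    m = _META_CHARSET.search(body[:1024])
    if m:
        meta = m.group(1).decode("ascii", "replace")
        if _known_encoding(meta):
            return meta.lower()
    return default


if __name__ == "__main__":
    print(effective_encoding("text/html; charset=UTF-8", SAMPLE_DOC))  # utf-8 (header wins)
    print(effective_encoding("text/html", SAMPLE_DOC))                 # iso-8859-1 (meta)
    print(effective_encoding("text/html", b"<p>hi"))                   # windows-1252
```

The header check happens before the body is inspected at all, which is the point of the registration text: once the parameter is present and valid, the document's own declarations are not consulted.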
Entire novels have been written about the security considerations that apply to HTML documents. Many are listed in this document, to which the reader is referred for more details. Some general concerns bear mentioning here, however:

HTML is a scripted language, and has a large number of APIs (some of which are described in this document). Script can expose the user to potential risks of information leakage, credential leakage, cross-site scripting attacks, cross-site request forgeries, and a host of other problems. While the designs in this specification are intended to be safe if implemented correctly, a full implementation is a massive undertaking and, as with any software, user agents are likely to have security bugs.

Even without scripting, there are specific features in HTML which, for historical reasons, are required for broad compatibility with legacy content but that expose the user to unfortunate security problems. In particular, the img element can be used in conjunction with some other features as a way to effect a port scan from the user's location on the Internet. This can expose local network topologies that the attacker would otherwise not be able to determine.
The text/html type asserts that the resource is an HTML document using the HTML syntax.

File extensions: "html" and "htm" are commonly, but certainly not exclusively, used as the extension for HTML documents. Macintosh file type code: TEXT.

Fragment identifiers used with text/html resources refer to the indicated part of the document.
application/xhtml+xml

Several registration fields are the same as for application/xml. [RFC3023]

The application/xhtml+xml type asserts that the resource is an XML document that likely has a root element from the HTML namespace. As such, the relevant specifications are the XML specification, the Namespaces in XML specification, and this specification. [XML] [XMLNS]

File extensions: "xhtml" and "xht" are sometimes used as extensions for XML resources that have a root element from the HTML namespace. Macintosh file type code: TEXT.

Fragment identifiers used with application/xhtml+xml resources have the same semantics as with any XML MIME type. [RFC3023]
text/cache-manifest

Cache manifests themselves pose no immediate risk unless sensitive information is included within the manifest. Implementations, however, are required to follow specific rules when populating a cache based on a cache manifest, to ensure that certain origin-based restrictions are honored. Failure to correctly implement these rules can result in information leakage, cross-site scripting attacks, and the like.

Magic number: cache manifests begin with the string "CACHE MANIFEST", followed by either a U+0020 SPACE character, a U+0009 CHARACTER TABULATION (tab) character, a U+000A LINE FEED (LF) character, or a U+000D CARRIAGE RETURN (CR) character. File extension: "manifest".

Fragment identifiers have no meaning with text/cache-manifest resources.
text/ping

If used exclusively in the fashion described in the context of hyperlink auditing, this type introduces no new security concerns.

text/ping resources always consist of the four bytes 0x50 0x49 0x4E 0x47 (ASCII "PING"). The type is used in the processing of the ping attribute.

Fragment identifiers have no meaning with text/ping resources.
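The two registrations above each pin down a fixed byte signature: the "CACHE MANIFEST" magic string with its permitted terminator for text/cache-manifest, and the exact four-byte body for text/ping. As an added example (not the specification's own code), the following Python checks a received body against the signature of the type it claims to be, so a consumer can reject mislabeled content before parsing it. The function names and the dispatcher are this example's own.

```python
"""Added example (not from the HTML specification): byte-level signature
checks for text/cache-manifest and text/ping bodies as described in their
registrations.  Function names are this example's own."""

# text/cache-manifest: "CACHE MANIFEST" followed by SPACE, TAB, LF or CR.
_MANIFEST_MAGIC = b"CACHE MANIFEST"
_MANIFEST_TERMINATORS = {0x20, 0x09, 0x0A, 0x0D}

# text/ping: the body is exactly the four bytes 0x50 0x49 0x4E 0x47 ("PING").
_PING_BODY = b"\x50\x49\x4E\x47"


def has_cache_manifest_signature(body: bytes) -> bool:
    """True if the body starts with the (case-sensitive) magic string and the
    byte immediately after it is one of the four permitted whitespace bytes.
    A body that ends right after the magic string has no terminator and fails."""
    n = len(_MANIFEST_MAGIC)
    if not body.startswith(_MANIFEST_MAGIC) or len(body) <= n:
        return False
    return body[n] in _MANIFEST_TERMINATORS


def is_ping_body(body: bytes) -> bool:
    """True only for a body that is exactly "PING"; any trailing or differing
    bytes disqualify it."""
    return body == _PING_BODY


def body_matches_type(declared_type: str, body: bytes):
    """Check a body against the signature of its declared media type.

    Returns True/False for the two types with a fixed signature and None for
    any other type (no signature rule to apply)."""
    essence = declared_type.split(";", 1)[0].strip().lower()
    if essence == "text/cache-manifest":
        return has_cache_manifest_signature(body)
    if essence == "text/ping":
        return is_ping_body(body)
    return None


if __name__ == "__main__":
    # Constructed sample bodies.
    print(body_matches_type("text/cache-manifest", b"CACHE MANIFEST\n# v1\nindex.html"))  # True
    print(body_matches_type("text/cache-manifest", b"cache manifest\n"))                 # False
    print(body_matches_type("text/ping", b"PING"))                                       # True
    print(body_matches_type("text/ping", b"PING\n"))                                     # False
```

The manifest check is deliberately strict about the terminator byte: the registration names exactly four characters, and accepting anything else (including end of input) would let content that the manifest parser will reject be treated as a manifest by a less careful consumer.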
application/microdata+json

Several registration fields are the same as for application/json. [JSON]

The application/microdata+json type asserts that the resource is a JSON text that consists of an object with a single entry called "items" consisting of an array of entries, each of which consists of an object with two entries, one called "type" whose value is an array of strings, and one called "properties" whose value is an object whose entries each have a value consisting of an array of either objects or strings, the objects being of the same form as the objects in the aforementioned "items" entry. As such, the relevant specifications are the JSON specification and this specification. [JSON]
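The structure just described is recursive (a property value may itself be an item of the same shape), so a consumer should validate it before processing rather than trusting that a body labeled application/microdata+json has that shape. The following Python validator is an added example, not code from the specification; it applies the description above literally (exactly the entries "items", "type" and "properties", nothing else) and reports each violation with a path into the document. The function names, error strings and the constructed samples are this example's own.

```python
"""Added example (not from the HTML specification): a structural validator
for application/microdata+json bodies as described in the registration.
Function names, messages and sample inputs are this example's own."""
import json


def _check_item(obj, path: str, errors: list) -> None:
    """Validate one item: an object with exactly "type" (array of strings) and
    "properties" (object whose values are arrays of strings or nested items)."""
    if not isinstance(obj, dict):
        errors.append(f"{path}: item must be an object")
        return
    if set(obj) != {"type", "properties"}:
        errors.append(f"{path}: item must have exactly the entries 'type' and 'properties'")
        return
    types = obj["type"]
    if not isinstance(types, list) or not all(isinstance(t, str) for t in types):
        errors.append(f"{path}/type: must be an array of strings")
    props = obj["properties"]
    if not isinstance(props, dict):
        errors.append(f"{path}/properties: must be an object")
        return
    for name, values in props.items():
        vpath = f"{path}/properties/{name}"
        if not isinstance(values, list):
            errors.append(f"{vpath}: must be an array")
            continue
        for i, v in enumerate(values):
            if isinstance(v, str):
                continue
            _check_item(v, f"{vpath}/{i}", errors)  # nested item, same shape


def validate_microdata_json(text: str) -> list:
    """Return a list of problems found; an empty list means the text has the
    shape the registration describes."""
    errors: list = []
    try:
        doc = json.loads(text)
    except ValueError as exc:
        return [f"not JSON: {exc}"]
    if not isinstance(doc, dict) or set(doc) != {"items"}:
        return ["top level must be an object with a single 'items' entry"]
    items = doc["items"]
    if not isinstance(items, list):
        return ["/items: must be an array"]
    for i, item in enumerate(items):
        _check_item(item, f"/items/{i}", errors)
    return errors


# Constructed samples: one conforming document (with a nested item) and two
# that break the described shape.
SAMPLE_OK = json.dumps({
    "items": [{
        "type": ["http://schema.org/Person"],
        "properties": {
            "name": ["Ada"],
            "address": [{
                "type": ["http://schema.org/PostalAddress"],
                "properties": {"addressLocality": ["London"]},
            }],
        },
    }]
})
SAMPLE_EXTRA_TOP_LEVEL = '{"items": [], "extra": 1}'
SAMPLE_SCALARS = '{"items": [{"type": "Person", "properties": {"name": "Ada"}}]}'

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_EXTRA_TOP_LEVEL, SAMPLE_SCALARS):
        print(validate_microdata_json(sample))
```

Collecting every violation with its path, rather than stopping at the first, makes the validator usable both as a gate in a consumer and as a diagnostic when a producer emits the wrong shape.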
Fragment identifiers used with application/microdata+json resources have the same semantics as when used with application/json. [JSON]