[rfc-i] draft-iab-html-rfc-03.txt
jhildebr at cisco.com (Joe Hildebrand (jhildebr)) Tue, 05 July 2016 20:04 UTC
From: jhildebr at cisco.com (Joe Hildebrand (jhildebr))
Date: Tue, 5 Jul 2016 20:04:04 +0000
Subject: [rfc-i] draft-iab-html-rfc-03.txt
In-Reply-To: <AB0EAE56-95EF-451D-ADB9-9621352A1A45@vigilsec.com>
References: <20160630212722.29518.45020.idtracker@ietfa.amsl.com>
<AB0EAE56-95EF-451D-ADB9-9621352A1A45@vigilsec.com>
Message-ID: <2201349A-0C49-4A7A-9E38-E145DBFE27DE@cisco.com>
> On Jul 1, 2016, at 9:06 AM, Russ Housley <housley at vigilsec.com> wrote:
>
> The security considerations say:
>
>    Since RFCs are sometimes exchanged outside the normal Web sandboxing
>    mechanism (such as using the "rsync" program to a mirror site) then
>    loaded from a local file, more care must be taken with the HTML than
>    is ordinary on the web.
>
> Is that care already factored into the specification? If so, please say that. If not, what additional care is needed?

Yes, it is already factored in. In particular:

- no javascript
- CSS embedded in the document in <script> tags, rather than being loaded externally (except for the rfc-local.css overrides, which you use at your own risk)
- SVG embedded in the document rather than loaded externally

There are probably a few other places. We can certainly make this more explicit in the as-built docs we publish after implementation experience.

--
Joe Hildebrand
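
As an added example (not part of the original message or of the draft's tooling): a static check for the properties listed in the reply above, that an RFC HTML file opened from a local mirror carries no script and loads nothing external except `rfc-local.css`. It assumes embedded CSS lives in `<style>` elements, and extends "no javascript" to inline `on*` handlers and `javascript:` URLs; the class and function names, the set of resource-loading tags, and the sample documents are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_LOCAL_CSS = "rfc-local.css"   # the one external override named in the message
URL_ATTRS = {"src", "href", "xlink:href", "data"}
LOADING_TAGS = {"img", "image", "use", "object", "embed", "iframe"}  # assumed set

class LocalFileAudit(HTMLParser):
    """Collect (line, reason) findings for script and external loads."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self.findings.append((line, "script element"))
        for name, value in attrs.items():
            if name.startswith("on"):            # inline event handlers are script too
                self.findings.append((line, f"event handler {name}"))
            if name in URL_ATTRS and urlparse(value.strip()).scheme.lower() == "javascript":
                self.findings.append((line, f"javascript: URL in {name}"))
        if tag == "link" and "stylesheet" in attrs.get("rel", "").lower().split():
            if attrs.get("href") != ALLOWED_LOCAL_CSS:
                self.findings.append((line, f"external stylesheet {attrs.get('href')}"))
        elif tag in LOADING_TAGS:
            for name in sorted(URL_ATTRS & attrs.keys()):
                ref = attrs[name]
                # same-document fragments and data: URIs count as embedded here
                if ref and not ref.startswith(("#", "data:")):
                    self.findings.append((line, f"external resource {ref} in <{tag}>"))

def audit(html_text):
    parser = LocalFileAudit()
    parser.feed(html_text)
    parser.close()
    return parser.findings

# Constructed sample documents, not taken from any published RFC.
SAMPLE_OK = """<html><head>
<style>body { margin: 2em; }</style>
<link rel="stylesheet" href="rfc-local.css">
</head><body><svg><path d="M0 0"/></svg></body></html>"""
SAMPLE_BAD = """<html><head>
<link rel="stylesheet" href="https://cdn.example/rfc.css">
<script src="x.js"></script>
</head><body onload="init()">
<img src="fig1.svg"></body></html>"""
```

`audit(SAMPLE_OK)` returns an empty list, while `audit(SAMPLE_BAD)` reports the external stylesheet, the script element, the `onload` handler and the externally loaded image with their line numbers.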