text/htmlmultipart/x-mixed-replaceapplication/xhtml+xmltext/cache-manifesttext/pingapplication/microdata+jsontext/event-streamCross-Origin-Embedder-Policy`Cross-Origin-Embedder-Policy-Report-Only`Cross-Origin-Opener-Policy`Origin-Isolation`Ping-From`Ping-To`Refresh`Last-Event-ID`X-Frame-Options`web+ scheme prefixtext/htmlThis registration is for community review and will be submitted to the IESG for review, approval, and registration with IANA.
charsetThe charset parameter may be provided to specify the
document's character encoding, overriding any character encoding declarations in the document other than a Byte Order Mark (BOM). The parameter's value
must be one of the labels of the character encoding used to serialize the file. [ENCODING]
Entire novels have been written about the security considerations that apply to HTML documents. Many are listed in this document, to which the reader is referred for more details. Some general concerns bear mentioning here, however:
HTML is scripted language, and has a large number of APIs (some of which are described in this document). Script can expose the user to potential risks of information leakage, credential leakage, cross-site scripting attacks, cross-site request forgeries, and a host of other problems. While the designs in this specification are intended to be safe if implemented correctly, a full implementation is a massive undertaking and, as with any software, user agents are likely to have security bugs.
Even without scripting, there are specific features in HTML which, for historical reasons,
are required for broad compatibility with legacy content but that expose the user to unfortunate
security problems. In particular, the img element can be used in conjunction with
some other features as a way to effect a port scan from the user's location on the Internet.
This can expose local network topologies that the attacker would otherwise not be able to
determine.
HTML relies on a compartmentalization scheme sometimes known as the same-origin policy. An origin in most cases consists of all the pages served from the same host, on the same port, using the same protocol.
It is critical, therefore, to ensure that any untrusted content that forms part of a site be hosted on a different origin than any sensitive content on that site. Untrusted content can easily spoof any other page on the same origin, read data from that origin, cause scripts in that origin to execute, submit forms to and from that origin even if they are protected from cross-site request forgery attacks by unique tokens, and make use of any third-party resources exposed to or rights granted to that origin.
html" and "htm"
are commonly, but certainly not exclusively, used as the
extension for HTML documents.TEXTFragments used with text/html resources
either refer to the indicated part of the document or provide state information for
in-page scripts.
multipart/x-mixed-replace这个注册用于社区评审,之后会提交给 IESG 评审通过,通过 IANA 注册。
boundary (定义在 RFC2046) [RFC2046]
multipart/x-mixed-replace 的子资源可能是任意类型,包括
有明显的安全性问题的资源,比如 text/html。
multipart/mixed。 [RFC2046]
multipart/x-mixed-replace 资源的字节序列。与 multipart/x-mixed-replace 资源一起使用的
Fragments 的语义:
每个 body 部分适用那个 body 部分使用的类型的定义。
application/xhtml+xml这个注册用于社区评审,之后会提交给 IESG 评审通过,通过 IANA 注册。
application/xml [RFC7303]application/xml [RFC7303]application/xml [RFC7303]application/xml [RFC7303]application/xml [RFC7303]application/xhtml+xml 类型断言了
该资源是一个 XML 文档,且可能有一个 HTML 命名空间 的
文档元素。
因此,相关标准是 XML 规范,XML 规范中的 Namespaces,以及本规范。 [XML] [XMLNS]application/xml [RFC7303]application/xml [RFC7303]xhtml" 和 "xht" 扩展名。TEXT与 application/xhtml+xml 资源一起使用的
Fragments 的语义同
XML MIME type。 [RFC7303]
text/cache-manifest这个注册用于社区评审,之后会提交给 IESG 评审通过,通过 IANA 注册。
charset可以提供 charset 参数。
该参数的值必须是 "utf-8"。
该参数没有意义;只是为了与遗留服务器兼容。
Cache 清单自己不会直接引起风险,除非其中包含了敏感信息。 但是要求实现方基于缓存清单填充缓存时遵循特定的规则, 来确保遵守了那些基于域的限制。 没有正确地实现这些规则可能导致信息泄露,跨站脚本攻击,以及类似的事情。
CACHE MANIFEST" 开始,
紧接着一个 U+0020 SPACE 字符,一个 U+0009 CHARACTER TABULATION (tab) 字符,
一个 U+000A LINE FEED (LF) 字符,或一个 U+000D CARRIAGE RETURN (CR) 字符。appcache"Fragments 对
text/cache-manifest 资源没有语义。
text/pingThis registration is for community review and will be submitted to the IESG for review, approval, and registration with IANA.
charsetThe charset parameter may be provided. The parameter's value must be
"utf-8". This parameter serves no purpose; it is only allowed for
compatibility with legacy servers.
If used exclusively in the fashion described in the context of hyperlink auditing, this type introduces no new security concerns.
text/ping resources always consist of the four
bytes 0x50 0x49 0x4E 0x47 (`PING`).ping attribute.Fragments have no meaning with
text/ping resources.
application/microdata+json这个注册用于社区评审,之后会提交给 IESG 评审通过,通过 IANA 注册。
application/json [JSON]application/json [JSON]application/json [JSON]application/json [JSON]application/microdata+json 类型断言了
该资源是一个 JSON 文本,包含一个只有一个
"items" 属性的对象,这个属性由一个数组组成,每个都是一个对象。
该对象有一个 "id" 属性,其值为字符串;
有一个 "type" 属性,其值为字符串;
有一个 "properties" 属性,其属性值为对象或字符串构成的数组,
其中的对象与上述 "items" 属性的格式一致。
因此,相关规范是 JSON 规范和本规范。 [JSON]
传输用于 HTML 的元数据特性的数据的那些应用。尤其是用于拖放操作的那类应用。
application/json [JSON]application/json [JSON]application/json [JSON]与 application/microdata+json 资源一起使用的
Fragments 的语义同
application/json(也就是说写这篇文档时还没有额外的语义)。
[JSON]
text/event-streamThis registration is for community review and will be submitted to the IESG for review, approval, and registration with IANA.
charsetThe charset parameter may be provided. The parameter's value must be
"utf-8". This parameter serves no purpose; it is only allowed for
compatibility with legacy servers.
An event stream from an origin distinct from the origin of the content consuming the event stream can result in information leakage. To avoid this, user agents are required to apply CORS semantics. [FETCH]
Event streams can overwhelm a user agent; a user agent is expected to apply suitable restrictions to avoid depleting local resources because of an overabundance of information from an event stream.
Servers can be overwhelmed if a situation develops in which the server is causing clients to reconnect rapidly. Servers should use a 5xx status code to indicate capacity problems, as this will prevent conforming clients from reconnecting automatically.
Fragments have no meaning with
text/event-stream resources.
Cross-Origin-Embedder-Policy`This section describes a header for registration in the Permanent Message Header Field Registry. [RFC3864]
Cross-Origin-Embedder-Policy-Report-Only`This section describes a header for registration in the Permanent Message Header Field Registry. [RFC3864]
Cross-Origin-Opener-Policy`This section describes a header for registration in the Permanent Message Header Field Registry. [RFC3864]
Origin-Isolation`This section describes a header for registration in the Permanent Message Header Field Registry. [RFC3864]
Ping-From`本小节描述了 Permanent Message Header Field Registry 中的一个头部注册项。 [RFC3864]
Ping-To`本小节描述了 Permanent Message Header Field Registry 中的一个头部注册项。 [RFC3864]
Refresh`This section describes a header for registration in the Permanent Message Header Field Registry. [RFC3864]
Last-Event-ID`本小节描述了 Permanent Message Header Field Registry 中的一个头部注册项。 [RFC3864]
X-Frame-Options`This section describes a header for registration in the Permanent Message Header Field Registry. [RFC3864]
web+ scheme prefixThis section describes a convention for use with the IANA URI scheme registry. It does not itself register a specific scheme. [RFC7595]
web+" followed by one or more letters in the range
a-z.
web+" schemes should use UTF-8 encodings where relevant.web+" schemes. As
such, these schemes must not be used for features intended to be core platform features (e.g.
network transfer protocols like HTTP or FTP). Similarly, such schemes must not store
confidential information in their URLs, such as usernames, passwords, personal information, or
confidential project names.