Living Standard — Last Updated 22 July 2025
text/htmlThis registration is for community review and will be submitted to the IESG for review, approval, and registration with IANA.
charsetThe charset parameter may be provided to specify the
      document's character encoding, overriding any character encoding declarations in the document other than a Byte Order
      Mark (BOM). The parameter's value must be an ASCII case-insensitive match for the
      string "utf-8". [ENCODING]
Entire novels have been written about the security considerations that apply to HTML documents. Many are listed in this document, to which the reader is referred for more details. Some general concerns bear mentioning here, however:
HTML is scripted language, and has a large number of APIs (some of which are described in this document). Script can expose the user to potential risks of information leakage, credential leakage, cross-site scripting attacks, cross-site request forgeries, and a host of other problems. While the designs in this specification are intended to be safe if implemented correctly, a full implementation is a massive undertaking and, as with any software, user agents are likely to have security bugs.
Even without scripting, there are specific features in HTML which, for historical reasons,
    are required for broad compatibility with legacy content but that expose the user to unfortunate
    security problems. In particular, the img element can be used in conjunction with
    some other features as a way to effect a port scan from the user's location on the Internet.
    This can expose local network topologies that the attacker would otherwise not be able to
    determine.
HTML relies on a compartmentalization scheme sometimes known as the same-origin policy. An origin in most cases consists of all the pages served from the same host, on the same port, using the same protocol.
It is critical, therefore, to ensure that any untrusted content that forms part of a site be hosted on a different origin than any sensitive content on that site. Untrusted content can easily spoof any other page on the same origin, read data from that origin, cause scripts in that origin to execute, submit forms to and from that origin even if they are protected from cross-site request forgery attacks by unique tokens, and make use of any third-party resources exposed to or rights granted to that origin.
html" and "htm"
     are commonly, but certainly not exclusively, used as the
     extension for HTML documents.TEXTFragments used with text/html resources
  either refer to the indicated part of the corresponding Document, or
  provide state information for in-page scripts.
multipart/x-mixed-replaceThis registration is for community review and will be submitted to the IESG for review, approval, and registration with IANA.
boundary (defined in RFC2046) [RFC2046]
    multipart/x-mixed-replace
    resource can be of any type, including types with non-trivial
    security implications such as text/html.
   multipart/mixed. [RFC2046]
   multipart/x-mixed-replace resource.Fragments used with
  multipart/x-mixed-replace resources apply to each body part as defined by the type
  used by that body part.
application/xhtml+xmlThis registration is for community review and will be submitted to the IESG for review, approval, and registration with IANA.
application/xml [RFC7303]application/xml [RFC7303]application/xml [RFC7303]application/xml [RFC7303]application/xml [RFC7303]application/xhtml+xml type asserts that the
   resource is an XML document that likely has a document element from the HTML
   namespace. Thus, the relevant specifications are XML, Namespaces in
   XML, and this specification. [XML] [XMLNS]application/xml [RFC7303]application/xml [RFC7303]xhtml" and "xht" are sometimes used as
     extensions for XML resources that have a document element from the HTML
     namespace.TEXTFragments used with
  application/xhtml+xml resources have the same semantics as with any
  XML MIME type. [RFC7303]
text/pingThis registration is for community review and will be submitted to the IESG for review, approval, and registration with IANA.
charsetThe charset parameter may be provided. The parameter's value must be
      "utf-8". This parameter serves no purpose; it is only allowed for
      compatibility with legacy servers.
If used exclusively in the fashion described in the context of hyperlink auditing, this type introduces no new security concerns.
text/ping resources always consist of the four
     bytes 0x50 0x49 0x4E 0x47 (`PING`).ping attribute.Fragments have no meaning with
  text/ping resources.
application/microdata+jsonThis registration is for community review and will be submitted to the IESG for review, approval, and registration with IANA.
application/json [JSON]application/json [JSON]application/json [JSON]application/json [JSON]application/microdata+json type asserts that the
    resource is a JSON text that consists of an object with a single entry called "items" consisting of an array of entries, each of which consists of an object
    with an entry called "id" whose value is a string, an entry called "type" whose value is another string, and an entry called "properties" whose value is an object whose entries each have a value consisting
    of an array of either objects or strings, the objects being of the same form as the objects in
    the aforementioned "items" entry. Thus, the relevant specifications are
    JSON and this specification. [JSON]
   Applications that transfer data intended for use with HTML's microdata feature, especially in the context of drag-and-drop, are the primary application class for this type.
application/json [JSON]application/json [JSON]application/json [JSON]Fragments used with
  application/microdata+json resources have the same semantics as when used with
  application/json (namely, at the time of writing, no semantics at all).
  [JSON]
text/event-streamThis registration is for community review and will be submitted to the IESG for review, approval, and registration with IANA.
charsetThe charset parameter may be provided. The parameter's value must be
      "utf-8". This parameter serves no purpose; it is only allowed for
      compatibility with legacy servers.
An event stream from an origin distinct from the origin of the content consuming the event stream can result in information leakage. To avoid this, user agents are required to apply CORS semantics. [FETCH]
Event streams can overwhelm a user agent; a user agent is expected to apply suitable restrictions to avoid depleting local resources because of an overabundance of information from an event stream.
Servers can be overwhelmed if a situation develops in which the server is causing clients to reconnect rapidly. Servers should use a 5xx status code to indicate capacity problems, as this will prevent conforming clients from reconnecting automatically.
Fragments have no meaning with
  text/event-stream resources.
web+ scheme prefixThis section describes a convention for use with the IANA URI scheme registry. It does not itself register a specific scheme. [RFC7595]
web+" followed by one or more letters in the range
    a-z.
   web+" schemes should use UTF-8 encodings where relevant.web+" schemes. As
    such, these schemes must not be used for features intended to be core platform features (e.g.,
    HTTP). Similarly, such schemes must not store confidential information in their URLs, such as
    usernames, passwords, personal information, or confidential project names.