text/html
This registration is for community review and will be submitted to the IESG for review, approval, and registration with IANA.
charset
The charset parameter may be provided to specify the document's character encoding, overriding any character encoding declarations in the document other than a Byte Order Mark (BOM). The parameter's value must be an ASCII case-insensitive match for the string "utf-8". [ENCODING]
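The precedence this parameter establishes (BOM first, then the Content-Type charset parameter, then any declaration inside the document) and the ASCII case-insensitive match on "utf-8", as an added example that is not part of the specification text; the in-document scan is a simplified `<meta charset=...>` search, not the full encoding-sniffing algorithm.

```python
import re
from typing import Optional, Tuple

# Added example, not part of the HTML specification text. It applies the
# precedence described above: a BOM wins, then the Content-Type charset
# parameter, then any declaration inside the document. The in-document scan
# is a deliberately simplified <meta charset=...> search, not the full algorithm.

_BOMS = ((b"\xef\xbb\xbf", "utf-8"), (b"\xff\xfe", "utf-16le"), (b"\xfe\xff", "utf-16be"))
_META_CHARSET = re.compile(rb'<meta[^>]*charset\s*=\s*["\']?([a-zA-Z0-9_.:-]+)', re.I)

def ascii_lower(s: str) -> str:
    """An ASCII case-insensitive match folds only A-Z; str.lower() also folds
    non-ASCII letters, which is more than the registration allows."""
    return "".join(chr(ord(c) + 32) if "A" <= c <= "Z" else c for c in s)

def charset_param(content_type: str) -> Optional[str]:
    """Return the raw value of the charset parameter of a Content-Type header, if any."""
    for param in content_type.split(";")[1:]:
        name, _, value = param.strip().partition("=")
        if ascii_lower(name.strip()) == "charset":
            return value.strip().strip('"')
    return None

def charset_param_conforms(content_type: str) -> bool:
    """Conformance check: the charset value must ASCII case-insensitively match "utf-8"."""
    value = charset_param(content_type)
    return value is not None and ascii_lower(value) == "utf-8"

def choose_encoding(content_type: str, body: bytes) -> Tuple[Optional[str], str]:
    """Return (encoding label, where it came from): BOM > charset parameter > in-document."""
    for bom, enc in _BOMS:
        if body.startswith(bom):
            return enc, "bom"
    param = charset_param(content_type)
    if param is not None:
        return ascii_lower(param), "content-type"
    match = _META_CHARSET.search(body[:1024])
    if match:
        return ascii_lower(match.group(1).decode("ascii")), "meta"
    return None, "none"
```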
Entire novels have been written about the security considerations that apply to HTML documents. Many are listed in this document, to which the reader is referred for more details. Some general concerns bear mentioning here, however:
HTML is a scripted language, and has a large number of APIs (some of which are described in this document). Script can expose the user to potential risks of information leakage, credential leakage, cross-site scripting attacks, cross-site request forgeries, and a host of other problems. While the designs in this specification are intended to be safe if implemented correctly, a full implementation is a massive undertaking and, as with any software, user agents are likely to have security bugs.
Even without scripting, there are specific features in HTML which, for historical reasons, are required for broad compatibility with legacy content but that expose the user to unfortunate security problems. In particular, the img element can be used in conjunction with some other features as a way to effect a port scan from the user's location on the Internet. This can expose local network topologies that the attacker would otherwise not be able to determine.
HTML relies on a compartmentalization scheme sometimes known as the same-origin policy. An origin in most cases consists of all the pages served from the same host, on the same port, using the same protocol.
It is critical, therefore, to ensure that any untrusted content that forms part of a site be hosted on a different origin than any sensitive content on that site. Untrusted content can easily spoof any other page on the same origin, read data from that origin, cause scripts in that origin to execute, submit forms to and from that origin even if they are protected from cross-site request forgery attacks by unique tokens, and make use of any third-party resources exposed to or rights granted to that origin.
"html" and "htm" are commonly, but certainly not exclusively, used as the extension for HTML documents.
TEXT
Fragments used with text/html resources either refer to the indicated part of the document or provide state information for in-page scripts.
multipart/x-mixed-replace
This registration is for community review and will be submitted to the IESG for review, approval, and registration with IANA.
boundary (defined in RFC2046) [RFC2046]
multipart/x-mixed-replace resource can be of any type, including types with non-trivial security implications such as text/html.
multipart/mixed. [RFC2046]
multipart/x-mixed-replace resource.
Fragments used with multipart/x-mixed-replace resources apply to each body part as defined by the type used by that body part.
application/xhtml+xml
This registration is for community review and will be submitted to the IESG for review, approval, and registration with IANA.
application/xml
[RFC7303]
application/xhtml+xml type asserts that the resource is an XML document that likely has a document element from the HTML namespace. Thus, the relevant specifications are the XML specification, the Namespaces in XML specification, and this specification. [XML] [XMLNS]
application/xml
[RFC7303]
"xhtml" and "xht" are sometimes used as extensions for XML resources that have a document element from the HTML namespace.
TEXT
Fragments used with application/xhtml+xml resources have the same semantics as with any XML MIME type. [RFC7303]
text/cache-manifest
This registration is for community review and will be submitted to the IESG for review, approval, and registration with IANA.
charset
The charset parameter may be provided. The parameter's value must be "utf-8". This parameter serves no purpose; it is only allowed for compatibility with legacy servers.
Cache manifests themselves pose no immediate risk unless sensitive information is included within the manifest. Implementations, however, are required to follow specific rules when populating a cache based on a cache manifest, to ensure that certain origin-based restrictions are honored. Failure to correctly implement these rules can result in information leakage, cross-site scripting attacks, and the like.
"CACHE MANIFEST", followed by either a U+0020 SPACE character, a U+0009 CHARACTER TABULATION (tab) character, a U+000A LINE FEED (LF) character, or a U+000D CARRIAGE RETURN (CR) character.
"appcache"
Fragments have no meaning with text/cache-manifest resources.
text/ping
This registration is for community review and will be submitted to the IESG for review, approval, and registration with IANA.
charset
The charset parameter may be provided. The parameter's value must be "utf-8". This parameter serves no purpose; it is only allowed for compatibility with legacy servers.
If used exclusively in the fashion described in the context of hyperlink auditing, this type introduces no new security concerns.
text/ping resources always consist of the four bytes 0x50 0x49 0x4E 0x47 (`PING`).
ping attribute.
Fragments have no meaning with text/ping resources.
application/microdata+json
This registration is for community review and will be submitted to the IESG for review, approval, and registration with IANA.
application/json
[JSON]
application/microdata+json type asserts that the resource is a JSON text that consists of an object with a single entry called "items" consisting of an array of entries, each of which consists of an object with an entry called "id" whose value is a string, an entry called "type" whose value is another string, and an entry called "properties" whose value is an object whose entries each have a value consisting of an array of either objects or strings, the objects being of the same form as the objects in the aforementioned "items" entry. Thus, the relevant specifications are the JSON specification and this specification. [JSON]
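A structural validator for the shape just described (recursing into nested item objects inside "properties"), as an added example that is not part of the specification; the sample documents are constructed for illustration.

```python
import json
from typing import Any, List

# Added example, not part of the HTML specification. It checks the shape the
# registration describes: an object with a single "items" entry holding an
# array of item objects, each with string "id" and "type" entries and a
# "properties" object whose values are arrays of strings or of nested item
# objects of the same form. Sample inputs below are constructed.

def _check_item(item: Any, path: str, errors: List[str]) -> None:
    if not isinstance(item, dict):
        errors.append(f"{path}: item is not an object")
        return
    for key in ("id", "type"):
        if not isinstance(item.get(key), str):
            errors.append(f"{path}.{key}: missing or not a string")
    props = item.get("properties")
    if not isinstance(props, dict):
        errors.append(f"{path}.properties: missing or not an object")
        return
    for name, values in props.items():
        if not isinstance(values, list):
            errors.append(f"{path}.properties.{name}: value is not an array")
            continue
        for i, value in enumerate(values):
            if not isinstance(value, str):
                # Anything that is not a string must be a full item (recursion).
                _check_item(value, f"{path}.properties.{name}[{i}]", errors)

def validate_microdata_json(text: str) -> List[str]:
    """Return structural errors; an empty list means the text matches the shape."""
    try:
        doc = json.loads(text)
    except ValueError as exc:
        return [f"not a JSON text: {exc}"]
    if not isinstance(doc, dict) or list(doc) != ["items"]:
        return ['top level must be an object with a single "items" entry']
    if not isinstance(doc["items"], list):
        return ['"items" must be an array']
    errors: List[str] = []
    for i, item in enumerate(doc["items"]):
        _check_item(item, f"items[{i}]", errors)
    return errors

PERSON_B = {"id": "http://example.com/b", "type": "http://schema.org/Person",
            "properties": {"name": ["Bob"]}}
SAMPLE_OK = json.dumps({"items": [{"id": "http://example.com/a", "type": "http://schema.org/Person",
                                   "properties": {"name": ["Alice"], "knows": [PERSON_B]}}]})
SAMPLE_BAD = json.dumps({"items": [{"id": "http://example.com/a", "type": "http://schema.org/Person",
                                    "properties": {"name": "Alice", "knows": [{"name": ["Bob"]}]}}]})
```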
Applications that transfer data intended for use with HTML's microdata feature, especially in the context of drag-and-drop, are the primary application class for this type.
application/json
[JSON]
Fragments used with application/microdata+json resources have the same semantics as when used with application/json (namely, at the time of writing, no semantics at all). [JSON]
text/event-stream
This registration is for community review and will be submitted to the IESG for review, approval, and registration with IANA.
charset
The charset parameter may be provided. The parameter's value must be "utf-8". This parameter serves no purpose; it is only allowed for compatibility with legacy servers.
An event stream from an origin distinct from the origin of the content consuming the event stream can result in information leakage. To avoid this, user agents are required to apply CORS semantics. [FETCH]
Event streams can overwhelm a user agent; a user agent is expected to apply suitable restrictions to avoid depleting local resources because of an overabundance of information from an event stream.
Servers can be overwhelmed if a situation develops in which the server is causing clients to reconnect rapidly. Servers should use a 5xx status code to indicate capacity problems, as this will prevent conforming clients from reconnecting automatically.
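The client-side consequence of these notes, as an added example that is not code from the specification: a 5xx (or any non-200 or non-text/event-stream) response fails the connection rather than scheduling a reconnect, and a reconnect carries the Last-Event-ID header so the server can resume from the last delivered event. The stream parser is a simplified reading of the format covering the id, retry, event and data fields; the default delay of 3000 ms and the sample stream are assumptions.

```python
from typing import Dict, List, Tuple

# Added example, not code from the HTML specification. A 5xx (or any non-200 /
# non-text/event-stream) response fails the connection instead of scheduling a
# reconnect; a reconnect carries Last-Event-ID. The parser is a simplified
# reading of the stream format (id, retry, event, data); the sample is constructed.

SAMPLE_STREAM = "retry: 10000\nid: 41\ndata: hello\n\n: keepalive\nid: 42\nevent: ping\ndata: a\ndata: b\n\n"

class EventStreamClient:
    def __init__(self) -> None:
        self.last_event_id = ""
        self.retry_ms = 3000                  # assumed default reconnection delay
        self.events: List[Tuple[str, str]] = []

    def request_headers(self) -> Dict[str, str]:
        headers = {"Accept": "text/event-stream"}
        if self.last_event_id:                # only once an id has been seen
            headers["Last-Event-ID"] = self.last_event_id
        return headers

    def _parse(self, body: str) -> None:
        event_type, data = "message", []
        for line in body.replace("\r\n", "\n").replace("\r", "\n").split("\n"):
            if line == "":                    # blank line dispatches the event
                if data:
                    self.events.append((event_type, "\n".join(data)))
                event_type, data = "message", []
            elif line.startswith(":"):        # comment / keep-alive line
                continue
            else:
                field, _, value = line.partition(":")
                value = value[1:] if value.startswith(" ") else value
                if field == "id" and "\0" not in value:
                    self.last_event_id = value
                elif field == "retry" and value.isascii() and value.isdigit():
                    self.retry_ms = int(value)
                elif field == "data":
                    data.append(value)
                elif field == "event":
                    event_type = value

    def on_response(self, status: int, content_type: str, body: str) -> str:
        """Return "reconnect" (after retry_ms) or "failed" (no automatic retry)."""
        mime = content_type.split(";")[0].strip().lower()
        if status != 200 or mime != "text/event-stream":
            return "failed"                   # a 5xx capacity signal lands here
        self._parse(body)
        return "reconnect"
```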
Fragments have no meaning with text/event-stream resources.
`Ping-From`
This section describes a header for registration in the Permanent Message Header Field Registry. [RFC3864]
`Ping-To`
This section describes a header for registration in the Permanent Message Header Field Registry. [RFC3864]
`Refresh`
This section describes a header for registration in the Permanent Message Header Field Registry. [RFC3864]
`Last-Event-ID`
This section describes a header for registration in the Permanent Message Header Field Registry. [RFC3864]
web+ scheme prefix
This section describes a convention for use with the IANA URI scheme registry. It does not itself register a specific scheme. [RFC7595]
"web+" followed by one or more letters in the range a-z.
"web+" schemes should use UTF-8 encodings where relevant.
"web+" schemes. As such, these schemes must not be used for features intended to be core platform features (e.g. network transfer protocols like HTTP or FTP). Similarly, such schemes must not store confidential information in their URLs, such as usernames, passwords, personal information, or confidential project names.