text/html
: charset
:: The charset parameter may be provided to specify the
document's character encoding, overriding any
[=character encoding declarations=] in the document other than a Byte Order Mark (BOM).
For newly created documents, the parameter's value must be an ASCII case-insensitive match for the string
"utf-8".
For legacy documents, the character encoding name given must be an
ASCII case-insensitive match for one of the labels
of the character encoding used to serialize the file. [[!ENCODING]]
: Encoding considerations:
:: 8bit (see the section on [=character encoding declarations=])
: Security considerations:
:: Entire novels have been written about the security considerations that apply to HTML documents.
Many are listed in this document, to which the reader is referred for more details. Some
general concerns bear mentioning here, however:
HTML is a scripted language, and has a large number of APIs (some of which are described in
this document). Script can expose the user to potential risks of information leakage,
credential leakage, cross-site scripting attacks, cross-site request forgeries, and a host of
other problems. While the designs in this specification are intended to be safe if implemented
correctly, a full implementation is a massive undertaking and, as with any software, user
agents are likely to have security bugs.
Even without scripting, there are specific features in HTML which, for historical reasons,
are required for broad compatibility with legacy content but that expose the user to
unfortunate security problems. In particular, the <{img}> element can be used in
conjunction with some other features as a way to effect a port scan from the user's location
on the Internet. This can expose local network topologies that the attacker would otherwise
not be able to determine.
HTML relies on a compartmentalization scheme sometimes known as the same-origin policy.
An [=concept/origin=] in most cases consists of all the pages served from the same
host, on the same port, using the same protocol.
It is critical, therefore, to ensure that any untrusted content that forms part of a site be
hosted on a different [=concept/origin=] than any sensitive content on that site.
Untrusted content can easily spoof any other page on the same origin, read data from that
origin, cause scripts in that origin to execute, submit forms to and from that origin even if
they are protected from cross-site request forgery attacks by unique tokens, and make use of
any third-party resources exposed to or rights granted to that origin.
: Interoperability considerations:
:: Rules for processing both conforming and non-conforming content are defined in this
specification.
: Published specification:
:: This document is the relevant specification. Labeling a resource with the
[[#text-html|text/html]] type asserts that the resource is an HTML document using
the HTML syntax.
: Applications that use this media type:
:: Web browsers, tools for processing Web content, HTML authoring tools, search engines,
validators.
: Additional information:
::
: Magic number(s):
:: No sequence of bytes can uniquely identify an HTML document. More information on detecting
HTML documents is available in the MIME Sniffing specification. [[!MIMESNIFF]]
: File extension(s):
:: "html" and "htm" are commonly, but certainly not exclusively,
used as the extension for HTML documents.
: Macintosh file type code(s):
:: TEXT
: Macintosh Uniform Type Identifier:
:: public.html
: Windows Clipboard Format:
:: CF_HTML
: Person & email address to contact for further information:
:: World Wide Web Consortium <web-human@w3.org>
: Intended usage:
:: Common
: Restrictions on usage:
:: No restrictions apply.
: Authors:
:: Alex Danilo <adanilo@google.com>
:: Arron Eicholz <arronei@microsoft.com>
:: Sangwhan Moon <sangwhan@iki.fi>
:: Steve Faulkner <sfaulkner@paciellogroup.com>
:: Travis Leithead <travil@microsoft.com>
: Change controller:
:: W3C
Fragments used with [[#text-html|text/html]] resources either refer to
the indicated part of the document or provide state information for in-page scripts.
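The same-origin rule in the security considerations above, as an added example that is not part of the specification: it reduces URLs to the protocol, host and port tuple and reports untrusted content that shares an origin with sensitive content. The inventory format, the `trust` labels and the `.example` URLs are constructed assumptions.

```javascript
// Added example: flags untrusted content that shares an origin with sensitive
// content. The inventory entries and "trust" labels are constructed.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Reduce a URL to the (protocol, host, port) tuple the text describes.
// The path is deliberately ignored: it does not separate origins.
function originKey(urlString) {
  const u = new URL(urlString);            // lowercases the host, drops default ports
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return `${u.protocol}//${u.hostname}:${port}`;
}

// Return one finding per untrusted URL whose origin also serves sensitive content.
function findSharedOrigins(inventory) {
  const sensitive = new Map();
  for (const entry of inventory) {
    if (entry.trust !== "sensitive") continue;
    const key = originKey(entry.url);
    if (!sensitive.has(key)) sensitive.set(key, []);
    sensitive.get(key).push(entry.url);
  }
  const findings = [];
  for (const entry of inventory) {
    if (entry.trust !== "untrusted") continue;
    const key = originKey(entry.url);
    if (sensitive.has(key)) {
      findings.push({ untrusted: entry.url, origin: key, sharesWith: sensitive.get(key) });
    }
  }
  return findings;
}

// Constructed sample inventory.
const inventory = [
  { url: "https://app.example/account/settings", trust: "sensitive" },
  { url: "https://app.example/uploads/profile-123.html", trust: "untrusted" }, // same origin, other path
  { url: "https://APP.example:443/forum/post/9", trust: "untrusted" },         // same origin, explicit default port
  { url: "https://usercontent.example/profile-123.html", trust: "untrusted" }, // different host
  { url: "http://app.example/preview", trust: "untrusted" },                   // different protocol
  { url: "https://app.example:8443/sandbox", trust: "untrusted" },             // different port
];

for (const f of findSharedOrigins(inventory)) {
  console.log(`${f.untrusted} shares origin ${f.origin} with sensitive content`);
}
```

Only the first two untrusted entries are reported: a different path or an explicitly written default port does not create a separate origin.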
multipart/x-mixed-replace
boundary (defined in RFC2046) [[!RFC2046]]
: Optional parameters:
:: No optional parameters.
: Encoding considerations:
:: binary
: Security considerations:
:: Subresources of a multipart/x-mixed-replace resource can be of any type, including
types with non-trivial security implications such as [[#text-html|text/html]].
: Interoperability considerations:
:: None.
: Published specification:
:: This specification describes processing rules for Web browsers. Conformance requirements for
generating resources with this type are the same as for multipart/mixed.
[[!RFC2046]]
: Applications that use this media type:
:: This type is intended to be used in resources generated by Web servers, for consumption by Web
browsers.
: Additional information:
::
: Magic number(s):
:: No sequence of bytes can uniquely identify a multipart/x-mixed-replace
resource.
: File extension(s):
:: No specific file extensions are recommended for this type.
: Macintosh file type code(s):
:: No specific Macintosh file type codes are recommended for this type.
: Person & email address to contact for further information:
:: Ian Hickson <ian@hixie.ch>
: Intended usage:
:: Common
: Restrictions on usage:
:: No restrictions apply.
: Author:
:: Ian Hickson <ian@hixie.ch>
: Change controller:
:: W3C
Fragments used with multipart/x-mixed-replace resources apply to each
body part as defined by the type used by that body part.
application/xhtml+xml
application/xml [[!RFC7303]]
: Optional parameters:
:: Same as for application/xml [[!RFC7303]]
: Encoding considerations:
:: Same as for application/xml [[!RFC7303]]
: Security considerations:
:: Same as for application/xml [[!RFC7303]]
: Interoperability considerations:
:: Same as for application/xml [[!RFC7303]]
: Published specification:
:: Labeling a resource with the application/xhtml+xml type asserts that the resource
is an XML document that likely has a document element from the HTML namespace.
Thus, the relevant specifications are the XML specification, the Namespaces in XML
specification, and this specification. [[!XML]] [[!XPTR-XMLNS]]
: Applications that use this media type:
:: Same as for application/xml [[!RFC7303]]
: Additional information:
::
: Magic number(s):
:: Same as for application/xml [[!RFC7303]]
: File extension(s):
:: "xhtml" and "xht" are sometimes used as extensions for XML
resources that have a document element from the HTML namespace.
: Macintosh file type code(s):
:: TEXT
: Person & email address to contact for further information:
:: Ian Hickson <ian@hixie.ch>
: Intended usage:
:: Common
: Restrictions on usage:
:: No restrictions apply.
: Author:
:: Ian Hickson <ian@hixie.ch>
: Change controller:
:: W3C
Fragments used with application/xhtml+xml resources have the same
semantics as with any XML MIME type. [[!RFC7303]]
web+ scheme prefix
"web+" followed by one or more letters
in the range a-z.
: Status:
:: Permanent
: Scheme syntax:
:: Scheme-specific.
: Scheme semantics:
:: Scheme-specific.
: Encoding considerations:
:: All "web+" schemes should use UTF-8 encodings where relevant.
: Applications/protocols that use this scheme name:
:: Scheme-specific.
: Interoperability considerations:
:: The scheme is expected to be used in the context of Web applications.
: Security considerations:
:: Any Web page is able to register a handler for all "web+" schemes. As
such, these schemes must not be used for features intended to be core platform features (e.g.,
network transfer protocols like HTTP or FTP). Similarly, such schemes must not store
confidential information in their URLs, such as usernames, passwords, personal information, or
confidential project names.
: Contact:
:: Ian Hickson <ian@hixie.ch>
: Change controller:
:: Ian Hickson <ian@hixie.ch>
: References:
:: Custom scheme handlers, HTML Living Standard:
https://html.spec.whatwg.org/#custom-handlers
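A lint for the two rules in this registration, as an added example that is not part of the specification: the scheme name must be "web+" followed by one or more letters a-z, and the URL must not carry confidential information. The `SENSITIVE_KEYS` list, the issue labels and the sample URLs are constructed assumptions.

```javascript
// Added example: lints URLs an application generates for a "web+" scheme.
// Because any Web page can register as the handler, whatever is in the URL
// is handed to a page the application does not control.
const WEB_PLUS_SCHEME = /^web\+[a-z]+$/; // "web+" followed by one or more letters a-z

// Assumed list of parameter names treated as confidential (hypothetical).
const SENSITIVE_KEYS = new Set(["user", "username", "password", "email", "token", "project"]);

function isWebPlusScheme(scheme) {
  return WEB_PLUS_SCHEME.test(scheme);
}

// Returns a list of issue labels; an empty list means nothing was flagged.
function auditWebPlusUrl(urlString) {
  const colon = urlString.indexOf(":");
  if (colon < 0) return ["no-scheme"];
  const issues = [];
  if (!isWebPlusScheme(urlString.slice(0, colon))) issues.push("bad-scheme");

  const rest = urlString.slice(colon + 1).split("#")[0];
  // Credentials in an authority component: //user:pass@host/...
  if (/^\/\/[^/?]*@/.test(rest)) issues.push("userinfo");

  // Confidential-looking query parameter names.
  const q = rest.indexOf("?");
  const query = q >= 0 ? rest.slice(q + 1) : "";
  for (const key of new URLSearchParams(query).keys()) {
    if (SENSITIVE_KEYS.has(key.toLowerCase())) issues.push(`query:${key.toLowerCase()}`);
  }
  return issues;
}

// Constructed sample URLs.
const samples = [
  "web+chat:room/42",
  "web+:room/42",                 // no letters after "web+"
  "web+chat2:room/42",            // digit is outside a-z
  "web+mail://alice:hunter2@mail.example/inbox",
  "web+crm:open?account=7&password=hunter2&Project=falcon",
];

for (const s of samples) {
  const issues = auditWebPlusUrl(s);
  console.log(`${s} -> ${issues.length ? issues.join(", ") : "ok"}`);
}
```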
This registration is for community review and will be submitted to the IESG for review, approval, and registration with IANA.
charset
"utf-8".
This parameter exists only for compatibility with legacy servers.
text/ping resources always consist of the four bytes 0x50 0x49 0x4E 0x47 (PING).