Some implementations don't process the HEAD element correctly
Thomas Hühn
gmane-71612 at thomas-huehn.de
Wed Aug 26 14:06:00 UTC 2009
SitG Admin <sysadmin at ...> writes:
> >Maybe the spec should carry an informative note to implementors to point out
> >that the HEAD element does not necessarily have any textual representation in
> >the HTML source?
> >
> >Comments?
>
> See the general archives for a thread between the 9th and 10th of
> this month about outsourcing headers: restricting the scan for OpenID
I didn't see it on gmane, the "general" list there seems to be another one.
But I've read it now.
> headers to this "HEAD" area (*before* the "BODY" starts) is actually
> *desirable* behavior, since it would prevent Identity theft from
Of course, but the HEAD element is well-defined even without HEAD tags.
> injecting HTML in embedded comments, guestbooks, basically anything
> that is dynamically generated server-side rather than linked to
> within the page (like CSS).
And those things are all outside the HEAD element.
The implementation might become a bit harder, because you cannot just grep for
"<HEAD>" (assuming that you don't use a real parser library but parse it ad-hoc),
but I don't see any real difference between tagged and tagless HEAD elements
security-wise.
Thomas
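The point made above, that the HEAD element is well-defined even when no HEAD tags are written and that an ad-hoc grep for "<HEAD>" gets this wrong, is illustrated by the following added example; it is not part of the original post or of any OpenID library. It uses Python's standard html.parser and tracks the HEAD element the way the HTML "in head" insertion mode does: the head ends at an explicit </head>, at any start tag that is not a head element (body, p, div, ...), or at the first non-whitespace text. Link elements found after that point (where injected guestbook or comment content would live) are reported separately. The sample documents, the rel value "openid.server" and the hostnames idp.example and attacker.example are constructed for this example.

```python
import re
from html.parser import HTMLParser

# Elements the HTML "in head" insertion mode accepts. Any other start tag,
# or non-whitespace text, implicitly ends the HEAD element even when the
# author never wrote <head> or </head>.
HEAD_ELEMENTS = {"html", "head", "base", "basefont", "bgsound", "link", "meta",
                 "title", "noscript", "noframes", "script", "style", "template"}

# Elements whose text content is raw data, not body content that would end the head.
RAW_TEXT_ELEMENTS = {"script", "style", "title"}


class HeadLinkScanner(HTMLParser):
    """Collect <link rel=... href=...> pairs that belong to the (possibly tagless) HEAD."""

    def __init__(self):
        super().__init__()
        self.in_head = True
        self.links = []        # (rel, href) found inside the HEAD element
        self.rejected = []     # (rel, href) found after the HEAD ended, e.g. injected content
        self._raw_depth = 0    # >0 while inside script/style/title text

    def handle_starttag(self, tag, attrs):
        if self.in_head and tag not in HEAD_ELEMENTS:
            self.in_head = False   # body content began: the implicit HEAD is over
        if tag in RAW_TEXT_ELEMENTS:
            self._raw_depth += 1
        if tag == "link":
            a = dict(attrs)
            entry = ((a.get("rel") or "").strip().lower(), a.get("href") or "")
            (self.links if self.in_head else self.rejected).append(entry)

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_ELEMENTS and self._raw_depth:
            self._raw_depth -= 1
        if tag == "head":
            self.in_head = False   # explicit </head> also ends the HEAD

    def handle_data(self, data):
        # Non-whitespace text outside title/script/style is body content.
        if self.in_head and not self._raw_depth and data.strip():
            self.in_head = False


def head_links(html):
    """Return (links_in_head, links_after_head) for a document with or without HEAD tags."""
    scanner = HeadLinkScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.links, scanner.rejected


def naive_head_links(html):
    """The ad-hoc approach the post warns about: only looks between literal HEAD tags,
    so a perfectly valid tagless document yields nothing."""
    m = re.search(r"<head[^>]*>(.*?)</head>", html, re.I | re.S)
    if not m:
        return []
    return re.findall(r'<link[^>]*rel="([^"]*)"[^>]*href="([^"]*)"', m.group(1), re.I)


# Constructed sample: valid HTML with no HEAD tags at all. The second <link> sits in
# the body, where injected comment or guestbook markup would appear.
TAGLESS = """<html><title>Alice</title>
<link rel="openid.server" href="https://idp.example/server">
<p>Hello, world</p>
<link rel="openid.server" href="https://attacker.example/server">
</html>"""

# Constructed sample: the same document with explicit HEAD and BODY tags.
TAGGED = """<html><head><title>Alice</title>
<link rel="openid.server" href="https://idp.example/server">
</head><body>
<p>Hello, world</p>
<link rel="openid.server" href="https://attacker.example/server">
</body></html>"""

if __name__ == "__main__":
    for name, doc in (("tagless", TAGLESS), ("tagged", TAGGED)):
        accepted, rejected = head_links(doc)
        print(name, "parser:", accepted, "rejected:", rejected)
        print(name, "grep:  ", naive_head_links(doc))
```

For both documents the parser-based scanner accepts only the link that is really inside the HEAD and rejects the one in the body; the grep-based version agrees on the tagged document but finds nothing at all in the tagless one, which is the behaviour a consumer would have to avoid if it wants to restrict discovery to the HEAD.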