  1. 4.8.5 The iframe element
  2. 4.8.6 The embed element
  3. 4.8.7 The object element

4.8.5 The iframe element

Categories:
  Flow content.
  Phrasing content.
  Embedded content.
  Interactive content.
  Palpable content.
Contexts in which this element can be used:
  Where embedded content is expected.
Content model:
  Nothing.
Tag omission in text/html:
  Neither tag is omissible.
Content attributes:
  Global attributes
  src — Address of the resource
  srcdoc — A document to render in the iframe
  name — Name of content navigable
  sandbox — Security rules for nested content
  allow — Permissions policy to be applied to the iframe's contents
  allowfullscreen — Whether to allow the iframe's contents to use requestFullscreen()
  width — Horizontal dimension
  height — Vertical dimension
  referrerpolicy — Referrer policy for fetches initiated by the element
  loading — Used when determining loading deferral
Accessibility considerations:
  For authors.
  For implementers.
DOM interface:
  [Exposed=Window]
  interface HTMLIFrameElement : HTMLElement {
    [HTMLConstructor] constructor();

    [CEReactions] attribute USVString src;
    [CEReactions] attribute (TrustedHTML or DOMString) srcdoc;
    [CEReactions] attribute DOMString name;
    [SameObject, PutForwards=value] readonly attribute DOMTokenList sandbox;
    [CEReactions] attribute DOMString allow;
    [CEReactions] attribute boolean allowFullscreen;
    [CEReactions] attribute DOMString width;
    [CEReactions] attribute DOMString height;
    [CEReactions] attribute DOMString referrerPolicy;
    [CEReactions] attribute DOMString loading;
    readonly attribute Document? contentDocument;
    readonly attribute WindowProxy? contentWindow;
    Document? getSVGDocument();

    // also has obsolete members
  };

The iframe element represents its content navigable.

The src attribute gives the URL of a page that the element's content navigable is to contain. The attribute, if present, must be a valid non-empty URL potentially surrounded by spaces. If the itemprop attribute is specified on an iframe element, then the src attribute must also be specified.

The srcdoc attribute gives the content of the page that the element's content navigable is to contain. The value of the attribute is used to construct an iframe srcdoc document, which is a Document whose URL matches about:srcdoc.

The srcdoc attribute, if present, must have a value using the HTML syntax that consists of the following syntactic components, in the given order:

  1. Any number of comments and ASCII whitespace.
  2. Optionally, a DOCTYPE.
  3. Any number of comments and ASCII whitespace.
  4. The document element, in the form of an html element.
  5. Any number of comments and ASCII whitespace.

The above requirements apply in XML documents as well.

Here a blog uses the srcdoc attribute in conjunction with the sandbox attribute described below to provide users of user agents that support this feature with an extra layer of protection from script injection in the blog post comments:

<article>
 <h1>I got my own magazine!</h1>
 <p>After much effort, I've finally found a publisher, and so now I
 have my own magazine! Isn't that awesome?! The first issue will come
 out in September, and we have articles about getting food, and about
 getting in boxes, it's going to be great!</p>
 <footer>
  <p>Written by <a href="/users/cap">cap</a>, 1 hour ago.
 </footer>
 <article>
  <footer>Thirteen minutes ago, <a href="/users/ch">ch</a> wrote:</footer>
  <iframe sandbox srcdoc="<p>did you get a cover picture yet?"></iframe>
 </article>
 <article>
  <footer>Nine minutes ago, <a href="/users/cap">cap</a> wrote:</footer>
  <iframe sandbox srcdoc="<p>Yeah, you can see it <a href=&quot;/gallery?mode=cover&amp;amp;page=1&quot;>in my gallery</a>."></iframe>
 </article>
 <article>
  <footer>Five minutes ago, <a href="/users/ch">ch</a> wrote:</footer>
  <iframe sandbox srcdoc="<p>hey that's earl's table.
<p>you should get earl&amp;amp;me on the next cover."></iframe>
 </article>
</article>

Notice the way that quotes have to be escaped (otherwise the srcdoc attribute would end prematurely), and the way raw ampersands (e.g. in URLs or in prose) mentioned in the sandboxed content have to be doubly escaped — once so that the ampersand is preserved when originally parsing the srcdoc attribute, and once more to prevent the ampersand from being misinterpreted when parsing the sandboxed content.

Furthermore, notice that since the DOCTYPE is optional in iframe srcdoc documents, and the html, head, and body elements have optional start and end tags, and the title element is also optional in iframe srcdoc documents, the markup in a srcdoc attribute can be relatively succinct despite representing an entire document, since only the contents of the body element need appear literally in the syntax. The other elements are still present, but only by implication.

In the HTML syntax, authors need only remember to use U+0022 QUOTATION MARK characters (") to wrap the attribute contents and then to escape all U+0026 AMPERSAND (&) and U+0022 QUOTATION MARK (") characters, and to specify the sandbox attribute, to ensure safe embedding of content. (And remember to escape ampersands before quotation marks, to ensure quotation marks become &quot; and not &amp;quot;.)

In XML the U+003C LESS-THAN SIGN character (<) needs to be escaped as well. In order to prevent attribute-value normalization, some of XML's whitespace characters — specifically U+0009 CHARACTER TABULATION (tab), U+000A LINE FEED (LF), and U+000D CARRIAGE RETURN (CR) — also need to be escaped. [XML]
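
The escaping order for the HTML syntax can be checked mechanically. The following is an added example, not part of the standard: it builds the sandboxed srcdoc markup for the second comment above and models how the outer parser reads the attribute back. All function names are hypothetical, and the parse model handles only the two character references the escaper produces.

```javascript
// Added example, not part of the HTML Standard. All function names here are
// hypothetical helpers for a server that renders comment threads.

// Escape a complete inner document for use as a double-quoted srcdoc value.
// Ampersands are escaped first, then quotation marks, so that '"' ends up as
// '&quot;' and not '&amp;quot;'.
function escapeSrcdoc(innerHtml) {
  return innerHtml.replace(/&/g, "&amp;").replace(/"/g, "&quot;");
}

// The ordering mistake the text warns about, kept for comparison.
function escapeSrcdocWrongOrder(innerHtml) {
  return innerHtml.replace(/"/g, "&quot;").replace(/&/g, "&amp;");
}

// Wrap untrusted comment markup in a fully sandboxed iframe.
function commentFrame(innerHtml) {
  return '<iframe sandbox srcdoc="' + escapeSrcdoc(innerHtml) + '"></iframe>';
}

// Simplified model of the outer parse: the attribute value runs to the next
// U+0022, and character references are decoded in a single pass. Only the two
// references produced by escapeSrcdoc are handled.
function srcdocAsParsed(markup) {
  const marker = 'srcdoc="';
  const start = markup.indexOf(marker);
  if (start === -1) return null;
  const from = start + marker.length;
  const end = markup.indexOf('"', from);
  if (end === -1) return null;
  return markup
    .slice(from, end)
    .replace(/&(amp|quot);/g, (_, name) => (name === "amp" ? "&" : '"'));
}

// Constructed sample: the inner document for the second comment above. The raw
// ampersand in the URL is already written as &amp; for the inner parse.
const SAMPLE_COMMENT =
  '<p>Yeah, you can see it <a href="/gallery?mode=cover&amp;page=1">in my gallery</a>.';

function demo() {
  const good = commentFrame(SAMPLE_COMMENT);
  const unescaped = '<iframe sandbox srcdoc="' + SAMPLE_COMMENT + '"></iframe>';
  const wrongOrder =
    '<iframe sandbox srcdoc="' + escapeSrcdocWrongOrder(SAMPLE_COMMENT) + '"></iframe>';
  return {
    markup: good,
    // The inner parser receives exactly the document the author wrote.
    roundTrips: srcdocAsParsed(good) === SAMPLE_COMMENT,
    // Without escaping, the attribute ends at the first quotation mark.
    unescapedSeenAs: srcdocAsParsed(unescaped),
    // With the wrong order, the inner parser sees &quot; instead of a quote.
    wrongOrderSeenAs: srcdocAsParsed(wrongOrder),
  };
}

console.log(demo());
```

Escaping only keeps the attribute intact; it is the sandbox attribute on the generated element that restricts what the comment markup can do.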

If the src attribute and the srcdoc attribute are both specified together, the srcdoc attribute takes priority. This allows authors to provide a fallback URL for legacy user agents that do not support the srcdoc attribute.


The iframe HTML element insertion steps, given insertedNode, are:

  1. If insertedNode's shadow-including root's browsing context is null, then return.

  2. Create a new child navigable for insertedNode.

  3. If insertedNode has a sandbox attribute, then parse the sandboxing directive given the attribute's value and insertedNode's iframe sandboxing flag set.

  4. Process the iframe attributes for insertedNode, with initialInsertion set to true.

The iframe HTML element removing steps, given removedNode, are to destroy a child navigable given removedNode.

This happens without any unload events firing (the element's content document is destroyed, not unloaded).

Although iframes are processed while in a shadow tree, per the above, several other aspects of their behavior are not well-defined with regards to shadow trees. See issue #763 for more detail.

Whenever an iframe element with a non-null content navigable has its srcdoc attribute set, changed, or removed, the user agent must process the iframe attributes.

Similarly, whenever an iframe element with a non-null content navigable but with no srcdoc attribute specified has its src attribute set, changed, or removed, the user agent must process the iframe attributes.

To process the iframe attributes for an element element, with an optional boolean initialInsertion (default false):

  1. If element's srcdoc attribute is specified, then:

    1. Set element's current navigation was lazy loaded boolean to false.

    2. If the will lazy load element steps given element return true, then:

      1. Set element's lazy load resumption steps to the rest of this algorithm starting with the step labeled navigate to the srcdoc resource.

      2. Set element's current navigation was lazy loaded boolean to true.

      3. Start intersection-observing a lazy loading element for element.

      4. Return.

    3. Navigate to the srcdoc resource: Navigate an iframe or frame given element, about:srcdoc, the empty string, and the value of element's srcdoc attribute.

      The resulting Document must be considered an iframe srcdoc document.

  2. Otherwise:

    1. Let url be the result of running the shared attribute processing steps for iframe and frame elements given element and initialInsertion.

    2. If url is null, then return.

    3. If url matches about:blank and initialInsertion is true, then:

      1. Run the iframe load event steps given element.

      2. Return.

    4. Let referrerPolicy be the current state of element's referrerpolicy content attribute.

    5. Set element's current navigation was lazy loaded boolean to false.

    6. If the will lazy load element steps given element return true, then:

      1. Set element's lazy load resumption steps to the rest of this algorithm starting with the step labeled navigate.

      2. Set element's current navigation was lazy loaded boolean to true.

      3. Start intersection-observing a lazy loading element for element.

      4. Return.

    7. Navigate: Navigate an iframe or frame given element, url, and referrerPolicy.

The shared attribute processing steps for iframe and frame elements, given an element element and a boolean initialInsertion, are:

  1. Let url be the URL record about:blank.

  2. If element has a src attribute specified, and its value is not the empty string, then:

    1. Let maybeURL be the result of encoding-parsing a URL given that attribute's value, relative to element's node document.

    2. If maybeURL is not failure, then set url to maybeURL.

  3. If the inclusive ancestor navigables of element's node navigable contains a navigable whose active document's URL equals url with exclude fragments set to true, then return null.

  4. If url matches about:blank and initialInsertion is true, then perform the URL and history update steps given element's content navigable's active document and url.

    This is necessary in case url is something like about:blank?foo. If url is just plain about:blank, this will do nothing.

  5. Return url.

To navigate an iframe or frame given an element element, a URL url, a referrer policy referrerPolicy, and an optional string-or-null srcdocString (default null):

  1. Let historyHandling be "auto".

  2. If element's content navigable's active document is not completely loaded, then set historyHandling to "replace".

  3. If element is an iframe, then set element's pending resource-timing start time to the current high resolution time given element's node document's relevant global object.

  4. Navigate element's content navigable to url using element's node document, with historyHandling set to historyHandling, referrerPolicy set to referrerPolicy, and documentResource set to srcdocString.

Each Document has an iframe load in progress flag and a mute iframe load flag. When a Document is created, these flags must be unset for that Document.

To run the iframe load event steps, given an iframe element element:

  1. Assert: element's content navigable is not null.

  2. Let childDocument be element's content navigable's active document.

  3. If childDocument has its mute iframe load flag set, then return.

  4. If element's pending resource-timing start time is not null, then:

    1. Let global be element's node document's relevant global object.

    2. Let fallbackTimingInfo be a new fetch timing info whose start time is element's pending resource-timing start time and whose response end time is the current high resolution time given global.

    3. Mark resource timing given fallbackTimingInfo, url, "iframe", global, the empty string, a new response body info, and 0.

    4. Set element's pending resource-timing start time to null.

  5. Set childDocument's iframe load in progress flag.

  6. Fire an event named load at element.

  7. Unset childDocument's iframe load in progress flag.

This, in conjunction with scripting, can be used to probe the URL space of the local network's HTTP servers. User agents may implement cross-origin access control policies that are stricter than those described above to mitigate this attack, but unfortunately such policies are typically not compatible with existing web content.

If an element type potentially delays the load event, then for each element element of that type, the user agent must delay the load event of element's node document if element's content navigable is non-null and any of the following are true:

If, during the handling of the load event, element's content navigable is again navigated, that will further delay the load event.

Each iframe element has an associated current navigation was lazy loaded boolean, initially false. It is set and unset in the process the iframe attributes algorithm.

An iframe element whose current navigation was lazy loaded boolean is false potentially delays the load event.

Each iframe element has an associated null or DOMHighResTimeStamp pending resource-timing start time, initially set to null.

If, when the element is created, the srcdoc attribute is not set, and the src attribute is either also not set or set but its value cannot be parsed, the element's content navigable will remain at the initial about:blank Document.

If the user navigates away from this page, the iframe's content navigable's active WindowProxy object will proxy new Window objects for new Document objects, but the src attribute will not change.


The name attribute, if present, must be a valid navigable target name. The given value is used to name the element's content navigable if present when that is created.


The sandbox attribute, when specified, enables a set of extra restrictions on any content hosted by the iframe. Its value must be an unordered set of unique space-separated tokens that are ASCII case-insensitive. The allowed values are:

When the attribute is set, the content is treated as being from a unique opaque origin, forms, scripts, and various potentially annoying APIs are disabled, and links are prevented from targeting other navigables. The allow-same-origin keyword causes the content to be treated as being from its real origin instead of forcing it into an opaque origin; the allow-top-navigation keyword allows the content to navigate its traversable navigable; the allow-top-navigation-by-user-activation keyword behaves similarly but allows such navigation only when the browsing context's active window has transient activation; the allow-top-navigation-to-custom-protocols keyword re-enables navigations toward non-fetch schemes to be handed off to external software; and the allow-forms, allow-modals, allow-orientation-lock, allow-pointer-lock, allow-popups, allow-presentation, allow-scripts, and allow-popups-to-escape-sandbox keywords re-enable forms, modal dialogs, screen orientation lock, the pointer lock API, popups, the presentation API, scripts, and the creation of unsandboxed auxiliary browsing contexts respectively. The allow-downloads keyword allows content to perform downloads. [POINTERLOCK] [SCREENORIENTATION] [PRESENTATION]

The allow-top-navigation and allow-top-navigation-by-user-activation keywords must not both be specified, as doing so is redundant; only allow-top-navigation will have an effect in such non-conformant markup.

Similarly, the allow-top-navigation-to-custom-protocols keyword must not be specified if either allow-top-navigation or allow-popups are specified, as doing so is redundant.

To allow alert(), confirm(), and prompt() inside sandboxed content, both the allow-modals and allow-same-origin keywords need to be specified, and the loaded URL needs to be same origin with the top-level origin. Without the allow-same-origin keyword, the content is always treated as cross-origin, and cross-origin content cannot show simple dialogs.

Setting both the allow-scripts and allow-same-origin keywords together when the embedded page has the same origin as the page containing the iframe allows the embedded page to simply remove the sandbox attribute and then reload itself, effectively breaking out of the sandbox altogether.

These flags only take effect when the content navigable of the iframe element is navigated. Removing them, or removing the entire sandbox attribute, has no effect on an already-loaded page.

Potentially hostile files should not be served from the same server as the file containing the iframe element. Sandboxing hostile content is of minimal help if an attacker can convince the user to just visit the hostile content directly, rather than in the iframe. To limit the damage that can be caused by hostile HTML content, it should be served from a separate dedicated domain. Using a different domain ensures that scripts in the files are unable to attack the site, even if the user is tricked into visiting those pages directly, without the protection of the sandbox attribute.
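
The authoring rules and warnings above can be applied as a review-time check on sandbox attribute values. The following is an added example, not part of the standard: the function names, finding codes and the embeddedIsSameOrigin option are hypothetical, and the keyword list is taken from the keywords named in the prose above.

```javascript
// Added example, not part of the HTML Standard. Function names, finding codes
// and the embeddedIsSameOrigin option are hypothetical.

// Keywords named in the prose above.
const SANDBOX_KEYWORDS = new Set([
  "allow-downloads", "allow-forms", "allow-modals", "allow-orientation-lock",
  "allow-pointer-lock", "allow-popups", "allow-popups-to-escape-sandbox",
  "allow-presentation", "allow-same-origin", "allow-scripts",
  "allow-top-navigation", "allow-top-navigation-by-user-activation",
  "allow-top-navigation-to-custom-protocols",
]);

// Split on ASCII whitespace and ASCII-lowercase each token, since the keywords
// are ASCII case-insensitive.
function parseSandboxTokens(value) {
  return value
    .split(/[\t\n\f\r ]+/)
    .filter((t) => t !== "")
    .map((t) => t.replace(/[A-Z]/g, (c) => c.toLowerCase()));
}

// Returns a list of { code, message } findings for one attribute value.
// embeddedIsSameOrigin: whether the embedded page shares the embedder's origin.
function lintSandbox(value, { embeddedIsSameOrigin = false } = {}) {
  const tokens = parseSandboxTokens(value);
  const set = new Set(tokens);
  const findings = [];
  const report = (code, message) => findings.push({ code, message });

  if (set.size !== tokens.length) {
    report("duplicate-token", "tokens must be unique");
  }
  for (const t of set) {
    if (!SANDBOX_KEYWORDS.has(t)) {
      report("unknown-token", '"' + t + '" is not a sandbox keyword');
    }
  }
  if (set.has("allow-top-navigation") &&
      set.has("allow-top-navigation-by-user-activation")) {
    report("redundant-top-navigation",
      "only allow-top-navigation has an effect when both are present");
  }
  if (set.has("allow-top-navigation-to-custom-protocols") &&
      (set.has("allow-top-navigation") || set.has("allow-popups"))) {
    report("redundant-custom-protocols",
      "redundant next to allow-top-navigation or allow-popups");
  }
  if (set.has("allow-modals") && !set.has("allow-same-origin")) {
    report("modals-need-same-origin",
      "alert(), confirm() and prompt() also need allow-same-origin");
  }
  if (set.has("allow-scripts") && set.has("allow-same-origin") &&
      embeddedIsSameOrigin) {
    report("sandbox-escape",
      "a same-origin page can remove the sandbox attribute and reload itself");
  }
  return findings;
}

// Convenience wrapper returning only the finding codes.
function lintCodes(value, options) {
  return lintSandbox(value, options).map((f) => f.code);
}

// Constructed inputs: an empty attribute, a script-capable same-origin embed,
// and a value with both top-navigation keywords.
console.log(lintCodes(""));
console.log(lintCodes("allow-same-origin allow-forms allow-scripts",
  { embeddedIsSameOrigin: true }));
console.log(lintCodes("allow-top-navigation allow-top-navigation-by-user-activation"));
```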

When an iframe element's sandbox attribute is set or changed while it has a non-null content navigable, the user agent must parse the sandboxing directive given the attribute's value and the iframe element's iframe sandboxing flag set.

When an iframe element's sandbox attribute is removed while it has a non-null content navigable, the user agent must empty the iframe element's iframe sandboxing flag set.

In this example, some completely-unknown, potentially hostile, user-provided HTML content is embedded in a page. Because it is served from a separate domain, it is affected by all the normal cross-site restrictions. In addition, the embedded page has scripting disabled, plugins disabled, forms disabled, and it cannot navigate any frames or windows other than itself (or any frames or windows it itself embeds).

<p>We're not scared of you! Here is your content, unedited:</p>
<iframe sandbox src="https://usercontent.example.net/getusercontent.cgi?id=12193"></iframe>

It is important to use a separate domain so that if the attacker convinces the user to visit that page directly, the page doesn't run in the context of the site's origin, which would make the user vulnerable to any attack found in the page.

In this example, a gadget from another site is embedded. The gadget has scripting and forms enabled, and the origin sandbox restrictions are lifted, allowing the gadget to communicate with its originating server. The sandbox is still useful, however, as it disables plugins and popups, thus reducing the risk of the user being exposed to malware and other annoyances.

<iframe sandbox="allow-same-origin allow-forms allow-scripts"
        src="https://maps.example.com/embedded.html"></iframe>

Suppose a file A contained the following fragment:

<iframe sandbox="allow-same-origin allow-forms" src=B></iframe>

Suppose that file B contained an iframe also:

<iframe sandbox="allow-scripts" src=C></iframe>

Further, suppose that file C contained a link:

<a href=D>Link</a>

For this example, suppose all the files were served as text/html.

Page C in this scenario has all the sandboxing flags set. Scripts are disabled, because the iframe in A has scripts disabled, and this overrides the allow-scripts keyword set on the iframe in B. Forms are also disabled, because the inner iframe (in B) does not have the allow-forms keyword set.

Suppose now that a script in A removes all the sandbox attributes in A and B. This would change nothing immediately. If the user clicked the link in C, loading page D into the iframe in B, page D would now act as if the iframe in B had the allow-same-origin and allow-forms keywords set, because that was the state of the content navigable in the iframe in A when page B was loaded.

Generally speaking, dynamically removing or changing the sandbox attribute is ill-advised, because it can make it quite hard to reason about what will be allowed and what will not.
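
The A/B/C/D scenario above can be traced with a small model in which a document's permitted keywords are fixed when it is loaded. The following is an added example, not part of the standard: Doc, Frame, navigate and runScenario are hypothetical names, and the model tracks only which sandbox keywords remain in force.

```javascript
// Added example, not part of the HTML Standard. Doc, Frame, navigate and
// runScenario are hypothetical names for a simplified model.

// A loaded document. `allowed` is null for an unsandboxed document, otherwise
// the set of sandbox keywords still permitted for it.
class Doc {
  constructor(name, allowed) {
    this.name = name;
    this.allowed = allowed;
  }
}

// An iframe element. `sandbox` is the attribute value, or null when absent.
class Frame {
  constructor(sandbox) {
    this.sandbox = sandbox;
    this.doc = null;
  }
}

function keywords(value) {
  if (value === null) return null;
  return new Set(value.split(/[\t\n\f\r ]+/).filter(Boolean));
}

// A keyword survives only if every enclosing level permits it.
function intersect(a, b) {
  if (a === null) return b;
  if (b === null) return a;
  return new Set([...a].filter((k) => b.has(k)));
}

// Flags are fixed at navigation time: the embedding document's own flags
// combined with the iframe's sandbox attribute as it is at that moment.
function navigate(parentDoc, frame, name) {
  frame.doc = new Doc(name, intersect(parentDoc.allowed, keywords(frame.sandbox)));
  return frame.doc;
}

function describe(doc) {
  return doc.allowed === null ? "unsandboxed" : [...doc.allowed].sort();
}

function runScenario() {
  const a = new Doc("A", null);
  const frameInA = new Frame("allow-same-origin allow-forms");
  const b = navigate(a, frameInA, "B");
  const frameInB = new Frame("allow-scripts");
  const c = navigate(b, frameInB, "C");
  const result = { b: describe(b), c: describe(c) };

  // A script in A removes both sandbox attributes. Loaded pages keep the
  // flags they were navigated with, so nothing changes yet.
  frameInA.sandbox = null;
  frameInB.sandbox = null;
  result.bAfterRemoval = describe(b);
  result.cAfterRemoval = describe(c);

  // The link in C loads D into the iframe in B. B's own flags still apply;
  // the iframe in B no longer adds any.
  result.d = describe(navigate(b, frameInB, "D"));
  return result;
}

console.log(runScenario());
```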


The allow attribute, when specified, determines the container policy that will be used when the permissions policy for a Document in the iframe's content navigable is initialized. Its value must be a serialized permissions policy. [PERMISSIONSPOLICY]

In this example, an iframe is used to embed a map from an online navigation service. The allow attribute is used to enable the Geolocation API within the nested context.

<iframe src="https://maps.example.com/" allow="geolocation"></iframe>

The allowfullscreen attribute is a boolean attribute. When specified, it indicates that Document objects in the iframe element's content navigable will be initialized with a permissions policy which allows the "fullscreen" feature to be used from any origin. This is enforced by the process permissions policy attributes algorithm. [PERMISSIONSPOLICY]

Here, an iframe is used to embed a player from a video site. The allowfullscreen attribute is needed to enable the player to show its video fullscreen.

<article>
 <header>
  <p><img src="/usericons/1627591962735"> <b>Fred Flintstone</b></p>
  <p><a href="/posts/3095182851" rel=bookmark>12:44</a> <a href="#acl-3095182851">Private Post</a></p>
 </header>
 <p>Check out my new ride!</p>
 <iframe src="https://video.example.com/embed?id=92469812" allowfullscreen></iframe>
</article>

Neither allow nor allowfullscreen can grant access to a feature in an iframe element's content navigable if the element's node document is not already allowed to use that feature.

To determine whether a Document object document is allowed to use the policy-controlled-feature feature, run these steps:

  1. If document's browsing context is null, then return false.

  2. If document is not fully active, then return false.

  3. If the result of running is feature enabled in document for origin on feature, document, and document's origin is "Enabled", then return true.

  4. Return false.

Because they only influence the permissions policy of the content navigable's active document, the allow and allowfullscreen attributes only take effect when the content navigable of the iframe is navigated. Adding or removing them has no effect on an already-loaded document.


The iframe element supports dimension attributes for cases where the embedded content has specific dimensions (e.g. ad units have well-defined dimensions).

An iframe element never has fallback content, as it will always create a new child navigable, regardless of whether the specified initial contents are successfully used.


The referrerpolicy attribute is a referrer policy attribute. Its purpose is to set the referrer policy used when processing the iframe attributes. [REFERRERPOLICY]

The loading attribute is a lazy loading attribute. Its purpose is to indicate the policy for loading iframe elements that are outside the viewport.

When the loading attribute's state is changed to the Eager state, the user agent must run these steps:

  1. Let resumptionSteps be the iframe element's lazy load resumption steps.

  2. If resumptionSteps is null, then return.

  3. Set the iframe's lazy load resumption steps to null.

  4. Invoke resumptionSteps.


Descendants of iframe elements represent nothing. (In legacy user agents that do not support iframe elements, the contents would be parsed as markup that could act as fallback content.)

The HTML parser treats markup inside iframe elements as text.


The IDL attributes src, name, sandbox, and allow must reflect the respective content attributes of the same name.

The srcdoc getter steps are:

  1. Let attribute be the result of running get an attribute by namespace and local name given null, srcdoc's local name, and this.

  2. If attribute is null, then return the empty string.

  3. Return attribute's value.

The srcdoc setter steps are:

  1. Let compliantString be the result of invoking the Get Trusted Type compliant string algorithm with TrustedHTML, this's relevant global object, the given value, "HTMLIFrameElement srcdoc", and "script".

  2. Set an attribute value given this, srcdoc's local name, and compliantString.

The supported tokens for sandbox's DOMTokenList are the allowed values defined in the sandbox attribute and supported by the user agent.

The allowFullscreen IDL attribute must reflect the allowfullscreen content attribute.

The referrerPolicy IDL attribute must reflect the referrerpolicy content attribute, limited to only known values.

The loading IDL attribute must reflect the loading content attribute, limited to only known values.

The contentDocument getter steps are to return this's content document.

The contentWindow getter steps are to return this's content window.

Here is an example of a page using an iframe to include advertising from an advertising broker:

<iframe src="https://ads.example.com/?customerid=923513721&amp;format=banner"
        width="468" height="60"></iframe>

4.8.6 The embed element

Categories:
  Flow content.
  Phrasing content.
  Embedded content.
  Interactive content.
  Palpable content.
Contexts in which this element can be used:
  Where embedded content is expected.
Content model:
  Nothing.
Tag omission in text/html:
  No end tag.
Content attributes:
  Global attributes
  src — Address of the resource
  type — Type of embedded resource
  width — Horizontal dimension
  height — Vertical dimension
  Any other attribute that has no namespace (see prose).
Accessibility considerations:
  For authors.
  For implementers.
DOM interface:
  [Exposed=Window]
  interface HTMLEmbedElement : HTMLElement {
    [HTMLConstructor] constructor();

    [CEReactions] attribute USVString src;
    [CEReactions] attribute DOMString type;
    [CEReactions] attribute DOMString width;
    [CEReactions] attribute DOMString height;
    Document? getSVGDocument();

    // also has obsolete members
  };

The embed element provides an integration point for an external application or interactive content.

The src attribute gives the URL of the resource being embedded. The attribute, if present, must contain a valid non-empty URL potentially surrounded by spaces.

If the itemprop attribute is specified on an embed element, then the src attribute must also be specified.

The type attribute, if present, gives the MIME type by which the plugin to instantiate is selected. The value must be a valid MIME type string. If both the type attribute and the src attribute are present, then the type attribute must specify the same type as the explicit Content-Type metadata of the resource given by the src attribute.

While any of the following conditions are occurring, any plugin instantiated for the element must be removed, and the embed element represents nothing:

An embed element is said to be potentially active when the following conditions are all met simultaneously:

Whenever an embed element that was not potentially active becomes potentially active, and whenever a potentially active embed element that is remaining potentially active and has its src attribute set, changed, or removed or its type attribute set, changed, or removed, the user agent must queue an element task on the embed task source given the element to run the embed element setup steps for that element.

The embed element setup steps for a given embed element element are as follows:

  1. If another task has since been queued to run the embed element setup steps for element, then return.

  2. If element has a src attribute set, then:

    1. Let url be the result of encoding-parsing a URL given element's src attribute's value, relative to element's node document.

    2. If url is failure, then return.

    3. Let request be a new request whose URL is url, client is element's node document's relevant settings object, destination is "embed", credentials mode is "include", mode is "navigate", initiator type is "embed", and whose use-URL-credentials flag is set.

    4. Fetch request, with processResponse set to the following steps given response response:

      1. If another task has since been queued to run the embed element setup steps for element, then return.

      2. If response is a network error, then fire an event named load at element, and return.

      3. Let type be the result of determining the type of content given element and response.

      4. Switch on type:

        null
          1. Display no plugin for element.

        Otherwise
          1. If element's content navigable is null, then create a new child navigable for element.

          2. Navigate element's content navigable to response's URL using element's node document, with response set to response, and historyHandling set to "replace".

            element's src attribute does not get updated if the content navigable gets further navigated to other locations.

          3. element now represents its content navigable.

      Fetching the resource must delay the load event of element's node document.

  3. Otherwise, display no plugin for element.

To determine the type of the content given an embed element element and a response response, run the following steps:

  1. If element has a type attribute, and that attribute's value is a type that a plugin supports, then return the value of the type attribute.

  2. If the path component of response's url matches a pattern that a plugin supports, then return the type that that plugin can handle.

    For example, a plugin might say that it can handle URLs with path components that end with the four character string ".swf".

  3. If response has explicit Content-Type metadata, and that value is a type that a plugin supports, then return that value.

  4. Return null.

It is intentional that the above algorithm allows response to have a non-ok status. This allows servers to return data for plugins even with error responses (e.g., HTTP 500 Internal Server Error codes can still contain plugin data).

To display no plugin for an embed element element:

  1. Destroy a child navigable given element.

  2. Display an indication that no plugin could be found for element, as the contents of element.

  3. element now represents nothing.

The embed element has no fallback content; its descendants are ignored.

Whenever an embed element that was potentially active stops being potentially active, any plugin that had been instantiated for that element must be unloaded.

The embed element potentially delays the load event.

The embed element supports dimension attributes.

The IDL attributes src and type each must reflect the respective content attributes of the same name.

4.8.7 The object element

Categories:
Flow content.
Phrasing content.
Embedded content.
Listed form-associated element.
Palpable content.
Contexts in which this element can be used:
Where embedded content is expected.
Content model:
Transparent.
Tag omission in text/html:
Neither tag is omissible.
Content attributes:
Global attributes
data — Address of the resource
type — Type of embedded resource
name — Name of content navigable
form — Associates the element with a form element
width — Horizontal dimension
height — Vertical dimension
Accessibility considerations:
For authors.
For implementers.
DOM interface:
[Exposed=Window]
interface HTMLObjectElement : HTMLElement {
  [HTMLConstructor] constructor();

  [CEReactions] attribute USVString data;
  [CEReactions] attribute DOMString type;
  [CEReactions] attribute DOMString name;
  readonly attribute HTMLFormElement? form;
  [CEReactions] attribute DOMString width;
  [CEReactions] attribute DOMString height;
  readonly attribute Document? contentDocument;
  readonly attribute WindowProxy? contentWindow;
  Document? getSVGDocument();

  readonly attribute boolean willValidate;
  readonly attribute ValidityState validity;
  readonly attribute DOMString validationMessage;
  boolean checkValidity();
  boolean reportValidity();
  undefined setCustomValidity(DOMString error);

  // also has obsolete members
};

Depending on the type of content instantiated by the object element, the node also supports other interfaces.

The object element can represent an external resource, which, depending on the type of the resource, will either be treated as an image or as a child navigable.

The data attribute specifies the URL of the resource. It must be present, and must contain a valid non-empty URL potentially surrounded by spaces.

The type attribute, if present, specifies the type of the resource. If present, the attribute must be a valid MIME type string.

The name attribute, if present, must be a valid navigable target name. The given value is used to name the element's content navigable, if applicable, and if present when the element's content navigable is created.

Whenever one of the following conditions occur:

...the user agent must queue an element task on the DOM manipulation task source given the object element to run the following steps to (re)determine what the object element represents. This task being queued or actively running must delay the load event of the element's node document.

  1. If the user has indicated a preference that this object element's fallback content be shown instead of the element's usual behavior, then jump to the step below labeled fallback.

    For example, a user could ask for the element's fallback content to be shown because that content uses a format that the user finds more accessible.

  2. If the element has an ancestor media element, or has an ancestor object element that is not showing its fallback content, or if the element is not in a document whose browsing context is non-null, or if the element's node document is not fully active, or if the element is still in the stack of open elements of an HTML parser or XML parser, or if the element is not being rendered, then jump to the step below labeled fallback.

  3. If the data attribute is present and its value is not the empty string, then:

    1. If the type attribute is present and its value is not a type that the user agent supports, then the user agent may jump to the step below labeled fallback without fetching the content to examine its real type.

    2. Let url be the result of encoding-parsing a URL given the data attribute's value, relative to the element's node document.

    3. If url is failure, then fire an event named error at the element and jump to the step below labeled fallback.

    4. Let request be a new request whose URL is url, client is the element's node document's relevant settings object, destination is "object", credentials mode is "include", mode is "navigate", initiator type is "object", and whose use-URL-credentials flag is set.

    5. Fetch request.

      Fetching the resource must delay the load event of the element's node document until the task that is queued by the networking task source once the resource has been fetched (defined next) has been run.

    6. If the resource is not yet available (e.g. because the resource was not available in the cache, so that loading the resource required making a request over the network), then jump to the step below labeled fallback. The task that is queued by the networking task source once the resource is available must restart this algorithm from this step. Resources can load incrementally; user agents may opt to consider a resource "available" whenever enough data has been obtained to begin processing the resource.

    7. If the load failed (e.g. there was an HTTP 404 error, there was a DNS error), fire an event named error at the element, then jump to the step below labeled fallback.

    8. Determine the resource type, as follows:

      1. Let the resource type be unknown.

      2. If the user agent is configured to strictly obey Content-Type headers for this resource, and the resource has associated Content-Type metadata, then let the resource type be the type specified in the resource's Content-Type metadata, and jump to the step below labeled handler.

        This can introduce a vulnerability, wherein a site is trying to embed a resource that uses a particular type, but the remote site overrides that and instead furnishes the user agent with a resource that triggers a different type of content with different security characteristics.

      3. Run the appropriate set of steps from the following list:

        If the resource has associated Content-Type metadata
        1. Let binary be false.

        2. If the type specified in the resource's Content-Type metadata is "text/plain", and the result of applying the rules for distinguishing if a resource is text or binary to the resource is that the resource is not text/plain, then set binary to true.

        3. If the type specified in the resource's Content-Type metadata is "application/octet-stream", then set binary to true.

        4. If binary is false, then let the resource type be the type specified in the resource's Content-Type metadata, and jump to the step below labeled handler.

        5. If there is a type attribute present on the object element, and its value is not application/octet-stream, then run the following steps:

          1. If the attribute's value is a type that starts with "image/" that is not also an XML MIME type, then let the resource type be the type specified in that type attribute.

          2. Jump to the step below labeled handler.

        Otherwise, if the resource does not have associated Content-Type metadata
        1. If there is a type attribute present on the object element, then let the tentative type be the type specified in that type attribute.

          Otherwise, let tentative type be the computed type of the resource.

        2. If tentative type is not application/octet-stream, then let resource type be tentative type and jump to the step below labeled handler.

      4. If applying the URL parser algorithm to the URL of the specified resource (after any redirects) results in a URL record whose path component matches a pattern that a plugin supports, then let resource type be the type that that plugin can handle.

        For example, a plugin might say that it can handle resources with path components that end with the four character string ".swf".

      It is possible for this step to finish, or for one of the substeps above to jump straight to the next step, with resource type still being unknown. In both cases, the next step will trigger fallback.

    9. Handler: Handle the content as given by the first of the following cases that matches:

      If the resource type is an XML MIME type, or if the resource type does not start with "image/"

      If the object element's content navigable is null, then create a new child navigable for the element.

      Let response be the response from fetch.

      If response's URL does not match about:blank, then navigate the element's content navigable to response's URL using the element's node document, with historyHandling set to "replace".

      The data attribute of the object element doesn't get updated if the content navigable gets further navigated to other locations.

      The object element represents its content navigable.

      If the resource type starts with "image/", and support for images has not been disabled

      Destroy a child navigable given the object element.

      Apply the image sniffing rules to determine the type of the image.

      The object element represents the specified image.

      If the image cannot be rendered, e.g. because it is malformed or in an unsupported format, jump to the step below labeled fallback.

      Otherwise

      The given resource type is not supported. Jump to the step below labeled fallback.

      If the previous step ended with the resource type being unknown, this is the case that is triggered.

    10. The element's contents are not part of what the object element represents.

    11. If the object element does not represent its content navigable, then once the resource is completely loaded, queue an element task on the DOM manipulation task source given the object element to fire an event named load at the element.

      If the element does represent its content navigable, then an analogous task will be queued when the created Document is completely finished loading.

    12. Return.

  4. Fallback: The object element represents the element's children. This is the element's fallback content. Destroy a child navigable given the element.

Due to the algorithm above, the contents of object elements act as fallback content, used only when referenced resources can't be shown (e.g. because it returned a 404 error). This allows multiple object elements to be nested inside each other, targeting multiple user agents with different capabilities, with the user agent picking the first one it supports.
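The resource type determination (step 8) and handler choice (step 9) of the algorithm above, written out as an added JavaScript example that is not part of the specification text. The function names, the fields of the input object (`contentType`, `typeAttr`, `looksBinary`, `computedType`, `pluginType`, `strict`) and the sample responses are assumptions made for illustration, and MIME types are reduced to their lower-cased essence.

```javascript
// Added illustration of step 8 (determine the resource type) and step 9
// (handler). All function and field names are hypothetical, not spec APIs.
const essence = (t) => (t == null ? null : t.split(";")[0].trim().toLowerCase());
const isXml = (t) => t === "text/xml" || t === "application/xml" || t.endsWith("+xml");

// r: { contentType, typeAttr, looksBinary, computedType, pluginType, strict }
function resourceType(r) {
  const ct = essence(r.contentType);
  const attr = essence(r.typeAttr);
  if (r.strict && ct) return ct; // 8.2: strictly obey Content-Type
  if (ct) {
    // 8.3 with Content-Type: the type attribute is consulted only when the
    // header is application/octet-stream or text/plain that sniffs as binary.
    const binary = ct === "application/octet-stream" || (ct === "text/plain" && r.looksBinary);
    if (!binary) return ct;
    if (attr && attr !== "application/octet-stream") {
      // Only non-XML image types are accepted; anything else stays unknown.
      return attr.startsWith("image/") && !isXml(attr) ? attr : null;
    }
  } else {
    // 8.3 without Content-Type: type attribute first, else the computed type.
    const tentative = attr ?? essence(r.computedType);
    if (tentative && tentative !== "application/octet-stream") return tentative;
  }
  return r.pluginType ?? null; // 8.4: plugin URL pattern, else unknown (null)
}

function handler(type) { // step 9
  if (type === null) return "fallback"; // unknown resource type
  if (isXml(type) || !type.startsWith("image/")) return "child navigable";
  return "image"; // assumes image support is enabled and the image renders
}

// Constructed inputs: the server's header next to the author's type attribute.
const samples = [
  { contentType: "text/html; charset=utf-8", typeAttr: "image/png" },
  { contentType: "application/octet-stream", typeAttr: "image/png" },
  { contentType: "application/octet-stream", typeAttr: "text/html" },
  { contentType: null, typeAttr: "image/svg+xml" },
];
const outcomes = samples.map((s) => [s.contentType, s.typeAttr, handler(resourceType(s))]);
console.table(outcomes);
```

The first sample is the one to keep in mind when embedding a resource from another site: a `type="image/png"` attribute does not prevent a `text/html` response from being loaded as a child navigable.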

The object element potentially delays the load event.

The form attribute is used to explicitly associate the object element with its form owner.

The object element supports dimension attributes.


The IDL attributes data, type, and name each must reflect the respective content attributes of the same name.


The contentDocument getter steps are to return this's content document.


The contentWindow getter steps are to return this's content window.

The willValidate, validity, and validationMessage attributes, and the checkValidity(), reportValidity(), and setCustomValidity() methods, are part of the constraint validation API. The form IDL attribute is part of the element's forms API.

In this example, an HTML page is embedded in another using the object element.

<figure>
<object data="clock.html"></object>
<figcaption>My HTML Clock</figcaption>
</figure>