diff --git a/index.html b/index.html index fd998f3..9872a71 100755 --- a/index.html +++ b/index.html @@ -3047,7 +3047,37 @@
- The security considerations of [[ttml2]] apply. + The security considerations of [[ttml2]] apply, + since DAPT is a profile of [[ttml2]]; + every conformant DAPT document is a TTML document instance. +
+ +Notwithstanding the XML-related considerations of [[ttml2]],
+ DAPT documents are required by the mandatory
+ #serialization
+ extension feature to avoid
+ declaring or referencing a Document Type Declaration and to avoid using
+ the [[xml]] entity expansion mechanism.
+ Therefore implementations can protect against
+ potential denial of service attacks or external content
+ injection associated with those features of XML by not
+ supporting them when parsing DAPT documents.
+
DAPT documents permit referencing of external audio resources, + also described as "subresources". + One potential threat associated with such references is that + the origin might return a different audio resource to the one + intended at authoring time. No scheme is currently provided for + verifying the integrity of such subresources. + Content providers that cannot ensure that the + appropriate audio resources are served, for example if some + part of the chain is outside their control, + can consider adding subresource integrity metadata, + for example an attribute including a hash of the + intended subresource, and implementing a client-side + check to use this to verify that the received subresource + is the intended one.
@@ -4193,8 +4223,12 @@A transformation processor or a presentation processor supports
the #serialization extension if
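Review bot: in the first hunk, the entity-expansion paragraph states that implementations "can protect against potential denial of service attacks or external content injection ... by not supporting them when parsing DAPT documents", but the constraint it rests on ("DAPT documents are required by the mandatory #serialization extension feature to avoid declaring or referencing a Document Type Declaration and to avoid using the [[xml]] entity expansion mechanism") is a requirement on documents, not on processors, so a processor built on a general-purpose XML parser with DTD processing left enabled gains nothing from it when handed a non-conformant document. Suggest making the processor-side expectation explicit, e.g. "implementations should reject DAPT documents that declare or reference a Document Type Declaration or that use entity expansion, and should not enable those XML features when parsing DAPT documents", so the note is actionable rather than permissive. In the subresource paragraph, "No scheme is currently provided for verifying the integrity of such subresources" is immediately followed by advice to add "an attribute including a hash of the intended subresource" without saying what the hash covers or what a client does on mismatch; consider stating that the hash is computed over the bytes actually received and that a failed check causes the subresource to be discarded rather than used, since the text currently only describes the check as confirming "that the received subresource is the intended one".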