EPUB Reading Systems 3.3

W3C Candidate Recommendation Draft

More details about this document
This version:
https://www.w3.org/TR/2022/CRD-epub-rs-33-20221124/
Latest published version:
https://www.w3.org/TR/epub-rs-33/
Latest editor's draft:
https://w3c.github.io/epub-specs/epub33/rs/
History:
https://www.w3.org/standards/history/epub-rs-33
Commit history
Test suite:
https://w3c.github.io/epub-tests/index.html
Implementation report:
https://w3c.github.io/epub-specs/epub33/reports/
Editors:
Matt Garrish (DAISY Consortium)
Ivan Herman (W3C)
Dave Cramer (Invited Expert)
Feedback:
GitHub w3c/epub-specs (pull requests, new issue, open issues)
public-epub-wg@w3.org with subject line [epub-rs-33] … message topic … (archives)

Abstract

EPUB® 3 defines a distribution and interchange format for digital publications and documents. The EPUB format provides a means of representing, packaging, and encoding structured and semantically enhanced web content — including HTML, CSS, SVG and other resources — for distribution in a single-file container.

This specification defines the conformance requirements for EPUB 3 reading systems — the user agents that render EPUB publications.

Status of This Document

This section describes the status of this document at the time of its publication. A list of current W3C publications and the latest revision of this technical report can be found in the W3C technical reports index at https://www.w3.org/TR/.

This document was published by the EPUB 3 Working Group as a Candidate Recommendation Draft using the Recommendation track.

Publication as a Candidate Recommendation does not imply endorsement by W3C and its Members. A Candidate Recommendation Draft integrates changes from the previous Candidate Recommendation that the Working Group intends to include in a subsequent Candidate Recommendation Snapshot.

This is a draft document and may be updated, replaced or obsoleted by other documents at any time. It is inappropriate to cite this document as other than work in progress.

This document was produced by a group operating under the W3C Patent Policy. W3C maintains a public list of any patent disclosures made in connection with the deliverables of the group; that page also includes instructions for disclosing a patent. An individual who has actual knowledge of a patent which the individual believes contains Essential Claim(s) must disclose the information in accordance with section 6 of the W3C Patent Policy.

This document is governed by the 2 November 2021 W3C Process Document.

1. Introduction

1.1 Overview

This section is non-normative.

The EPUB 3 standard is separated into two distinct concerns: the authoring of EPUB publications is defined in the core specification [epub-33], while this specification details the rendering requirements for them in EPUB reading system.

An EPUB reading system can take many forms. It might have a visual display area for rendering the content to users, for example, or it might only provide audio playback of the content. Therefore, there is no single set of rules that applies to all reading systems. Rather, this specification breaks down the rendering requirements based on a reading system's capabilities and the features it supports.

Moreover, this specification allows for a great deal of flexibility for developers to create unique user interfaces, and requirements for things like metadata processing are intentionally minimal to allow for such flexibility.

So, although this specification identifies the formal requirements for reading systems, it is not possible to understand this document in isolation. Developers should also familiarize themselves with the full content structure of an EPUB publication in order to understand the complete range of information that is available.

Note

A conforming reading system is not necessarily a single dedicated program or device but might exist as a distributed system.

1.2 Terminology

This specification uses terminology defined in EPUB 3.3 [epub-33].

It also defines the following term:

content display area

The area within the viewport dedicated to the display of EPUB content documents. The content display area excludes any borders, margins, headers, footers, or other decoration a EPUB reading system might inject into the viewport.

In the case of synthetic spreads, the viewport contains two content display areas.

Note

Only the first instance of a term in a section links to its definition.

1.3 Conformance

As well as sections marked as non-normative, all authoring guidelines, diagrams, examples, and notes in this specification are non-normative. Everything else in this specification is normative.

The key words MAY, MUST, MUST NOT, OPTIONAL, RECOMMENDED, SHOULD, and SHOULD NOT in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

All algorithm explanations are non-normative.

1.4 Relationship to other specifications

This section is non-normative.

1.4.1 Relationship to HTML

The [html] standard is continuously evolving — there are no longer versioned releases of it. That standard, in turn, references various technologies that continue to evolve, such as MathML, SVG, CSS, and JavaScript.

Reading system developers must keep track of the changes to HTML, and the technologies it references, to ensure they keep their systems up to date.

This specification does not require EPUB reading systems to support scripting, HTML forms or the HTML DOM. Reading systems conformant with this specification are only expected to be able to process a conforming EPUB content document. As support for scripting and HTML forms is not compulsory, a conformant reading system might not be a fully conformant HTML user agent.

1.4.2 Relationship to SVG

This specification does not reference a specific version of [svg], but instead uses an undated reference. Whenever there is any ambiguity in this reference, the latest recommended specification is the authoritative reference.

This approach ensures that EPUB will always keep pace with changes to the SVG standard. Reading system developers must keep track of changes to the SVG standard to ensure that they keep their systems up to date.

2. Reading system conformance

2.1 Requirements

Whether a reading system has to support a feature is mentioned at the beginning of its section. To be conformant with this specification, reading systems MUST support all required features as well as all applicable conditionally-required features (e.g., to support image rendering if the reading system has a viewport) as defined in their respective sections.

Note

As a reading system is not necessarily a single application, but may exist as a distributed system, it is not always the case that reading system requirements will be met in the application that renders EPUB publications to users. An example is a reading system that solely interacts with a controlled content repository (e.g., a bookstore or library system). In this case, if a reading system developer can demonstrate that requirements are not applicable to the application (e.g., EPUB publications with duplicate itemref entries [epub-33] cannot enter the system), the reading system as a whole is still considered conforming.

When supporting recommended and optional features, reading systems MUST meet all normative requirements as defined in their respective sections.

When supporting recommended and optional features, reading systems MUST meet all normative requirements as defined in their respective sections.

When reading system developers opt not to support a recommended or optional feature, it does not always mean none of the normative requirements of the section apply. In some cases, there may be alternative requirements when not implementing a feature (e.g., to process fallbacks when scripting is not supported). Reading systems MUST meet these alternative requirements when not supporting a feature.

Note

EPUB publications frequently contain information not required by this specification (e.g., package document metadata). Reading systems may use this additional information for any purposes (e.g., to improve the user interface).

2.2 Error handling

Reading systems are not required to load EPUB publications, or resources within them, when they violate content authoring or processing requirements.

2.3 Error reporting

This section is non-normative.

Although reading systems are not required to report errors encountered while processing and rendering EPUB publications (e.g., if the dimensions of a fixed-layout document have been inferred), they are strongly encouraged to provide a means of accessing this information. A comparable example are the developer tools that web browsers provide for debugging HTML pages and applications.

EPUB creators, for example, can greatly benefit from having access to such processing information (e.g., to efficiently debug their EPUB publications). For maximum use in debugging, it is recommended that reading systems not only report issues they directly encounter but also issues reported by any applications they use (e.g., HTML, CSS, and JavaScript errors reported from a browser core used to render the content, or validation issues reported by EPUBCheck).

It is not expected that error reporting will be an intrusive experience that affects the general reading experience for users. Rather, reporting information could, for example, be selectively activated from a settings menu so that it does not bother users unnecessarily.

3. Publication resource processing

Reading systems MUST process publication resources [epub-33].

3.1 Core Media types

If a reading system has a viewport, it MUST support the image core media type resources [epub-33].

If it has the capability to render prerecorded audio, it MUST support the audio core media type resources [epub-33].

Note

It is recommended that reading systems support at least one of the H.264 [h264] and VP8 [rfc6386] video codecs, but this is not a conformance requirement — a reading system may support any video codec, or none at all. Reading system developers should take into consideration factors such as breadth of adoption, playback quality, and technology royalties when deciding which video formats to support.

3.2 Foreign resources

Reading systems MAY support an arbitrary set of foreign resource types, and if a foreign resource is not supported, MUST process fallbacks as defined in foreign resources [epub-33].

3.3 Resource locations

Reading systems SHOULD support remote resources, as defined in Resource locations [epub-33].

To limit the risk of network attacks, reading systems SHOULD only load remote resources referenced via the https URI scheme [rfc7230].

3.4 Data URLs

Reading systems MUST prevent data URLs [rfc2397] from opening in top-level browsing contexts [html], except when initiated through a reading system affordance such as a context menu. If a reading system does not use a top-level browsing context for top-level content documents, for example if the top-level content document is an SVG, it MUST also prevent data URLs from opening as though they are top-level content documents.

3.5 File URLs

Reading Systems MUST prevent access to resources referenced via file URLs [rfc8089].

3.6 XML processing

A reading system MUST use a non-validating XML processor [xml] that:

3.7 Internationalization

As part of processing publication resources, a reading system is required to process the attributes to set the language and the base directions in XHTML content documents or SVG content documents, as well as the xml:lang attribute for all XML documents (e.g., the package document and media overlay documents).

Furthermore, a reading system MUST also process the dir attribute [epub-33] for the package document, where the base direction specified by dir applies to the element where it is specified, and to all elements in its content unless overridden with another instance of dir. (See also 5.1 Base direction for further details.)

In the absence of this information in a publication resource, reading systems MUST NOT assume either the language or the base direction of that resource from information expressed in the package document (i.e., in xml:lang and dir attributes, in hreflang attributes on link elements, or from dc:language elements [epub-33]). Refer to a resource's formal specification for more information about to handle the absence of explicit language or direction information.

3.8 Network access

Reading systems MAY support network access to retrieve remote resources and to allow scripted content documents to communicate with web-hosted APIs and retrieve resources.

Providing network access, however, increases both the security risks to the reading systems and the security and privacy risks to users. These risks are often unique to reading systems and the platforms they run on — the browser cores that most reading systems are built on do not offer the same security and privacy controls as web browsers themselves. Consequently, developers need to use extra caution when allowing network access, and more thoroughly test that their reading systems are not vulnerable to attacks. More information about these risks is provided in 15. Security and privacy.

If reading system developers allow network access, it is RECOMMENDED both that they:

4. Open Container Format (OCF) processing

Reading systems MUST process the EPUB container [epub-33].

Note

An application that processes EPUB containers does not have to be a full-fledged reading system (e.g., an application might only extract the content of a container or check the validity of the packaged content). In these cases, developers of such applications can ignore the rendering requirements for reading systems defined in this section.

4.1 OCF abstract container

4.1.1 URL of the root directory

Reading systems MUST assign a URL [url] to the root directory of the OCF abstract container. This URL is called the container root URL. It is implementation specific, but the implementation MUST have the following properties:

Note

The unicity of the origin [html] per each user-specific instance of an EPUB publication in a reading system means that if two different users acquire a copy of the same EPUB publication, the origins will be different for the two users on those copies even if the same reading system is used.

Note

The properties of the container root URL are such that a conforming reading system will parse any relative URL string to a content URL. In other words, relative links do not "leak" outside the container content, which is an important feature for security.

In practice, the container root URL behaves similarly to a URL defined as follows:

URL component Values
scheme http or https
host localhost
port a dynamic port uniquely assigned to the EPUB instance

for example:

Container File File Path URL
Root directory empty string http://localhost:49152/
Package document EPUB/package.opf http://localhost:49152/EPUB/package.opf
EPUB content document HTML/file name.xhtml http://localhost:49152/HTML/file%20name.xhtml
URL string
(found for example in the package document)
content URL
../HTML/file%20name.xhtml http://localhost:49152/HTML/file%20name.xhtml
/Media/img.png http://localhost:49152/Media/img.png
../../../Media/img.png http://localhost:49152/Media/img.png

Note that the last two links are disallowed in an EPUB publications to ensure better interoperability with non-conforming or legacy reading systems and toolchains.

Note

Some language specifications reference Requests For Comments that preceded [url], in which case the earlier RFC applies for content in that particular language.

Note

Unlike most language specifications, reading systems must use the container root URL as the base URL [url] for all files within the META-INF directory. See also the section on Parsing URLs in the META-INF directory in [epub-33].

4.1.2 File names

Although EPUB creators are required to follow various file name and file path restrictions [epub-33] for maximum interoperability, reading systems SHOULD attempt to process file names and paths that do not adhere to these requirements. Invalid file names and paths may only be problematic on some operating systems.

This specification does not specify how a reading system that is unable to represent OCF file names and paths would handle this incompatibility.

4.1.3 META-INF directory

Container file (container.xml)

A reading system MUST, by default, use the package document referenced the from first rootfile element [epub-33] to render the EPUB publication. If the reading system recognizes a means of selecting from the other available options, it MAY choose a more appropriate package document.

Metadata file (metadata.xml)

Reading systems SHOULD ignore metadata.xml files [epub-33] with unrecognized root elements.

Manifest file (manifest.xml)

Reading systems MUST NOT use ancillary manifest information contained in the ZIP archive or in the manifest.xml file [epub-33] for processing an EPUB publication.

Signature file (signatures.xml)

Before computing the digest used to validate the signature in the signatures.xml file [epub-33], reading systems MUST decrypt any data encrypted after signing — data encrypted before signing MUST NOT be decrypted.

Refer to Decryption Transform for XML Signature [xmlenc-decrypt] for more information about identifying data encrypted after signing.

Other files

Reading systems MUST NOT fail when encountering configuration files in the META-INF directory not listed in Reserved files [epub-33].

4.2 OCF ZIP container

A reading system:

With respect to specific fields in the OCF ZIP container archive, the reading system:

4.3 Font obfuscation

Reading systems SHOULD support deobfuscation of fonts as defined in Font obfuscation [epub-33].

To restore the original data, reading systems should simply reverse the process: the source file becomes the obfuscated data, and the destination file contains the raw data.

Note

EPUB 3 allowed font obfuscation prior to EPUB 3.0.1, but did not specify the order of obfuscation and compression. As a result, reading systems might encounter invalid fonts after decompression and deobfuscation. In such instances, deobfuscating the data before inflating it may return a valid font. Reading systems do not have to support this method of retrieval, but developers should consider it when supporting EPUB 3 content generally.

5. Package document processing

Reading systems MUST process the package document [epub-33].

5.1 Base direction

If the dir attribute [epub-33] is set and indicates a base direction of ltr or rtl, reading systems MUST override the bidi algorithm per the higher-level protocols defined in [bidi], setting the paragraph embedding level to 0 if the base direction is ltr, or 1 if the base direction is rtl.

Otherwise the base direction is auto, in which case reading systems MUST determine the text's direction by applying the Unicode Bidi Algorithm, beginning with Rule P2 of [bidi].

5.2 Unique identifier

Reading systems SHOULD NOT depend on the unique identifier being unique to one and only one EPUB publication. Determining whether two EPUB publications with the same unique identifier represent different versions of the same publication, or different publications, may require inspecting other metadata, such as their last modification dates, titles, and authors.

5.3 Metadata

White Space

Reading systems MUST strip and collapse ASCII whitespace [infra] from Dublin Core [dcterms] and meta element values [epub-33] before processing.

The dc:identifier element

To determine whether the value of a dc:identifier element [epub-33] conforms to an established system or has been granted by an issuing authority, reading systems SHOULD check for an identifier-type property [epub-33].

The dc:title element

Reading systems MUST recognize the first dc:title element [epub-33] in document order as the main title of the EPUB publication and present it to users before other title elements.

This specification does not define how to process additional dc:title elements.

The dc:language element

The language(s) of the EPUB publication specified in dc:language elements are informational. Some uses of this information include:

  • exposing it to the user through the reading system user interface
  • using it to enhance functionality in a bookshelf (e.g., sorting by language)
  • using it to optimize the reading interface (e.g., to preload text-to-speech languages)

See 3.7 Internationalization for more details on how to determine the language of a publication resource.

The dc:creator element

When determining display priority, reading systems MUST use the document order of dc:creator elements [epub-33] in the metadata section, where the first creator element encountered is the primary creator. If a reading system exposes creator metadata to the user, it SHOULD include all the creators listed in the metadata section whenever possible (e.g., when not constrained by display considerations).

The meta element

Reading systems SHOULD ignore all meta elements whose property attributes [epub-33] define expressions they do not recognize. A reading system MUST NOT fail when encountering unknown expressions.

If a reading system does not recognize the scheme attribute [epub-33] value, it SHOULD treat the value of the element as a string.

Retrieval and support of linked resources is OPTIONAL.

The language identified in an hreflang [EPUB-33] attribute is purely advisory. The language information expressed in the resource determines its language for processing and rendering purposes, as defined in the internationalization requirements.

In the case of a linked metadata record [epub-33], reading systems MUST NOT skip processing the metadata expressed in the package document (i.e., use only the information expressed in the record). Reading systems MAY compile metadata from multiple linked records.

5.4 Manifest

Reading systems MUST ignore values of the properties attribute [epub-33] they do not recognize.

Reading systems SHOULD NOT use linked resources in the rendering of an EPUB publication due to the inherent limitations and risks involved (e.g., lack of information about the resource and how to process it, security risks from remotely-hosted sources, lack of fallbacks, etc.).

A reading system that does not support the MIME media type [rfc2046] of a given publication resource MUST traverse the manifest fallback chain [epub-33] until it identifies a supported publication resource to use in place of the unsupported resource. If the reading system supports multiple publication resources in the fallback chain, it MAY select the resource to use based on the resource's properties attribute [epub-33] values, otherwise it SHOULD honor the EPUB creator's preferred fallback order. If a reading system does not support any resource in the fallback chain, it MUST alert the user that it could not display the content.

When manifest fallbacks [epub-33] are provided for top-level content documents, reading systems MAY choose from the available options to find the optimal version to render in a given context (e.g., by inspecting the properties attribute for each).

A reading system MUST terminate the fallback chain at the first reference to a manifest item it has already encountered.

5.5 Spine

Reading systems MUST provide a means of rendering an EPUB publication in the order defined in the spine element [epub-33], which includes:

When a user traverses the default reading order defined in the spine element, a reading system MAY automatically skip non-linear itemref elements [epub-33]. When a user activates a hyperlink to a non-linear resource, however, reading systems MUST render the referenced resource or a designated fallback. Reading systems MAY also provide the option for users to skip non-linear content by default or not.

If the EPUB creator has not specified the page-progression-direction attribute [epub-33], the reading system MUST assume the value of default. When page-progression-direction value is default, the reading system can choose the rendering direction.

If the page-progression-direction attribute has a value other than default, the reading system MUST ignore any directionality computed from pre-paginated XHTML content documents.

Reading systems MUST ignore all values expressed in spine itemref properties attributes [EPUB-33] that they do not recognize.

Reading systems MUST NOT skip spine references to duplicate manifest items [EPUB-33] when rendering the linear reading order. The reading system MUST treat these as distinct items for user interface (UI) purposes (for example, each occurrence could be independently bookmarked or annotated). When a reading system follows a hyperlink to a resource referenced multiple times in the spine, the reading system MUST navigate to the first occurrence of the document in the linear reading order.

5.5.1 Spine overrides

When a spine itemref element's properties attribute overrides a global rendering property [epub-33], reading systems MUST follow the requirements for the override's global value to display that spine item.

For example, a spine item that contains the layout-pre-paginated override [epub-33] is rendered following the requirements of the global pre-paginated value.

If more than one override for the same property is specified in a properties attribute, reading systems MUST use only the first value.

5.6 Collections

In the context of this specification, support for collections [epub-33] in reading systems is OPTIONAL. Reading systems MUST ignore collection elements that define unrecognized roles.

5.7 Legacy features

Reading systems MUST NOT support legacy features in content that conforms to this version of EPUB [epub-33].

6. EPUB content document processing

The definition of EPUB content documents [epub-33] includes various authoring restrictions to optimize the cross-compatibility of content (e.g., prohibiting CSS for setting language and direction [epub-33]). Unless stated otherwise in this specification, reading systems MAY support these restricted features.

6.1 XHTML content documents

Reading systems MUST process XHTML content documents [epub-33].

Unless explicitly defined in this section as overridden, reading systems MUST process XHTML content documents using semantics defined by the [html] specification and honor any applicable user agent conformance constraints expressed therein.

6.1.1 HTML extensions

6.1.1.1 RDFa

Reading system support for the attribute processing model [rdfa-core] is OPTIONAL.

6.1.1.2 Content switching (deprecated)

Use of the switch element is deprecated [epub-33]. Refer to its definition in [epubcontentdocs-301] for implementation information.

6.1.1.3 The epub:trigger element (deprecated)

Use of the trigger element is deprecated [epub-33]. Refer to its definition in [epubcontentdocs-301] for implementation information.

6.1.1.4 Custom attributes

Reading systems MAY support custom attributes provided the attributes do not modify the requirements of this specification.

6.1.2 HTML deviations and constraints

6.1.2.1 Microdata

Reading system support for the attribute processing model is OPTIONAL, as is the conversion to JSON [html].

6.1.2.2 MathML

To support MathML [mathml3] embedded in XHTML content documents, a reading system:

Note

Reading systems may choose to use third-party libraries such as MathJax to provide MathML rendering.

6.1.2.3 Embedded SVG

Reading systems MUST process SVG embedded in XHTML content documents as defined in 6.2 SVG content documents.

6.1.2.3.1 Embedded SVG and CSS

For the purposes of styling SVG embedded in XHTML content documents by reference, reading systems MUST NOT apply CSS style rules of the containing document to the referenced SVG document.

For the purposes of styling SVG embedded in XHTML content documents by inclusion, reading systems MUST apply applicable CSS rules of the containing document to the included SVG elements.

Note

SVG included by reference is processed as a separate document, and can include its own CSS style rules just like an SVG content document would. Note that this is consistent with situations where an [html] object element references an external [html] element.

6.1.2.4 Form submission

Reading system support for the submission of [html] forms is OPTIONAL. A reading system might, for example, prevent form submissions by limiting access to networking.

6.2 SVG content documents

Reading systems MUST process SVG content documents [epub-33].

To process SVG content documents and SVG embedded in XHTML content documents, a reading system:

6.3 Cascading Style Sheets (CSS)

If a reading system has a viewport, it MUST support the visual rendering of XHTML content documents via CSS [epub-33].

To support CSS, a reading system:

In addition to supporting CSS properties as defined above, a reading system's user agent style sheet SHOULD support the [html] suggested default rendering.

Reading system developers should implement CSS support at the level of major browsers and publicly document their user agent style sheets and how they interact with EPUB creator's style sheets.

6.4 Scripting

Reading systems SHOULD support scripting [epub-33].

Reading system support for scripting depends on its usage context:

If a reading system supports scripting:

If a reading system does not support scripting, it MUST process fallbacks for scripted content as defined in Fallbacks for scripted content documents [epub-33].

6.4.1 Local storage

Reading systems MAY block scripts from saving persistent data through cookies and web storage [html].

Reading systems that allow local storage [html] SHOULD provide methods for users to inspect or delete that data.

6.4.2 Event model

Reading systems SHOULD follow the DOM Event model as per [html] and pass UI events to the scripting environment before performing any default action associated with these events.

Reading system developers must ensure that scripts cannot disable critical functionality (such as navigation) to constrain the extent to which a potentially malicious script could impact their reading systems. As a result, although the scripting environment should be able to cancel the default action of any event, some events either might not be passed through or might not be cancelable.

6.4.3 Security considerations

This section is non-normative.

Reading system developers who also support scripting must be aware of the security issues that arise when reading systems execute scripted content. As the underlying scripting model employed by reading systems and browsers is the same, developers must take into consideration the same kinds of issues encountered in web contexts.

Each reading system must establish if it can trust the scripts in a particular document. Reading systems should treat all scripts as untrusted (and potentially malicious), and developers should examine all vectors of attack and protect against them. In particular, developers should consider the following:

  • an attack against the runtime environment (e.g., stealing files from a user's hard drive);

  • an attack against the reading system itself (e.g., stealing a list of a user's books or causing unexpected behavior);

  • an attack of one EPUB content document against another (e.g., stealing data that originated in a different document);

  • an attack of an unencrypted script against an encrypted portion of a document (e.g., an injected malicious script extracting protected content);

  • an attack against the local network (e.g., stealing data from a server behind a firewall).

To limit the possible damage of untrusted scripts, this specification recommends that reading systems establish a unique origin [html] allocated to each EPUB publication (see 4.1.1 URL of the root directory). Assigning a unique origin ensures that spine-level scripts [epub-33] are isolated from other EPUB publications, and limits access to cookies [html], web storage [html], etc.

Examples of web APIs that are tied to the concept of "origin" include web storage [html] and IndexedDB [indexeddb], which EPUB content documents can interact with via scripting. Reading systems that allow users to add/remove publications from a managed library (their "bookshelf") may maintain the publication's unique origin when the publication is removed and subsequently re-imported into the content library. Conversely, reading systems may create a new unique origin for every newly added publication.

This specification also recommends that container-constrained scripts [epub-33] not be allowed to modify the DOM of the host EPUB content document and/or manipulate the containing rectangle (see 6.4 Scripting).

Note that compliance with these recommendations does not guarantee protection from the possible attacks listed above; developers must examine each potential vulnerability within the context of their reading system.

7. Navigation document processing

Reading systems MUST process EPUB navigation documents [epub-33].

To process the EPUB navigation document, a reading system:

Reading systems MUST honor the above requirements irrespective of whether the EPUB navigation document is part of the spine.

8. Layout rendering control processing

8.1 Fixed-layout documents

Reading systems MUST support the rendering of fixed-layout documents [epub-33].

8.1.1 Fixed-layout properties

8.1.1.1 The rendition:layout property

The default value reflowable MUST be assumed by EPUB reading systems as the global value if no meta element carrying the rendition:layout property occurs in the package document metadata [epub-33].

When the rendition:layout property is set to pre-paginated, reading systems MUST NOT include space between the adjacent content slots when rendering synthetic spreads.

The rendition:layout property values have the following processing requirements:

reflowable

Reading systems MAY apply dynamic pagination when rendering.

pre-paginated

Reading systems MUST produce exactly one page per spine itemref [epub-33] when rendering.

8.1.1.2 The rendition:orientation property

The default value auto MUST be assumed by EPUB reading systems as the global value if no meta element carrying the rendition:orientation property occurs in the package document metadata [epub-33].

The rendition:orientation property values have the following processing requirements:

auto

The reading system determines the orientation in which to render EPUB content documents.

landscape

Reading systems that support multiple orientations SHOULD render EPUB content documents in landscape orientation.

portrait

Reading systems that support multiple orientations SHOULD render EPUB content documents in portrait orientation.

The means by which they convey the intent is implementation specific.

8.1.1.3 The rendition:spread property

Reading Systems MUSt assume the default value auto as the global value if no meta element carrying the rendition:spread property occurs in the package document metadata [epub-33].

The rendition:spread property values have the following processing requirements:

none

Reading systems MUST NOT incorporate spine items in a synthetic spread. Reading systems SHOULD create a single viewport positioned at the center of the screen.

landscape

Reading systems SHOULD render a synthetic spread for spine items only when the device is in landscape orientation.

portrait (deprecated)

Reading systems SHOULD treat the value "portrait" as a synonym of "both" and create spreads regardless of orientation.

both

Reading systems SHOULD render a synthetic spread regardless of device orientation.

auto

Reading systems MAY use synthetic spreads in specific or all device orientations as part of a content display area utilization optimization process.

8.1.1.4 The rendition:page-spread-* properties

The rendition:page-spread-left property [epub-33] indicates that the given spine item SHOULD be rendered in the left-hand slot of a spread. The rendition:page-spread-right property [epub-33] indicates that the given spine item SHOULD be rendered in the right-hand slot of a spread.

The rendition:page-spread-left and rendition:page-spread-right properties apply to both pre-paginated and reflowable content, and they only apply when the reading system is creating synthetic spreads.

The rendition:page-spread-* properties MUST take precedence over whatever value of the page-break-before property [csssnapshot] has been set for an XHTML content document.

When a reflowable spine item follows a pre-paginated one, the reflowable one SHOULD start on the next page — as defined by the page-progression-direction attribute [epub-33] — when it lacks a rendition:page-spread-* property value.

Reading systems MUST honor rendition:page-spread-* properties on both reflowable and pre-paginated spine items (e.g., by inserting a blank page).

When a pre-paginated spine item follows a reflowable one, the pre-paginated one SHOULD start on the next page (as defined by the page-progression-direction attribute) when it lacks a rendition:page-spread-* property value.

When a reading system encounters two spine items that represent a true spread (i.e., two adjacent spine items with the rendition:page-spread-left and rendition:page-spread-right properties), it SHOULD create the spread with no space between the adjacent pages.

8.1.2 Initial containing block dimensions

XHTML

Reading systems MUST create the initial containing block (ICB) using the width and height expressions declared in the viewport meta tag for XHTML content documents, as defined in Expressing in HTML [epub-33]. They MUST clip content positioned outside of the ICB.

If the width or height values in the viewport meta tag contain a non-numeric character but start with a number (e.g., the value includes a unit of length declaration such as "500px"), the number prefix SHOULD be used as the pixel value, otherwise the value MUST be treated as invalid.

Reading systems SHOULD attempt to extract width and height values from a viewport meta tag even if its syntax is invalid.

Reading systems MUST use the first declaration of a width and height property in a viewport meta tag (i.e., ignore repeated declarations).

If the viewport meta does not contain a width or a height value, or if these values are invalid, reading systems MAY supply the values. For example, a reading system may:

  • consider these as having the values device-width and device-height, respectively; or
  • look for the previous content document in the spine, if applicable, and use the ICB value defined there; or
  • consider the content document as erroneous XHTML content altogether.

If an XHTML content document contains more than one viewport meta tags, reading systems MUST use the first in document order to obtain the height and width dimensions. Subsequent declarations MUST be ignored.

When the ICB aspect ratio does not match the aspect ratio of the reading system content display area, reading systems MAY position the ICB inside the area to accommodate the user interface; in other words, added letter-boxing space MAY appear on either side (or both) of the content.

SVG

Reading systems MUST create the initial containing block (ICB) using the dimensions as defined in Expressing the ICB in SVG [epub-33] to render SVG content documents.

Note

When the ICB aspect ratio does not match the aspect ratio of the reading system content display area, reading systems should follow the rules for the viewBox and the preserveAspectRatio attributes, as defined in [SVG].

8.1.3 Viewport rendering

When rendering fixed-layout documents, the default intent is that the content display area SHOULD occupy as much of the available viewport area as possible. Reading systems SHOULD NOT inject additional content such as border, margins, headers, or footers into the viewport.

Note

This specification does not define how the initial containing block [css2] is placed within the reading system content display area.

Note

The exposure of reading system control widgets to the user is implementation-specific and not included in the above behavioral expectations.

8.2 Reflowable layouts

Reading systems SHOULD process the reflowable layout properties [epub-33].

8.2.1 The rendition:flow property

If a reading system supports the specified rendering, it SHOULD use that method to handle overflow content, but MAY provide the option for users to override the requested rendering.

The default global value is auto if no meta element carrying this property occurs in the metadata section [epub-33]. Reading systems MAY support only this default value.

The rendition:flow property values have the following processing requirements:

paginated

The reading system SHOULD dynamically paginate all overflow content.

scrolled-continuous

The reading system SHOULD render all EPUB content documents such that overflow content is scrollable, and SHOULD present the EPUB publication as one continuous scroll from spine item to spine item (except where locally overridden [epub-33]).

scrolled-doc

The reading system SHOULD render all EPUB content documents such that users can scroll overflow content, and SHOULD present each spine item as a separate scrollable document.

auto

The reading system MAY render overflow content using its default method or a user preference, whichever is applicable.

For the rendition:flow-scrolled-continuous property, the scroll direction MUST be defined relative to the block flow direction of the root element of the XHTML content document referenced by the itemref element [epub-33]. The scroll direction MUST be vertical if the block flow direction is downward (top-to-bottom). It MUST be horizontal if the block flow direction of the root element is rightward (left-to-right) or leftward (right-to-left).

Reading systems MUST ignore the rendition:flow property and its overrides when processing pre-paginated spine items [epub-33].

Note

Reading system developers may decide to disregard this restriction, and accept the scrolled-continuous value of rendition:flow as a switch to display each pre-paginated spine item on a long, vertical strip (making it is easier to read on a smartphone or computer). This type of presentation is often referred to as "webtoons". Some publishers already use this possibility. After some further experimentation and incubation, a future version of this specification may introduce this approach as a standard feature for fixed-layout documents. See also the (deferred) github issue 2412.

8.2.2 The rendition:align-x-center property

When the rendition:align-x-center property is set on a spine item, reading systems SHOULD render the content centered horizontally within the viewport or spread, as applicable. This property does not affect the rendering of the spine item, only the placement of the resulting content box.

For reflowable content, reading systems that support this property MUST center each virtual page.

This specification does not define a default rendering behavior when reading systems do not support this property or EPUB creators do not specify it. Reading systems MAY render spine items by their own design.

8.3 The viewport meta tag

Except when obtaining the initial containing block dimensions for fixed-layout documents, reading systems MUST ignore rendering instructions in viewport meta declarations.

This restriction applies to both fixed-layout and reflowable documents.

8.4 Custom properties

Reading systems MAY support custom properties provided they do not introduce expressions that conflict behaviorally with the properties defined in the Package rendering vocabulary [epub-33].

9. Media overlays processing

Reading systems with the capability to render prerecorded audio SHOULD support media overlays [epub-33].

If a reading system does not support media overlays, it MUST ignore both:

9.1 Loading the media overlay

When a reading system loads a package document, it MUST refer to the manifest item elements' [epub-33] media-overlay attributes to discover the corresponding media overlays for EPUB content documents.

Reading systems MUST support playback for XHTML content documents, and MAY support SVG content documents.

Playback MUST start at the media overlay element which corresponds to the desired EPUB content document starting point. Note that the start of an EPUB content document could correspond to an element at the start or in the middle of a media overlay. When the media overlay document finishes playing, the reading system SHOULD load the next EPUB content document (as specified in the package document spine) and also load its corresponding media overlay document, provided that one is given.

9.2 Basic playback

9.2.1 Timing and synchronization

Reading systems MUST render immediate children of the body element [epub-33] in a sequence. A seq element's [epub-33] children MUST be rendered in sequence, and playback completes when the last child finishes playing. Reading system MUST render a par element's [epub-33] children in parallel (with each starting at the same time), and playback completes when all the children finish playing. Reading system playback of the media overlay document completes when the body element's last child finishes playing.

9.2.2 Rendering audio

When presented with a media overlay audio element [EPUB-33], reading systems MUST play the audio resource referenced by the src attribute, starting at the clip offset time given by the clipBegin attribute and ending at the clip offset time given by the clipEnd attribute [epub-33].

In addition:

  • If the EPUB creator has not specified a clipBegin attribute, reading systems MUST assume the value "0".

  • If the EPUB creator has not specified a clipEnd attribute, reading systems MUST assume the value to be the full duration of the physical media.

  • If the value of clipEnd exceeds the full duration of the physical media, reading systems MUST assume its value to be the full duration of the physical media.

User-controllable audio playback options SHOULD include timescale modification, in which the user can alter the playback rate without distorting the pitch. The suggested range is half-speed to double-speed.

9.2.3 Rendering EPUB content document elements

When presented with a media overlay text element [epub-33] whose src attribute contains a URL-fragment string referencing a specific part of an EPUB content document, reading systems SHOULD ensure the referenced portion is visible in the viewport. In addition to [html] element ID references and SVG Fragment Identifiers [svg], reading systems MAY support other fragment identifier schemes.

During media overlays playback, reading systems with a viewport SHOULD add the class names given by the metadata properties active-class and playback-active-class [epub-33] to the appropriate elements, when specified, in the EPUB content document. Conversely, the class names SHOULD be removed when the playback state changes, as described in Associating style information [epub-33].

The active-class and playback-active-class metadata properties are OPTIONAL, and if omitted, reading system behavior is implementation-specific.

Reading system behavior when a fragment identifier [epub-33] does not reference an element is also implementation-specific.

9.3 Interacting with the EPUB content document

Note

Earlier versions of this specification included some information about embedded audio and video [epubmediaoverlays-32]. This feature has been deprecated.

9.3.1 Navigation

Because the media overlay is closely linked to the EPUB content document, it is very easy for reading systems to locate a position in the EPUB content document based on the current position in the media overlay playback. If the user pauses synchronized playback and navigates to a different part of the EPUB publication, synchronized playback MUST resume at that point. For example, if a specific page number in the EPUB content document is the desired location, then this same point is located in the media overlay and playback started there.

This same approach allows for synchronizing the media overlay playback with user selection of a navigation point in the EPUB navigation document. The reading system loads the media overlay for that file and finds the correct point for starting playback based on the ID of the navigation point target.

Note

EPUB creators may associate a media overlay document directly with an EPUB navigation document in order to provide synchronized playback of its contents, regardless of whether the XHTML content document in which it resides is included in the spine. See EPUB navigation document [epub-33] for more information.

Note

EPUB creators may associate media overlay document elements with EPUB content document structures such as tables. Reading systems should ensure that media overlay playback remains synchronized with user navigation of table rows and cells. The reading system might also play the corresponding table header preceding the contents of the cell.

9.3.2 Embedded audio and video (deprecated)

Guidance for automatic playback of embedded audio and video is now deprecated.

Refer to its definition in [epubmediaoverlays-32] for more information.

9.3.3 Text-to-speech

When a media overlay text element with no audio [epub-33] sibling element references text within the target EPUB content document, reading systems capable of text-to-speech (TTS) playback SHOULD render the referenced text using TTS.

Reading systems SHOULD use the speech-related information provided in the target EPUB content document to play the audio stream as part of the media overlay rendering.

Note

See EPUB 3 Text-to-Speech Support [epub-tts-10] for more information about supporting TTS technologies in EPUB publications.

The media overlay text element's lifespan corresponds to the rendering time of the associated speech synthesis. The implicit duration of the text element (and by inference, of the parent par element) is therefore determined by the execution of the Text-to-Speech engine, and cannot be known at authoring time (factors like speech rate, pauses and other prosody parameters influence the audio output). This also means that reading systems should treat the duration property values set in the package document as approximative when making use of them.

9.4 Skippability and escapability

9.4.1 Skippability

Reading systems SHOULD use the semantic information provided by media overlay elements' epub:type attribute to offer users the option of skipping content.

When skipping of content is enabled, reading systems MUST suppress playback of any par and seq elements whose epub:type attribute contains a semantic that matches a skippable structure.

9.4.2 Escapability

While playing media overlays, reading systems SHOULD offer users the option to leave ("escape") escapable structures [epub-33], which are determined by the presence of an epub:type attribute [epub-33] with a value from the escapable structures list. If a user opts to escape from an escapable structure, then the reading system MUST continue playback with the next sequential element after the structure.

10. Processing structural semantics

Reading systems MAY support structural semantics [epub-33] in EPUB content documents.

When processing the epub:type attribute, a reading system:

11. Processing property values

Reading systems MAY support the vocabulary association mechanisms for processing property data type values [epub-33].

This section defines an algorithm for obtaining an expanded URL from a property data type value. It applies only to reading systems that support the [epub-33] vocabulary association mechanisms.

Reading systems that do not support the [epub-33] vocabulary association mechanisms MAY process property values as plain string values [infra]. It is not required to support the expansion of these values to URLs to add reading system behaviors based on their presence.

The algorithm describes the process using the terminology and data types defined in [infra], and, if successful, results in a string value with the expanded URL being returned. A null value is returned for invalid properties.

This algorithm takes the following arguments:

To obtain an expanded URL, apply the following steps:

  1. Let baseURL, expandedURL, propertyPrefix, and propertyReference be empty strings.

    Explanation

    In this algorithm:

    • baseURL will hold the base URL associated with the value, whether this URL is assigned by the EPUB creator, corresponds to a default vocabulary, or comes from a reserved prefix.
    • expandedURL will hold the final URL that results from the concatenation of the base URL and property reference.
    • propertyPrefix will hold the property's prefix [epub-33] (i.e., the value before the colon). Properties from a default vocabulary will not have a prefix, but all others will.
    • propertyReference will hold the property's reference [epub-33] (i.e., the value after the prefix). All valid properties require a reference.
  2. Obtain the values of propertyPrefix and propertyReference as follows:

    1. If value does not contain a colon (U+003A), set propertyReference to value.

      Explanation

      If a property value does not have a colon, it does not have a prefix. In this case, the value is drawn from the default vocabulary as described in the next step of the algorithm.

    2. Otherwise, if value begins with a colon, the value is invalid. Return null.

      Explanation

      A colon at the beginning of the value is invalid as it indicates the prefix is not set.

    3. Otherwise, split value on the first colon and set propertyPrefix to the string before the colon and set propertyReference to the string after the colon.

    If propertyReference is not a valid path-relative-scheme-less-URL string, as required by the property data type definition [epub-33], the value is invalid. Return null.

    Explanation

    The path-relative-scheme-less-URL string definition has a number of restrictions that apply to the reference whether it has a prefix or not.

    For example, the reference must not begin with a URL-scheme string followed by a colon. This restriction means that the following is not a valid property value as the second colon could represent a scheme: foo:bar:baz/qux.

    There are also restrictions on what characters must be percent encoded.

  3. Obtain the value of baseURL as follows:

    1. If propertyPrefix is an empty string:

      1. If attr is epub:type [epub-33], set baseURL to
        http://idpf.org/epub/vocab/structure/#
      2. Otherwise, if elem is the package document meta element [epub-33] and attr is scheme, the property value is invalid. Return null.
      3. Otherwise, if elem is the package document meta element [epub-33], set baseURL to
        http://idpf.org/epub/vocab/package/meta/#
      4. Otherwise, if elem is the package document link element [epub-33], set baseURL to
        http://idpf.org/epub/vocab/package/link/#
      5. Otherwise, if elem is the package document item element [epub-33], set baseURL to
        http://idpf.org/epub/vocab/package/item/#
      6. Otherwise, if elem is the package document itemref element [epub-33], set baseURL to
        http://idpf.org/epub/vocab/package/itemref/#
      Explanation

      If the property value does not have a prefix, then this step assigns the default vocabulary URL to use based on the attribute or element to which it belongs. When an element in the package document has more than one attribute that takes a property data type, those attributes share the same default vocabulary. For this reason, it is not necessary to check both the element and attribute to determine what URL to assign.

      The one attribute in EPUB 3 that does not have a default vocabulary is the scheme attribute [epub-33]. A scheme value without a prefix is invalid.

    2. Otherwise:

      1. If a prefix attribute is declared on the document element of doc, and the attribute contains a prefix that matches propertyPrefix, set baseURL to the URL associated with the prefix declaration.

      2. Otherwise, if propertyPrefix matches a reserved prefix [epub-33] for doc, set baseURL to the URL associated with the reserved prefix.

      Explanation

      When a property value has a prefix, the first place to check for its base URL is in a prefix attribute declaration on the document element.

      If the author has not assigned a URL for the prefix, the next step is to check if the prefix matches one of the reserved prefixes.

      Note that author-assigned prefix URLs override the reserved prefix URLs.

    If baseURL is an empty string, the property value is invalid. Return null.

    Explanation

    If the base URL is empty at the end of this processing step, then either the prefix is not mapped or reserved, or the element or attribute being processed does not accept property data types as defined in [epub-33].

    Without a base URL, it is impossible to generate an expanded URL, so the value is invalid.

  4. Set expandedURL to the concatenated values of baseURL and propertyReference. Do not add a separator when concatenating the values.
  5. If expandedURL is not a valid URL string, the value is invalid. Return null.

    Otherwise, return expandedURL.

    Explanation

    Although an expanded value may be obtained, it is not necessarily the case that it is a valid URL. This is only likely to occur when the EPUB creator assigns an invalid base URL to a prefix.

Note

Reading systems do not have to parse the resulting URL [url] or attempt to dereference the resulting expanded URL. Expanding a property data type value to a full URL only ensures a reading system has encountered the value it expects (i.e., because different EPUB creators can assign the same prefix to different URLs, two values may appear the same until expanded).

12. Backward compatibility

Reading systems MUST attempt to process an EPUB publication whose package document version attribute [epub-33] is less than "3.0".

EPUB publications with older version numbers will not always render exactly as intended unless processed according to their respective specifications. Reading systems SHOULD support such EPUB publications as defined by those specifications.

13. Forward compatibility

Reading systems SHOULD attempt to process an EPUB publication whose package document version attribute [epub-33] is greater than "3.0".

14. Accessibility

This section is non-normative.

Although the primary focus of this specification is on how to process and render EPUB publications, it does not mandate specific user interfaces that all reading systems must offer. This does not mean that there are not common accessibility issues that all reading systems developers should be aware of, or seek to avoid in their applications.

The W3C's User Agent Accessibility Guidelines [uaag20] provides many useful practices developers should apply to improve their reading systems as many browser accessibility issues have parallels in EPUB-specific user agents.

The following list outlines some additional EPUB-specific areas where a lack of accessibility impacts the reading experience for users:

The DAISY Consortium maintains an accessibility test suite to aid in evaluating these issues and more.

15. Security and privacy

15.1 Overview

This section is non-normative.

The particularity of an EPUB publication is its structure. The EPUB format provides a means of representing, packaging, and encoding structured and semantically enhanced web content — including HTML, CSS, SVG, and other resources — for distribution in a single-file container.

For reading systems, this means that the security and privacy issues are primarily based on the features of those formats, and closely mirror the threats presented by web content generally.

Reading system developers also have a dual responsibility of both ensuring the security and privacy of their applications and helping limit the threats to users from the content that renders within them. The rest of this section explores the risk model of EPUB 3 with the aim of helping developers recognize and mitigate these risks.

Note

For the risks associated with the authoring of EPUB publications, refer to the security and privacy section of [epub-33].

15.2 Threat model

This section is non-normative.

The greatest threats to users come from the content they read [epub-33], and the first line of defense against these attacks is the reading systems they use. Users expect that reading systems act as safeguards against malicious content and are often unaware that EPUB publications are susceptible to the same security risks as web sites.

But although reading systems are relied on to provide security and privacy, they can also pose unintended threats to users depending on how information is handled. Tracking user information to optimize experiences is a common need, for example, but done without user permission and reading systems can run afoul of legal privacy requirements.

This section outlines some of the key threats that reading system developers must take into consideration, with further details and recommendations in the following sections.

Scripting

Malicious scripts present several attack vectors against reading systems. If local storage is not secure, for example, they can attempt to compromise the user's data. Provided with network access, they may attempt unauthorized collection of user data.

More detailed discussion of these issues and how to mitigate them is provided in 6.4.3 Security considerations.

Malicious content

EPUB publications may contain resources designed to exploit security flaws in reading systems or the operating systems they run on. Attackers may also try to gain access to remote resources using file indirection techniques, such as symbolic links or file aliases.

The lack of a standard method of signing EPUB publications means that reading systems cannot always verify whether the content has been tampered with between authoring and loading in the device.

Remote resources

Remote resources present the same risks as any EPUB publication loaded from an untrusted source. Even if the publisher of the EPUB publication is trusted, remote resources may be compromised.

Calls to remote resources can also be used to track information about users (e.g., through server logs). Reading systems should limit the information they expose through HTTP requests to only what is essential to obtain the resource.

The origin of an EPUB is both unknown to the EPUB creator and specific to each reading system implementation. Consequently, if the EPUB creator hosts remote resources on a web server they control, the server effectively cannot use security features that require specifying allowable origins, such as headers for CORS, Content-Security-Policy, or X-Frame-Options.

External links

Like remote resources, external links may be used to trick unwitting users into opening malicious resources on the web designed to exploit the reading system or operating system.

Likewise, reading systems should also avoid exposing potentially identifying information about users through the traversal of links (e.g., not using tracking identifiers or exposing unnecessary information about the user's environment).

User-generated content

User-generated content within a reading experience, for example through text areas or other interactive components, could pose a threat to reading system security or user privacy if the content is not properly secured. More details on scripting security are provided in 6.4.3 Security considerations.

Collection of user data

Collecting information about the user and their reading habits without obtaining their permission can violate their privacy, even if the information is only intended for internal use.

Attempting to profile users based on their reading habits or through metadata in their publication (e.g., accessibility preferences) can expose users to unintended harms.

Additionally, the security considerations that apply to [xml] and [zip] files also apply to the package document and the Open Container Format, respectively. See the "Security Consideration" sections of the Media Type registrations for the application/oebps-package+xml and the application/epub+zip formats for further details.

15.3 Recommendations

The strongest measure that reading system developers can take for privacy is to specify the data they intend to collect and use about the user and/or their reading behavior and seek the consent of users to obtain it. They SHOULD also allow personalization and control over this information.

If a reading system allows users to store persistent data, especially personally identifiable information, it SHOULD treat that data as sensitive and not allow access to it by third parties.

It is understood that the collection of some user data may be required for the sale, delivery, and operation of an EPUB publication, particularly on platforms where the sale of an EPUB publication and the method of reading it are connected. In these cases, the reading system SHOULD identify the data being collected, how it is used, and allow for user opt-outs (retailers may choose to inform users by other means, however, such as when a user creates an account on their web site). Anonymization of any collected data is RECOMMENDED for the privacy and the security of the user and reading system.

It is also understood that user data may be required or helpful for some reading system affordances. In these cases, anonymization is also RECOMMENDED. Reading systems also SHOULD inform users of what data is needed, what it is to be used for, and to provide methods to opt-out.

Content processors — defined as entities that handle the ingestion of EPUB content for distribution, display, or sale — also need to be aware of the potential risks in ingestion. It is advised that content processors check content for malicious content on ingestion, in addition to the validation steps that usually occur. This could include running virus scans, validating external links and remote resources, and other precautions.

Reading systems that allow users to load untrustworthy EPUB publications (e.g., unsigned EPUB publications through the process of "sideloading") SHOULD treat such content as insecure (e.g., prompt users to allow scripting and network access).

When processing XML documents, a reading system SHOULD NOT resolve external identifiers in DOCTYPE, ENTITY and NOTATION declarations [xml]. Reading systems SHOULD also consider security risks related to internal or external XML entities like, for example, DoS attacks also known as "Billion laughs attacks" or "XML external entity attacks".

Note

Additional security recommendations for external links, network access and scripting are available in 3.9 External links, 3.8 Network access, and 6.4.3 Security considerations, respectively.

A. Unsupported features

For features marked as unsupported, reading systems:

Note

Developers should consider the unlikelihood of encountering content with deprecated features before adding new support for them.

B. epubReadingSystem object

Note

Reading systems act as the core rendering engines of EPUB publications and provide a scripting environment based on the [dom] specification. So, although this interface definition uses the [webidl] notation for implementation by reading systems, web browsers generally do not have to implement these objects.

B.1 Interface definition

This specification extends the Navigator object [html] as follows.

WebIDL[Exposed=(Window)]
interface EpubReadingSystem {
    boolean hasFeature(DOMString feature, optional DOMString version);
};

partial interface Navigator {
    [LegacyUnforgeable, SameObject] readonly attribute EpubReadingSystem epubReadingSystem;
};
Note

This specification does not define an epubReadingSystem property extension for the WorkerNavigator object [html]. Reading systems therefore do not have to expose the epubReadingSystem object in the scripting context of Workers, and EPUB creators cannot rely on its presence.

B.2 Description

The Navigator.epubReadingSystem object provides an interface through which a scripted content document can query information about a user's reading system.

Reading systems MUST expose the epubReadingSystem object on the navigator object of all loaded scripted content documents, including any nested container-constrained scripting contexts [epub-33]. Reading systems MUST ensure that the epubReadingSystem object is available no later than when the DOMContentLoaded event is triggered [html].

Note

Reading systems implementations may create cloned instances of the epubReadingSystem object in scripted content documents for technical feasibility reasons. In such cases, the reading system must ensure they consistently maintain the object's state — as reflected by the values of its properties and methods — across all copied instances.

B.3 Properties

This specification used to define the name, version, and the layoutStyle properties, but these are now deprecated [epub-33]. For more information refer to their definitions in [epubcontentdocs-32] (for name and version) and in [epubcontentdocs-301] (for layoutStyle).

B.4 Methods

B.4.1 hasFeature

B.4.1.1 Description

The hasFeature method returns a boolean value indicating whether the reading system supports any version of the specified feature, or undefined if the reading system does not recognize the specified feature.

The optional version parameter allows EPUB creators to query custom features that could change in incompatible ways over time. The return value indicates support only for the specified version of the feature.

Features defined in this specification are versionless. If a reading system supports a feature defined in this specification, it MUST ignore any supplied version parameter and return a true value.

B.4.1.2 Features

The following table lists the set of features that reading systems that support the epubReadingSystem object MUST recognize. When the features are queried from the hasFeature method, reading systems MUST return a boolean value indicating their support.

Name Description
dom-manipulation Scripts may make structural changes to the document’s DOM (applies to spine-level scripting [epub-33] only).
layout-changes Scripts may modify attributes and CSS styles that affect content layout (applies to spine-level scripting [epub-33] only).
touch-events The device supports touch events, and the reading system passes touch events to the content.
mouse-events The device supports mouse events, and the reading system passes mouse events to the content.
keyboard-events The device supports keyboard events, and the reading system passes keyboard events to the content.
spine-scripting Indicates whether the reading system supports spine-level scripting [epub-33] (e.g., so a container-constrained script [epub-33] can determine whether any actions that depend on scripting support in a top-level content document have any chance of success before attempting them).

Reading system developers MAY add additional features, but future versions of this specification could append to this list in ways that might conflict or be incompatible with any such custom additions.

C. Index

C.1 Terms defined by this specification

C.2 Terms defined by reference

D. Change log

This section is non-normative.

Note that this change log only identifies substantive Changes since EPUB 3.2 — those that affect the conformance of reading systems or are similarly noteworthy.

For a list of all issues addressed during the revision, refer to the Working Group's issue tracker.

D.1 Substantive changes since Candidate Recommendation

D.2 Substantive changes since EPUB 3.2

E. Acknowledgements

This section is non-normative.

Specifications, like art, are human creations. No human has done more for EPUB than Garth Conboy, who has been there every step of the way, from the very first OEB 1.0 in 1999 to today's EPUB 3.3. None of this would have happened without Garth's vision, knowledge, and preternatural good nature. We dedicate EPUB 3.3 to his memory. We are forever in your debt, Garth.

The following members of the EPUB 3 Working Group contributed to the development of this document:

In addition, the Working Group would like to extend a special thanks to the former editors of the EPUB 3 specifications and overview: Garth Conboy, Marisa DeMeglio, Elika J. Etemad, Markus Gylling, William McCoy, MURATA Makoto, James Pritchett, Tzviya Siegman, and Daniel Weck.

F. References

F.1 Normative references

[bidi]
Unicode Bidirectional Algorithm. Mark Davis; Ken Whistler. Unicode Consortium. 16 August 2022. Unicode Standard Annex #9. URL: https://www.unicode.org/reports/tr9/tr9-46.html
[css-fonts-4]
CSS Fonts Module Level 4. John Daggett; Myles Maxfield; Chris Lilley. W3C. 21 December 2021. W3C Working Draft. URL: https://www.w3.org/TR/css-fonts-4/
[csssnapshot]
CSS Snapshot. URL: https://www.w3.org/TR/CSS/
[dcterms]
DCMI Metadata Terms. DCMI Usage Board. DCMI. 20 January 2020. DCMI Recommendation. URL: https://www.dublincore.org/specifications/dublin-core/dcmi-terms/
[dom]
DOM Standard. Anne van Kesteren. WHATWG. Living Standard. URL: https://dom.spec.whatwg.org/
[dom-level-2-style]
Document Object Model (DOM) Level 2 Style Specification. Chris Wilson; Philippe Le Hegaret. W3C. 3 November 2020. W3C Recommendation. URL: https://www.w3.org/TR/DOM-Level-2-Style/
[epub-33]
EPUB 3.3. Matt Garrish; Ivan Herman; Dave Cramer. W3C. 2 November 2022. W3C Candidate Recommendation. URL: https://www.w3.org/TR/epub-33/
[epubcontentdocs-301]
EPUB Content Documents 3.0.1. Markus Gylling; William McCoy; Elika J. Etimad; Matt Garrish. IDPF. 26 June 2014. URL: https://idpf.org/epub/301/spec/epub-contentdocs-20140626.html
[epubcontentdocs-32]
EPUB Content Documents 3.2. Dave Cramer; Matt Garrish. W3C. 08 May 2019. URL: https://www.w3.org/publishing/epub32/epub-contentdocs.html
[epubmediaoverlays-32]
EPUB Media Overlays 3.2. Marisa DeMeglio; Daniel Weck. EPUB 3 Community Group. 08 May 2019. URL: https://www.w3.org/publishing/epub32/epub-mediaoverlays.html
[html]
HTML Standard. Anne van Kesteren; Domenic Denicola; Ian Hickson; Philip Jägenstedt; Simon Pieters. WHATWG. Living Standard. URL: https://html.spec.whatwg.org/multipage/
[infra]
Infra Standard. Anne van Kesteren; Domenic Denicola. WHATWG. Living Standard. URL: https://infra.spec.whatwg.org/
[mathml3]
Mathematical Markup Language (MathML) Version 3.0 2nd Edition. David Carlisle; Patrick D F Ion; Robert R Miner. W3C. 10 April 2014. W3C Recommendation. URL: https://www.w3.org/TR/MathML3/
[opentype]
OpenType specification. Microsoft. URL: http://www.microsoft.com/typography/otspec/default.htm
[rdfa-core]
RDFa Core 1.1 - Third Edition. Ben Adida; Mark Birbeck; Shane McCarron; Ivan Herman et al. W3C. 17 March 2015. W3C Recommendation. URL: https://www.w3.org/TR/rdfa-core/
[rfc1951]
DEFLATE Compressed Data Format Specification version 1.3. P. Deutsch. IETF. May 1996. Informational. URL: https://www.rfc-editor.org/rfc/rfc1951
[rfc2046]
Multipurpose Internet Mail Extensions (MIME) Part Two: Media Types. N. Freed; N. Borenstein. IETF. November 1996. Draft Standard. URL: https://www.rfc-editor.org/rfc/rfc2046
[RFC2119]
Key words for use in RFCs to Indicate Requirement Levels. S. Bradner. IETF. March 1997. Best Current Practice. URL: https://www.rfc-editor.org/rfc/rfc2119
[rfc2397]
The "data" URL scheme. L. Masinter. IETF. August 1998. Proposed Standard. URL: https://www.rfc-editor.org/rfc/rfc2397
[rfc7230]
Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing. R. Fielding, Ed.; J. Reschke, Ed.. IETF. June 2014. Proposed Standard. URL: https://httpwg.org/specs/rfc7230.html
[rfc8089]
The "file" URI Scheme. M. Kerwin. IETF. February 2017. Proposed Standard. URL: https://www.rfc-editor.org/rfc/rfc8089
[RFC8174]
Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words. B. Leiba. IETF. May 2017. Best Current Practice. URL: https://www.rfc-editor.org/rfc/rfc8174
[svg]
SVG. W3C. URL: https://www.w3.org/TR/SVG/
[truetype]
TrueType™ Reference Manual. Apple, Inc. URL: https://developer.apple.com/fonts/TrueType-Reference-Manual/
[url]
URL Standard. Anne van Kesteren. WHATWG. Living Standard. URL: https://url.spec.whatwg.org/
[w3cprocess]
W3C Process Document. URL: https://www.w3.org/Consortium/Process/
[webidl]
Web IDL Standard. Edgar Chen; Timothy Gu. WHATWG. Living Standard. URL: https://webidl.spec.whatwg.org/
[woff]
WOFF File Format 1.0. Jonathan Kew; Tal Leming; Erik van Blokland. W3C. 13 December 2012. W3C Recommendation. URL: https://www.w3.org/TR/WOFF/
[woff2]
WOFF File Format 2.0. Vladimir Levantovsky; Raph Levien. W3C. 10 March 2022. W3C Recommendation. URL: https://www.w3.org/TR/WOFF2/
[xml]
Extensible Markup Language (XML) 1.0 (Fifth Edition). Tim Bray; Jean Paoli; Michael Sperberg-McQueen; Eve Maler; François Yergeau et al. W3C. 26 November 2008. W3C Recommendation. URL: https://www.w3.org/TR/xml/
[xml-names]
Namespaces in XML 1.0 (Third Edition). Tim Bray; Dave Hollander; Andrew Layman; Richard Tobin; Henry Thompson et al. W3C. 8 December 2009. W3C Recommendation. URL: https://www.w3.org/TR/xml-names/
[xmlenc-decrypt]
Decryption Transform for XML Signature. Merlin Hughes; Takeshi Imamura; Hiroshi Maruyama. W3C. 10 December 2002. W3C Recommendation. URL: https://www.w3.org/TR/xmlenc-decrypt/
[zip]
.ZIP File Format Specification. 15 July 2020. Final. URL: https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT

F.2 Informative references

[css2]
Cascading Style Sheets Level 2 Revision 1 (CSS 2.1) Specification. Bert Bos; Tantek Çelik; Ian Hickson; Håkon Wium Lie. W3C. 7 June 2011. W3C Recommendation. URL: https://www.w3.org/TR/CSS21/
[epub-tts-10]
EPUB 3 Text-to-Speech Enhancements 1.0. Matt Garrish. W3C. 10 August 2022. W3C Working Group Note. URL: https://www.w3.org/TR/epub-tts-10/
[epubpackages-32]
EPUB Packages 3.2. Matt Garrish; Dave Cramer. EPUB 3 Community Group. 08 May 2019. URL: https://www.w3.org/publishing/epub32/epub-packages.html
[h264]
H.264 : Advanced video coding for generic audiovisual services. 2017-04-13. URL: https://www.itu.int/ITU-T/recommendations/rec.aspx?rec=13189
[indexeddb]
Indexed Database API. Nikunj Mehta; Jonas Sicking; Eliot Graff; Andrei Popescu; Jeremy Orlow; Joshua Bell. W3C. 8 January 2015. W3C Recommendation. URL: https://www.w3.org/TR/IndexedDB/
[rfc6386]
VP8 Data Format and Decoding Guide. J. Bankoski; J. Koleszar; L. Quillio; J. Salonen; P. Wilkins; Y. Xu. IETF. November 2011. Informational. URL: https://www.rfc-editor.org/rfc/rfc6386
[uaag20]
User Agent Accessibility Guidelines (UAAG) 2.0. James Allan; Greg Lowney; Kimberly Patch; Jeanne F Spellman. W3C. 15 December 2015. W3C Working Group Note. URL: https://www.w3.org/TR/UAAG20/
[wai-aria-11]
Accessible Rich Internet Applications (WAI-ARIA) 1.1. Joanmarie Diggs; Shane McCarron; Michael Cooper; Richard Schwerdtfeger; James Craig. W3C. 14 December 2017. W3C Recommendation. URL: https://www.w3.org/TR/wai-aria-1.1/