- From: poot <cvsmail@w3.org>
- Date: Fri, 23 Sep 2011 15:43:23 -0400
- To: public-html-diffs@w3.org
hixie: Define how sandboxing works with plugins in a hypothetical world
where plugins honour the sandbox. (whatwg r6573)
http://dev.w3.org/cvsweb/html5/spec/Overview.html?r1=1.5266&r2=1.5267&f=h
http://html5.org/tools/web-apps-tracker?from=6572&to=6573
===================================================================
RCS file: /sources/public/html5/spec/Overview.html,v
retrieving revision 1.5266
retrieving revision 1.5267
diff -u -d -r1.5266 -r1.5267
--- Overview.html 23 Sep 2011 19:14:21 -0000 1.5266
+++ Overview.html 23 Sep 2011 19:43:08 -0000 1.5267
@@ -2683,7 +2683,10 @@
such as the Netscape Plugin API; others might use remote content
converters or have built-in support for certain types. Indeed, this
specification doesn't require user agents to support plugins at all.
- <a href="#refsNPAPI">[NPAPI]</a><div class="impl">
+ <a href="#refsNPAPI">[NPAPI]</a><p>A plugin can be <dfn id="concept-plugin-secure" title="concept-plugin-secure">secured</dfn>
+ if it honors the semantics of the <code title="attr-iframe-sandbox"><a href="#attr-iframe-sandbox">sandbox</a></code> attribute.<p class="example">For example, a secured plugin would prevent its
+ contents from creating pop-up windows when the plugin is
+ instantiated inside a sandboxed <code><a href="#the-iframe-element">iframe</a></code>.<div class="impl">
<p class="warning">Browsers should take extreme care when
interacting with external content intended for <a href="#plugin" title="plugin">plugins</a>. When third-party software is run with
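Review bot: the new "secured" definition (the `<dfn id="concept-plugin-secure">` in this hunk) gives a user agent no criterion for deciding whether a given plugin honours the sandbox semantics, yet the rest of the patch turns "can be secured" into a normative branch condition for embed, object and navigation. Suggest stating how a user agent establishes that a plugin is securable (for instance, only plugins the user agent itself knows implement the sandbox restrictions qualify, rather than a claim the plugin makes about itself) and that a secured plugin must have all of the sandbox's restrictions applied, not only the pop-up case given in the example. Without that, the definition sits uneasily beside the warning immediately below about taking extreme care with external content intended for plugins.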
@@ -19719,7 +19722,7 @@
When the attribute is set, the content is treated as being from a
unique <a href="#origin">origin</a>, forms and scripts are disabled, links
are prevented from targeting other <a href="#browsing-context" title="browsing
- context">browsing contexts</a>, and plugins are disabled. The
+ context">browsing contexts</a>, and plugins are secured. The
<code title="attr-iframe-sandbox-allow-same-origin"><a href="#attr-iframe-sandbox-allow-same-origin">allow-same-origin</a></code>
keyword allows the content to be treated as being from the same
origin instead of forcing it into a unique origin, the <code title="attr-iframe-sandbox-allow-top-navigation"><a href="#attr-iframe-sandbox-allow-top-navigation">allow-top-navigation</a></code>
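Review bot: "plugins are secured" in the sandbox attribute summary overstates the new behaviour: under the embed and object steps elsewhere in this patch, a plugin that cannot be secured is still disabled, and only securable plugins run under the sandbox. Suggest "and plugins are disabled unless they can be secured" (or "are either secured or disabled") so the summary matches the normative text it introduces.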
@@ -19793,7 +19796,7 @@
<p>This flag prevents content from instantiating <a href="#plugin" title="plugin">plugins</a>, whether using <a href="#sandboxPluginEmbed">the <code>embed</code> element</a>, <a href="#sandboxPluginObject">the <code>object</code> element</a>,
<a href="#sandboxPluginApplet">the <code>applet</code>
element</a>, or through <a href="#sandboxPluginNavigate">navigation</a> of a <a href="#nested-browsing-context">nested
- browsing context</a>.</p>
+ browsing context</a>, unless those <a href="#plugin" title="plugin">plugins</a> can be <a href="#concept-plugin-secure" title="concept-plugin-secure">secured</a>.</p>
</dd>
@@ -20216,33 +20219,6 @@
content</a>, any plugins instantiated for the element must be
removed, and the <code><a href="#the-embed-element">embed</a></code> element represents nothing.</p>
- <p id="sandboxPluginEmbed">If either:
-
- <ul><li>the <a href="#sandboxed-plugins-browsing-context-flag">sandboxed plugins browsing context flag</a> was
- set on the <a href="#browsing-context">browsing context</a> for which the
- <code><a href="#the-embed-element">embed</a></code> element's <code><a href="#document">Document</a></code> is the
- <a href="#active-document">active document</a> when that <code><a href="#document">Document</a></code> was
- created, or</li>
-
- <li>the <code><a href="#the-embed-element">embed</a></code> element's <code><a href="#document">Document</a></code> was
- parsed from a resource whose <a href="#content-type-sniffing-0" title="Content-Type
- sniffing">sniffed type</a> as determined during <a href="#navigate" title="navigate">navigation</a> is
- <code><a href="#text-html-sandboxed">text/html-sandboxed</a></code></li>
-
- </ul><p>...then the user agent must render the <code><a href="#the-embed-element">embed</a></code> element
- in a manner that conveys that the <a href="#plugin">plugin</a> was
- disabled. The user agent may offer the user the option to override
- the sandbox and instantiate the <a href="#plugin">plugin</a> anyway; if the
- user invokes such an option, the user agent must act as if the
- conditions above did not apply for the purposes of this element.</p>
-
- <p class="warning">Plugins are disabled in sandboxed browsing
- contexts because they might not honor the restrictions imposed by
- the sandbox (e.g. they might allow scripting even when scripting in
- the sandbox is disabled). User agents should convey the danger of
- overriding the sandbox to the user if an option to do so is
- provided.</p>
-
<p>An <code><a href="#the-embed-element">embed</a></code> element is said to be <dfn id="concept-embed-active" title="concept-embed-active">potentially active</dfn> when the
following conditions are all met simultaneously:</p>
@@ -20250,7 +20226,6 @@
<li>The element's <code><a href="#document">Document</a></code> is <a href="#fully-active">fully active</a>.</li>
<li>The element has either a <code title="attr-embed-src"><a href="#attr-embed-src">src</a></code> attribute set or a <code title="attr-embed-type"><a href="#attr-embed-type">type</a></code> attribute set (or both).</li>
<li>The element's <code title="attr-embed-src"><a href="#attr-embed-src">src</a></code> attribute is either absent or its value is the empty string.</li>
- <li>The element is not in a <code><a href="#document">Document</a></code> whose <a href="#browsing-context">browsing context</a> had the <a href="#sandboxed-plugins-browsing-context-flag">sandboxed plugins browsing context flag</a> set when the <code><a href="#document">Document</a></code> was created (unless this has been overridden as described above).</li>
<li>The element's <code><a href="#document">Document</a></code> was not parsed from a resource whose <a href="#content-type-sniffing-0" title="Content-Type sniffing">sniffed type</a> as determined during <a href="#navigate" title="navigate">navigation</a> is <code><a href="#text-html-sandboxed">text/html-sandboxed</a></code> (unless this has been overridden as described above).</li>
<li>The element is not a descendant of a <a href="#media-element">media element</a>.</li>
<li>The element is not a descendant of an <code><a href="#the-object-element">object</a></code> element that is not showing its <a href="#fallback-content">fallback content</a>.</li>
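Review bot: the remaining list item on the `text/html-sandboxed` sniffed type should be removed or reconciled in the same way as the deleted flag item. With the flag condition gone from "potentially active" but the sniffed-type condition kept, an embed in a `text/html-sandboxed` document never becomes potentially active regardless of whether its plugin can be secured, which makes the second bullet of the relocated `sandboxPluginEmbed` paragraph later in this patch unreachable for embed. The kept item's parenthetical "(unless this has been overridden as described above)" is also now stale, since the override text has been moved below this list.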
@@ -20295,6 +20270,35 @@
<a href="#plugin">plugin</a> that had been instantiated for that element must
be unloaded.</p>
+ <p id="sandboxPluginEmbed">When a <a href="#plugin">plugin</a> is to be
+ instantiated but it cannot be <a href="#concept-plugin-secure" title="concept-plugin-secure">secured</a> and either:
+
+ <ul><li>the <a href="#sandboxed-plugins-browsing-context-flag">sandboxed plugins browsing context flag</a> was
+ set on the <a href="#browsing-context">browsing context</a> for which the
+ <code><a href="#the-embed-element">embed</a></code> element's <code><a href="#document">Document</a></code> is the
+ <a href="#active-document">active document</a> when that <code><a href="#document">Document</a></code> was
+ created, or</li>
+
+ <li>the <code><a href="#the-embed-element">embed</a></code> element's <code><a href="#document">Document</a></code> was
+ parsed from a resource whose <a href="#content-type-sniffing-0" title="Content-Type
+ sniffing">sniffed type</a> as determined during <a href="#navigate" title="navigate">navigation</a> is
+ <code><a href="#text-html-sandboxed">text/html-sandboxed</a></code></li>
+
+ </ul><p>...then the user agent must not instantiate the
+ <a href="#plugin">plugin</a>, and must instead render the <code><a href="#the-embed-element">embed</a></code>
+ element in a manner that conveys that the <a href="#plugin">plugin</a> was
+ disabled. The user agent may offer the user the option to override
+ the sandbox and instantiate the <a href="#plugin">plugin</a> anyway; if the
+ user invokes such an option, the user agent must act as if the
+ conditions above did not apply for the purposes of this element.</p>
+
+ <p class="warning">Plugins that cannot be <a href="#concept-plugin-secure" title="concept-plugin-secure">secured</a> are disabled in
+ sandboxed browsing contexts because they might not honor the
+ restrictions imposed by the sandbox (e.g. they might allow scripting
+ even when scripting in the sandbox is disabled). User agents should
+ convey the danger of overriding the sandbox to the user if an option
+ to do so is provided.</p>
+
<p class="note">The <code><a href="#the-embed-element">embed</a></code> element is unaffected by the
CSS 'display' property. The selected plugin is instantiated even if
the element is hidden with a 'display:none' CSS style.</p>
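Review bot: the new `sandboxPluginEmbed` paragraph says what must happen when a plugin cannot be secured, but nothing in this hunk says what the user agent must do when it can be: there is no requirement that a securable plugin instantiated while either bullet applies is actually instantiated in its secured mode, with the sandbox's restrictions conveyed to it. Suggest adding that requirement next to "must not instantiate the plugin", for example "otherwise, if the plugin can be secured, the user agent must instantiate it secured". As written, a user agent could satisfy the text by instantiating a securable plugin normally in a sandboxed document.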
@@ -20520,13 +20524,15 @@
<p>If the <code title="attr-object-classid"><a href="#attr-object-classid">classid</a></code>
attribute is present, and has a value that isn't the empty string,
then: if the user agent can find a <a href="#plugin">plugin</a> suitable
- according to the value of the <code title="attr-object-classid"><a href="#attr-object-classid">classid</a></code> attribute, and <a href="#sandboxPluginObject">plugins aren't being sandboxed</a>,
- then that <a href="#plugin">plugin</a> <a href="#object-plugin">should be
- used</a>, and the value of the <code title="attr-object-data"><a href="#attr-object-data">data</a></code> attribute, if any, should be
- passed to the <a href="#plugin">plugin</a>. If no suitable
- <a href="#plugin">plugin</a> can be found, or if the <a href="#plugin">plugin</a>
- reports an error, jump to the last step in the overall set of
- steps (fallback).</p>
+ according to the value of the <code title="attr-object-classid"><a href="#attr-object-classid">classid</a></code> attribute, and either
+ <a href="#sandboxPluginObject">plugins aren't being sandboxed</a>
+ or that <a href="#plugin">plugin</a> can be <a href="#concept-plugin-secure" title="concept-plugin-secure">secured</a>, then that
+ <a href="#plugin">plugin</a> <a href="#object-plugin">should be used</a>,
+ and the value of the <code title="attr-object-data"><a href="#attr-object-data">data</a></code>
+ attribute, if any, should be passed to the <a href="#plugin">plugin</a>. If
+ no suitable <a href="#plugin">plugin</a> can be found, or if the
+ <a href="#plugin">plugin</a> reports an error, jump to the last step in the
+ overall set of steps (fallback).</p>
</li>
@@ -20785,8 +20791,8 @@
<dd>
<p>If <a href="#sandboxPluginObject">plugins are being
- sandboxed</a>, jump to the last step in the overall set of
- steps (fallback).</p>
+ sandboxed</a> and the plugin that supports <var title="">resource type</var> cannot be <a href="#concept-plugin-secure" title="concept-plugin-secure">secured</a>, jump to the last
+ step in the overall set of steps (fallback).</p>
<p>Otherwise, the user agent should <a href="#object-plugin">use the plugin that supports <var title="">resource type</var></a> and pass the content of the
resource to that <a href="#plugin">plugin</a>. If the
@@ -20905,13 +20911,12 @@
<li><p>If the <code title="attr-object-data"><a href="#attr-object-data">data</a></code> attribute
is absent but the <code title="attr-object-type"><a href="#attr-object-type">type</a></code>
- attribute is present, <a href="#sandboxPluginObject">plugins aren't
- being sandboxed</a>, and the user agent can find a
- <a href="#plugin">plugin</a> suitable according to the value of the <code title="attr-object-type"><a href="#attr-object-type">type</a></code> attribute, then that
+ attribute is present, and the user agent can find a
+ <a href="#plugin">plugin</a> suitable according to the value of the <code title="attr-object-type"><a href="#attr-object-type">type</a></code> attribute, and either <a href="#sandboxPluginObject">plugins aren't being sandboxed</a> or
+ the <a href="#plugin">plugin</a> can be <a href="#concept-plugin-secure" title="concept-plugin-secure">secured</a>, then that
<a href="#plugin">plugin</a> <a href="#object-plugin">should be used</a>. If
- no suitable <a href="#plugin">plugin</a> can be found, or if the
- <a href="#plugin">plugin</a> reports an error, jump to the next step
- (fallback).</li>
+ these conditions cannot be met, or if the <a href="#plugin">plugin</a>
+ reports an error, jump to the next step (fallback).</li>
<li><p>(Fallback.) The <code><a href="#the-object-element">object</a></code> element
<a href="#represents">represents</a> the element's children, ignoring any
@@ -20935,7 +20940,8 @@
<a href="#plugin">plugin</a> is not a nested <a href="#browsing-context">browsing
context</a>.</p>
- <p id="sandboxPluginObject">If either:</p>
+ <p id="sandboxPluginObject">Plugins are considered sandboxed for the
+ purpose of an <code><a href="#the-object-element">object</a></code> element if either:</p>
<ul><li>the <a href="#sandboxed-plugins-browsing-context-flag">sandboxed plugins browsing context flag</a> was
set on the <code><a href="#the-object-element">object</a></code> element's <code><a href="#document">Document</a></code>'s
@@ -20947,11 +20953,7 @@
sniffing">sniffed type</a> as determined during <a href="#navigate" title="navigate">navigation</a> is
<code><a href="#text-html-sandboxed">text/html-sandboxed</a></code></li>
- </ul><p>...then the steps above must always act as if they had failed to
- find a <a href="#plugin">plugin</a>, even if one would otherwise have been
- used.</p>
-
- <p class="note">The above algorithm is independent of CSS properties
+ </ul><p class="note">The above algorithm is independent of CSS properties
(including 'display', 'overflow', and 'visibility'). For example, it
runs even if the element is hidden with a 'display:none' CSS style,
and does not run <em>again</em> if the element's visibility
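Review bot: removing the "...then the steps above must always act as if they had failed to find a plugin" consequence leaves the `sandboxPluginObject` definition ending on a bare list with no closing sentence and no terminal punctuation on the last item; it is semantically fine since the object steps now test the condition themselves, but a short closing sentence would read better. Separately, the object path still has no equivalent of the embed element's user option to override the sandbox (the embed text in this patch keeps "may offer the user the option to override the sandbox"), so the same plugin behaves differently in the two elements; if that is intentional, a note saying so would help implementers.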
@@ -46493,7 +46495,8 @@
<p class="note" id="sandboxPluginNavigate">If the <a href="#sandboxed-plugins-browsing-context-flag">sandboxed
plugins browsing context flag</a> was set on the <a href="#browsing-context">browsing
context</a> when the <code><a href="#document">Document</a></code> was created, the
- synthesized <code><a href="#the-embed-element">embed</a></code> element will <a href="#sandboxPluginEmbed">fail to render the content</a>.</p>
+ synthesized <code><a href="#the-embed-element">embed</a></code> element will <a href="#sandboxPluginEmbed">fail to render the content</a> if the
+ relevant <a href="#plugin">plugin</a> cannot be <a href="#concept-plugin-secure" title="concept-plugin-secure">secured</a>.</p>
<h4 id="read-ua-inline"><span class="secno">5.5.7 </span><dfn title="navigate-ua-inline">Page load processing model for inline content that doesn't have a DOM</dfn></h4>
@@ -67538,6 +67541,7 @@
but it is disabled, the element <a href="#represents">represents</a> its
contents.</p>
+
<p>Otherwise, the user agent should instantiate a Java Language
runtime <a href="#plugin">plugin</a>, and should pass the names and values of
all the attributes on the element, in the order they were added to
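Review bot: this hunk is whitespace only (a blank line added before "Otherwise, the user agent should instantiate a Java Language runtime plugin"), and the applet sandboxing text referenced as `#sandboxPluginApplet` from the flag definition earlier in this patch is not updated anywhere in the diff, unlike the embed, object and navigation text. Confirm whether the applet path should also admit plugins that can be secured, or whether the "unless those plugins can be secured" wording at the flag definition should exclude applet.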
Received on Friday, 23 September 2011 19:43:25 UTC