- From: Ian Hickson <ian@hixie.ch>
- Date: Wed, 20 Jan 2010 01:35:33 +0000 (UTC)
- To: Adam Barth <w3c@adambarth.com>
- Cc: "public-html@w3.org" <public-html@w3.org>
On Wed, 13 Jan 2010, Adam Barth wrote: > > There are actually two things going on here, and we should be careful to > make sure each works correctly: > > 1) Content loaded in an iframe with the @sandbox attribute. Here, > Maciej is correct that plug-ins are disabled. > 2) Content loaded with the media type text/html-sandboxed. Here, as > described by Ian in his email, I think plug-ins are still allowed. > > We probably should disallow plug-ins in case (2) for the same reason we > disallow them in case (1): Existing plug-ins likely won't respect the > unique origin of the document. For example, I bet Gears would let a > "text/html-sandboxed" document access the database for it's normal > origin. Wouldn't it be trivial to get around this restriction in case #2 by just making the page redirect to the plugin full-page? -- Ian Hickson U+1047E )\._.,--....,'``. fL http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,. Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
Received on Wednesday, 20 January 2010 01:36:02 UTC