Re: Disallow plug-ins in text/html-sandboxed? (was: Re: text/sandboxed-html)

From: Ian Hickson <ian@hixie.ch>
Date: Wed, 20 Jan 2010 01:35:33 +0000 (UTC)
To: Adam Barth <w3c@adambarth.com>
Cc: "public-html@w3.org" <public-html@w3.org>
Message-ID: <Pine.LNX.4.64.1001200120340.3970@ps20323.dreamhostps.com>

On Wed, 13 Jan 2010, Adam Barth wrote:
> 
> There are actually two things going on here, and we should be careful to 
> make sure each works correctly:
> 
> 1) Content loaded in an iframe with the @sandbox attribute.  Here,
> Maciej is correct that plug-ins are disabled.
> 2) Content loaded with the media type text/html-sandboxed.  Here, as
> described by Ian in his email, I think plug-ins are still allowed.
> 
> We probably should disallow plug-ins in case (2) for the same reason we 
> disallow them in case (1): Existing plug-ins likely won't respect the 
> unique origin of the document.  For example, I bet Gears would let a 
> "text/html-sandboxed" document access the database for its normal 
> origin.

Wouldn't it be trivial to get around this restriction in case #2 by just 
making the page redirect to the plugin full-page?

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Wednesday, 20 January 2010 01:36:02 GMT