
Re: Disallow plug-ins in text/html-sandboxed? (was: Re: text/sandboxed-html)

From: Maciej Stachowiak <mjs@apple.com>
Date: Tue, 19 Jan 2010 18:15:18 -0800
Cc: Ian Hickson <ian@hixie.ch>, "public-html@w3.org" <public-html@w3.org>
Message-id: <FD96D55A-B12D-4347-AC35-85978409A6D9@apple.com>
To: Adam Barth <w3c@adambarth.com>

On Jan 19, 2010, at 5:52 PM, Adam Barth wrote:

> 
> Consider the case of Google Gears.  Gears provides access to databases
> based on the origin of the embedding page.  Unfortunately, Gears
> doesn't understand text/html-sandboxed and so would grant the
> sandboxed content access to the origin's databases.

It seems like, in this case, if plugins are blocked, then you can't use a redirect to circumvent the protection. Likewise if Flash has similar vulnerabilities (I suspect it does).

Regards,
Maciej
Received on Wednesday, 20 January 2010 02:15:52 UTC
