W3C home > Mailing lists > Public > public-html@w3.org > January 2010

Re: Disallow plug-ins in text/html-sandboxed? (was: Re: text/sandboxed-html)

From: Tab Atkins Jr. <jackalmage@gmail.com>
Date: Sun, 24 Jan 2010 09:45:14 -0600
Message-ID: <dd0fbad1001240745r5aaa31d7v753d8f76c6e7c97b@mail.gmail.com>
To: Leonard Rosenthol <lrosenth@adobe.com>
Cc: Maciej Stachowiak <mjs@apple.com>, Adam Barth <w3c@adambarth.com>, Ian Hickson <ian@hixie.ch>, "public-html@w3.org" <public-html@w3.org>
On Sun, Jan 24, 2010 at 7:37 AM, Leonard Rosenthol <lrosenth@adobe.com> wrote:
> The problem here is that unlike the other method (@sandbox), where the page author has control over what things are sandboxed and what are not - there is no such control when using a mimetype :(.   That means that a renegade server (or proxy or ...) could simply swap out mimetypes and block a users access to required content (exposed via plugins).

Is this an attack to worry about?  A renegade server or proxy can do
*anything it wants* to the data passing through it over http; worrying
about one swapping mimetypes so that plugins don't work seems like
vacuuming a desert - there's still plenty of sand left over no matter
what you do.

~TJ
Received on Sunday, 24 January 2010 15:46:01 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 9 May 2012 00:17:00 GMT