
RE: Disallow plug-ins in text/html-sandboxed? (was: Re: text/sandboxed-html)

From: Leonard Rosenthol <lrosenth@adobe.com>
Date: Sun, 24 Jan 2010 07:58:18 -0800
To: "Tab Atkins Jr." <jackalmage@gmail.com>
CC: Maciej Stachowiak <mjs@apple.com>, Adam Barth <w3c@adambarth.com>, Ian Hickson <ian@hixie.ch>, "public-html@w3.org" <public-html@w3.org>
Message-ID: <D23D6B9E57D654429A9AB6918CACEAA97CA3417167@NAMBX02.corp.adobe.com>
Guess it depends on your definition of "attack" and which side of the battle you sit on... (and it was also what led to my other message about "what is a plugin").

As someone who wants to ensure that users can expose their content in formats other than HTML (regardless of what mechanisms are used to render that content), any feature of HTML and its UAs that would enable someone to block those formats (against the author's wishes) is an attack.

Leonard

-----Original Message-----
From: Tab Atkins Jr. [mailto:jackalmage@gmail.com] 
Sent: Sunday, January 24, 2010 4:45 PM
To: Leonard Rosenthol
Cc: Maciej Stachowiak; Adam Barth; Ian Hickson; public-html@w3.org
Subject: Re: Disallow plug-ins in text/html-sandboxed? (was: Re: text/sandboxed-html)

On Sun, Jan 24, 2010 at 7:37 AM, Leonard Rosenthol <lrosenth@adobe.com> wrote:
> The problem here is that unlike the other method (@sandbox), where the page author has control over what things are sandboxed and what are not - there is no such control when using a mimetype :(. That means that a renegade server (or proxy or ...) could simply swap out mimetypes and block a user's access to required content (exposed via plugins).

Is this an attack to worry about?  A renegade server or proxy can do
*anything it wants* to the data passing through it over http; worrying
about one swapping mimetypes so that plugins don't work seems like
vacuuming a desert - there's still plenty of sand left over no matter
what you do.

~TJ
Received on Sunday, 24 January 2010 15:58:59 UTC
