W3C home > Mailing lists > Public > public-html@w3.org > January 2010

Re: What defines a "plugin"? WRT sandboxing?

From: Maciej Stachowiak <mjs@apple.com>
Date: Sun, 24 Jan 2010 10:20:08 -0800
Cc: "public-html@w3.org" <public-html@w3.org>
Message-id: <8BCC477E-2B32-499C-B94A-F664FB443FF6@apple.com>
To: Leonard Rosenthol <lrosenth@adobe.com>

On Jan 24, 2010, at 10:12 AM, Leonard Rosenthol wrote:

> If I understand what you are saying, then it also means that your internal support for ANY format – whether it be specifically listed in the HTML5 spec or not AND whether it is implemented via plugin or not – would need to be covered by the sandbox rules.   That seems completely valid and logical (and consistent). 
>  
> In that case, I would argue that plugins NOT EVEN BE MENTIONED in the sandbox specification – and that instead, the general rules for sandboxing (scripting, external refs, etc.) be applied to the content regardless of how that content is displayed.

If that was the design, we'd probably never allow any plugins. Mixing a different execution model, even if the author has chosen to allow script, is something that can have unpredictable security consequences, so we would not do it without specific opt-in. So you're not going to see allow-script enabling Java for example, and it certainly wouldn't make sense to run any plugin that runs some form of code when allow-script is not set.

>  
> So in Safari’s case, if someone references QuickTime and they are allowing external references, then it would be OK for you to use it.  OR if your PDF viewer DID support scripting AND the sandbox rule was allow scripting, then it would be OK for you to view it, otherwise it would not. 
>  
> The rule for plugins then simply become whether the UA can establish whether the plugin is able to adhere to the requirement(s) for that sandbox. If it can, then it runs – if it cannot, then it can’t.  BUT explicit disabling of plugins should not be an option!

The option should be to explicitly enable them back, after being disabled by sandbox. And then only if they can follow the rules. The use cases for this require predictable attack surface and strong guarantees of what can and can't be done more than they require availability of a wide range of features.

Regards,
Maciej
Received on Sunday, 24 January 2010 18:20:43 UTC

This archive was generated by hypermail 2.3.1 : Monday, 29 September 2014 09:39:13 UTC