W3C home > Mailing lists > Public > public-html@w3.org > January 2010

Re: What defines a "plugin"? WRT sandboxing?

From: Adam Barth <w3c@adambarth.com>
Date: Mon, 25 Jan 2010 04:55:24 +0000
Message-ID: <7789133a1001242055m6bcd681cye942a3f1ff23c8a6@mail.gmail.com>
To: Maciej Stachowiak <mjs@apple.com>
Cc: Leonard Rosenthol <lrosenth@adobe.com>, "public-html@w3.org" <public-html@w3.org>
On Mon, Jan 25, 2010 at 4:49 AM, Maciej Stachowiak <mjs@apple.com> wrote:
> On Jan 24, 2010, at 8:45 PM, Adam Barth wrote:
>> The problem with that approach is that authors will have a difficult
>> time predicting how user agents will behave.  Perhaps a more
>> operational definition is in order?  We could say that sandboxed
>> content will not be able to use the <object> or <embed> elements
>> (including the implied versions that can be created via frames).
>
> You would also want to banish <applent> in that case. Are we ok with sandboxed content embedding unusual things via <img>, <video> or <audio> if the browser supports that? Safari supports PDF in the <img> element, and also as a CSS background image.

Those seem fine.  Of course, a user agent could do something insane
with <img>, <video>, or <audio>, but then that user agent would likely
introduce security vulnerabilities into web sites (such as forums)
that let users embed <img> elements with (almost!) arbitrary src
attributes.

Adam
Received on Monday, 25 January 2010 04:59:43 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 9 May 2012 00:17:00 GMT