Re: [whatwg] Seeking clarification on sandboxed iframes and plugins (Flash, etc.)

>
> Actually, sandboxing iframes of your own site is one of the main sandbox
> use cases: ...


Oh, hehe.

... it allows limited user upload of content without creating security
> holes, in theory.


Then let us hope that such content creation/collection/uploading doesn't
require the use of Flash/Java/etc., eh? :)


Sincerely,
    James Greene


On Tue, Dec 2, 2014 at 11:04 AM, Boris Zbarsky <bzbarsky@mit.edu> wrote:

> On 12/2/14, 8:01 AM, James M. Greene wrote:
>
>> So, it sounds like sandboxed iframes will probably /never/ support
>> plugin instantiation -- even if such a plugin were hosted on the same
>> origin as both the iframe page /and/ top-level page.
>>
>
> For Gecko it depends.
>
> For example, we plan to ship a PDF viewer plugin (based on pdf.js) that we
> may decide to allow in sandboxed iframes.  Will need to audit it a bit.
>
> For third-party plug-ins, I suspect the "never" answer is a good
> assumption for now.
>
>  This mostly makes sense to me as you would only infrequently want to
>> sandbox an iframe of your own site
>>
>
> Actually, sandboxing iframes of your own site is one of the main sandbox
> use cases: it allows limited user upload of content without creating
> security holes, in theory.
>
> -Boris
>

Received on Tuesday, 2 December 2014 17:50:54 UTC