W3C home > Mailing lists > Public > public-html-bugzilla@w3.org > August 2011

[Bug 13032] "allow-plugins" option for iframe sandbox attribute

From: <bugzilla@jessica.w3.org>
Date: Thu, 04 Aug 2011 15:59:15 +0000
To: public-html-bugzilla@w3.org
Message-Id: <E1Qp0KJ-0005Y8-QA@jessica.w3.org>
http://www.w3.org/Bugs/Public/show_bug.cgi?id=13032

--- Comment #10 from Jacob Rossi [MSFT] <jrossi@microsoft.com> 2011-08-04 15:59:14 UTC ---
(In reply to comment #7)
> (In reply to comment #6)
> > Agreed.
> > 
> > What I do think we should do is to make it clear that plugins are allowed to
> > run in the sandbox, as long as the browser is sure that it satisfies the
> > restrictions put upon the sandbox.
> > 
> > So for example if it was possible for the browser to tell Flash that it's not
> > allowed to run script and not allowed to navigate any parent frames, and those
> > are the only restrictions placed on a given sandbox, then the browser could run
> > flash.
> 
> Related to this: <https://wiki.mozilla.org/Plugins:SandboxedPlugins>

Even with this kind of approach, I don't see how you can guarantee security.
What stops an attacker from creating a plugin which claims support for
sandboxing but doesn't in reality?

-- 
Configure bugmail: http://www.w3.org/Bugs/Public/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.
Received on Thursday, 4 August 2011 15:59:17 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 16:31:16 UTC