Disallow plug-ins in text/html-sandboxed? (was: Re: text/sandboxed-html)

On Wed, Jan 13, 2010 at 7:57 AM, Maciej Stachowiak <mjs@apple.com> wrote:
> On Jan 13, 2010, at 6:38 AM, Leonard Rosenthol wrote:
>> How would this work for content that references resources that require the
>> use of a plugin to view?
>> How would a UA know if the specific plugin can run sandboxed or not?  How
>> would the UA communicate to the plugin that is should be running sandboxed?
> At present, content running in a sandboxed iframe cannot use plugins at all.
> See the sandboxed plugins browsing flag:
> <http://dev.w3.org/html5/spec/Overview.html#attr-iframe-sandbox>.

There are actually two things going on here, and we should be careful
to make sure each works correctly:

1) Content loaded in an iframe with the @sandbox attribute.  Here,
Maciej is correct that plug-ins are disabled.
2) Content loaded with the media type text/html-sandboxed.  Here, as
described by Ian in his email, I think plug-ins are still allowed.

We probably should disallow plug-ins in case (2) for the same reason
we disallow them in case (1): Existing plug-ins likely won't respect
the unique origin of the document.  For example, I bet Gears would let
a "text/html-sandboxed" document access the database for it's normal

Of course, once we have an API for plug-ins to understand these
security restrictions, we can lift the prohibition in case (2) for
plug-ins that understand the security model.


Received on Wednesday, 13 January 2010 19:48:07 UTC