- From: Leonard Rosenthol <lrosenth@adobe.com>
- Date: Mon, 25 Jan 2010 13:24:14 -0800
- To: Adam Barth <w3c@adambarth.com>, Maciej Stachowiak <mjs@apple.com>
- CC: "public-html@w3.org" <public-html@w3.org>
What exactly are we trying to prevent?

Maciej seemed to be pushing on the XSS attack as a problem - and said that this is tied to scripting outside the browser's controls. OK - I can accept that. Then you should block any file format - regardless of how it is implemented - that allows such things. In the same vein, any format - regardless of how it is implemented - should be allowed.

So if we say (for example) that TIFF images don't have XSS issues - then I would put forth that they be allowed in sandboxed content REGARDLESS of whether they are implemented natively or via plugin. Same thing with the other side of that coin. If a certain type of video format - say QuickTime - does allow such things, then it should be forbidden REGARDLESS of how the particular UA implements it.

Wouldn't you agree??

Leonard

-----Original Message-----
From: Adam Barth [mailto:w3c@adambarth.com]
Sent: Monday, January 25, 2010 5:55 AM
To: Maciej Stachowiak
Cc: Leonard Rosenthol; public-html@w3.org
Subject: Re: What defines a "plugin"? WRT sandboxing?

On Mon, Jan 25, 2010 at 4:49 AM, Maciej Stachowiak <mjs@apple.com> wrote:
> On Jan 24, 2010, at 8:45 PM, Adam Barth wrote:
>> The problem with that approach is that authors will have a difficult
>> time predicting how user agents will behave. Perhaps a more
>> operational definition is in order? We could say that sandboxed
>> content will not be able to use the <object> or <embed> elements
>> (including the implied versions that can be created via frames).
>
> You would also want to banish <applet> in that case. Are we ok with
> sandboxed content embedding unusual things via <img>, <video> or
> <audio> if the browser supports that? Safari supports PDF in the <img>
> element, and also as a CSS background image.

Those seem fine. Of course, a user agent could do something insane with <img>, <video>, or <audio>, but then that user agent would likely introduce security vulnerabilities into web sites (such as forums) that let users embed <img> elements with (almost!) arbitrary src attributes.

Adam

Received on Monday, 25 January 2010 21:24:47 UTC