Re: text/sandboxed-html

On Thu, Jun 3, 2010 at 5:37 PM, Robert O'Callahan <robert@ocallahan.org> wrote:
>
> Could an attacker use a custom Flash object to force top-level navigation?

Good question.

Adam- Do you happen to know if that's possible in WebKit?  I mean, I
don't even know if Flash has access to 'top.location', but if it does,
will @sandbox protect it?

At any rate, since most of our problems are JavaScript-based, that's a
risk we're willing to take.  Hopefully the plugin APIs will soon
respect @sandbox, but until then, as I have argued, "allow-plugins" is
still useful, and can be implemented in parallel with the APIs (see my
previous message).

-Artur

Received on Thursday, 3 June 2010 21:56:12 UTC