W3C home > Mailing lists > Public > public-html@w3.org > June 2010

Re: text/sandboxed-html

From: Artur Adib <arturadib@gmail.com>
Date: Thu, 3 Jun 2010 17:55:40 -0400
Message-ID: <AANLkTinnSNUmltKtSKerhlcjTiL6SLLxcLBl2zCNbWlM@mail.gmail.com>
To: robert@ocallahan.org
Cc: public-html@w3.org, Leonard Rosenthol <lrosenth@adobe.com>, Adam Barth <w3c@adambarth.com>, Ian Hickson <ian@hixie.ch>
On Thu, Jun 3, 2010 at 5:37 PM, Robert O'Callahan <robert@ocallahan.org> wrote:
> Could an attacker use a custom Flash object to force top-level navigation?

Good question.

Adam- Do you happen to know if that's possible in WebKit?  I mean, I
don't even know if Flash has access to 'top.location', but if it does,
will @sandbox protect it?

At any rate, since most of our problems are Javascript-based, that's a
risk we're willing to take.  Hopefully the plugin APIs will soon
respect @sandbox, but until then, as I have argued "allow-plugins" is
still useful, and can be implemented in parallel with the APIs (see my
previous message).

Received on Thursday, 3 June 2010 21:56:12 UTC

This archive was generated by hypermail 2.3.1 : Thursday, 29 October 2015 10:16:02 UTC