W3C home > Mailing lists > Public > public-html@w3.org > June 2010

Re: text/sandboxed-html

From: Artur Adib <arturadib@gmail.com>
Date: Fri, 4 Jun 2010 13:50:56 -0400
Message-ID: <AANLkTimRXbohLZOKYZUU7qXtQwKX5QOehHJ4IuRp5zGM@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: robert@ocallahan.org, public-html@w3.org, Leonard Rosenthol <lrosenth@adobe.com>, Ian Hickson <ian@hixie.ch>
On Fri, Jun 4, 2010 at 1:00 PM, Adam Barth <w3c@adambarth.com> wrote:
> In a year or two, you'll have the same problems you have
> today, except that all these sites will be using Flash to framebust
> rather than JavaScript.

Not if plugin @sandbox compliance gets there first.

All I am suggesting is to do things in parallel rather than serially:
introduce the 'allow-plugins' option in tandem with ongoing plugin
compliance, rather than "plugin compliance first, allow-plugins

For the reasons I outlined, in the short-term this is *very* useful
for products such as ours.  The assumption is that plugin compliance
will catch up sooner than (hypothetical) exploits become pervasive;
as Julian pointed out, the ball has been set in motion in that
direction.  If it doesn't (for some bizarre reason), authors can
simply avoid using the option.  (In that case, it probably means
plugin makers have gone bankrupt, so the option can be safely set to

Additionally, neither of us seems to know for sure if Flash has access
to top.location...  If it turns out it doesn't, then your example is
not an issue at all.

Received on Friday, 4 June 2010 17:51:28 UTC

This archive was generated by hypermail 2.4.0 : Saturday, 9 October 2021 18:45:19 UTC