- From: Artur Adib <arturadib@gmail.com>
- Date: Fri, 4 Jun 2010 13:50:56 -0400
- To: Adam Barth <w3c@adambarth.com>
- Cc: robert@ocallahan.org, public-html@w3.org, Leonard Rosenthol <lrosenth@adobe.com>, Ian Hickson <ian@hixie.ch>

On Fri, Jun 4, 2010 at 1:00 PM, Adam Barth <w3c@adambarth.com> wrote:
> In a year or two, you'll have the same problems you have
> today, except that all these sites will be using Flash to framebust
> rather than JavaScript.

Not if plugin @sandbox compliance gets there first.

All I am suggesting is to do things in parallel rather than serially: introduce the 'allow-plugins' option in tandem with ongoing plugin compliance, rather than "plugin compliance first, allow-plugins later". For the reasons I outlined, in the short-term this is *very* useful for products such as ours.

The assumption is that plugin compliance will catch up sooner than (hypothetical) exploits become pervasive; as Julian pointed out, the ball has been set in motion in that direction. If it doesn't (for some bizarre reason), authors can simply avoid using the option. (In that case, it probably means plugin makers have gone bankrupt, so the option can be safely set to 'deprecated').

Additionally, neither of us seems to know for sure if Flash has access to top.location... If it turns out it doesn't, then your example is not an issue at all.

-Artur

Received on Friday, 4 June 2010 17:51:28 UTC