Re: text/sandboxed-html

On Jun 10, 2010, at 2:24 PM, Robert O'Callahan wrote:

> On Thu, Jun 10, 2010 at 5:21 PM, Adam Barth <w3c@adambarth.com> wrote:
> I guess I don't understand the transition plan.  Would we eventually
> remove support for plug-ins that don't understand sandboxing?  If not,
> couldn't an attacker always use XYZ random plug-in to break the
> security properties?
> 
> Users that don't have XYZ random plugin installed (i.e. almost all users) would be protected.

Unless XYZ random plugin is "the old version of some very popular plugin". I'm reasonably confident that at least Flash, Java and Silverlight are general-purpose enough to allow circumvention of any of the sandboxed iframe defenses, and I'm not confident enough in users having the latest versions of those to consider that a strong security measure.

In the long run, I think it makes a lot more sense to have a feature that only allows plugins that respect sandboxing restrictions. If we want a shorter-term feature to allow plugins, then it would be good to have a clear transition story.

Regards,
Maciej

Received on Thursday, 10 June 2010 23:34:13 UTC