Re: text/sandboxed-html from Adam Barth on 2010-06-11 (public-html@w3.org from June 2010)

From: Adam Barth <w3c@adambarth.com>
Date: Thu, 10 Jun 2010 18:25:38 -0700
To: Artur Adib <arturadib@gmail.com>
Cc: Maciej Stachowiak <mjs@apple.com>, robert@ocallahan.org, public-html@w3.org, Leonard Rosenthol <lrosenth@adobe.com>, Ian Hickson <ian@hixie.ch>
Message-ID: <AANLkTinJQvAyLVTkiJwC9aTRRB7jLLCpmmHqc7MZu1fs@mail.gmail.com>

Realistically, it's a tricky business to change the semantics of a
piece of the web platform after it's used by developers.  If we're
only talking about a year, maybe we should just be patient.

Adam


On Thu, Jun 10, 2010 at 6:18 PM, Artur Adib <arturadib@gmail.com> wrote:
> How about this transition story:
>
> (1) Introduce "allow-plugins", allowing *any* plugin regardless of
> sandbox compliance; add warning to the HTML5 specs along the lines of
> "WARNING: This white-list option might allow some plugins to break
> sandbox restrictions, etc.";
> (2) Wait until one or two major plugins comply with sandbox;
> (3) Modify (1) so that only compliant plugins are allowed by
> "allow-plugins"; remove warning from HTML5 specs.
>
> Ideally, (2) would happen ASAP (<1 year?), so that the web wouldn't
> have time to discover and exploit plugin-sandbox vulnerabilities.
>
> If it takes too long to happen, authors can just stop using the option.
>
> -Artur
>
>
>
> On Thu, Jun 10, 2010 at 7:33 PM, Maciej Stachowiak <mjs@apple.com> wrote:
>>
>> On Jun 10, 2010, at 2:24 PM, Robert O'Callahan wrote:
>>
>> On Thu, Jun 10, 2010 at 5:21 PM, Adam Barth <w3c@adambarth.com> wrote:
>>>
>>> I guess I don't understand the transition plan.  Would we eventually
>>> remove support for plug-ins that don't understand sandboxing?  If not,
>>> couldn't an attacker always use XYZ random plug-in to break the
>>> security properties?
>>
>> Users that don't have XYZ random plugin installed (i.e. almost all users)
>> would be protected.
>>
>> Unless XYZ random plugin is "the old version of some very popular plugin".
>> I'm reasonably confident that at least Flash, Java and Silverlight are
>> general-purpose enough to allow circumvention of any of the sandboxed iframe
>> defenses, and I'm not confident enough in users having the latest versions
>> of those to consider that a strong security measure.
>> In the long run, I think it makes a lot more sense to have a feature that
>> only allow plugins that respect sandboxing restrictiions. If we want a
>> shorter-term feature to allow plugins, then it would be good to have a clear
>> transition story.
>> Regards,
>> Maciej
>>
>

Received on Friday, 11 June 2010 01:26:27 UTC