W3C home > Mailing lists > Public > public-webappsec@w3.org > August 2015

Re: CSP Plugin

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Thu, 27 Aug 2015 15:47:27 +0200
To: Kepeng Li <kepeng.lkp@alibaba-inc.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <55DF14EF.4080600@gmail.com>
On 2015-08-27 15:26, Kepeng Li wrote:
> Hello all,

Hello Kepeng,

> I want to initiate some discussions about allow-plugin in sandbox.

I may be off here but you mean NPAPI or ActiveX plugins here?

> There was some discussion in the mailing list before:
> https://lists.w3.org/Archives/Public/public-web-security/2011Feb/0112.html
> Can we add an allow-plugins policy that turns on plugins that understand the HTML sandbox?

Plugins are being deprecated and there's another problem as well:
The primary reason for using Plugins is getting out of the Web sandbox like for example dealing with keys in smart cards.

If there ever will be a "plugin" solution, Native Messaging seems to be our best bet:

> By default, the plugins can be blocked by the browser, but in the sandbox, we can allow plugins. This can improve the web security.
> Any feedback about this?
> Thanks,
> Kind Regards
> Kepeng Li
> Alibaba Group
> _

Anders Rundgren
Received on Thursday, 27 August 2015 13:48:05 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:50 UTC