W3C home > Mailing lists > Public > public-webappsec@w3.org > August 2015

Re: CSP Plugin

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Thu, 27 Aug 2015 15:47:27 +0200
To: Kepeng Li <kepeng.lkp@alibaba-inc.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <55DF14EF.4080600@gmail.com>
On 2015-08-27 15:26, Kepeng Li wrote:
> Hello all,

Hello Kepeng,


> I want to initiate some discussions about allow-plugin in sandbox.

I may be off here but you mean NPAPI or ActiveX plugins here?

>
> There was some discussion in the mailing list before:
>
> https://lists.w3.org/Archives/Public/public-web-security/2011Feb/0112.html
>
> Can we add an allow-plugins policy that turns on plugins that understand the HTML sandbox?

Plugins are being deprecated and there's another problem as well:
The primary reason for using Plugins is getting out of the Web sandbox like for example dealing with keys in smart cards.

If there ever will be a "plugin" solution, Native Messaging seems to be our best bet:
https://lists.w3.org/Archives/Public/public-webapps/2015JulSep/0319.html


>
> By default, the plugins can be blocked by the browser, but in the sandbox, we can allow plugins. This can improve the web security.
>
>
> Any feedback about this?
>
>
> Thanks,
>
> Kind Regards
>
> Kepeng Li
>
> Alibaba Group
>
> _

Cheers,
Anders Rundgren
Received on Thursday, 27 August 2015 13:48:05 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:14 UTC