- From: Brad Hill <hillbrad@gmail.com>
- Date: Thu, 27 Aug 2015 18:10:13 +0000
- To: Kepeng Li <kepeng.lkp@alibaba-inc.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Thursday, 27 August 2015 18:10:52 UTC
Almost all popular plugins have their own, proprietary, interpretation of what the "same origin policy" means for them. Flash, Java and Silverlight all have special rules about requesting policy files and enabling SOP bypasses based on them, treating the host from which they are loaded as part of their origin vs. operating under the origin into which they are loaded, loading additional code, creating new child browsing or execution contexts, etc.

Basically this means it's impossible to reason about the security properties of what allowing a plugin in a sandbox actually means, and most plugins can escape the sandbox, so there is no practical value to such a directive.

We could imagine a well-behaved plugin that respects the Same Origin Policy and doesn't allow sandbox escapes, but that's not what we actually have in the world. So there is very little value in doing the work to specify or engineer this, especially as traditional plugins are being deprecated in a growing number of user agent implementations.

-Brad