- From: Jonas Sicking <jonas@sicking.cc>
- Date: Thu, 14 Jul 2011 08:01:52 -0700
On Thu, Jul 14, 2011 at 1:16 AM, Julian Reschke <julian.reschke at gmx.de> wrote: > On 2011-07-14 08:22, Jonas Sicking wrote: >> >> On Wed, Jul 13, 2011 at 9:49 PM, Anne van Kesteren<annevk at opera.com> >> ?wrote: >>> >>> On Wed, 13 Jul 2011 23:13:05 +0200, Julian Reschke<julian.reschke at gmx.de> >>> ?wrote: >>>> >>>> Yes, but we can *define* the flag in HTML and write down what it means >>>> with respect to plugin APIs. >>> >>> It seems much better to wait until it can actually be implemented. >> >> Especially since it's not at all clear to me that a specific opt-in >> mechanism is at all needed once we have the appropriate plugin APIs >> implemented. And those APIs are needed anyway if we want to allow >> plugins in any form in the sandbox. > > "When the attribute is set, the content is treated as being from a unique > origin, forms and scripts are disabled, links are prevented from targeting > other browsing contexts, and plugins are disabled." > > A browser negotiating something with plugins using that API and enabling > them despite @sandbox would violate the above requirement, no? True. I would be fine with removing the plugin requirement. Or changing it such that it states that plugins can only be loaded if it's done in a manner that ensures that all other requirements are still fulfilled. Or just dealing with this once there actually are plugins and plugin APIs which could be loaded while still fulfilling the other requirements. / Jonas
Received on Thursday, 14 July 2011 08:01:52 UTC