Re: [whatwg] Seeking clarification on sandboxed iframes and plugins (Flash, etc.) from James M. Greene on 2014-12-02 (public-whatwg-archive@w3.org from December 2014)

From: James M. Greene <james.m.greene@gmail.com>
Date: Tue, 2 Dec 2014 10:01:12 -0600
To: Boris Zbarsky <bzbarsky@mit.edu>
Cc: WHATWG <whatwg@lists.whatwg.org>
Message-ID: <CALrbKZh75PPFEAaZ_MHcvPByOdY1e6WiCk1e+BBYRojSucTySQ@mail.gmail.com>

OK, those answers are all about what I expected, particularly the note
about securing the API surface of Flash.

So, it sounds like sandboxed iframes will probably *never* support plugin
instantiation -- even if such a plugin were hosted on the same origin as
both the iframe page *and* top-level page.

This mostly makes sense to me as you would only infrequently want to
sandbox an iframe of your own site, though it does seem to present a gap
as, if I *did* want to sandbox an iframe of my own site, it would probably
be to do something more like preventing top-level navigation and/or popups
rather than to prevent the instantiation of personally-built plugins... but
I cannot achieve the former without implicitly suffering the latter.

Not critical but slightly frustrating until the HTML Clipboard API (for
which ZeroClipboard is the best interim solution) eventually gets polished
and implemented more widely.

Sincerely,
    James Greene

On Tue, Dec 2, 2014 at 9:49 AM, Boris Zbarsky <bzbarsky@mit.edu> wrote:

> On 12/2/14, 7:46 AM, James M. Greene wrote:
>
>>   1. Is there any existing way or guidance for browser vendors on how to
>> confirm that a plugin can be "secured" and thus allowed to be instantiated
>> within a sandboxed iframe?
>>
>
> As far as I know, there is not.  For Gecko there definitely is not.
>
>    2. Is there any existing way or guidance for library/plugin developers
>> on
>> how to provide appropriate metadata to the browser in order to allow a
>> plugin to be considered "secured" and thus allowed to be instantiated
>> within a sandboxed iframe?
>>
>
> Again, as far as I know there is not.
>
>    3. Is this really just confusing/misleading text that may never actually
>> correlate to a real implementation?
>>
>
> The text is intended to allow people to develop such systems if they want
> to.  I don't think any current UAs particularly want to.
>
> Note that making sure something with the API surface of Flash is "secured"
> would be quite an undertaking...
>
> -Boris
>

Received on Tuesday, 2 December 2014 16:02:09 UTC