- From: Boris Zbarsky <bzbarsky@mit.edu>
- Date: Tue, 02 Dec 2014 09:04:15 -0800
- To: "James M. Greene" <james.m.greene@gmail.com>
- Cc: WHATWG <whatwg@lists.whatwg.org>

On 12/2/14, 8:01 AM, James M. Greene wrote:
> So, it sounds like sandboxed iframes will probably /never/ support
> plugin instantiation -- even if such a plugin were hosted on the same
> origin as both the iframe page /and/ top-level page.

For Gecko it depends. For example, we plan to ship a PDF viewer plugin (based on pdf.js) that we may decide to allow in sandboxed iframes. Will need to audit it a bit.

For third-party plug-ins, I suspect the "never" answer is a good assumption for now.

> This mostly makes sense to me as you would only infrequently want to
> sandbox an iframe of your own site

Actually, sandboxing iframes of your own site is one of the main sandbox use cases: it allows limited user upload of content without creating security holes, in theory.

-Boris

Received on Tuesday, 2 December 2014 17:04:50 UTC