- From: James M. Greene <james.m.greene@gmail.com>
- Date: Tue, 2 Dec 2014 11:50:08 -0600
- To: Boris Zbarsky <bzbarsky@mit.edu>
- Cc: WHATWG <whatwg@lists.whatwg.org>
>
> Actually, sandboxing iframes of your own site is one of the main sandbox
> use cases: ...
Oh, hehe.
... it allows limited user upload of content without creating security
> holes, in theory.
Then let us hope that such content creation/collection/uploading doesn't
require the use of Flash/Java/etc., eh? :)
Sincerely,
James Greene
On Tue, Dec 2, 2014 at 11:04 AM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> On 12/2/14, 8:01 AM, James M. Greene wrote:
>
>> So, it sounds like sandboxed iframes will probably /never/ support
>> plugin instantiation -- even if such a plugin were hosted on the same
>> origin as both the iframe page /and/ top-level page.
>>
>
> For Gecko it depends.
>
> For example, we plan to ship a PDF viewer plugin (based on pdf.js) that we
> may decide to allow in sandboxed iframes. Will need to audit it a bit.
>
> For third-party plug-ins, I suspect the "never" answer is a good
> assumption for now.
>
> This mostly makes sense to me as you would only infrequently want to
>> sandbox an iframe of your own site
>>
>
> Actually, sandboxing iframes of your own site is one of the main sandbox
> use cases: it allows limited user upload of content without creating
> security holes, in theory.
>
> -Boris
>
Received on Tuesday, 2 December 2014 17:50:54 UTC