[html5] r6573 - [giow] (0) Define how sandboxing works with plugins in a hypothetical world wher [...]
whatwg at whatwg.org
Fri Sep 23 12:40:44 PDT 2011
Author: ianh
Date: 2011-09-23 12:40:42 -0700 (Fri, 23 Sep 2011)
New Revision: 6573
Modified:
complete.html
index
source
Log:
[giow] (0) Define how sandboxing works with plugins in a hypothetical world where plugins honour the sandbox.
Fixing http://www.w3.org/Bugs/Public/show_bug.cgi?id=13267
Modified: complete.html
===================================================================
--- complete.html 2011-09-23 19:11:54 UTC (rev 6572)
+++ complete.html 2011-09-23 19:40:42 UTC (rev 6573)
@@ -3299,6 +3299,13 @@
specification doesn't require user agents to support plugins at all.
<a href=#refsNPAPI>[NPAPI]</a></p>
+ <p>A plugin can be <dfn id=concept-plugin-secure title=concept-plugin-secure>secured</dfn>
+ if it honors the semantics of the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute.</p>
+
+ <p class=example>For example, a secured plugin would prevent its
+ contents from creating pop-up windows when the plugin is
+ instantiated inside a sandboxed <code><a href=#the-iframe-element>iframe</a></code>.</p>
+
<div class=impl>
<p class=warning>Browsers should take extreme care when
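Review bot: the definition "A plugin can be secured if it honors the semantics of the sandbox attribute" gives the user agent no way to decide, for a particular plugin, whether that holds, yet every later hunk tests "cannot be secured" as a yes/no condition; the definition should state how that determination is made (for example, that it is implementation-defined, or that the plugin must declare it) rather than leaving the test implicit. The example paragraph also mentions only pop-up windows; since the sandbox attribute as described later in this file disables scripts and forms and restricts navigation, a sentence saying a secured plugin must honour all of those restrictions would stop readers from treating pop-up blocking alone as sufficient.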
@@ -23831,7 +23838,7 @@
When the attribute is set, the content is treated as being from a
unique <a href=#origin>origin</a>, forms and scripts are disabled, links
are prevented from targeting other <a href=#browsing-context title="browsing
- context">browsing contexts</a>, and plugins are disabled. The
+ context">browsing contexts</a>, and plugins are secured. The
<code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code>
keyword allows the content to be treated as being from the same
origin instead of forcing it into a unique origin, the <code title=attr-iframe-sandbox-allow-top-navigation><a href=#attr-iframe-sandbox-allow-top-navigation>allow-top-navigation</a></code>
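Review bot: the non-normative summary "and plugins are secured" reads as though every plugin now runs inside a sandboxed iframe, whereas the normative text added later in this patch disables any plugin that cannot be secured. Suggest "and plugins are either secured or disabled" so the overview matches the algorithm.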
@@ -23917,7 +23924,7 @@
<p>This flag prevents content from instantiating <a href=#plugin title=plugin>plugins</a>, whether using <a href=#sandboxPluginEmbed>the <code>embed</code> element</a>, <a href=#sandboxPluginObject>the <code>object</code> element</a>,
<a href=#sandboxPluginApplet>the <code>applet</code>
element</a>, or through <a href=#sandboxPluginNavigate>navigation</a> of a <a href=#nested-browsing-context>nested
- browsing context</a>.</p>
+ browsing context</a>, unless those <a href=#plugin title=plugin>plugins</a> can be <a href=#concept-plugin-secure title=concept-plugin-secure>secured</a>.</p>
</dd>
@@ -24404,33 +24411,6 @@
content</a>, any plugins instantiated for the element must be
removed, and the <code><a href=#the-embed-element>embed</a></code> element represents nothing.</p>
- <p id=sandboxPluginEmbed>If either:
-
- <ul><li>the <a href=#sandboxed-plugins-browsing-context-flag>sandboxed plugins browsing context flag</a> was
- set on the <a href=#browsing-context>browsing context</a> for which the
- <code><a href=#the-embed-element>embed</a></code> element's <code><a href=#document>Document</a></code> is the
- <a href=#active-document>active document</a> when that <code><a href=#document>Document</a></code> was
- created, or</li>
-
- <li>the <code><a href=#the-embed-element>embed</a></code> element's <code><a href=#document>Document</a></code> was
- parsed from a resource whose <a href=#content-type-sniffing-0 title="Content-Type
- sniffing">sniffed type</a> as determined during <a href=#navigate title=navigate>navigation</a> is
- <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code></li>
-
- </ul><p>...then the user agent must render the <code><a href=#the-embed-element>embed</a></code> element
- in a manner that conveys that the <a href=#plugin>plugin</a> was
- disabled. The user agent may offer the user the option to override
- the sandbox and instantiate the <a href=#plugin>plugin</a> anyway; if the
- user invokes such an option, the user agent must act as if the
- conditions above did not apply for the purposes of this element.</p>
-
- <p class=warning>Plugins are disabled in sandboxed browsing
- contexts because they might not honor the restrictions imposed by
- the sandbox (e.g. they might allow scripting even when scripting in
- the sandbox is disabled). User agents should convey the danger of
- overriding the sandbox to the user if an option to do so is
- provided.</p>
-
<p>An <code><a href=#the-embed-element>embed</a></code> element is said to be <dfn id=concept-embed-active title=concept-embed-active>potentially active</dfn> when the
following conditions are all met simultaneously:</p>
@@ -24438,7 +24418,6 @@
<li>The element's <code><a href=#document>Document</a></code> is <a href=#fully-active>fully active</a>.</li>
<li>The element has either a <code title=attr-embed-src><a href=#attr-embed-src>src</a></code> attribute set or a <code title=attr-embed-type><a href=#attr-embed-type>type</a></code> attribute set (or both).</li>
<li>The element's <code title=attr-embed-src><a href=#attr-embed-src>src</a></code> attribute is either absent or its value is the empty string.</li>
- <li>The element is not in a <code><a href=#document>Document</a></code> whose <a href=#browsing-context>browsing context</a> had the <a href=#sandboxed-plugins-browsing-context-flag>sandboxed plugins browsing context flag</a> set when the <code><a href=#document>Document</a></code> was created (unless this has been overridden as described above).</li>
<li>The element's <code><a href=#document>Document</a></code> was not parsed from a resource whose <a href=#content-type-sniffing-0 title="Content-Type sniffing">sniffed type</a> as determined during <a href=#navigate title=navigate>navigation</a> is <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code> (unless this has been overridden as described above).</li>
<li>The element is not a descendant of a <a href=#media-element>media element</a>.</li>
<li>The element is not a descendant of an <code><a href=#the-object-element>object</a></code> element that is not showing its <a href=#fallback-content>fallback content</a>.</li>
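Review bot: removing the sandboxed-plugins-flag bullet from the "potentially active" list leaves the bullet right after it, which excludes any element whose Document was parsed from a "text/html-sandboxed" resource, without the "cannot be secured" qualifier. The new sandboxPluginEmbed paragraph added later in this file handles both the flag and the text/html-sandboxed case together with that qualifier, so this remaining bullet should either be removed as well or gain the same qualifier; as written, a plugin that can be secured is still blocked in a text/html-sandboxed document by this list alone. The bullet's "(unless this has been overridden as described above)" also now points upward at override text that this patch moves below the list.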
@@ -24494,6 +24473,35 @@
<a href=#plugin>plugin</a> that had been instantiated for that element must
be unloaded.</p>
+ <p id=sandboxPluginEmbed>When a <a href=#plugin>plugin</a> is to be
+ instantiated but it cannot be <a href=#concept-plugin-secure title=concept-plugin-secure>secured</a> and either:
+
+ <ul><li>the <a href=#sandboxed-plugins-browsing-context-flag>sandboxed plugins browsing context flag</a> was
+ set on the <a href=#browsing-context>browsing context</a> for which the
+ <code><a href=#the-embed-element>embed</a></code> element's <code><a href=#document>Document</a></code> is the
+ <a href=#active-document>active document</a> when that <code><a href=#document>Document</a></code> was
+ created, or</li>
+
+ <li>the <code><a href=#the-embed-element>embed</a></code> element's <code><a href=#document>Document</a></code> was
+ parsed from a resource whose <a href=#content-type-sniffing-0 title="Content-Type
+ sniffing">sniffed type</a> as determined during <a href=#navigate title=navigate>navigation</a> is
+ <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code></li>
+
+ </ul><p>...then the user agent must not instantiate the
+ <a href=#plugin>plugin</a>, and must instead render the <code><a href=#the-embed-element>embed</a></code>
+ element in a manner that conveys that the <a href=#plugin>plugin</a> was
+ disabled. The user agent may offer the user the option to override
+ the sandbox and instantiate the <a href=#plugin>plugin</a> anyway; if the
+ user invokes such an option, the user agent must act as if the
+ conditions above did not apply for the purposes of this element.</p>
+
+ <p class=warning>Plugins that cannot be <a href=#concept-plugin-secure title=concept-plugin-secure>secured</a> are disabled in
+ sandboxed browsing contexts because they might not honor the
+ restrictions imposed by the sandbox (e.g. they might allow scripting
+ even when scripting in the sandbox is disabled). User agents should
+ convey the danger of overriding the sandbox to the user if an option
+ to do so is provided.</p>
+
<p class=note>The <code><a href=#the-embed-element>embed</a></code> element is unaffected by the
CSS 'display' property. The selected plugin is instantiated even if
the element is hidden with a 'display:none' CSS style.</p>
@@ -24768,13 +24776,15 @@
<p>If the <code title=attr-object-classid><a href=#attr-object-classid>classid</a></code>
attribute is present, and has a value that isn't the empty string,
then: if the user agent can find a <a href=#plugin>plugin</a> suitable
- according to the value of the <code title=attr-object-classid><a href=#attr-object-classid>classid</a></code> attribute, and <a href=#sandboxPluginObject>plugins aren't being sandboxed</a>,
- then that <a href=#plugin>plugin</a> <a href=#object-plugin>should be
- used</a>, and the value of the <code title=attr-object-data><a href=#attr-object-data>data</a></code> attribute, if any, should be
- passed to the <a href=#plugin>plugin</a>. If no suitable
- <a href=#plugin>plugin</a> can be found, or if the <a href=#plugin>plugin</a>
- reports an error, jump to the last step in the overall set of
- steps (fallback).</p>
+ according to the value of the <code title=attr-object-classid><a href=#attr-object-classid>classid</a></code> attribute, and either
+ <a href=#sandboxPluginObject>plugins aren't being sandboxed</a>
+ or that <a href=#plugin>plugin</a> can be <a href=#concept-plugin-secure title=concept-plugin-secure>secured</a>, then that
+ <a href=#plugin>plugin</a> <a href=#object-plugin>should be used</a>,
+ and the value of the <code title=attr-object-data><a href=#attr-object-data>data</a></code>
+ attribute, if any, should be passed to the <a href=#plugin>plugin</a>. If
+ no suitable <a href=#plugin>plugin</a> can be found, or if the
+ <a href=#plugin>plugin</a> reports an error, jump to the last step in the
+ overall set of steps (fallback).</p>
<!--
case insensitive:
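Review bot: the fallback sentence in this hunk still reads "If no suitable plugin can be found, or if the plugin reports an error", which does not cover the newly added case where a suitable plugin is found but plugins are being sandboxed and it cannot be secured. The analogous data-absent step later in this patch was reworded to "If these conditions cannot be met, or if the plugin reports an error"; the same wording should be used here so that case has a defined outcome.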
@@ -25118,8 +25128,8 @@
<dd>
<p>If <a href=#sandboxPluginObject>plugins are being
- sandboxed</a>, jump to the last step in the overall set of
- steps (fallback).</p>
+ sandboxed</a> and the plugin that supports <var title="">resource type</var> cannot be <a href=#concept-plugin-secure title=concept-plugin-secure>secured</a>, jump to the last
+ step in the overall set of steps (fallback).</p>
<p>Otherwise, the user agent should <a href=#object-plugin>use the plugin that supports <var title="">resource type</var></a> and pass the content of the
resource to that <a href=#plugin>plugin</a>. If the
@@ -25239,13 +25249,12 @@
<li><p>If the <code title=attr-object-data><a href=#attr-object-data>data</a></code> attribute
is absent but the <code title=attr-object-type><a href=#attr-object-type>type</a></code>
- attribute is present, <a href=#sandboxPluginObject>plugins aren't
- being sandboxed</a>, and the user agent can find a
- <a href=#plugin>plugin</a> suitable according to the value of the <code title=attr-object-type><a href=#attr-object-type>type</a></code> attribute, then that
+ attribute is present, and the user agent can find a
+ <a href=#plugin>plugin</a> suitable according to the value of the <code title=attr-object-type><a href=#attr-object-type>type</a></code> attribute, and either <a href=#sandboxPluginObject>plugins aren't being sandboxed</a> or
+ the <a href=#plugin>plugin</a> can be <a href=#concept-plugin-secure title=concept-plugin-secure>secured</a>, then that
<a href=#plugin>plugin</a> <a href=#object-plugin>should be used</a>. If
- no suitable <a href=#plugin>plugin</a> can be found, or if the
- <a href=#plugin>plugin</a> reports an error, jump to the next step
- (fallback).</li>
+ these conditions cannot be met, or if the <a href=#plugin>plugin</a>
+ reports an error, jump to the next step (fallback).</li>
<li><p>(Fallback.) The <code><a href=#the-object-element>object</a></code> element
<a href=#represents>represents</a> the element's children, ignoring any
@@ -25269,7 +25278,8 @@
<a href=#plugin>plugin</a> is not a nested <a href=#browsing-context>browsing
context</a>.</p>
- <p id=sandboxPluginObject>If either:</p>
+ <p id=sandboxPluginObject>Plugins are considered sandboxed for the
+ purpose of an <code><a href=#the-object-element>object</a></code> element if either:</p>
<ul><li>the <a href=#sandboxed-plugins-browsing-context-flag>sandboxed plugins browsing context flag</a> was
set on the <code><a href=#the-object-element>object</a></code> element's <code><a href=#document>Document</a></code>'s
@@ -25281,11 +25291,7 @@
sniffing">sniffed type</a> as determined during <a href=#navigate title=navigate>navigation</a> is
<code><a href=#text/html-sandboxed>text/html-sandboxed</a></code></li>
- </ul><p>...then the steps above must always act as if they had failed to
- find a <a href=#plugin>plugin</a>, even if one would otherwise have been
- used.</p>
-
- <p class=note>The above algorithm is independent of CSS properties
+ </ul><p class=note>The above algorithm is independent of CSS properties
(including 'display', 'overflow', and 'visibility'). For example, it
runs even if the element is hidden with a 'display:none' CSS style,
and does not run <em>again</em> if the element's visibility
@@ -64849,7 +64855,8 @@
<p class=note id=sandboxPluginNavigate>If the <a href=#sandboxed-plugins-browsing-context-flag>sandboxed
plugins browsing context flag</a> was set on the <a href=#browsing-context>browsing
context</a> when the <code><a href=#document>Document</a></code> was created, the
- synthesized <code><a href=#the-embed-element>embed</a></code> element will <a href=#sandboxPluginEmbed>fail to render the content</a>.</p>
+ synthesized <code><a href=#the-embed-element>embed</a></code> element will <a href=#sandboxPluginEmbed>fail to render the content</a> if the
+ relevant <a href=#plugin>plugin</a> cannot be <a href=#concept-plugin-secure title=concept-plugin-secure>secured</a>.</p>
<h4 id=read-ua-inline><span class=secno>6.5.7 </span><dfn title=navigate-ua-inline>Page load processing model for inline content that doesn't have a DOM</dfn></h4>
@@ -95609,6 +95616,10 @@
but it is disabled, the element <a href=#represents>represents</a> its
contents.</p>
+ <!-- we assume here that the Java plugin can't be <span
+ title="concept-plugin-secure">secured</span>; if anyone does end up
+ securing one we can always change this -->
+
<p>Otherwise, the user agent should instantiate a Java Language
runtime <a href=#plugin>plugin</a>, and should pass the names and values of
all the attributes on the element, in the order they were added to
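Review bot: the HTML comment records the assumption that the Java plugin cannot be secured and leaves the applet algorithm unchanged, but the earlier hunk in this file now says the sandboxed plugins flag prevents instantiation via the applet element "unless those plugins can be secured". Either the applet text should state normatively that applet plugins are never treated as secured, or it should gain the same "cannot be secured" condition that embed and object now have; an assumption that lives only in a source comment is invisible to implementers reading the rendered specification.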
Modified: index
===================================================================
--- index 2011-09-23 19:11:54 UTC (rev 6572)
+++ index 2011-09-23 19:40:42 UTC (rev 6573)
@@ -3196,6 +3196,13 @@
specification doesn't require user agents to support plugins at all.
<a href=#refsNPAPI>[NPAPI]</a></p>
+ <p>A plugin can be <dfn id=concept-plugin-secure title=concept-plugin-secure>secured</dfn>
+ if it honors the semantics of the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute.</p>
+
+ <p class=example>For example, a secured plugin would prevent its
+ contents from creating pop-up windows when the plugin is
+ instantiated inside a sandboxed <code><a href=#the-iframe-element>iframe</a></code>.</p>
+
<div class=impl>
<p class=warning>Browsers should take extreme care when
@@ -23695,7 +23702,7 @@
When the attribute is set, the content is treated as being from a
unique <a href=#origin>origin</a>, forms and scripts are disabled, links
are prevented from targeting other <a href=#browsing-context title="browsing
- context">browsing contexts</a>, and plugins are disabled. The
+ context">browsing contexts</a>, and plugins are secured. The
<code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code>
keyword allows the content to be treated as being from the same
origin instead of forcing it into a unique origin, the <code title=attr-iframe-sandbox-allow-top-navigation><a href=#attr-iframe-sandbox-allow-top-navigation>allow-top-navigation</a></code>
@@ -23781,7 +23788,7 @@
<p>This flag prevents content from instantiating <a href=#plugin title=plugin>plugins</a>, whether using <a href=#sandboxPluginEmbed>the <code>embed</code> element</a>, <a href=#sandboxPluginObject>the <code>object</code> element</a>,
<a href=#sandboxPluginApplet>the <code>applet</code>
element</a>, or through <a href=#sandboxPluginNavigate>navigation</a> of a <a href=#nested-browsing-context>nested
- browsing context</a>.</p>
+ browsing context</a>, unless those <a href=#plugin title=plugin>plugins</a> can be <a href=#concept-plugin-secure title=concept-plugin-secure>secured</a>.</p>
</dd>
@@ -24271,33 +24278,6 @@
content</a>, any plugins instantiated for the element must be
removed, and the <code><a href=#the-embed-element>embed</a></code> element represents nothing.</p>
- <p id=sandboxPluginEmbed>If either:
-
- <ul><li>the <a href=#sandboxed-plugins-browsing-context-flag>sandboxed plugins browsing context flag</a> was
- set on the <a href=#browsing-context>browsing context</a> for which the
- <code><a href=#the-embed-element>embed</a></code> element's <code><a href=#document>Document</a></code> is the
- <a href=#active-document>active document</a> when that <code><a href=#document>Document</a></code> was
- created, or</li>
-
- <li>the <code><a href=#the-embed-element>embed</a></code> element's <code><a href=#document>Document</a></code> was
- parsed from a resource whose <a href=#content-type-sniffing-0 title="Content-Type
- sniffing">sniffed type</a> as determined during <a href=#navigate title=navigate>navigation</a> is
- <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code></li>
-
- </ul><p>...then the user agent must render the <code><a href=#the-embed-element>embed</a></code> element
- in a manner that conveys that the <a href=#plugin>plugin</a> was
- disabled. The user agent may offer the user the option to override
- the sandbox and instantiate the <a href=#plugin>plugin</a> anyway; if the
- user invokes such an option, the user agent must act as if the
- conditions above did not apply for the purposes of this element.</p>
-
- <p class=warning>Plugins are disabled in sandboxed browsing
- contexts because they might not honor the restrictions imposed by
- the sandbox (e.g. they might allow scripting even when scripting in
- the sandbox is disabled). User agents should convey the danger of
- overriding the sandbox to the user if an option to do so is
- provided.</p>
-
<p>An <code><a href=#the-embed-element>embed</a></code> element is said to be <dfn id=concept-embed-active title=concept-embed-active>potentially active</dfn> when the
following conditions are all met simultaneously:</p>
@@ -24305,7 +24285,6 @@
<li>The element's <code><a href=#document>Document</a></code> is <a href=#fully-active>fully active</a>.</li>
<li>The element has either a <code title=attr-embed-src><a href=#attr-embed-src>src</a></code> attribute set or a <code title=attr-embed-type><a href=#attr-embed-type>type</a></code> attribute set (or both).</li>
<li>The element's <code title=attr-embed-src><a href=#attr-embed-src>src</a></code> attribute is either absent or its value is the empty string.</li>
- <li>The element is not in a <code><a href=#document>Document</a></code> whose <a href=#browsing-context>browsing context</a> had the <a href=#sandboxed-plugins-browsing-context-flag>sandboxed plugins browsing context flag</a> set when the <code><a href=#document>Document</a></code> was created (unless this has been overridden as described above).</li>
<li>The element's <code><a href=#document>Document</a></code> was not parsed from a resource whose <a href=#content-type-sniffing-0 title="Content-Type sniffing">sniffed type</a> as determined during <a href=#navigate title=navigate>navigation</a> is <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code> (unless this has been overridden as described above).</li>
<li>The element is not a descendant of a <a href=#media-element>media element</a>.</li>
<li>The element is not a descendant of an <code><a href=#the-object-element>object</a></code> element that is not showing its <a href=#fallback-content>fallback content</a>.</li>
@@ -24361,6 +24340,35 @@
<a href=#plugin>plugin</a> that had been instantiated for that element must
be unloaded.</p>
+ <p id=sandboxPluginEmbed>When a <a href=#plugin>plugin</a> is to be
+ instantiated but it cannot be <a href=#concept-plugin-secure title=concept-plugin-secure>secured</a> and either:
+
+ <ul><li>the <a href=#sandboxed-plugins-browsing-context-flag>sandboxed plugins browsing context flag</a> was
+ set on the <a href=#browsing-context>browsing context</a> for which the
+ <code><a href=#the-embed-element>embed</a></code> element's <code><a href=#document>Document</a></code> is the
+ <a href=#active-document>active document</a> when that <code><a href=#document>Document</a></code> was
+ created, or</li>
+
+ <li>the <code><a href=#the-embed-element>embed</a></code> element's <code><a href=#document>Document</a></code> was
+ parsed from a resource whose <a href=#content-type-sniffing-0 title="Content-Type
+ sniffing">sniffed type</a> as determined during <a href=#navigate title=navigate>navigation</a> is
+ <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code></li>
+
+ </ul><p>...then the user agent must not instantiate the
+ <a href=#plugin>plugin</a>, and must instead render the <code><a href=#the-embed-element>embed</a></code>
+ element in a manner that conveys that the <a href=#plugin>plugin</a> was
+ disabled. The user agent may offer the user the option to override
+ the sandbox and instantiate the <a href=#plugin>plugin</a> anyway; if the
+ user invokes such an option, the user agent must act as if the
+ conditions above did not apply for the purposes of this element.</p>
+
+ <p class=warning>Plugins that cannot be <a href=#concept-plugin-secure title=concept-plugin-secure>secured</a> are disabled in
+ sandboxed browsing contexts because they might not honor the
+ restrictions imposed by the sandbox (e.g. they might allow scripting
+ even when scripting in the sandbox is disabled). User agents should
+ convey the danger of overriding the sandbox to the user if an option
+ to do so is provided.</p>
+
<p class=note>The <code><a href=#the-embed-element>embed</a></code> element is unaffected by the
CSS 'display' property. The selected plugin is instantiated even if
the element is hidden with a 'display:none' CSS style.</p>
@@ -24635,13 +24643,15 @@
<p>If the <code title=attr-object-classid><a href=#attr-object-classid>classid</a></code>
attribute is present, and has a value that isn't the empty string,
then: if the user agent can find a <a href=#plugin>plugin</a> suitable
- according to the value of the <code title=attr-object-classid><a href=#attr-object-classid>classid</a></code> attribute, and <a href=#sandboxPluginObject>plugins aren't being sandboxed</a>,
- then that <a href=#plugin>plugin</a> <a href=#object-plugin>should be
- used</a>, and the value of the <code title=attr-object-data><a href=#attr-object-data>data</a></code> attribute, if any, should be
- passed to the <a href=#plugin>plugin</a>. If no suitable
- <a href=#plugin>plugin</a> can be found, or if the <a href=#plugin>plugin</a>
- reports an error, jump to the last step in the overall set of
- steps (fallback).</p>
+ according to the value of the <code title=attr-object-classid><a href=#attr-object-classid>classid</a></code> attribute, and either
+ <a href=#sandboxPluginObject>plugins aren't being sandboxed</a>
+ or that <a href=#plugin>plugin</a> can be <a href=#concept-plugin-secure title=concept-plugin-secure>secured</a>, then that
+ <a href=#plugin>plugin</a> <a href=#object-plugin>should be used</a>,
+ and the value of the <code title=attr-object-data><a href=#attr-object-data>data</a></code>
+ attribute, if any, should be passed to the <a href=#plugin>plugin</a>. If
+ no suitable <a href=#plugin>plugin</a> can be found, or if the
+ <a href=#plugin>plugin</a> reports an error, jump to the last step in the
+ overall set of steps (fallback).</p>
<!--
case insensitive:
@@ -24985,8 +24995,8 @@
<dd>
<p>If <a href=#sandboxPluginObject>plugins are being
- sandboxed</a>, jump to the last step in the overall set of
- steps (fallback).</p>
+ sandboxed</a> and the plugin that supports <var title="">resource type</var> cannot be <a href=#concept-plugin-secure title=concept-plugin-secure>secured</a>, jump to the last
+ step in the overall set of steps (fallback).</p>
<p>Otherwise, the user agent should <a href=#object-plugin>use the plugin that supports <var title="">resource type</var></a> and pass the content of the
resource to that <a href=#plugin>plugin</a>. If the
@@ -25106,13 +25116,12 @@
<li><p>If the <code title=attr-object-data><a href=#attr-object-data>data</a></code> attribute
is absent but the <code title=attr-object-type><a href=#attr-object-type>type</a></code>
- attribute is present, <a href=#sandboxPluginObject>plugins aren't
- being sandboxed</a>, and the user agent can find a
- <a href=#plugin>plugin</a> suitable according to the value of the <code title=attr-object-type><a href=#attr-object-type>type</a></code> attribute, then that
+ attribute is present, and the user agent can find a
+ <a href=#plugin>plugin</a> suitable according to the value of the <code title=attr-object-type><a href=#attr-object-type>type</a></code> attribute, and either <a href=#sandboxPluginObject>plugins aren't being sandboxed</a> or
+ the <a href=#plugin>plugin</a> can be <a href=#concept-plugin-secure title=concept-plugin-secure>secured</a>, then that
<a href=#plugin>plugin</a> <a href=#object-plugin>should be used</a>. If
- no suitable <a href=#plugin>plugin</a> can be found, or if the
- <a href=#plugin>plugin</a> reports an error, jump to the next step
- (fallback).</li>
+ these conditions cannot be met, or if the <a href=#plugin>plugin</a>
+ reports an error, jump to the next step (fallback).</li>
<li><p>(Fallback.) The <code><a href=#the-object-element>object</a></code> element
<a href=#represents>represents</a> the element's children, ignoring any
@@ -25136,7 +25145,8 @@
<a href=#plugin>plugin</a> is not a nested <a href=#browsing-context>browsing
context</a>.</p>
- <p id=sandboxPluginObject>If either:</p>
+ <p id=sandboxPluginObject>Plugins are considered sandboxed for the
+ purpose of an <code><a href=#the-object-element>object</a></code> element if either:</p>
<ul><li>the <a href=#sandboxed-plugins-browsing-context-flag>sandboxed plugins browsing context flag</a> was
set on the <code><a href=#the-object-element>object</a></code> element's <code><a href=#document>Document</a></code>'s
@@ -25148,11 +25158,7 @@
sniffing">sniffed type</a> as determined during <a href=#navigate title=navigate>navigation</a> is
<code><a href=#text/html-sandboxed>text/html-sandboxed</a></code></li>
- </ul><p>...then the steps above must always act as if they had failed to
- find a <a href=#plugin>plugin</a>, even if one would otherwise have been
- used.</p>
-
- <p class=note>The above algorithm is independent of CSS properties
+ </ul><p class=note>The above algorithm is independent of CSS properties
(including 'display', 'overflow', and 'visibility'). For example, it
runs even if the element is hidden with a 'display:none' CSS style,
and does not run <em>again</em> if the element's visibility
@@ -64716,7 +64722,8 @@
<p class=note id=sandboxPluginNavigate>If the <a href=#sandboxed-plugins-browsing-context-flag>sandboxed
plugins browsing context flag</a> was set on the <a href=#browsing-context>browsing
context</a> when the <code><a href=#document>Document</a></code> was created, the
- synthesized <code><a href=#the-embed-element>embed</a></code> element will <a href=#sandboxPluginEmbed>fail to render the content</a>.</p>
+ synthesized <code><a href=#the-embed-element>embed</a></code> element will <a href=#sandboxPluginEmbed>fail to render the content</a> if the
+ relevant <a href=#plugin>plugin</a> cannot be <a href=#concept-plugin-secure title=concept-plugin-secure>secured</a>.</p>
<h4 id=read-ua-inline><span class=secno>6.5.7 </span><dfn title=navigate-ua-inline>Page load processing model for inline content that doesn't have a DOM</dfn></h4>
@@ -91034,6 +91041,10 @@
but it is disabled, the element <a href=#represents>represents</a> its
contents.</p>
+ <!-- we assume here that the Java plugin can't be <span
+ title="concept-plugin-secure">secured</span>; if anyone does end up
+ securing one we can always change this -->
+
<p>Otherwise, the user agent should instantiate a Java Language
runtime <a href=#plugin>plugin</a>, and should pass the names and values of
all the attributes on the element, in the order they were added to
Modified: source
===================================================================
--- source 2011-09-23 19:11:54 UTC (rev 6572)
+++ source 2011-09-23 19:40:42 UTC (rev 6573)
@@ -2166,6 +2166,14 @@
specification doesn't require user agents to support plugins at all.
<a href="#refsNPAPI">[NPAPI]</a></p>
+ <p>A plugin can be <dfn title="concept-plugin-secure">secured</dfn>
+ if it honors the semantics of the <code
+ title="attr-iframe-sandbox">sandbox</code> attribute.</p>
+
+ <p class="example">For example, a secured plugin would prevent its
+ contents from creating pop-up windows when the plugin is
+ instantiated inside a sandboxed <code>iframe</code>.</p>
+
<div class="impl">
<p class="warning">Browsers should take extreme care when
@@ -25514,7 +25522,7 @@
When the attribute is set, the content is treated as being from a
unique <span>origin</span>, forms and scripts are disabled, links
are prevented from targeting other <span title="browsing
- context">browsing contexts</span>, and plugins are disabled. The
+ context">browsing contexts</span>, and plugins are secured. The
<code
title="attr-iframe-sandbox-allow-same-origin">allow-same-origin</code>
keyword allows the content to be treated as being from the same
@@ -25616,7 +25624,9 @@
<a href="#sandboxPluginApplet">the <code>applet</code>
element</a>, or through <a
href="#sandboxPluginNavigate">navigation</a> of a <span>nested
- browsing context</span>.</p>
+ browsing context</span>, unless those <span
+ title="plugin">plugins</span> can be <span
+ title="concept-plugin-secure">secured</span>.</p>
</dd>
@@ -26159,38 +26169,6 @@
content</span>, any plugins instantiated for the element must be
removed, and the <code>embed</code> element represents nothing.</p>
- <p id="sandboxPluginEmbed">If either:
-
- <ul>
-
- <li>the <span>sandboxed plugins browsing context flag</span> was
- set on the <span>browsing context</span> for which the
- <code>embed</code> element's <code>Document</code> is the
- <span>active document</span> when that <code>Document</code> was
- created, or</li>
-
- <li>the <code>embed</code> element's <code>Document</code> was
- parsed from a resource whose <span title="Content-Type
- sniffing">sniffed type</span> as determined during <span
- title="navigate">navigation</span> is
- <code>text/html-sandboxed</code></li>
-
- </ul>
-
- <p>...then the user agent must render the <code>embed</code> element
- in a manner that conveys that the <span>plugin</span> was
- disabled. The user agent may offer the user the option to override
- the sandbox and instantiate the <span>plugin</span> anyway; if the
- user invokes such an option, the user agent must act as if the
- conditions above did not apply for the purposes of this element.</p>
-
- <p class="warning">Plugins are disabled in sandboxed browsing
- contexts because they might not honor the restrictions imposed by
- the sandbox (e.g. they might allow scripting even when scripting in
- the sandbox is disabled). User agents should convey the danger of
- overriding the sandbox to the user if an option to do so is
- provided.</p>
-
<p>An <code>embed</code> element is said to be <dfn
title="concept-embed-active">potentially active</dfn> when the
following conditions are all met simultaneously:</p>
@@ -26200,7 +26178,6 @@
<li>The element's <code>Document</code> is <span>fully active</span>.</li>
<li>The element has either a <code title="attr-embed-src">src</code> attribute set or a <code title="attr-embed-type">type</code> attribute set (or both).</li>
<li>The element's <code title="attr-embed-src">src</code> attribute is either absent or its value is the empty string.</li>
- <li>The element is not in a <code>Document</code> whose <span>browsing context</span> had the <span>sandboxed plugins browsing context flag</span> set when the <code>Document</code> was created (unless this has been overridden as described above).</li>
<li>The element's <code>Document</code> was not parsed from a resource whose <span title="Content-Type sniffing">sniffed type</span> as determined during <span title="navigate">navigation</span> is <code>text/html-sandboxed</code> (unless this has been overridden as described above).</li>
<li>The element is not a descendant of a <span>media element</span>.</li>
<li>The element is not a descendant of an <code>object</code> element that is not showing its <span>fallback content</span>.</li>
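Review bot: removing only the sandboxed-plugins-flag item from the "potentially active" conditions leaves the text/html-sandboxed item behind, and the two are no longer treated alike. An embed in a text/html-sandboxed document is never potentially active, so the relocated "cannot be secured" check never runs for it and a securable plugin is still blocked there, while the same plugin is allowed under the sandbox flag. Either drop the text/html-sandboxed item here as well so both cases go through the new check, or say explicitly that securable plugins are only permitted in the flag case. The retained item also still reads "(unless this has been overridden as described above)", but the override text it refers to has moved to the paragraph that now follows this list, so "above" is stale.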
@@ -26271,6 +26248,42 @@
<span>plugin</span> that had been instantiated for that element must
be unloaded.</p>
+ <p id="sandboxPluginEmbed">When a <span>plugin</span> is to be
+ instantiated but it cannot be <span
+ title="concept-plugin-secure">secured</span> and either:
+
+ <ul>
+
+ <li>the <span>sandboxed plugins browsing context flag</span> was
+ set on the <span>browsing context</span> for which the
+ <code>embed</code> element's <code>Document</code> is the
+ <span>active document</span> when that <code>Document</code> was
+ created, or</li>
+
+ <li>the <code>embed</code> element's <code>Document</code> was
+ parsed from a resource whose <span title="Content-Type
+ sniffing">sniffed type</span> as determined during <span
+ title="navigate">navigation</span> is
+ <code>text/html-sandboxed</code></li>
+
+ </ul>
+
+ <p>...then the user agent must not instantiate the
+ <span>plugin</span>, and must instead render the <code>embed</code>
+ element in a manner that conveys that the <span>plugin</span> was
+ disabled. The user agent may offer the user the option to override
+ the sandbox and instantiate the <span>plugin</span> anyway; if the
+ user invokes such an option, the user agent must act as if the
+ conditions above did not apply for the purposes of this element.</p>
+
+ <p class="warning">Plugins that cannot be <span
+ title="concept-plugin-secure">secured</span> are disabled in
+ sandboxed browsing contexts because they might not honor the
+ restrictions imposed by the sandbox (e.g. they might allow scripting
+ even when scripting in the sandbox is disabled). User agents should
+ convey the danger of overriding the sandbox to the user if an option
+ to do so is provided.</p>
+
<p class="note">The <code>embed</code> element is unaffected by the
CSS 'display' property. The selected plugin is instantiated even if
the element is hidden with a 'display:none' CSS style.</p>
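Review bot: the second bullet of the new condition (the Document was parsed from a text/html-sandboxed resource) is dead in practice, because the unchanged "potentially active" condition above already prevents such an embed from ever reaching the point where a plugin "is to be instantiated". Keeping it here gives the impression that securable plugins are permitted in text/html-sandboxed documents when they are not; either remove this bullet or change the potentially-active list so the two agree. The override wording "act as if the conditions above did not apply" is fine, but note that after this change "the conditions above" include the securability test, so an override now lets an unsecurable plugin run in a sandbox; the warning paragraph should say that rather than only that the plugin "might not honor the restrictions".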
@@ -26576,15 +26589,16 @@
attribute is present, and has a value that isn't the empty string,
then: if the user agent can find a <span>plugin</span> suitable
according to the value of the <code
- title="attr-object-classid">classid</code> attribute, and <a
- href="#sandboxPluginObject">plugins aren't being sandboxed</a>,
- then that <span>plugin</span> <a href="#object-plugin">should be
- used</a>, and the value of the <code
- title="attr-object-data">data</code> attribute, if any, should be
- passed to the <span>plugin</span>. If no suitable
- <span>plugin</span> can be found, or if the <span>plugin</span>
- reports an error, jump to the last step in the overall set of
- steps (fallback).</p>
+ title="attr-object-classid">classid</code> attribute, and either
+ <a href="#sandboxPluginObject">plugins aren't being sandboxed</a>
+ or that <span>plugin</span> can be <span
+ title="concept-plugin-secure">secured</span>, then that
+ <span>plugin</span> <a href="#object-plugin">should be used</a>,
+ and the value of the <code title="attr-object-data">data</code>
+ attribute, if any, should be passed to the <span>plugin</span>. If
+ no suitable <span>plugin</span> can be found, or if the
+ <span>plugin</span> reports an error, jump to the last step in the
+ overall set of steps (fallback).</p>
<!--
case insensitive:
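Review bot: the failure clause is not updated to match the new condition. The step now requires "either plugins aren't being sandboxed or that plugin can be secured", but the fallback sentence still says "If no suitable plugin can be found, or if the plugin reports an error", so a plugin that is found, but is sandboxed and cannot be secured, matches neither clause and the step gives no instruction. The type-only step later in this patch handles this with "If these conditions cannot be met, or if the plugin reports an error"; use the same wording here.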
@@ -26968,8 +26982,10 @@
<dd>
<p>If <a href="#sandboxPluginObject">plugins are being
- sandboxed</a>, jump to the last step in the overall set of
- steps (fallback).</p>
+ sandboxed</a> and the plugin that supports <var
+ title="">resource type</var> cannot be <span
+ title="concept-plugin-secure">secured</span>, jump to the last
+ step in the overall set of steps (fallback).</p>
<p>Otherwise, the user agent should <a
href="#object-plugin">use the plugin that supports <var
@@ -27100,14 +27116,15 @@
<li><p>If the <code title="attr-object-data">data</code> attribute
is absent but the <code title="attr-object-type">type</code>
- attribute is present, <a href="#sandboxPluginObject">plugins aren't
- being sandboxed</a>, and the user agent can find a
+ attribute is present, and the user agent can find a
<span>plugin</span> suitable according to the value of the <code
- title="attr-object-type">type</code> attribute, then that
+ title="attr-object-type">type</code> attribute, and either <a
+ href="#sandboxPluginObject">plugins aren't being sandboxed</a> or
+ the <span>plugin</span> can be <span
+ title="concept-plugin-secure">secured</span>, then that
<span>plugin</span> <a href="#object-plugin">should be used</a>. If
- no suitable <span>plugin</span> can be found, or if the
- <span>plugin</span> reports an error, jump to the next step
- (fallback).</p></li>
+ these conditions cannot be met, or if the <span>plugin</span>
+ reports an error, jump to the next step (fallback).</p></li>
<li><p>(Fallback.) The <code>object</code> element
<span>represents</span> the element's children, ignoring any
@@ -27134,7 +27151,8 @@
<span>plugin</span> is not a nested <span>browsing
context</span>.</p>
- <p id="sandboxPluginObject">If either:</p>
+ <p id="sandboxPluginObject">Plugins are considered sandboxed for the
+ purpose of an <code>object</code> element if either:</p>
<ul>
@@ -27151,10 +27169,6 @@
</ul>
- <p>...then the steps above must always act as if they had failed to
- find a <span>plugin</span>, even if one would otherwise have been
- used.</p>
-
<p class="note">The above algorithm is independent of CSS properties
(including 'display', 'overflow', and 'visibility'). For example, it
runs even if the element is hidden with a 'display:none' CSS style,
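Review bot: with the closing sentence ("...then the steps above must always act as if they had failed to find a plugin") gone, the conditional that starts "Plugins are considered sandboxed for the purpose of an object element if either:" ends at the list with nothing following it, which reads as an unfinished sentence. A short closing line such as "...then plugins are being sandboxed for the purposes of the steps above" would restore the sentence and give the three hyperlinks a definite target. Separately, the embed path in this patch lets the user agent offer the user an override for an unsecurable plugin, while every object step simply jumps to fallback with no such option; if the asymmetry is intended it deserves a note, and if not the same override text belongs here.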
@@ -73607,7 +73621,9 @@
plugins browsing context flag</span> was set on the <span>browsing
context</span> when the <code>Document</code> was created, the
synthesized <code>embed</code> element will <a
- href="#sandboxPluginEmbed">fail to render the content</a>.</p>
+ href="#sandboxPluginEmbed">fail to render the content</a> if the
+ relevant <span>plugin</span> cannot be <span
+ title="concept-plugin-secure">secured</span>.</p>
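Review bot: "will fail to render the content if the relevant plugin cannot be secured" is no longer the whole story, since the embed rule this links to also allows the user agent to offer a user override that instantiates the plugin anyway. Suggest "will fail to render the content (unless the user overrides the sandbox) if the relevant plugin cannot be secured" so the navigation text does not contradict the linked paragraph.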
<h4 id="read-ua-inline"><dfn title="navigate-ua-inline">Page load processing model for inline content that doesn't have a DOM</dfn></h4>
@@ -108351,6 +108367,10 @@
but it is disabled, the element <span>represents</span> its
contents.</p>
+ <!-- we assume here that the Java plugin can't be <span
+ title="concept-plugin-secure">secured</span>; if anyone does end up
+ securing one we can always change this -->
+
<p>Otherwise, the user agent should instantiate a Java Language
runtime <span>plugin</span>, and should pass the names and values of
all the attributes on the element, in the order they were added to
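Review bot: the assumption that the Java plugin cannot be secured lives only in a source comment, so the applet element's sandbox behaviour now differs from embed and object without anything in the rendered specification saying so or why. Either make the applet text reference the same securability test as the other two elements (which makes the assumption unnecessary), or surface it as a note in the rendered text so implementers know applet intentionally ignores secured plugins.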