[whatwg] Iframe Sandbox Attribute - allow-plugins?
Julian Reschke
julian.reschke at gmx.de
Thu Jul 14 01:16:18 PDT 2011

On 2011-07-14 08:22, Jonas Sicking wrote:
> On Wed, Jul 13, 2011 at 9:49 PM, Anne van Kesteren <annevk at opera.com> wrote:
>>
>> On Wed, 13 Jul 2011 23:13:05 +0200, Julian Reschke <julian.reschke at gmx.de> wrote:
>>>
>>> Yes, but we can *define* the flag in HTML and write down what it means with respect to plugin APIs.
>>
>> It seems much better to wait until it can actually be implemented.
>
> Especially since it's not at all clear to me that a specific opt-in
> mechanism is at all needed once we have the appropriate plugin APIs
> implemented. And those APIs are needed anyway if we want to allow
> plugins in any form in the sandbox.

"When the attribute is set, the content is treated as being from a
unique origin, forms and scripts are disabled, links are prevented from
targeting other browsing contexts, and plugins are disabled."

A browser negotiating something with plugins using that API and enabling
them despite @sandbox would violate the above requirement, no?