[whatwg] Iframe Sandbox Attribute - allow-plugins?

Jonas Sicking jonas at sicking.cc
Thu Jul 14 08:01:52 PDT 2011


On Thu, Jul 14, 2011 at 1:16 AM, Julian Reschke <julian.reschke at gmx.de> wrote:
> On 2011-07-14 08:22, Jonas Sicking wrote:
>>
>> On Wed, Jul 13, 2011 at 9:49 PM, Anne van Kesteren<annevk at opera.com>
>>  wrote:
>>>
>>> On Wed, 13 Jul 2011 23:13:05 +0200, Julian Reschke<julian.reschke at gmx.de>
>>>  wrote:
>>>>
>>>> Yes, but we can *define* the flag in HTML and write down what it means
>>>> with respect to plugin APIs.
>>>
>>> It seems much better to wait until it can actually be implemented.
>>
>> Especially since it's not at all clear to me that a specific opt-in
>> mechanism is at all needed once we have the appropriate plugin APIs
>> implemented. And those APIs are needed anyway if we want to allow
>> plugins in any form in the sandbox.
>
> "When the attribute is set, the content is treated as being from a unique
> origin, forms and scripts are disabled, links are prevented from targeting
> other browsing contexts, and plugins are disabled."
>
> A browser negotiating something with plugins using that API and enabling
> them despite @sandbox would violate the above requirement, no?

True. I would be fine with removing the plugin requirement. Or
changing it such that it states that plugins can only be loaded if
it's done in a manner that ensures that all other requirements are
still fulfilled. Or just dealing with this once there actually are
plugins and plugin APIs which could be loaded while still fulfilling
the other requirements.

/ Jonas



More information about the whatwg mailing list