
[giow] (0) Define how sandboxing works with plugins in a hypothetical world where plugins honour the sandbox.

Fixing http://www.w3.org/Bugs/Public/show_bug.cgi?id=13267

git-svn-id: http://svn.whatwg.org/webapps@6573 340c8d12-0b0e-0410-8428-c7bf67bfef74
Hixie committed Sep 23, 2011
1 parent 68e68b7 commit ddae8779ed68de5d0b91cba79f29482496041dde
Showing with 204 additions and 162 deletions.
  1. +63 −52 complete.html
  2. +63 −52 index
  3. +78 −58 source
specification doesn't require user agents to support plugins at all.
<a href=#refsNPAPI>[NPAPI]</a></p>

<p>A plugin can be <dfn id=concept-plugin-secure title=concept-plugin-secure>secured</dfn>
if it honors the semantics of the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute.</p>

<p class=example>For example, a secured plugin would prevent its
contents from creating pop-up windows when the plugin is
instantiated inside a sandboxed <code><a href=#the-iframe-element>iframe</a></code>.</p>

<div class=impl>

<p class=warning>Browsers should take extreme care when
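Review bot: the new definition of "secured" ("honors the semantics of the sandbox attribute") is too loose to implement or test, because the later normative steps ("cannot be secured", "must not instantiate the plugin") hinge on a user agent deciding this before instantiation. Suggest the definition enumerate which sandbox restrictions a plugin must honour (the same set the attribute description lists: unique origin, scripts and forms disabled, no navigation of other browsing contexts, no pop-ups) and state that a user agent that cannot establish this for a plugin must treat it as not securable, so the check fails closed rather than relying on the single pop-up example.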
When the attribute is set, the content is treated as being from a
unique <a href=#origin>origin</a>, forms and scripts are disabled, links
are prevented from targeting other <a href=#browsing-context title="browsing
context">browsing contexts</a>, and plugins are disabled. The
context">browsing contexts</a>, and plugins are secured. The
<code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code>
keyword allows the content to be treated as being from the same
origin instead of forcing it into a unique origin, the <code title=attr-iframe-sandbox-allow-top-navigation><a href=#attr-iframe-sandbox-allow-top-navigation>allow-top-navigation</a></code>
<p>This flag prevents content from instantiating <a href=#plugin title=plugin>plugins</a>, whether using <a href=#sandboxPluginEmbed>the <code>embed</code> element</a>, <a href=#sandboxPluginObject>the <code>object</code> element</a>,
<a href=#sandboxPluginApplet>the <code>applet</code>
element</a>, or through <a href=#sandboxPluginNavigate>navigation</a> of a <a href=#nested-browsing-context>nested
browsing context</a>.</p>
browsing context</a>, unless those <a href=#plugin title=plugin>plugins</a> can be <a href=#concept-plugin-secure title=concept-plugin-secure>secured</a>.</p>

</dd>
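Review bot: in the attribute description, replacing "plugins are disabled" with "plugins are secured" reads as if the user agent secures plugins, whereas the processing steps later in this change only say that a plugin that cannot be secured must not be instantiated. Suggest wording it to match those steps, e.g. "plugins that cannot be secured are disabled", so readers do not conclude that every plugin in a sandboxed iframe is somehow constrained by the user agent.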

content</a>, any plugins instantiated for the element must be
removed, and the <code><a href=#the-embed-element>embed</a></code> element represents nothing.</p>

<p id=sandboxPluginEmbed>If either:

<ul><li>the <a href=#sandboxed-plugins-browsing-context-flag>sandboxed plugins browsing context flag</a> was
set on the <a href=#browsing-context>browsing context</a> for which the
<code><a href=#the-embed-element>embed</a></code> element's <code><a href=#document>Document</a></code> is the
<a href=#active-document>active document</a> when that <code><a href=#document>Document</a></code> was
created, or</li>

<li>the <code><a href=#the-embed-element>embed</a></code> element's <code><a href=#document>Document</a></code> was
parsed from a resource whose <a href=#content-type-sniffing-0 title="Content-Type
sniffing">sniffed type</a> as determined during <a href=#navigate title=navigate>navigation</a> is
<code><a href=#text/html-sandboxed>text/html-sandboxed</a></code></li>

</ul><p>...then the user agent must render the <code><a href=#the-embed-element>embed</a></code> element
in a manner that conveys that the <a href=#plugin>plugin</a> was
disabled. The user agent may offer the user the option to override
the sandbox and instantiate the <a href=#plugin>plugin</a> anyway; if the
user invokes such an option, the user agent must act as if the
conditions above did not apply for the purposes of this element.</p>

<p class=warning>Plugins are disabled in sandboxed browsing
contexts because they might not honor the restrictions imposed by
the sandbox (e.g. they might allow scripting even when scripting in
the sandbox is disabled). User agents should convey the danger of
overriding the sandbox to the user if an option to do so is
provided.</p>

<p>An <code><a href=#the-embed-element>embed</a></code> element is said to be <dfn id=concept-embed-active title=concept-embed-active>potentially active</dfn> when the
following conditions are all met simultaneously:</p>

<ul class=brief><li>The element is <a href=#in-a-document title="in a document">in a <code>Document</code></a>.</li>
<li>The element's <code><a href=#document>Document</a></code> is <a href=#fully-active>fully active</a>.</li>
<li>The element has either a <code title=attr-embed-src><a href=#attr-embed-src>src</a></code> attribute set or a <code title=attr-embed-type><a href=#attr-embed-type>type</a></code> attribute set (or both).</li>
<li>The element's <code title=attr-embed-src><a href=#attr-embed-src>src</a></code> attribute is either absent or its value is the empty string.</li>
<li>The element is not in a <code><a href=#document>Document</a></code> whose <a href=#browsing-context>browsing context</a> had the <a href=#sandboxed-plugins-browsing-context-flag>sandboxed plugins browsing context flag</a> set when the <code><a href=#document>Document</a></code> was created (unless this has been overridden as described above).</li>
<li>The element's <code><a href=#document>Document</a></code> was not parsed from a resource whose <a href=#content-type-sniffing-0 title="Content-Type sniffing">sniffed type</a> as determined during <a href=#navigate title=navigate>navigation</a> is <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code> (unless this has been overridden as described above).</li>
<li>The element is not a descendant of a <a href=#media-element>media element</a>.</li>
<li>The element is not a descendant of an <code><a href=#the-object-element>object</a></code> element that is not showing its <a href=#fallback-content>fallback content</a>.</li>
<a href=#plugin>plugin</a> that had been instantiated for that element must
be unloaded.</p>

<p id=sandboxPluginEmbed>When a <a href=#plugin>plugin</a> is to be
instantiated but it cannot be <a href=#concept-plugin-secure title=concept-plugin-secure>secured</a> and either:

<ul><li>the <a href=#sandboxed-plugins-browsing-context-flag>sandboxed plugins browsing context flag</a> was
set on the <a href=#browsing-context>browsing context</a> for which the
<code><a href=#the-embed-element>embed</a></code> element's <code><a href=#document>Document</a></code> is the
<a href=#active-document>active document</a> when that <code><a href=#document>Document</a></code> was
created, or</li>

<li>the <code><a href=#the-embed-element>embed</a></code> element's <code><a href=#document>Document</a></code> was
parsed from a resource whose <a href=#content-type-sniffing-0 title="Content-Type
sniffing">sniffed type</a> as determined during <a href=#navigate title=navigate>navigation</a> is
<code><a href=#text/html-sandboxed>text/html-sandboxed</a></code></li>

</ul><p>...then the user agent must not instantiate the
<a href=#plugin>plugin</a>, and must instead render the <code><a href=#the-embed-element>embed</a></code>
element in a manner that conveys that the <a href=#plugin>plugin</a> was
disabled. The user agent may offer the user the option to override
the sandbox and instantiate the <a href=#plugin>plugin</a> anyway; if the
user invokes such an option, the user agent must act as if the
conditions above did not apply for the purposes of this element.</p>

<p class=warning>Plugins that cannot be <a href=#concept-plugin-secure title=concept-plugin-secure>secured</a> are disabled in
sandboxed browsing contexts because they might not honor the
restrictions imposed by the sandbox (e.g. they might allow scripting
even when scripting in the sandbox is disabled). User agents should
convey the danger of overriding the sandbox to the user if an option
to do so is provided.</p>

<p class=note>The <code><a href=#the-embed-element>embed</a></code> element is unaffected by the
CSS 'display' property. The selected plugin is instantiated even if
the element is hidden with a 'display:none' CSS style.</p>
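Review bot: the two "potentially active" conditions that end with "(unless this has been overridden as described above)" are now stale, because the paragraph that describes the override option has moved from before that list to after it ("The user agent may offer the user the option to override the sandbox ..."). Suggest changing "above" to "below" or linking the parenthetical to the sandboxPluginEmbed paragraph directly, since an implementer reading the list in order will not find the override described anywhere above it.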
<p>If the <code title=attr-object-classid><a href=#attr-object-classid>classid</a></code>
attribute is present, and has a value that isn't the empty string,
then: if the user agent can find a <a href=#plugin>plugin</a> suitable
according to the value of the <code title=attr-object-classid><a href=#attr-object-classid>classid</a></code> attribute, and <a href=#sandboxPluginObject>plugins aren't being sandboxed</a>,
then that <a href=#plugin>plugin</a> <a href=#object-plugin>should be
used</a>, and the value of the <code title=attr-object-data><a href=#attr-object-data>data</a></code> attribute, if any, should be
passed to the <a href=#plugin>plugin</a>. If no suitable
<a href=#plugin>plugin</a> can be found, or if the <a href=#plugin>plugin</a>
reports an error, jump to the last step in the overall set of
steps (fallback).</p>
according to the value of the <code title=attr-object-classid><a href=#attr-object-classid>classid</a></code> attribute, and either
<a href=#sandboxPluginObject>plugins aren't being sandboxed</a>
or that <a href=#plugin>plugin</a> can be <a href=#concept-plugin-secure title=concept-plugin-secure>secured</a>, then that
<a href=#plugin>plugin</a> <a href=#object-plugin>should be used</a>,
and the value of the <code title=attr-object-data><a href=#attr-object-data>data</a></code>
attribute, if any, should be passed to the <a href=#plugin>plugin</a>. If
no suitable <a href=#plugin>plugin</a> can be found, or if the
<a href=#plugin>plugin</a> reports an error, jump to the last step in the
overall set of steps (fallback).</p>

<!--
case insensitive:
<dd>

<p>If <a href=#sandboxPluginObject>plugins are being
sandboxed</a>, jump to the last step in the overall set of
steps (fallback).</p>
sandboxed</a> and the plugin that supports <var title="">resource type</var> cannot be <a href=#concept-plugin-secure title=concept-plugin-secure>secured</a>, jump to the last
step in the overall set of steps (fallback).</p>

<p>Otherwise, the user agent should <a href=#object-plugin>use the plugin that supports <var title="">resource type</var></a> and pass the content of the
resource to that <a href=#plugin>plugin</a>. If the

<li><p>If the <code title=attr-object-data><a href=#attr-object-data>data</a></code> attribute
is absent but the <code title=attr-object-type><a href=#attr-object-type>type</a></code>
attribute is present, <a href=#sandboxPluginObject>plugins aren't
being sandboxed</a>, and the user agent can find a
<a href=#plugin>plugin</a> suitable according to the value of the <code title=attr-object-type><a href=#attr-object-type>type</a></code> attribute, then that
attribute is present, and the user agent can find a
<a href=#plugin>plugin</a> suitable according to the value of the <code title=attr-object-type><a href=#attr-object-type>type</a></code> attribute, and either <a href=#sandboxPluginObject>plugins aren't being sandboxed</a> or
the <a href=#plugin>plugin</a> can be <a href=#concept-plugin-secure title=concept-plugin-secure>secured</a>, then that
<a href=#plugin>plugin</a> <a href=#object-plugin>should be used</a>. If
no suitable <a href=#plugin>plugin</a> can be found, or if the
<a href=#plugin>plugin</a> reports an error, jump to the next step
(fallback).</li>
these conditions cannot be met, or if the <a href=#plugin>plugin</a>
reports an error, jump to the next step (fallback).</li>

<li><p>(Fallback.) The <code><a href=#the-object-element>object</a></code> element
<a href=#represents>represents</a> the element's children, ignoring any
<a href=#plugin>plugin</a> is not a nested <a href=#browsing-context>browsing
context</a>.</p>

<p id=sandboxPluginObject>If either:</p>
<p id=sandboxPluginObject>Plugins are considered sandboxed for the
purpose of an <code><a href=#the-object-element>object</a></code> element if either:</p>

<ul><li>the <a href=#sandboxed-plugins-browsing-context-flag>sandboxed plugins browsing context flag</a> was
set on the <code><a href=#the-object-element>object</a></code> element's <code><a href=#document>Document</a></code>'s
sniffing">sniffed type</a> as determined during <a href=#navigate title=navigate>navigation</a> is
<code><a href=#text/html-sandboxed>text/html-sandboxed</a></code></li>

</ul><p>...then the steps above must always act as if they had failed to
find a <a href=#plugin>plugin</a>, even if one would otherwise have been
used.</p>

<p class=note>The above algorithm is independent of CSS properties
</ul><p class=note>The above algorithm is independent of CSS properties
(including 'display', 'overflow', and 'visibility'). For example, it
runs even if the element is hidden with a 'display:none' CSS style,
and does not run <em>again</em> if the element's visibility
<p class=note id=sandboxPluginNavigate>If the <a href=#sandboxed-plugins-browsing-context-flag>sandboxed
plugins browsing context flag</a> was set on the <a href=#browsing-context>browsing
context</a> when the <code><a href=#document>Document</a></code> was created, the
synthesized <code><a href=#the-embed-element>embed</a></code> element will <a href=#sandboxPluginEmbed>fail to render the content</a>.</p>
synthesized <code><a href=#the-embed-element>embed</a></code> element will <a href=#sandboxPluginEmbed>fail to render the content</a> if the
relevant <a href=#plugin>plugin</a> cannot be <a href=#concept-plugin-secure title=concept-plugin-secure>secured</a>.</p>


<h4 id=read-ua-inline><span class=secno>6.5.7 </span><dfn title=navigate-ua-inline>Page load processing model for inline content that doesn't have a DOM</dfn></h4>
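Review bot: the "Plugins are considered sandboxed for the purpose of an object element" paragraph still ends with "then the steps above must always act as if they had failed to find a plugin, even if one would otherwise have been used", which contradicts the newly conditional classid and type steps ("either plugins aren't being sandboxed or that plugin can be secured"); as written the older sentence overrides the securable-plugin exception. Suggest either dropping that trailing sentence so the paragraph is purely a definition of "sandboxed", or qualifying it with "unless the plugin can be secured". Separately, the classid step's failure wording ("If no suitable plugin can be found, or if the plugin reports an error, jump to the last step") leaves the case of a suitable plugin that is sandboxed and cannot be secured unstated; the type step uses "If these conditions cannot be met ... jump to the next step (fallback)", and the classid step should use the same form.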
but it is disabled, the element <a href=#represents>represents</a> its
contents.</p>

<!-- we assume here that the Java plugin can't be <span
title="concept-plugin-secure">secured</span>; if anyone does end up
securing one we can always change this -->

<p>Otherwise, the user agent should instantiate a Java Language
runtime <a href=#plugin>plugin</a>, and should pass the names and values of
all the attributes on the element, in the order they were added to
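Review bot: the assumption that the Java plugin cannot be secured lives only in a source comment, so the rendered text will still say in the sandbox attribute description that plugins are blocked "unless those plugins can be secured" while the applet path keeps disabling unconditionally, with no visible explanation. Suggest promoting the comment to a class=note in the applet section stating that applet is deliberately excluded from the secured-plugin exception, so the two passages are reconcilable for implementers.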
