Skip to content

Commit

Permalink
Remove the notion of "secured plugins"
Browse files Browse the repository at this point in the history
Instead, sandboxed iframes are just never allowed to display plugins. (Which, in the modern world, just means PDFs.)

Closes #3958. Helps with #6003.
  • Loading branch information
domenic committed Aug 9, 2021
1 parent 0050553 commit ef166a5
Showing 1 changed file with 18 additions and 39 deletions.
57 changes: 18 additions & 39 deletions source
Original file line number Diff line number Diff line change
Expand Up @@ -1849,12 +1849,6 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
built-in support for certain types. Indeed, this specification doesn't require user agents to
support plugins at all. <ref spec=NPAPI></p>

<p>A plugin can be <dfn data-x="concept-plugin-secure">secured</dfn> if it honors the semantics of
the <code data-x="attr-iframe-sandbox">sandbox</code> attribute.</p>

<p class="example">For example, a secured plugin would prevent its contents from creating popups
when the plugin is instantiated inside a sandboxed <code>iframe</code>.</p>

<div w-nodev>

<p class="warning">Browsers should take extreme care when interacting with external content
Expand Down Expand Up @@ -31602,20 +31596,11 @@ interface <dfn interface>HTMLEmbedElement</dfn> : <span>HTMLElement</span> {
active</span> stops being <span data-x="concept-embed-active">potentially active</span>, any
<span>plugin</span> that had been instantiated for that element must be unloaded.</p>

<p id="sandboxPluginEmbed">When a <span>plugin</span> is to be instantiated but it cannot be <span
data-x="concept-plugin-secure">secured</span> and the <span>sandboxed plugins browsing context
flag</span> is set on the <code>embed</code> element's <span>node document</span>'s <span>active
sandboxing flag set</span>, then the user agent must not instantiate the <span>plugin</span>, and
must instead render the <code>embed</code> element in a manner that conveys that the
<span>plugin</span> was disabled. The user agent may offer the user the option to override the
sandbox and instantiate the <span>plugin</span> anyway; if the user invokes such an option, the
user agent must act as if the conditions above did not apply for the purposes of this element.</p>

<p class="warning">Plugins that cannot be <span data-x="concept-plugin-secure">secured</span> are
disabled in sandboxed browsing contexts because they might not honor the restrictions imposed by
the sandbox (e.g. they might allow scripting even when scripting in the sandbox is disabled). User
agents should convey the danger of overriding the sandbox to the user if an option to do so is
provided.</p>
<p id="sandboxPluginEmbed">When a <span>plugin</span> is to be instantiated but the
<span>sandboxed plugins browsing context flag</span> is set on the <code>embed</code> element's
<span>node document</span>'s <span>active sandboxing flag set</span>, then the user agent must
not instantiate the <span>plugin</span>, and must instead render the <code>embed</code> element
in a manner that conveys that the <span>plugin</span> was disabled.</p>

<p>The <code>embed</code> element <span>potentially delays the load event</span>.</p>

Expand Down Expand Up @@ -31839,8 +31824,7 @@ interface <dfn interface>HTMLObjectElement</dfn> : <span>HTMLElement</span> {
<p>If the <code data-x="attr-object-classid">classid</code> attribute is present, and has a
value that isn't the empty string, then: if the user agent can find a <span>plugin</span>
suitable according to the value of the <code data-x="attr-object-classid">classid</code>
attribute, and either <a href="#sandboxPluginObject">plugins aren't being sandboxed</a> or that
<span>plugin</span> can be <span data-x="concept-plugin-secure">secured</span>, then that
attribute, and <a href="#sandboxPluginObject">plugins aren't being sandboxed</a>, then that
<span>plugin</span> <a href="#object-plugin">should be used</a>, and the value of the <code
data-x="attr-object-data">data</code> attribute, if any, should be passed to the
<span>plugin</span>. If no suitable <span>plugin</span> can be found, or if the
Expand Down Expand Up @@ -32124,9 +32108,8 @@ interface <dfn interface>HTMLObjectElement</dfn> : <span>HTMLElement</span> {
then it must be <span data-x="a browsing context is discarded">discarded</span> and then set
to null.</p>

<p>If <a href="#sandboxPluginObject">plugins are being sandboxed</a> and the plugin that
supports <var>resource type</var> cannot be <span
data-x="concept-plugin-secure">secured</span>, jump to the step below labeled <i>fallback</i>.</p>
<p>If <a href="#sandboxPluginObject">plugins are being sandboxed</a>, then jump to the step
below labeled <i>fallback</i>.</p>

<p>Otherwise, the user agent should <a href="#object-plugin">use the plugin that supports
<var>resource type</var></a> and pass the content of the resource to that
Expand Down Expand Up @@ -32211,15 +32194,13 @@ interface <dfn interface>HTMLObjectElement</dfn> : <span>HTMLElement</span> {
<li><p>If the <code data-x="attr-object-data">data</code> attribute is absent but the <code
data-x="attr-object-type">type</code> attribute is present, and the user agent can find a
<span>plugin</span> suitable according to the value of the <code
data-x="attr-object-type">type</code> attribute, and either <a
href="#sandboxPluginObject">plugins aren't being sandboxed</a> or the <span>plugin</span> can be
<span data-x="concept-plugin-secure">secured</span>, then that <span>plugin</span> <a
href="#object-plugin">should be used</a>. If these conditions cannot be met, or if the
<span>plugin</span> reports an error, jump to the step below labeled <i>fallback</i>. Otherwise
return; once the plugin is completely loaded, <span>queue an element task</span> on the
<span>DOM manipulation task source</span> given the <code>object</code> element to <span
data-x="concept-event-fire">fire an event</span> named <code data-x="event-load">load</code> at
the element.</p></li>
data-x="attr-object-type">type</code> attribute, and <a href="#sandboxPluginObject">plugins
aren't being sandboxed</a>, then that <span>plugin</span> <a href="#object-plugin">should be
used</a>. If these conditions cannot be met, or if the <span>plugin</span> reports an error,
jump to the step below labeled <i>fallback</i>. Otherwise return; once the plugin is completely
loaded, <span>queue an element task</span> on the <span>DOM manipulation task source</span>
given the <code>object</code> element to <span data-x="concept-event-fire">fire an event</span>
named <code data-x="event-load">load</code> at the element.</p></li>

<li><p><i>Fallback</i>: The <code>object</code> element <span>represents</span> the element's
children, ignoring any leading <code>param</code> element children. This is the element's
Expand Down Expand Up @@ -82485,9 +82466,8 @@ interface <dfn interface>BarProp</dfn> {
<dd><p>This flag prevents content from instantiating <span data-x="plugin">plugins</span>,
whether using <a href="#sandboxPluginEmbed">the <code>embed</code> element</a>, <a
href="#sandboxPluginObject">the <code>object</code> element</a>, or through <a
href="#sandboxPluginNavigate">navigation</a> of their <span>nested browsing context</span>,
unless those <span data-x="plugin">plugins</span> can be <span
data-x="concept-plugin-secure">secured</span>.</p></dd>
href="#sandboxPluginNavigate">navigation</a> of their <span>nested browsing
context</span>.</p></dd>


<dt>The <dfn export>sandboxed origin browsing context flag</dfn></dt>
Expand Down Expand Up @@ -87836,8 +87816,7 @@ new PaymentRequest(&hellip;); // Allowed to use

<p class="note" id="sandboxPluginNavigate">If the <code>Document</code>'s <span>active sandboxing
flag set</span> has its <span>sandboxed plugins browsing context flag</span> set, the synthesized
<code>embed</code> element will <a href="#sandboxPluginEmbed">fail to render the content</a> if
the relevant <span>plugin</span> cannot be <span data-x="concept-plugin-secure">secured</span>.</p>
<code>embed</code> element will <a href="#sandboxPluginEmbed">fail to render the content</a>.</p>


<h4 id="read-ua-inline"><dfn data-x="navigate-ua-inline">Page load processing model for inline
Expand Down

0 comments on commit ef166a5

Please sign in to comment.