From ef166a565bfe5e82556e9018ef5601beddeae985 Mon Sep 17 00:00:00 2001
From: Domenic Denicola
A plugin can be secured if it honors the semantics of
- the sandbox
attribute.
For example, a secured plugin would prevent its contents from creating popups
- when the plugin is instantiated inside a sandboxed iframe
.
Browsers should take extreme care when interacting with external content @@ -31602,20 +31596,11 @@ interface HTMLEmbedElement : HTMLElement { active stops being potentially active, any plugin that had been instantiated for that element must be unloaded.
-When a plugin is to be instantiated but it cannot be secured and the sandboxed plugins browsing context
- flag is set on the embed
element's node document's active
- sandboxing flag set, then the user agent must not instantiate the plugin, and
- must instead render the embed
element in a manner that conveys that the
- plugin was disabled. The user agent may offer the user the option to override the
- sandbox and instantiate the plugin anyway; if the user invokes such an option, the
- user agent must act as if the conditions above did not apply for the purposes of this element.
Plugins that cannot be secured are - disabled in sandboxed browsing contexts because they might not honor the restrictions imposed by - the sandbox (e.g. they might allow scripting even when scripting in the sandbox is disabled). User - agents should convey the danger of overriding the sandbox to the user if an option to do so is - provided.
+When a plugin is to be instantiated but the
+ sandboxed plugins browsing context flag is set on the embed
element's
+ node document's active sandboxing flag set, then the user agent must
+ not instantiate the plugin, and must instead render the embed
element
+ in a manner that conveys that the plugin was disabled.
The embed
element potentially delays the load event.
If the classid
attribute is present, and has a
value that isn't the empty string, then: if the user agent can find a plugin
suitable according to the value of the classid
- attribute, and either plugins aren't being sandboxed or that
- plugin can be secured, then that
+ attribute, and plugins aren't being sandboxed, then that
plugin should be used, and the value of the data
attribute, if any, should be passed to the
plugin. If no suitable plugin can be found, or if the
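Review bot: The rewritten embed paragraph drops the user-override allowance ("The user agent may offer the user the option to override the sandbox and instantiate the plugin anyway") together with the "cannot be secured" condition. That is a behaviour change separate from retiring the "secured" concept, so it is worth calling out explicitly, or the sentence should be carried into the new text if the override is meant to stay. The removed note also gave the reason plugins are disabled in sandboxed browsing contexts (they might not honor the restrictions imposed by the sandbox); a one-sentence rationale next to the new requirement would keep that context for readers.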
@@ -32124,9 +32108,8 @@ interface HTMLObjectElement : HTMLElement {
then it must be discarded and then set
to null.
If plugins are being sandboxed and the plugin that - supports resource type cannot be secured, jump to the step below labeled fallback.
+If plugins are being sandboxed, then jump to the step + below labeled fallback.
Otherwise, the user agent should use the plugin that supports resource type and pass the content of the resource to that @@ -32211,15 +32194,13 @@ interface HTMLObjectElement : HTMLElement {
If the data
attribute is absent but the type
attribute is present, and the user agent can find a
plugin suitable according to the value of the type
attribute, and either plugins aren't being sandboxed or the plugin can be
- secured, then that plugin should be used. If these conditions cannot be met, or if the
- plugin reports an error, jump to the step below labeled fallback. Otherwise
- return; once the plugin is completely loaded, queue an element task on the
- DOM manipulation task source given the object
element to fire an event named load
at
- the element.
object
element to fire an event
+ named load
at the element.
Fallback: The object
element represents the element's
children, ignoring any leading param
element children. This is the element's
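Review bot: In the type attribute step, the line "attribute, and either plugins aren't being sandboxed or the plugin can be" is shown as unchanged context while its continuation "secured, then that plugin should be used." is removed, so as it stands the condition would end in a dangling "either ... or the plugin can be". Please check that this line is replaced as well, so the condition matches the classid step ("and plugins aren't being sandboxed, then that plugin should be used"), and that the removed "If these conditions cannot be met, or if the plugin reports an error, jump to the step below labeled fallback" clause is still present in the new wording.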
@@ -82485,9 +82466,8 @@ interface BarProp {
This flag prevents content from instantiating plugins,
whether using the embed
element, the object
element, or through navigation of their nested browsing context,
- unless those plugins can be secured.
embed
element will fail to render the content.
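Review bot: Removing "unless those plugins can be secured." leaves the preceding line ending in "nested browsing context," with a trailing comma, and no added line that closes the sentence is visible in this hunk. Please confirm the sentence now ends with a full stop after "nested browsing context". With the "secured" definition deleted at the top of the patch, this is also a good point to search the rest of the spec for any remaining "can be secured" references beyond the embed, object and sandboxing-flag text touched here.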