From ef166a565bfe5e82556e9018ef5601beddeae985 Mon Sep 17 00:00:00 2001 From: Domenic Denicola Date: Mon, 9 Aug 2021 15:54:55 -0400 Subject: [PATCH] Remove the notion of "secured plugins" Instead, sandboxed iframes are just never allowed to display plugins. (Which, in the modern world, just means PDFs.) Closes #3958. Helps with #6003. --- source | 57 ++++++++++++++++++--------------------------------------- 1 file changed, 18 insertions(+), 39 deletions(-) diff --git a/source b/source index 0d30dee88fe..3abedb3e22a 100644 --- a/source +++ b/source @@ -1849,12 +1849,6 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute built-in support for certain types. Indeed, this specification doesn't require user agents to support plugins at all.

-

A plugin can be secured if it honors the semantics of - the sandbox attribute.

- -

For example, a secured plugin would prevent its contents from creating popups - when the plugin is instantiated inside a sandboxed iframe.

-

Browsers should take extreme care when interacting with external content @@ -31602,20 +31596,11 @@ interface HTMLEmbedElement : HTMLElement { active stops being potentially active, any plugin that had been instantiated for that element must be unloaded.

-

When a plugin is to be instantiated but it cannot be secured and the sandboxed plugins browsing context - flag is set on the embed element's node document's active - sandboxing flag set, then the user agent must not instantiate the plugin, and - must instead render the embed element in a manner that conveys that the - plugin was disabled. The user agent may offer the user the option to override the - sandbox and instantiate the plugin anyway; if the user invokes such an option, the - user agent must act as if the conditions above did not apply for the purposes of this element.

- -

Plugins that cannot be secured are - disabled in sandboxed browsing contexts because they might not honor the restrictions imposed by - the sandbox (e.g. they might allow scripting even when scripting in the sandbox is disabled). User - agents should convey the danger of overriding the sandbox to the user if an option to do so is - provided.

+

When a plugin is to be instantiated but the + sandboxed plugins browsing context flag is set on the embed element's + node document's active sandboxing flag set, then the user agent must + not instantiate the plugin, and must instead render the embed element + in a manner that conveys that the plugin was disabled.

The embed element potentially delays the load event.

@@ -31839,8 +31824,7 @@ interface HTMLObjectElement : HTMLElement {

If the classid attribute is present, and has a value that isn't the empty string, then: if the user agent can find a plugin suitable according to the value of the classid - attribute, and either plugins aren't being sandboxed or that - plugin can be secured, then that + attribute, and plugins aren't being sandboxed, then that plugin should be used, and the value of the data attribute, if any, should be passed to the plugin. If no suitable plugin can be found, or if the @@ -32124,9 +32108,8 @@ interface HTMLObjectElement : HTMLElement { then it must be discarded and then set to null.

-

If plugins are being sandboxed and the plugin that - supports resource type cannot be secured, jump to the step below labeled fallback.

+

If plugins are being sandboxed, then jump to the step + below labeled fallback.

Otherwise, the user agent should use the plugin that supports resource type and pass the content of the resource to that @@ -32211,15 +32194,13 @@ interface HTMLObjectElement : HTMLElement {

  • If the data attribute is absent but the type attribute is present, and the user agent can find a plugin suitable according to the value of the type attribute, and either plugins aren't being sandboxed or the plugin can be - secured, then that plugin should be used. If these conditions cannot be met, or if the - plugin reports an error, jump to the step below labeled fallback. Otherwise - return; once the plugin is completely loaded, queue an element task on the - DOM manipulation task source given the object element to fire an event named load at - the element.

  • + data-x="attr-object-type">type attribute, and plugins + aren't being sandboxed, then that plugin should be + used. If these conditions cannot be met, or if the plugin reports an error, + jump to the step below labeled fallback. Otherwise return; once the plugin is completely + loaded, queue an element task on the DOM manipulation task source + given the object element to fire an event + named load at the element.

  • Fallback: The object element represents the element's children, ignoring any leading param element children. This is the element's @@ -82485,9 +82466,8 @@ interface BarProp {

    This flag prevents content from instantiating plugins, whether using the embed element, the object element, or through navigation of their nested browsing context, - unless those plugins can be secured.

    + href="#sandboxPluginNavigate">navigation of their nested browsing + context.

    The sandboxed origin browsing context flag
    @@ -87836,8 +87816,7 @@ new PaymentRequest(…); // Allowed to use

    If the Document's active sandboxing flag set has its sandboxed plugins browsing context flag set, the synthesized - embed element will fail to render the content if - the relevant plugin cannot be secured.

    + embed element will fail to render the content.

    Page load processing model for inline
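Review bot: In the first hunk (the "secured" definition and the popup example at line 1849), removing the dfn itself means every remaining cross-reference to it elsewhere in `source` must also be gone, or the build will fail on a dangling reference; the six sites touched in this patch look like the complete set, but please confirm with a search for the removed definition's anchor before merging.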
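Review bot: The embed hunk (line 31596) removes more than the "secured" qualifier: the deleted text also dropped the allowance that "The user agent may offer the user the option to override the sandbox and instantiate the plugin anyway", and the replacement does not carry that option forward. That is a normative change in its own right (user agents that currently expose such an override become non-conforming), so it should be called out explicitly in the commit message rather than left implicit in "sandboxed iframes are just never allowed to display plugins". Separately, consider keeping a one-sentence non-normative note in place of the removed rationale ("because they might not honor the restrictions imposed by the sandbox (e.g. they might allow scripting even when scripting in the sandbox is disabled)"), since that explanation of why plugins are blocked in sandboxed contexts is still accurate and still useful to implementers.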
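Review bot: In the last hunk (the synthesized embed element in the page load processing model, line 87816), the new wording "will fail to render the content" describes the outcome differently from the embed rule this patch rewrites, which says the user agent must "render the embed element in a manner that conveys that the plugin was disabled". Linking this sentence to that rule, or reusing its phrasing, would keep the two statements aligned and make clear that the synthesized embed gets the same disabled-plugin rendering rather than simply nothing.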