[giow] (0) Define how sandboxing works with plugins in a hypothetical…

… world where plugins honour the sandbox. Fixing http://www.w3.org/Bugs/Public/show_bug.cgi?id=13267 git-svn-id: http://svn.whatwg.org/webapps@6573 340c8d12-0b0e-0410-8428-c7bf67bfef74
whatwg · Sep 23, 2011 · ddae877 · ddae877
1 parent 68e68b7
commit ddae877
Show file tree

Hide file tree

Showing 3 changed files with 204 additions and 162 deletions.
diff --git a/complete.html b/complete.html
@@ -3299,6 +3299,13 @@ <h4 id=plugins><span class=secno>2.1.5 </span>Plugins</h4>
   specification doesn't require user agents to support plugins at all.
   <a href=#refsNPAPI>[NPAPI]</a></p>
 
+  <p>A plugin can be <dfn id=concept-plugin-secure title=concept-plugin-secure>secured</dfn>
+  if it honors the semantics of the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute.</p>
+
+  <p class=example>For example, a secured plugin would prevent its
+  contents from creating pop-up windows when the plugin is
+  instantiated inside a sandboxed <code><a href=#the-iframe-element>iframe</a></code>.</p>
+
   <div class=impl>
 
   <p class=warning>Browsers should take extreme care when
@@ -23831,7 +23838,7 @@ <h4 id=the-iframe-element><span class=secno>4.8.2 </span>The <dfn><code>iframe</
   When the attribute is set, the content is treated as being from a
   unique <a href=#origin>origin</a>, forms and scripts are disabled, links
   are prevented from targeting other <a href=#browsing-context title="browsing
-  context">browsing contexts</a>, and plugins are disabled. The
+  context">browsing contexts</a>, and plugins are secured. The
   <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code>
   keyword allows the content to be treated as being from the same
   origin instead of forcing it into a unique origin, the <code title=attr-iframe-sandbox-allow-top-navigation><a href=#attr-iframe-sandbox-allow-top-navigation>allow-top-navigation</a></code>
@@ -23917,7 +23924,7 @@ <h4 id=the-iframe-element><span class=secno>4.8.2 </span>The <dfn><code>iframe</
     <p>This flag prevents content from instantiating <a href=#plugin title=plugin>plugins</a>, whether using <a href=#sandboxPluginEmbed>the <code>embed</code> element</a>, <a href=#sandboxPluginObject>the <code>object</code> element</a>,
     <a href=#sandboxPluginApplet>the <code>applet</code>
     element</a>, or through <a href=#sandboxPluginNavigate>navigation</a> of a <a href=#nested-browsing-context>nested
-    browsing context</a>.</p>
+    browsing context</a>, unless those <a href=#plugin title=plugin>plugins</a> can be <a href=#concept-plugin-secure title=concept-plugin-secure>secured</a>.</p>
 
    </dd>
 
@@ -24404,41 +24411,13 @@ <h4 id=the-embed-element><span class=secno>4.8.3 </span>The <dfn><code>embed</co
   content</a>, any plugins instantiated for the element must be
   removed, and the <code><a href=#the-embed-element>embed</a></code> element represents nothing.</p>
 
-  <p id=sandboxPluginEmbed>If either:
-
-  <ul><li>the <a href=#sandboxed-plugins-browsing-context-flag>sandboxed plugins browsing context flag</a> was
-   set on the <a href=#browsing-context>browsing context</a> for which the
-   <code><a href=#the-embed-element>embed</a></code> element's <code><a href=#document>Document</a></code> is the
-   <a href=#active-document>active document</a> when that <code><a href=#document>Document</a></code> was
-   created, or</li>
-
-   <li>the <code><a href=#the-embed-element>embed</a></code> element's <code><a href=#document>Document</a></code> was
-   parsed from a resource whose <a href=#content-type-sniffing-0 title="Content-Type
-   sniffing">sniffed type</a> as determined during <a href=#navigate title=navigate>navigation</a> is
-   <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code></li>
-
-  </ul><p>...then the user agent must render the <code><a href=#the-embed-element>embed</a></code> element
-  in a manner that conveys that the <a href=#plugin>plugin</a> was
-  disabled. The user agent may offer the user the option to override
-  the sandbox and instantiate the <a href=#plugin>plugin</a> anyway; if the
-  user invokes such an option, the user agent must act as if the
-  conditions above did not apply for the purposes of this element.</p>
-
-  <p class=warning>Plugins are disabled in sandboxed browsing
-  contexts because they might not honor the restrictions imposed by
-  the sandbox (e.g. they might allow scripting even when scripting in
-  the sandbox is disabled). User agents should convey the danger of
-  overriding the sandbox to the user if an option to do so is
-  provided.</p>
-
   <p>An <code><a href=#the-embed-element>embed</a></code> element is said to be <dfn id=concept-embed-active title=concept-embed-active>potentially active</dfn> when the
   following conditions are all met simultaneously:</p>
 
   <ul class=brief><li>The element is <a href=#in-a-document title="in a document">in a <code>Document</code></a>.</li>
    <li>The element's <code><a href=#document>Document</a></code> is <a href=#fully-active>fully active</a>.</li>
    <li>The element has either a <code title=attr-embed-src><a href=#attr-embed-src>src</a></code> attribute set or a <code title=attr-embed-type><a href=#attr-embed-type>type</a></code> attribute set (or both).</li>
    <li>The element's <code title=attr-embed-src><a href=#attr-embed-src>src</a></code> attribute is either absent or its value is the empty string.</li>
-   <li>The element is not in a <code><a href=#document>Document</a></code> whose <a href=#browsing-context>browsing context</a> had the <a href=#sandboxed-plugins-browsing-context-flag>sandboxed plugins browsing context flag</a> set when the <code><a href=#document>Document</a></code> was created (unless this has been overridden as described above).</li>
    <li>The element's <code><a href=#document>Document</a></code> was not parsed from a resource whose <a href=#content-type-sniffing-0 title="Content-Type sniffing">sniffed type</a> as determined during <a href=#navigate title=navigate>navigation</a> is <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code> (unless this has been overridden as described above).</li>
    <li>The element is not a descendant of a <a href=#media-element>media element</a>.</li>
    <li>The element is not a descendant of an <code><a href=#the-object-element>object</a></code> element that is not showing its <a href=#fallback-content>fallback content</a>.</li>
@@ -24494,6 +24473,35 @@ <h4 id=the-embed-element><span class=secno>4.8.3 </span>The <dfn><code>embed</co
   <a href=#plugin>plugin</a> that had been instantiated for that element must
   be unloaded.</p>
 
+  <p id=sandboxPluginEmbed>When a <a href=#plugin>plugin</a> is to be
+  instantiated but it cannot be <a href=#concept-plugin-secure title=concept-plugin-secure>secured</a> and either:
+
+  <ul><li>the <a href=#sandboxed-plugins-browsing-context-flag>sandboxed plugins browsing context flag</a> was
+   set on the <a href=#browsing-context>browsing context</a> for which the
+   <code><a href=#the-embed-element>embed</a></code> element's <code><a href=#document>Document</a></code> is the
+   <a href=#active-document>active document</a> when that <code><a href=#document>Document</a></code> was
+   created, or</li>
+
+   <li>the <code><a href=#the-embed-element>embed</a></code> element's <code><a href=#document>Document</a></code> was
+   parsed from a resource whose <a href=#content-type-sniffing-0 title="Content-Type
+   sniffing">sniffed type</a> as determined during <a href=#navigate title=navigate>navigation</a> is
+   <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code></li>
+
+  </ul><p>...then the user agent must not instantiate the
+  <a href=#plugin>plugin</a>, and must instead render the <code><a href=#the-embed-element>embed</a></code>
+  element in a manner that conveys that the <a href=#plugin>plugin</a> was
+  disabled. The user agent may offer the user the option to override
+  the sandbox and instantiate the <a href=#plugin>plugin</a> anyway; if the
+  user invokes such an option, the user agent must act as if the
+  conditions above did not apply for the purposes of this element.</p>
+
+  <p class=warning>Plugins that cannot be <a href=#concept-plugin-secure title=concept-plugin-secure>secured</a> are disabled in
+  sandboxed browsing contexts because they might not honor the
+  restrictions imposed by the sandbox (e.g. they might allow scripting
+  even when scripting in the sandbox is disabled). User agents should
+  convey the danger of overriding the sandbox to the user if an option
+  to do so is provided.</p>
+
   <p class=note>The <code><a href=#the-embed-element>embed</a></code> element is unaffected by the
   CSS 'display' property. The selected plugin is instantiated even if
   the element is hidden with a 'display:none' CSS style.</p>
@@ -24768,13 +24776,15 @@ <h4 id=the-object-element><span class=secno>4.8.4 </span>The <dfn><code>object</
     <p>If the <code title=attr-object-classid><a href=#attr-object-classid>classid</a></code>
     attribute is present, and has a value that isn't the empty string,
     then: if the user agent can find a <a href=#plugin>plugin</a> suitable
-    according to the value of the <code title=attr-object-classid><a href=#attr-object-classid>classid</a></code> attribute, and <a href=#sandboxPluginObject>plugins aren't being sandboxed</a>,
-    then that <a href=#plugin>plugin</a> <a href=#object-plugin>should be
-    used</a>, and the value of the <code title=attr-object-data><a href=#attr-object-data>data</a></code> attribute, if any, should be
-    passed to the <a href=#plugin>plugin</a>. If no suitable
-    <a href=#plugin>plugin</a> can be found, or if the <a href=#plugin>plugin</a>
-    reports an error, jump to the last step in the overall set of
-    steps (fallback).</p>
+    according to the value of the <code title=attr-object-classid><a href=#attr-object-classid>classid</a></code> attribute, and either
+    <a href=#sandboxPluginObject>plugins aren't being sandboxed</a>
+    or that <a href=#plugin>plugin</a> can be <a href=#concept-plugin-secure title=concept-plugin-secure>secured</a>, then that
+    <a href=#plugin>plugin</a> <a href=#object-plugin>should be used</a>,
+    and the value of the <code title=attr-object-data><a href=#attr-object-data>data</a></code>
+    attribute, if any, should be passed to the <a href=#plugin>plugin</a>. If
+    no suitable <a href=#plugin>plugin</a> can be found, or if the
+    <a href=#plugin>plugin</a> reports an error, jump to the last step in the
+    overall set of steps (fallback).</p>
 
     <!--
      case insensitive:
@@ -25118,8 +25128,8 @@ <h4 id=the-object-element><span class=secno>4.8.4 </span>The <dfn><code>object</
        <dd>
 
         <p>If <a href=#sandboxPluginObject>plugins are being
-        sandboxed</a>, jump to the last step in the overall set of
-        steps (fallback).</p>
+        sandboxed</a> and the plugin that supports <var title="">resource type</var> cannot be <a href=#concept-plugin-secure title=concept-plugin-secure>secured</a>, jump to the last
+        step in the overall set of steps (fallback).</p>
 
         <p>Otherwise, the user agent should <a href=#object-plugin>use the plugin that supports <var title="">resource type</var></a> and pass the content of the
         resource to that <a href=#plugin>plugin</a>. If the
@@ -25239,13 +25249,12 @@ <h4 id=the-object-element><span class=secno>4.8.4 </span>The <dfn><code>object</
 
    <li><p>If the <code title=attr-object-data><a href=#attr-object-data>data</a></code> attribute
    is absent but the <code title=attr-object-type><a href=#attr-object-type>type</a></code>
-   attribute is present, <a href=#sandboxPluginObject>plugins aren't
-   being sandboxed</a>, and the user agent can find a
-   <a href=#plugin>plugin</a> suitable according to the value of the <code title=attr-object-type><a href=#attr-object-type>type</a></code> attribute, then that
+   attribute is present, and the user agent can find a
+   <a href=#plugin>plugin</a> suitable according to the value of the <code title=attr-object-type><a href=#attr-object-type>type</a></code> attribute, and either <a href=#sandboxPluginObject>plugins aren't being sandboxed</a> or
+   the <a href=#plugin>plugin</a> can be <a href=#concept-plugin-secure title=concept-plugin-secure>secured</a>, then that
    <a href=#plugin>plugin</a> <a href=#object-plugin>should be used</a>. If
-   no suitable <a href=#plugin>plugin</a> can be found, or if the
-   <a href=#plugin>plugin</a> reports an error, jump to the next step
-   (fallback).</li>
+   these conditions cannot be met, or if the <a href=#plugin>plugin</a>
+   reports an error, jump to the next step (fallback).</li>
 
    <li><p>(Fallback.) The <code><a href=#the-object-element>object</a></code> element
    <a href=#represents>represents</a> the element's children, ignoring any
@@ -25269,7 +25278,8 @@ <h4 id=the-object-element><span class=secno>4.8.4 </span>The <dfn><code>object</
   <a href=#plugin>plugin</a> is not a nested <a href=#browsing-context>browsing
   context</a>.</p>
 
-  <p id=sandboxPluginObject>If either:</p>
+  <p id=sandboxPluginObject>Plugins are considered sandboxed for the
+  purpose of an <code><a href=#the-object-element>object</a></code> element if either:</p>
 
   <ul><li>the <a href=#sandboxed-plugins-browsing-context-flag>sandboxed plugins browsing context flag</a> was
    set on the <code><a href=#the-object-element>object</a></code> element's <code><a href=#document>Document</a></code>'s
@@ -25281,11 +25291,7 @@ <h4 id=the-object-element><span class=secno>4.8.4 </span>The <dfn><code>object</
    sniffing">sniffed type</a> as determined during <a href=#navigate title=navigate>navigation</a> is
    <code><a href=#text/html-sandboxed>text/html-sandboxed</a></code></li>
 
-  </ul><p>...then the steps above must always act as if they had failed to
-  find a <a href=#plugin>plugin</a>, even if one would otherwise have been
-  used.</p>
-
-  <p class=note>The above algorithm is independent of CSS properties
+  </ul><p class=note>The above algorithm is independent of CSS properties
   (including 'display', 'overflow', and 'visibility'). For example, it
   runs even if the element is hidden with a 'display:none' CSS style,
   and does not run <em>again</em> if the element's visibility
@@ -64849,7 +64855,8 @@ <h4 id=read-plugin><span class=secno>6.5.6 </span><dfn title=navigate-plugin>Pag
   <p class=note id=sandboxPluginNavigate>If the <a href=#sandboxed-plugins-browsing-context-flag>sandboxed
   plugins browsing context flag</a> was set on the <a href=#browsing-context>browsing
   context</a> when the <code><a href=#document>Document</a></code> was created, the
-  synthesized <code><a href=#the-embed-element>embed</a></code> element will <a href=#sandboxPluginEmbed>fail to render the content</a>.</p>
+  synthesized <code><a href=#the-embed-element>embed</a></code> element will <a href=#sandboxPluginEmbed>fail to render the content</a> if the
+  relevant <a href=#plugin>plugin</a> cannot be <a href=#concept-plugin-secure title=concept-plugin-secure>secured</a>.</p>
 
 
   <h4 id=read-ua-inline><span class=secno>6.5.7 </span><dfn title=navigate-ua-inline>Page load processing model for inline content that doesn't have a DOM</dfn></h4>
@@ -95609,6 +95616,10 @@ <h4 id=the-applet-element><span class=secno>16.3.1 </span>The <dfn><code>applet<
   but it is disabled, the element <a href=#represents>represents</a> its
   contents.</p>
 
+  <!-- we assume here that the Java plugin can't be <span
+  title="concept-plugin-secure">secured</span>; if anyone does end up
+  securing one we can always change this -->
+
   <p>Otherwise, the user agent should instantiate a Java Language
   runtime <a href=#plugin>plugin</a>, and should pass the names and values of
   all the attributes on the element, in the order they were added to