23436 – You are FAILING HARD by not including allow-plugins in the iframe sandbox attribute spec. Sites have ads, and advertisers use Flash. The HTML5 spec was supposed to be responsive to the features in m [...]

This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 23436 - You are FAILING HARD by not including allow-plugins in the iframe sandbox attribute spec. Sites have ads, and advertisers use Flash. The HTML5 spec was supposed to be responsive to the features in m [...]

Summary: You are FAILING HARD by not including allow-plugins in the iframe sandbox att...

Status:	RESOLVED WORKSFORME

Alias:	None

Product:	WHATWG
Classification:	Unclassified
Component:	HTML (show other bugs)
Version:	unspecified
Hardware:	Other other

Importance:	P3 normal
Target Milestone:	Unsorted
Assignee:	Ian 'Hixie' Hickson
QA Contact:	contributor

URL:	http://www.whatwg.org/specs/web-apps/...
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2013-10-04 04:25 UTC by contributor
Modified:	2013-10-04 19:46 UTC (History)
CC List:	3 users (show)

See Also:

Attachments

Description contributor 2013-10-04 04:25:30 UTC

Specification: http://www.whatwg.org/specs/web-apps/current-work/multipage/the-iframe-element.html
Multipage: http://www.whatwg.org/C#the-iframe-element
Complete: http://www.whatwg.org/c#the-iframe-element
Referrer: http://www.whatwg.org/specs/web-apps/current-work/multipage/

Comment:
You are FAILING HARD by not including allow-plugins in the iframe sandbox
attribute spec.  Sites have ads, and advertisers use Flash.  The HTML5 spec
was supposed to be responsive to the features in most browsers, and most
browsers have plugins.	Without allow-plugins, ad-supported sites have to
remove the sandbox attribute from their iframed ads entirely, putting their
site and their users at risk.  If you think dissing Flash is more important
than making the web safer, you are part of the problem, not the solution.

Posted from: 63.146.68.50
User agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Iron/29.0.1600.1 Chrome/29.0.1600.1 Safari/537.36

Comment 1 Simon Pieters 2013-10-04 08:56:02 UTC

There isn't a way yet for the browser to tell the plugin that it should be sandboxed, so the plugin would be able to break out of the sandbox, which would put users at risk while the author has a false sense of security. *That* would be "FAILING HARD".

First step here needs to be for the Flash plugin to support sandboxing, and for NPAPI and Pepper to support telling the plugin to sandbox. Only then does it make sense to add allow-plugins to the spec.

Comment 2 Ian 'Hixie' Hickson 2013-10-04 19:46:29 UTC

You don't need allow-plugins because actually plugins are never disabled (unless they can't be secured, as Simon mentions). If you have a plugin that can be secured, then it won't be disabled by the sandbox="" attribute.

See:
   http://whatwg.org/html#concept-plugin-secure
   http://whatwg.org/html#sandboxPluginEmbed
   http://whatwg.org/html#sandboxed-plugins-browsing-context-flag