WebKit Bugzilla
RESOLVED WONTFIX
39219
Offer user option to override sandbox plugin flag
https://bugs.webkit.org/show_bug.cgi?id=39219
Artur
Reported
2010-05-17 08:23:48 PDT
When an iframe is sandboxed, WebKit is setting the "plugins browsing context flag", as per the HTML5 doc (http://www.whatwg.org/specs/web-apps/current-work/#sandboxed-plugins-browsing-context-flag).

However, no option is being offered for the user to override the flag. According to the HTML5 doc (http://www.whatwg.org/specs/web-apps/current-work/#the-embed-element), if the sandboxed plugin flag is set:

"The user agent may offer the user the option to override the sandbox and instantiate the plugin anyway; if the user invokes such an option, the user agent must act as if the conditions above did not apply for the purposes of this element."

The absence of this option renders several plugin-based sites unusable, such as those with embedded YouTube videos (see example URL: http://173.203.83.120/sandbox-bug).

(Alternatively, perhaps WebKit can offer another sandbox option, like "allow-plugins"?)
Brady Eidson
Comment 1
2010-05-19 11:10:20 PDT
(In reply to comment #0)
> When an iframe is sandboxed, WebKit is setting the "plugins browsing context flag" ...
>
> However, no option is being offered for the user to override the flag. According to the HTML5 doc (http://www.whatwg.org/specs/web-apps/current-work/#the-embed-element), if the sandboxed plugin flag is set:
>
> "The user agent may offer the user the option to override the sandbox and instantiate the plugin anyway; if the user invokes such an option, the user agent must act as if the conditions above did not apply for the purposes of this element."
>
> The absence of this option renders several plugin-based sites unusable, such as those with embedded YouTube videos (see example URL: http://173.203.83.120/sandbox-bug).
It doesn't render the site unusable. It renders the site unusable from within a sandboxed iframe. Why not visit YouTube directly?
> (Alternatively, perhaps WebKit can offer another sandbox option, like "allow-plugins"?)
This is possible, and when learning about sandboxing very recently, I was surprised it *wasn't* an option. Perhaps poking WhatWG and Hixie about this would be worthwhile.
Artur
Comment 2
2010-05-19 11:29:05 PDT
The "allow-scripts" option makes sense and would suit my needs, but I wonder if asking the user would be useful for other applications. I don't see why not; it's already in the HTML5 specs.

Can anyone chime in on the possible issues with "allow-scripts"?

(In reply to comment #1)
> This is possible, and when learning about sandboxing very recently, I was surprised it *wasn't* an option. Perhaps poking WhatWG and Hixie about this would be worthwhile.
Artur
Comment 3
2010-05-28 08:40:28 PDT
I meant "allow-plugins", of course.

(In reply to comment #2)
> The "allow-scripts" option makes sense and would suit my needs, but I wonder if asking the user would be useful for other applications. I don't see why not; it's already in the HTML5 specs.
>
> Can anyone chime in on the possible issues with "allow-scripts"?
>
> (In reply to comment #1)
> > This is possible, and when learning about sandboxing very recently, I was surprised it *wasn't* an option. Perhaps poking WhatWG and Hixie about this would be worthwhile.
Adam Barth
Comment 4
2010-05-28 10:35:16 PDT
I believe the issue is that plugins don't understand @sandbox and therefore could be used to defeat its security properties. The working group has discussed this issue, and I think the conclusion was that we should hold off on adding this feature until at least one plugin understands the sandbox security model.
Ahmad Saleem
Comment 5
2023-07-26 15:05:48 PDT
Plugins are gone - so is this applicable in any other context?