Bug 39219 - Offer user option to override sandbox plugin flag
Summary: Offer user option to override sandbox plugin flag
Status: RESOLVED WONTFIX
Alias: None
Product: WebKit
Classification: Unclassified
Component: Frames
Version: 528+ (Nightly build)
Hardware: All OS X 10.5
Importance: P2 Normal
Assignee: Nobody
URL: http://173.203.83.120/sandbox-bug
Reported: 2010-05-17 08:23 PDT by Artur
Modified: 2023-07-28 10:10 PDT
Description Artur 2010-05-17 08:23:48 PDT
When an iframe is sandboxed, WebKit is setting the "plugins browsing context flag", as per the HTML5 doc (http://www.whatwg.org/specs/web-apps/current-work/#sandboxed-plugins-browsing-context-flag).

However, no option is being offered for the user to override the flag.  According to the HTML5 doc (http://www.whatwg.org/specs/web-apps/current-work/#the-embed-element), if the sandboxed plugin flag is set:

"The user agent may offer the user the option to override the sandbox and instantiate the plugin anyway; if the user invokes such an option, the user agent must act as if the conditions above did not apply for the purposes of this element."

The absence of this option renders several plugin-based sites unusable, such as those with embedded YouTube videos (see example URL: http://173.203.83.120/sandbox-bug).

(Alternatively, perhaps WebKit can offer another sandbox option, like "allow-plugins"?)
Comment 1 Brady Eidson 2010-05-19 11:10:20 PDT
(In reply to comment #0)
> When an iframe is sandboxed, WebKit is setting the "plugins browsing context flag" ...
> 
> However, no option is being offered for the user to override the flag.  According to the HTML5 doc (http://www.whatwg.org/specs/web-apps/current-work/#the-embed-element), if the sandboxed plugin flag is set:
> 
> "The user agent may offer the user the option to override the sandbox and instantiate the plugin anyway; if the user invokes such an option, the user agent must act as if the conditions above did not apply for the purposes of this element."
> 
> The absence of this option renders several plugin-based sites unusable, such as those with embedded YouTube videos (see example URL: http://173.203.83.120/sandbox-bug).

It doesn't render the site unusable.  It renders the site unusable from within a sandboxed iframe.  Why not visit YouTube directly?

> (Alternatively, perhaps WebKit can offer another sandbox option, like "allow-plugins"?)

This is possible, and when learning about sandboxing very recently, I was surprised it *wasn't* an option.  Perhaps poking WhatWG and Hixie about this would be worthwhile.
Comment 2 Artur 2010-05-19 11:29:05 PDT
The "allow-scripts" option makes sense and would suit my needs, but I wonder if asking the user would be useful for other applications.  I don't see why not; it's already in the HTML5 specs.

Can anyone chime in on the possible issues with "allow-scripts"?


(In reply to comment #1)
> 
> This is possible, and when learning about sandboxing very recently, I was surprised it *wasn't* an option.  Perhaps poking WhatWG and Hixie about this would be worthwhile.
Comment 3 Artur 2010-05-28 08:40:28 PDT
I meant "allow-plugins", of course.


(In reply to comment #2)
> The "allow-scripts" option makes sense and would suit my needs, but I wonder if asking the user would be useful for other applications.  I don't see why not; it's already in the HTML5 specs.
> 
> Can anyone chime in on the possible issues with "allow-scripts"?
> 
> 
> (In reply to comment #1)
> > 
> > This is possible, and when learning about sandboxing very recently, I was surprised it *wasn't* an option.  Perhaps poking WhatWG and Hixie about this would be worthwhile.
Comment 4 Adam Barth 2010-05-28 10:35:16 PDT
I believe the issue is that plugins don't understand @sandbox and therefore could be used to defeat its security properties.  The working group has discussed this issue, and I think the conclusion was that we should hold off on adding this feature until at least one plugin understands the sandbox security model.
Comment 5 Ahmad Saleem 2023-07-26 15:05:48 PDT
Plugins are gone - so is this applicable in any other context?
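
Added illustration (not part of the bug report and not WebKit's code): a simplified JavaScript model of the behaviour discussed in this thread, where any sandbox attribute sets the plugins flag and no token, including the proposed "allow-plugins", clears it. The flag names, function names and the three-token subset are assumptions of this example.

```javascript
// Simplified model of sandbox-attribute parsing (added example).
// Flag names are shorthand chosen here, not WebKit identifiers.
const ALL_FLAGS = ["navigation", "plugins", "origin", "forms", "scripts"];

// Subset of real sandbox tokens and the flag each one lifts.
// There is deliberately no entry that lifts "plugins".
const TOKEN_LIFTS = new Map([
  ["allow-same-origin", "origin"],
  ["allow-forms", "forms"],
  ["allow-scripts", "scripts"],
]);

// attrValue === null models an iframe with no sandbox attribute.
function parseSandbox(attrValue) {
  if (attrValue === null) {
    return { flags: new Set(), unknown: [] };
  }
  // Presence of the attribute, even when empty, sets every flag.
  const flags = new Set(ALL_FLAGS);
  const unknown = [];
  // Tokens are whitespace-separated and matched case-insensitively.
  const tokens = attrValue.split(/[ \t\n\f\r]+/).filter(Boolean);
  for (const raw of tokens) {
    const token = raw.toLowerCase();
    if (TOKEN_LIFTS.has(token)) {
      flags.delete(TOKEN_LIFTS.get(token));
    } else {
      // Unrecognised tokens lift nothing; collect them for review.
      unknown.push(token);
    }
  }
  return { flags, unknown };
}

// True when plugin content inside the frame would not be instantiated.
function pluginsBlocked(attrValue) {
  return parseSandbox(attrValue).flags.has("plugins");
}

// Constructed sample values, not taken from the bug's example URL.
const samples = [null, "", "allow-scripts allow-same-origin",
                 "allow-scripts allow-plugins"];
for (const value of samples) {
  const { unknown } = parseSandbox(value);
  console.log(JSON.stringify(value), "plugins blocked:",
              pluginsBlocked(value), "ignored tokens:", unknown);
}
```
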