I have recently begun receiving issue reports about my JavaScript library,
ZeroClipboard, not working in some common developer websites such as
JSFiddle, CodePen, etc. The common thread here is that the problematic
sites all host their snippets within sandboxed iframes... but ZeroClipboard
relies
On 12/2/14, 7:46 AM, James M. Greene wrote:
1. Is there any existing way or guidance for browser vendors on how to
confirm that a plugin can be "secured" and thus allowed to be instantiated
within a sandboxed iframe?
As far as I know, there is not. For Gecko there definitely is not.
2. I
OK, those answers are all about what I expected, particularly the note
about securing the API surface of Flash.
So, it sounds like sandboxed iframes will probably *never* support plugin
instantiation -- even if such a plugin were hosted on the same origin as
both the iframe page *and* top-level pa
On 12/2/14, 8:01 AM, James M. Greene wrote:
So, it sounds like sandboxed iframes will probably /never/ support
plugin instantiation -- even if such a plugin were hosted on the same
origin as both the iframe page /and/ top-level page.
For Gecko it depends.
For example, we plan to ship a PDF vie
>
> Actually, sandboxing iframes of your own site is one of the main sandbox
> use cases: ...
Oh, hehe.
... it allows limited user upload of content without creating security
> holes, in theory.
Then let us hope that such content creation/collection/uploading doesn't
require the use of Flash/J