On 12/2/14, 8:01 AM, James M. Greene wrote:
So, it sounds like sandboxed iframes will probably /never/ support
plugin instantiation -- even if such a plugin were hosted on the same
origin as both the iframe page /and/ top-level page.
For Gecko it depends.
For example, we plan to ship a PDF viewer plugin (based on pdf.js) that
we may decide to allow in sandboxed iframes. Will need to audit it a bit.
For third-party plug-ins, I suspect the "never" answer is a good
assumption for now.
This mostly makes sense to me as you would only infrequently want to
sandbox an iframe of your own site
Actually, sandboxing iframes of your own site is one of the main sandbox
use cases: it allows limited user upload of content without creating
security holes, in theory.
-Boris
