Remove the notion of "secured plugins"

[domenic]

Instead, sandboxed iframes are just never allowed to display plugins. (Which, in the modern world, just means PDFs.)

Closes #3958. Helps with #6003.

• At least two implementers are interested (and none opposed):
  • Mozilla per Interop: pdf might or might not render in a sandboxed iframe (depending on a browser) #3958 (comment) and @annevk's confirmation below.
  • Chrome does not have this notion.
  • Safari displays nothing on (a fixed version of) http://wpt.live/html/semantics/embedded-content/the-iframe-element/sandbox_004-manual.htm so probably does not have this notion either.
• Tests are written and can be reviewed and commented upon at:
  • Fix and make automatic sandboxed plugins test web-platform-tests/wpt#29951
• Implementation bugs are filed:
  • Chrome: N/A
  • Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=1724924
  • Safari: N/A

(See WHATWG Working Mode: Changes for more details.)

---

/browsing-the-web.html ( diff )
/iframe-embed-object.html ( diff )
/infrastructure.html ( diff )
/origin.html ( diff )

[domenic]

I found the issue with http://wpt.live/html/semantics/embedded-content/the-iframe-element/sandbox_004-manual.htm; it was missing a Content-Type header. (Which is good news as it implies only Firefox looks at the file extension!)

I've updated the OP to reflect the results of the testing.

[annevk]

Yeah, this seems fine. It would be great if @mikewest could double check this as he got it added at some point in the past, I think.

[domenic]

Mike's OOO until the 16th, but I guess there's no rush. Setting a reminder to ping him next week.

[mikewest]

Mike's OOO until the 16th, but I guess there's no rush. Setting a reminder to ping him next week.

Mike's working his way through his inbox. :)

Practically, we aren't implementing a "secured plugin" concept in Chromium yet, so removing it from the spec is reasonable. Philosophically, PDFium being implemented as a plugin in Chromium is an implementation detail that's somewhat unfortunate from a spec perspective. On the one hand, I don't want HTML to turn into a PDF-rendering spec. On the other, I think it would be quite useful for us to be able to interoperably render PDFs in a sandbox, and we're becoming more capable of doing so as PDFium is growing more integration points to other bits and pieces of Chromium.

So, maybe this concept can come back at some point? I think this more or less matches what @annevk suggested in #3958 (comment).

[domenic]

Yeah, that makes sense to me. Overall the goal is to move toward a world where "plugins" as a concept no longer exists, but "PDF viewer documents" do. (Preferably with an opaque origin; see #6947.) Then in the future if all browsers feel that it's safe to embed PDF documents inside sandboxed iframes, we can just remove the prohibition on them. (And also remove the allow-plugins keyword since it will no longer have any effect.)