Sandbox NPAPI

Ivan Krstić ike at apple.com
Tue Feb 1 15:20:48 PST 2011


Hi Adam,

On Jan 20, 2011, at 11:10 PM, Adam Barth wrote:
> Does the QuickTime plugin use other operating system concepts besides
> files, for example HWNDs or hardware video decoding?  I guess the main
> thing I don't understand about this proposal is how the plug-in is
> allowed to interact with the operating system once it enables the
> sandbox (e.g., for OS resources other than files).


These are good questions. I haven't found a way to reconcile the differences between different OS architectures — and their sandbox primitives — to the point where the API could give a precise answer to what the plugin is allowed to do after entering the Sandbox.

As a result, the approach I've taken is to work backwards from the things I'm trying to protect. My strongest concern is protecting access to the user's files, which incidentally lend themselves reasonably well to having their behavior characterized across platforms. That's why the API deals with files explicitly, while leaving the remaining restrictions up to the implementors under the "implementations may additionally choose to restrict..." clause. I know what the set of restrictions would need to look like on Mac OS X, and presumably folks working on other platforms would know what their OS has to restrict so as to make it impossible for plugins to steal, corrupt or delete the user's files without authorization.

If you have ideas on how to make the API more unambiguous about its protection model remaining applicable to different platforms, I'd love to hear them.

Cheers,
Ivan.
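The message above says the API "deals with files explicitly" and leaves the rest to the platform. As an added illustration of the file half of that (not code from the proposal, from Ivan, or from any plugin), here is the kind of broker-side check a host would make when a sandboxed plugin asks to open a path: the plugin's pre-declared directories are an allow-list, and everything else is denied by default. The directory names, the `plugin_may_open` entry point and the 1024-byte limit are all hypothetical. The check normalizes the path lexically (collapsing `//`, `.` and `..`) and then tests containment with a separator-aware prefix match, which is what keeps `QuickTime-evil` from passing as `QuickTime`.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Lexically normalize an absolute POSIX path: collapse repeated '/',
 * drop "." and resolve ".." against components already seen (never
 * above the root). Symlinks are NOT resolved here; a real broker must
 * still open the file itself and hand back the descriptor.
 * Returns false for a relative/empty path or if `out` is too small. */
static bool normalize_path(const char *path, char *out, size_t outsz)
{
    if (path == NULL || path[0] != '/' || outsz < 2)
        return false;

    size_t len = 0;                  /* bytes in `out`, excluding the NUL */
    const char *p = path;
    out[0] = '\0';

    while (*p != '\0') {
        while (*p == '/') p++;       /* skip one or more separators */
        if (*p == '\0') break;

        const char *start = p;
        while (*p != '\0' && *p != '/') p++;
        size_t clen = (size_t)(p - start);

        if (clen == 1 && start[0] == '.')
            continue;                /* "." is a no-op */
        if (clen == 2 && start[0] == '.' && start[1] == '.') {
            /* ".." pops the previous component, if there is one */
            while (len > 0 && out[len - 1] != '/') len--;
            if (len > 0) len--;      /* drop its leading '/' as well */
            out[len] = '\0';
            continue;
        }
        if (len + 1 + clen >= outsz)
            return false;            /* would overflow the buffer: refuse */
        out[len++] = '/';
        memcpy(out + len, start, clen);
        len += clen;
        out[len] = '\0';
    }
    if (len == 0) {                  /* everything collapsed to the root */
        out[0] = '/';
        out[1] = '\0';
    }
    return true;
}

/* True iff `normalized` is `root` itself or lies strictly inside it.
 * `root` must already be normalized and, unless it is "/", must not end
 * in '/'. The trailing-character test rejects the classic prefix trap:
 * "/x/Plugins2/a" is not inside "/x/Plugins". */
static bool path_within(const char *normalized, const char *root)
{
    if (strcmp(root, "/") == 0)
        return normalized[0] == '/';
    size_t rlen = strlen(root);
    if (strncmp(normalized, root, rlen) != 0)
        return false;
    return normalized[rlen] == '\0' || normalized[rlen] == '/';
}

/* Hypothetical: directories a plugin declared before entering the
 * sandbox. Illustrative values only, not taken from the proposal. */
static const char *const kAllowedRoots[] = {
    "/Library/Internet Plug-Ins/QuickTime Plugin.plugin",
    "/Users/alice/Library/Caches/QuickTime",
};

/* Broker-side decision for a file-open request from the sandboxed
 * plugin: normalize, then allow only if inside a declared root. */
bool plugin_may_open(const char *requested)
{
    char norm[1024];
    if (!normalize_path(requested, norm, sizeof norm))
        return false;                /* relative, empty or oversized: deny */
    for (size_t i = 0; i < sizeof kAllowedRoots / sizeof kAllowedRoots[0]; i++)
        if (path_within(norm, kAllowedRoots[i]))
            return true;
    return false;                    /* default deny */
}

int main(void)
{
    const char *probes[] = {
        "/Users/alice/Library/Caches/QuickTime/movie.mov",
        "/Users/alice/Library/Caches/QuickTime/../../../Documents/taxes.pdf",
        "/Users/alice/Library/Caches/QuickTime-evil/x",
        "Library/Caches/QuickTime/movie.mov",
    };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%-5s %s\n", plugin_may_open(probes[i]) ? "ALLOW" : "DENY", probes[i]);
    return 0;
}
```

Note what this does and does not cover: it settles the cross-platform part of the question (which paths the plugin asked for) but says nothing about HWNDs, hardware decoders or other OS objects, which is exactly the gap the message leaves to each platform's implementor.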


