Iframe sandbox disables plugins. This leads to the following interop problem: some browsers (like Chrome) implement PDF rendering via a plugin and therefore PDF might not render in a sandboxed iframe (or in pop-ups opened from a sandboxed iframe).

Brainstorming some ideas for how the spec can help interoperability here:

• Maybe the spec can introduce a mechanism for more granular sandboxing of plugins (e.g. so that a parent frame may allow its subframe to embed plugins handling application/pdf but not application/x-shockwave-flash). This doesn't seem to help interop, because for backcompatibility, the default behavior would have to block all plugins (and so the default behavior would remain not interoperable)

• Maybe the spec can give browsers some leeway in what plugins are blocked. For example - Chrome's PDF rendering restricts which APIs are exposed to PDFs (e.g. Net.* methods are not implemented) and maybe such restriction means that sandboxed frames should be allowed to embed PDF plugin.

• In the long term high-profile plugins like Flash and PNaCl will be deprecated (Flash by 2020 although AFAIK PNaCl remains supported for Chrome Apps for foreseeable future). Maybe this means that browsers shouldn't render PDF via a plugin?

Other notes:

• This is a follow-up to https://crbug.com/866292