(work in progress)
HTML5 defines a "sandbox" mode for <iframe>, which disables certain features, such as scripting, form submission, and plugins. For some of these, such as scripting, an opt-in feature is available, but there is none for plugins.
Existing Discussion and Documentation
HTML5 iframe element 
HTML WG discussion thread on public-html 
- It should be possible to find out whether the plugin knows about sandboxing as early as possible
- Q: not sure whether this needs to be possible before Initialization
- We need to be able to pass the various "opt-out" switches into the plugin instance
- Q: does this need to happen at instantiation, or is it sufficient to do that before content is loaded?
- Q: Do we need a more fine grained set of "sandbox flags" for plugins? Scripting? Network access? Other?