W3C home > Mailing lists > Public > public-webapi@w3.org > February 2006

Re: Safe copy and paste with scripts

From: Maciej Stachowiak <mjs@apple.com>
Date: Fri, 24 Feb 2006 15:06:36 -0800
Message-Id: <8C4552BD-4F5D-4551-A833-C5D4F8884F9B@apple.com>
Cc: public-webapi@w3.org
To: paul@activemath.org


On Feb 24, 2006, at 2:50 PM, Paul Libbrecht wrote:

>
> Hello,
>
> no-one really answered my question about sandboxing so I'll just  
> formulate things differently.
>
> My interest was to enable copy and paste of mathematical formulae  
> which are *presented* using HTML (or MathML-presentation) but  
> covers any application that wishes to copy something that is not  
> the presentation but a "data on the back". Looking around at APIs  
> about it one sees either:
> - access to the clipboard is denied by normal sandboxed  
> environments (Java Applets, Flash more or less, JavaScript)
> - or is granted to trusted applications
> This isn't practical: getting the trust should not be something of  
> everyday so that, basically, web-developers abandon copy and paste  
> although it is arguably the most usable transfer-paradigm.
> The problem is indeed to access the clipboard (e.g. an ad reading  
> your clipboard) but that could be avoided and still allow copy and  
> paste:
>
> An element or component could have methods to read content from and  
> write content to: the read would return the data in a set of  
> translatable content-types and the write would be presented a  
> choice of them and choose one.
> And these read and write operations can be, simply, triggered by  
> the *standard gestures* of the system (e.g. in an edit menu) which  
> should not be callable by the script code.

I would like copy/paste integration to be on the agenda. I believe  
these operations can be offered securely (and implemented in various  
nonstandard ways by IE, Firefox and in some cases Safari):

1) copy
2) cut (in an editable context)
3) event on copy that lets you prevent the default action and  
substitute other content
4) event on paste that lets you prevent the default action and  
substitite other content

I think the difficulties with 3) and 4) are defining identifiers for  
and contents of clipboard data formats in a cross-platform way.

The following operations cannot be securely offered to web applications:

- Programmatically trigger paste
- Examine current contents of clipboard

I hope the WG tackles clipboard integration at some point, once we  
get past some of the more basic specs on our current agenda.

> Is this unsecure ?

I think a secure version could be designed.

> Are we lacking, maybe, requirements about selection display ?

Not sure what you mean by this. CSS lets you control how the  
selection is decorated via the :selection pseudo-element. I think  
extending that would be out of scope for the Web API WG.

Regards,
Maciej



>
> paul
>
> PS: Changing the selection, and displaying it well, is, actually,  
> something that also needs special treatment in mathematics...
>
Received on Friday, 24 February 2006 23:06:38 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 January 2008 14:18:53 GMT