Re: [w3ctag/design-reviews] Raw Clipboard Access API (#406) from Darwin Huang on 2019-10-31 (public-webapps-github@w3.org from October 2019)

From: Darwin Huang <notifications@github.com>
Date: Thu, 31 Oct 2019 15:46:10 -0700
To: w3ctag/design-reviews <design-reviews@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3ctag/design-reviews/issues/406/548598577@github.com>

Thank you for the review. 

Re: privacy concerns via user activation (@torgo): 

Yes, we have discussed user activation requirements, and recognize that user activation could lock down that abuse case. The Chrome team has been actively investigating [mentioned](https://github.com/w3ctag/design-reviews/issues/222#issuecomment-379436560) mitigations, including an expiring/ephemeral permission and user activation requirements, and has implemented and helped specify the [document focus requirement](https://www.w3.org/TR/clipboard-apis/#privacy-async). That said, there are several use cases ([remote desktop](https://github.com/w3c/clipboard-apis/issues/75) applications and [custom context menus](https://github.com/w3c/clipboard-apis/issues/52#issuecomment-385725169)) that would break with a user activation requirement, so we think it would be overly restrictive to require this. I’ll also place some responses in the tagged issues.

Re: security concerns and native exploits (@hober)

We’ve seen significant user and developer demand on the web for interoperability with native applications’ clipboards, and would like to provide a safe mechanism to do so. Pickling unfortunately does not meet these compatibility requirements with legacy native applications ([explainer section](https://github.com/dway123/raw-clipboard-access/blob/master/explainer.md#alternative-consistent-mime-types-without-re-encoding--pickling)). That said, pickling is probably worth pursuing in parallel to address separate use cases, but we currently find it to be lower priority, and the raw clipboard access API design shouldn’t preclude pickling.

Raw clipboard access opens up a similar surface as Downloads, where data may touch legacy native surfaces without sanitization. We are interested in pursuing this approach despite more difficult security implications due to expressed demand, and we should be able to secure the Clipboard in a similar way as Downloads. We are exploring the use of a [clipboard mark of the web](https://github.com/dway123/clip-motw/blob/master/explainer.md) ([TPAC minutes](https://lists.w3.org/Archives/Public/public-editing-tf/2019Oct/0004.html)), safe browsing, and other familiar protections used in Downloads.

We’ve also filed some potential concerns as [issues](https://github.com/dway123/raw-clipboard-access/issues) in the repository. Is there any feedback on those concerns? Thanks!


-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/406#issuecomment-548598577

Received on Thursday, 31 October 2019 22:46:12 UTC