Re: Concerns regarding cross-origin copy/paste security

From: Ryosuke Niwa <rniwa@webkit.org>
Date: Thu, 2 Feb 2012 22:14:19 -0800
Message-ID: <CABNRm60-KmfHKfSO0ebcJ=ZVHoZMpchjzEXXN_1VPSxpWprsTQ@mail.gmail.com>
To: "Hallvord R. M. Steen" <hallvord@opera.com>
Cc: public-webapps <public-webapps@w3.org>, Daniel Cheng <dcheng@chromium.org>
Sorry for the extremely slow reply. It slipped through hundreds of emails :(

On Mon, May 16, 2011 at 8:41 PM, Hallvord R. M. Steen <hallvord@opera.com> wrote:
>> To me, it doesn't make sense to remove the other elements:
>> - OBJECT: Could be used for SVG as I understand.
>
> OBJECT is considered a form element, so it might have hidden data
> associated with it. It can also contain plugin content that could inject
> scripts and be used for XSS attacks. It may be too far-fetched or draconian
> to remove it though. (SVG is rich enough to be its own can of worms by the
> way..)

Given the improved support for inline SVG and MathML, it's probably okay to
strip it. However, we should add EMBED to the list since it's a plugin
element.

>> - INPUT (non-hidden, non-password): Content is already available via
>> text/plain.
>
> An input's @name attribute is basically hidden data the user will not be
> aware of pasting. I'm not sure how much of a threat this is, but we should
> give it some thought.

You mean <input name="~">? I don't think that'll expose much information.
I'd prefer not removing these attributes as I've seen bugs filed against
WebKit for "form control" editors; apparently some people would like to
create form control editors using contenteditable.

- Ryosuke
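Added example, not from the thread or from any browser engine: a model of the paste-sanitization policy discussed above (drop OBJECT/EMBED with their content, drop hidden/password inputs, strip @name from other form controls, keep inline SVG/MathML), written on Python's html.parser for illustration. A real implementation runs on the browser's DOM rather than re-parsing markup; the class and function names and the sample fragment are assumptions.

```python
import html
from html.parser import HTMLParser
# Policy from the thread: drop OBJECT/EMBED (plugin containers) with their content, drop
# hidden/password INPUTs, strip @name from other form controls; inline SVG/MathML stay.
DROP_SUBTREE = {"object", "embed", "script"}
FORM_CONTROLS = {"input", "select", "textarea", "button"}
VOID_ELEMENTS = {"input", "embed", "img", "br", "hr", "meta", "link", "param"}

class PasteSanitizer(HTMLParser):
    def __init__(self):
        super().__init__()   # convert_charrefs=True: text arrives decoded
        self.out = []
        self.drop_depth = 0  # > 0 while inside a dropped subtree

    def handle_starttag(self, tag, attrs):
        if self.drop_depth or tag in DROP_SUBTREE:
            if tag not in VOID_ELEMENTS:  # void elements never get an end tag
                self.drop_depth += 1
            return
        kind = (dict(attrs).get("type") or "text").lower()
        if tag == "input" and kind in ("hidden", "password"):
            return
        if tag in FORM_CONTROLS:
            attrs = [(k, v) for k, v in attrs if k != "name"]
        rendered = "".join(" %s" % k if v is None else ' %s="%s"' % (k, html.escape(v))
                           for k, v in attrs)
        self.out.append("<%s%s>" % (tag, rendered))

    def handle_endtag(self, tag):
        if tag in VOID_ELEMENTS:
            return
        if self.drop_depth:
            self.drop_depth -= 1
        else:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):  # text outside dropped subtrees, re-escaped
        if not self.drop_depth:
            self.out.append(html.escape(data, quote=False))

def sanitize_paste(fragment):
    p = PasteSanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out)
# Constructed sample of cross-origin clipboard HTML (not from the thread).
SAMPLE = ('<p>Hi <object data="x.swf">fallback <b>bold</b></object> <embed src="y.swf"> '
          '<input type="hidden" name="csrf" value="abc"> <input name="q" value="search"> '
          '<svg><circle r="1"></circle></svg></p>')
```

Running sanitize_paste(SAMPLE) keeps the paragraph text, the visible input (without its name) and the inline SVG, and drops the OBJECT subtree, the EMBED and the hidden input.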
Received on Friday, 3 February 2012 06:15:08 GMT