Re: Concerns regarding cross-origin copy/paste security

From: Hallvord R. M. Steen <hallvord@opera.com>
Date: Wed, 08 Feb 2012 15:17:06 +0100
To: "Adam Barth" <w3c@adambarth.com>
Cc: public-webapps <public-webapps@w3.org>, "Daniel Cheng" <dcheng@chromium.org>, "Ryosuke Niwa" <rniwa@webkit.org>
Message-ID: <op.v9c5ysbta3v5gv@hr-desk>
Adam Barth <w3c@adambarth.com> wrote on Wed, 08 Feb 2012 00:05:54 +0100:

>> FWIW, my main concern was the hidden data aspect because it can be abused
>> for cross-site request forgery if a malicious site by getting the user to
>> copy and paste gets access to form anti-CSRF tokens and such.
>
> That's certainly possible, but I don't think it's possible for us to
> protect against the long tail of risks here.  In these sorts of cases,
> it can be better for security to not implement a half-correct solution
> and instead decide not to try to mitigate a particular risk.

You are right here.

Also, on considering the abuse potential of getData('text/html'), I've  
realised that we are not introducing much new threat surface here, since a  
simple paste into a rich text editing-enabled element already inserts  
markup so that the target page can see much of what I proposed removing.

I've changed the spec from saying the implementation *must* apply the  
sanitization algorithm to saying the user agent *may* apply it, made it  
clear that it is merely a suggestion, removed some of the most draconian  
parts and marked it as informative. I think it still has some value as an  
informative section.

http://dev.w3.org/cvsweb/~checkout~/2006/webapi/clipops/clipops-source.html?rev=1.15;content-type=text%2Fhtml

Perhaps we should publish a new working draft now?

-- 
Hallvord R. M. Steen
Core tester, Opera Software
Received on Wednesday, 8 February 2012 14:20:34 GMT