W3C home > Mailing lists > Public > public-webapps@w3.org > January to March 2013

Re: Clipboard API: Stripping script element

From: James Graham <jgraham@opera.com>
Date: Thu, 28 Mar 2013 12:42:48 +0100
Message-ID: <51542CB8.5010804@opera.com>
To: public-webapps@w3.org
On 03/28/2013 12:34 PM, Hallvord Reiar Michaelsen Steen wrote:
> On 03/28/2013 10:36 AM, Hallvord Reiar Michaelsen Steen wrote:
>>>> In particular, WebKit has been stripping script element from
>>>> the pasted content but this may have some side effects on CSS
>>>> rules.]
>
>>> AFAIK (without re-testing right now), WebKit's implementation
>>> is: * rich text content that is pasted into a page without JS
>>> handling it is sanitized (SCRIPT, javascript: links etc removed)
>>> * a paste event listener that calls getData('text/html') will get
>>> the full, pre-sanitized source
>>>
>>>
>>> If that's correct I can add a short description of this to the
>>> spec, in the informative section.
>>
>
>> Why would this be informative?
>
>
> Mainly because it seems like spec'ing it is a bit out of scope for
> this spec - I'm trying to spec how clipboard events should work as
> seen from the JS side. Implementation details like how data is pasted
> when there is no JS or event handling involved don't seem to belong
> here, and IMO the interop issues are far-fetched (though the XSS
> risks aren't).

I don't see why the interop issues are particularly far-fetched. The 
approach of not problems in spec A because they "ought" to be addressed 
some other hypothetical spec B is something we have tried before and it 
hasn't worked well yet, so I don't think we should do it again here. As 
the python doctrine goes, "practicality beats purity".
Received on Thursday, 28 March 2013 11:43:17 UTC

This archive was generated by hypermail 2.3.1 : Thursday, 28 March 2013 11:43:18 UTC