Re: [clipboard events] seeking implementor feedback on using CID: URI scheme for pasting embedded binary data

> > In addition, from a security perspective, what stops a malicious website
> > from embedding something like <img src="file:///etc/passwd"
> > style="display:none"></img> in the markup?
>
> We disallow this on copy by stripping such references.
>

Hi Ben,
picking up this old thread...

So we need to add a "sanitize local references" step/algorithm somewhere
when JS writes data to clipboard? It would be great if you could have a
look at
https://w3c.github.io/clipboard-apis/#dfn-writing-contents-to-the-clipboard
and suggest some text - maybe even in the form of a GitHub pull request? :)
(I assume you strip *all* local references, not just specific blacklisted
stuff like /etc/passwd - this probably needs testing with various types of
slashes etc..)

Do you have any other safety measures when data is written to the clipboard?
-Hallvord

Received on Monday, 20 April 2015 20:38:59 UTC
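
A sketch of the "sanitize local references" step discussed in this message, as an added example that is not part of the original thread or of the Clipboard API spec. The function names, the attribute list and the definition of "local" (file: URLs, drive-letter paths, UNC paths) are assumptions. The regex attribute scan stands in for a walk over the parsed DOM, and `srcset` and CSS `url()` are not covered.

```javascript
// Added example. Names, the attribute list and the definition of "local"
// are assumptions, not text from the Clipboard API spec.
const URL_ATTR = /[\s\/](src|href|poster|data|background)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi;
const NAMED = new Map([['colon', ':'], ['sol', '/'], ['bsol', '\\'],
                       ['Tab', '\t'], ['NewLine', '\n']]);

// Decode character references that could hide a scheme, colon or slash.
function decodeRefs(s) {
  return s.replace(/&(?:#x([0-9a-f]+)|#(\d+)|(\w+));?/gi, (m, hex, dec, name) => {
    if (name) return NAMED.get(name) ?? m;
    const cp = hex ? parseInt(hex, 16) : parseInt(dec, 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : '\ufffd';
  });
}

// True when an attribute value points at the local machine or a file share.
function isLocalReference(raw) {
  const v = decodeRefs(raw)
    .replace(/^[\u0000-\u0020]+/, '')  // URL parsers trim leading controls/space
    .replace(/[\t\n\r]/g, '');         // and drop tab/newline anywhere in the URL
  return /^file:/i.test(v)             // file:///etc/passwd, FILE:\\C:\boot.ini
      || /^[a-z]:[\\/]/i.test(v)       // C:\Users\..., c:/Users/...
      || /^\\\\/.test(v);              // UNC path \\host\share
}

// Remove URL-bearing attributes whose value is a local reference.
function stripLocalReferences(html) {
  return html.replace(URL_ATTR, (m, name, val) =>
    isLocalReference(val.replace(/^["']|["']$/g, '')) ? '' : m);
}

// Constructed sample input, based on the markup quoted in the thread.
const sample = '<img src="file:///etc/passwd" style="display:none">';
console.log(stripLocalReferences(sample));
```
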