Re: Clipboard API: remove dangerous formats from mandatory data types from Paul Libbrecht on 2015-06-09 (public-webapps@w3.org from April to June 2015)

From: Paul Libbrecht <paul@hoplahup.net>
Date: Tue, 09 Jun 2015 21:27:32 +0200
To: Daniel Cheng <dcheng@google.com>, Olli Pettay <olli@pettay.fi>, public-webapps <public-webapps@w3.org>
Message-ID: <55773E24.3030704@hoplahup.net>

Daniel,

this does not make sense to me.

All these image parsers exploits can be triggered by an img tag, or?
Similarly for XML using an XHR or some particular XML formats (RSS, SVG,
XHTML, ...) in markup.

There's absolutely no difference in the mistrust we should have between
content brought by an HTML page and content brought by a JavaScript, or?
Hence we should just not accept the reason of knowing of broken parsers
to be a reason to change the standards!

If, as a president, you need to decide to change the roads because a
particular car was built massively and needs a particularirty of your
roads, you would also find it nonsense, or? You're making me feel like
France which did this for a particular type of trains which required to
change all platforms because their ordered trains were already built too
wide....

Paul

On 9/06/15 21:15, Daniel Cheng wrote:
> I'm not against considering more formats to be dangerous. =)
>
> In particular:
> JS: I'm not support what context we'd ever want to support this, since
> we go out of our way to try prevent XSS in HTML pastes.
> XML: I wouldn't mind getting rid of this. XML parsers seem to have RCE
> bugs on a semi-regular basis.
>
> Daniel
>
> On Tue, Jun 9, 2015 at 12:01 PM Olli Pettay <olli@pettay.fi
> <mailto:olli@pettay.fi>> wrote:
>
>     On 06/09/2015 09:39 PM, Daniel Cheng wrote:
>     > Currently, the Clipboard API [1] mandates support for a number
>     of formats. Unfortunately, we do not believe it is possible to
>     safely support writing a
>     > number of formats to the clipboard:
>     > - image/png
>     > - image/jpg, image/jpeg
>     > - image/gif
>     >
>     > If these types are supported, malicious web content can
>     trivially write a malformed GIF/JPG/PNG to the clipboard and
>     trigger code execution when
>     > pasting in a program with a vulnerable image decoder. This
>     provides a trivial way to bypass the sandbox that web content is
>     usually in.
>     >
>     > Given this, I'd like to propose that we remove the above formats
>     from the list of mandatory data types, and avoid adding support
>     for any more complex
>     > formats.
>     >
>     > Daniel
>     >
>     > [1] http://www.w3.org/TR/clipboard-apis/#mandatory-data-types-1
>
>
>     Why would text/html, application/xhtml+xml, image/svg+xml,
>     application/xml, text/xml, application/javascript
>     be any safer if the program which the data is pasted to has
>     vulnerable html/xml/js parsing?
>
>
>     -Olli
>

Received on Tuesday, 9 June 2015 19:28:12 UTC