Re: Clipboard API: remove dangerous formats from mandatory data types from James M. Greene on 2015-06-11 (public-webapps@w3.org from April to June 2015)

From: James M. Greene <james.m.greene@gmail.com>
Date: Thu, 11 Jun 2015 07:33:58 -0500
To: Florian Bösch <pyalot@gmail.com>
Cc: Paul Libbrecht <paul@hoplahup.net>, public-webapps <public-webapps@w3.org>, Daniel Cheng <dcheng@google.com>, Ashley Gullen <ashley@scirra.com>, Hallvord Reiar Michaelsen Steen <hsteen@mozilla.com>, Olli Pettay <olli@pettay.fi>
Message-ID: <CALrbKZg+MsrnP-MzxYLjbmCbGpt6zyqdo-EMuFzi5aEWRT5_6w@mail.gmail.com>

I can make a plugins for legitimate text/image editors that would override
default behavior for paste operations to instead execute arbitrary
processes (e.g. recursively delete the entire working directory) unless the
parent application is well sandboxed.

Unless the vendors that establish a lightning fast sanity check for a
subset of binary data types, I really don't believe this is a positive
change.

While we're on it, how about the good ole harbinger of the unknown:
"application/octet-stream"? Where do we reasonably draw the line? Will that
MIME type be blocked? Doesn't seem like there would be any reasonable way
to scrub it.

Sincerely,
   James M. Greene
On Jun 11, 2015 3:14 AM, "Florian Bösch" <pyalot@gmail.com> wrote:

> Oh, also while you're on crippling things, please also exclude copying any
> text that contains "http://:" cause that borks skype.
>

Received on Thursday, 11 June 2015 12:34:27 UTC