[w3c/clipboard-apis] Clarification for clipboardData.setData() and native access (#48)

Section [§9.2. Writing to the clipboard](https://w3c.github.io/clipboard-apis/#writing-to-clipboard) currently states:

> These data types must be placed on the clipboard with a corresponding native type description if added to a DataTransfer object during copy and cut events.

    text/plain
    text/uri-list
    text/csv
    text/html
    image/svg+xml
    application/xml, text/xml
    application/json

> Warning! The data types that untrusted scripts are allowed to write to the clipboard are limited as a security precaution. Untrusted scripts can attempt to exploit security vulnerabilities in local software by placing data known to trigger those vulnerabilities on the clipboard.

Is the spirit of this description that it is desirable to make this data (in a subset of _known as safe_ data types) available outside the browser's sandbox? Is it, in fact, mandatory that browsers relay data set through `copyEvent.clipboardData.setData(format, data)`, where `format` is one of the items in the list, so that it is available to other applications (in particular, web browsers)?

Firefox, Chrome, and Safari are currently limiting access to the data they set through `setData('application/json')`, and I wanted to get an opinion before I log bugs in their respective issue trackers.


Received on Thursday, 24 August 2017 00:16:15 UTC
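
The round trip the question is about, as an added example that is not part of the original issue or of the specification: a copy handler that writes `application/json` with a `text/plain` fallback, and a paste handler that reports which of the two types actually arrived. The names `onCopy` and `onPaste` and the sample payload are assumptions made for illustration.

```javascript
// Added example; onCopy/onPaste and the payload are hypothetical names/values.

// Copy handler: write a JSON payload under application/json and, as a
// fallback for receivers that never see that type, under text/plain.
function onCopy(event, payload) {
  const json = JSON.stringify(payload);
  event.clipboardData.setData('application/json', json);
  event.clipboardData.setData('text/plain', json);
  // Without cancelling the event the browser copies the current selection
  // and ignores the data set above.
  event.preventDefault();
}

// Paste handler: list the types that arrived and take the payload from the
// first one that holds valid JSON. Clipboard content can come from any
// application, so it is parsed defensively and never evaluated.
function onPaste(event) {
  const dt = event.clipboardData;
  const types = Array.from(dt.types);
  const result = {
    types,
    jsonTypePresent: types.includes('application/json'),
    source: null,
    value: null,
  };
  for (const type of ['application/json', 'text/plain']) {
    if (!types.includes(type)) continue;
    try {
      result.value = JSON.parse(dt.getData(type));
      result.source = type;
      break;
    } catch (_) {
      // Not JSON under this type; try the next candidate.
    }
  }
  return result;
}

// Browser wiring; skipped when the file is loaded outside a page.
if (typeof document !== 'undefined') {
  document.addEventListener('copy', (e) => onCopy(e, { id: 1, kind: 'demo' }));
  document.addEventListener('paste', (e) => console.log(onPaste(e)));
}
```

Pasting in a second application or browser and comparing `jsonTypePresent` and `source` with the same-page result shows whether the `application/json` entry left the originating browser.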