Re: [w3ctag/design-reviews] Raw Clipboard Access API (#406)

@dway123 wrote:

> We’ve decided that we may start with a more restrictive API surface, and later reconsider opening things up.

Great. This sounds really promising!

> As such, we’ll likely gate API use on user activation, via the [user activation API](https://groups.google.com/a/chromium.org/d/msg/blink-dev/nkTDR8AUlwM/xsPcojA5BAAJ), and are taking a deeper look at [Pickling](https://github.com/WICG/raw-clipboard-access/blob/master/explainer.md#alternative-consistent-mime-types-without-re-encoding--pickling). We will send out an explainer for Pickling, either as an alternative to Raw Clipboard, or as a supplement.

I encourage you to pursue a pickling solution first, as it's [more likely to see cross-browser adoption](https://github.com/w3ctag/design-reviews/issues/406#issuecomment-542310250), and then perhaps revisit raw access later.

> Regarding abuse cases, we did mention this in our [design document](https://docs.google.com/document/d/1XDOtTv8DtwTi4GaszwRFIJCOuzAEA4g9Tk0HrasQAdE/edit#heading=h.wfp7lhinseox), which was intended as a longer, more technical (and sometimes Chromium-specific) version of the easy-to-digest explainer, but which unfortunately wasn’t linked at the top of my explainer.

Thanks for this; this is a really interesting document. There are documents linked from it that sound tantalizing but unfortunately aren't public, e.g. the document linked in the sentence beginning ["there are concerns regarding this lack of explicit user activation"](https://docs.google.com/document/d/1VvjgZPT2uzBj9sysGUKNNtXNTCJqyr-PdKtGOYDTrzU/edit).

> I originally opted to exclude longer discussions of security and privacy from the explainer and TAG process as the [TAG explainer explainer](https://github.com/w3ctag/w3ctag.github.io/blob/master/explainers.md), which while very helpful, did omit a Security and Privacy section, and was [clear](https://github.com/w3ctag/w3ctag.github.io/blob/master/explainers.md#tips-for-effective-explainers) that this document should be “brief and easy”,

I think that's fair. The explainer explainer does say this:

> As your work progresses, the explainer can help facilitate multi-stakeholder discussion and consensus-building by making clear: […]
> * accessibility, security and privacy implications which have been considered as part of the design process.

... but it could go a lot farther, and should more strongly encourage explainer authors to elaborate on the privacy and security thoughts that have gone into the design. I've filed w3ctag/w3ctag.github.io#21 to track this.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/406#issuecomment-567231414

Received on Wednesday, 18 December 2019 21:59:46 UTC