- From: Ryosuke Niwa <notifications@github.com>
- Date: Fri, 12 Jul 2019 17:41:35 -0700
- To: w3c/clipboard-apis <clipboard-apis@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Saturday, 13 July 2019 00:42:03 UTC
@garykac : FWIW, WebKit strips away all scripts and event handlers for any cross-origin & cross-app copy & paste for HTML, and doesn't expose any raw RTF / RTFD content. See [our blog post](https://webkit.org/blog/8170/clipboard-api-improvements/) for the details.

In general, whenever we leave scripts or event handlers in the pasted HTML, we end up getting security bugs somewhere in our engine or XSS bugs on some websites so it's simply not unattainable to leave them in the pasted content.

Furthermore, some native applications tend to put privacy & security sensitive information like the full physical address of the user and the path to the app's privacy container in the system into the contents in the system pasteboard / clipboard, so some kind of sanitization step to remove any content that's not directly visible to the user is necessary from a privacy perspective as well.

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: https://github.com/w3c/clipboard-apis/issues/92#issuecomment-511072018
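A sketch of the kind of sanitization step the message above describes, for a site that wants to clean pasted HTML itself. This is an added example, not WebKit's implementation and not part of the original message; the allowlist policy, the names `PasteSanitizer`, `sanitize_pasted_html` and `_keep`, and the sample input are assumptions.

```python
from html import escape
from html.parser import HTMLParser

# Assumed policy for this sketch: keep only a small set of visible formatting.
ALLOWED_TAGS = {"a", "b", "br", "em", "i", "li", "ol", "p", "span", "strong", "ul"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
DROP_WITH_CONTENT = {"script", "style", "template", "noscript", "iframe", "object"}
SAFE_SCHEMES = {"http", "https", "mailto"}

def _keep(tag, name, value):
    if name not in ALLOWED_ATTRS.get(tag, ()):
        return False  # drops on* handlers, style, data-* and the like
    scheme, colon, _ = value.strip().partition(":")
    # href needs an exact allowlisted scheme; javascript:, data: and relative URLs go
    return name != "href" or (bool(colon) and scheme.lower() in SAFE_SCHEMES)

class PasteSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip_depth = [], 0  # skip_depth > 0 inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
        elif not self.skip_depth and tag in ALLOWED_TAGS:
            kept = "".join(f' {n}="{escape(v or "", quote=True)}"'
                           for n, v in attrs if _keep(tag, n, v or ""))
            self.out.append(f"<{tag}{kept}>")  # other tags: dropped, text kept

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):  # comments have no handler here, so they vanish
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

def sanitize_pasted_html(html):
    parser = PasteSanitizer()
    parser.feed(html)
    parser.close()  # flush text buffered by convert_charrefs
    return "".join(parser.out)

# Constructed sample of clipboard HTML; the path and handlers are made up.
SAMPLE = ('<!-- /Users/alice/Containers/app --><p onclick="f()">Hi <script>f()</script>'
          '<a href="javascript:f()">x</a> <a href="https://example.org/" onload="f()">ok</a></p>')
```

The output is rebuilt from allowlisted tags and attributes rather than by deleting known-bad ones, so markup the policy does not recognise, including the comment carrying a file path, never reaches the result.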