Re: [w3c/editing] Security Review (#315)

> I propose instead that the specification should say that implementations MUST pickle any clipboard contents that they don't already sanitize. (And then you can remove the unsanitized field from the ClipboardItem constructor.)

If the web authors don't provide the MIME type to be pickled in the `ClipboardItemOptions`, then the formats wouldn't be inserted into the clipboard as unsanitized. If the MIME type is a standard format such as `text/html`, `text/plain` etc, then only the sanitized payload would be inserted into the clipboard. If the web authors provide a custom format (`text/custom` in the example) but "forget" to provide that custom format in `ClipboardItemOptions`, then we will throw a JS exception `Type text/custom not supported on write.`

> I don't see that it is equivalent to the unsanitized: true design alternative: it would be possible to distinguish sanitized from unsanitized clipboard contents, because we all know in advance what the sanitized MIME formats are. (Right?)

The sanitized MIME formats are known, but we aren't sure when the web authors also want an unsanitized version of it. For pickled formats, it is easy to detect, but for standard formats we basically have to read/write unpickled & pickled formats even if web authors only requested for the unpickled version in their sites. With `ClipboardItemOptions` the web authors have to explicitly specify the MIME type during read/write if they want the pickled version of the MIME types in the clipboard.

For the user gesture requirement, I agree with the concerns raised regarding user intent. We have a separate issue to discuss this to make it more explicit: https://github.com/w3c/clipboard-apis/issues/52

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/editing/issues/315#issuecomment-879510283