Re: [w3c/clipboard-apis] Make async clipboard APIs (read/write) to sanitize interoperably with setData/getData for text/html (#150) from snianu on 2021-07-29 (public-webapps-github@w3.org from July 2021)

From: snianu <notifications@github.com>
Date: Wed, 28 Jul 2021 17:00:10 -0700
To: w3c/clipboard-apis <clipboard-apis@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3c/clipboard-apis/issues/150/888696684@github.com>

@rniwa  
> We only apply sanitization when the content is read or written across cross origin or cross applications, not when read or written within a single origin.

This means you trust the clipboard content during read? I think clipboard content should always be treated as untrusted. It doesn't matter if Safari wrote the html payload to the clipboard or some malicious or trusted native apps.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/clipboard-apis/issues/150#issuecomment-888696684

Received on Thursday, 29 July 2021 00:00:22 UTC