Re: [w3ctag/design-reviews] Pickling for Async Clipboard API (#636) from Grisha Lyukshin on 2021-06-12 (public-webapps-github@w3.org from June 2021)

From: Grisha Lyukshin <notifications@github.com>
Date: Fri, 11 Jun 2021 17:22:52 -0700
To: w3ctag/design-reviews <design-reviews@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3ctag/design-reviews/issues/636/859967433@github.com>

Thanks, @torgo for sharing TAG consensus!

Correct me if I am wrong but its sounds like security scenarios presented are applicable to not just pickling but any format used by async clipboard api. Pickling format in itself doesn't create any additional vectors of attack in this case.

We are reaching out to security reviewers that have reviewed async clipboard api before it was shipped, to better understand rational behind the current API design. 

P.S. We took your feedback about "sticky" activation and moved to requiring "[transient](https://html.spec.whatwg.org/multipage/interaction.html#transient-activation)" activation for reading and writing to the clipboard.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/636#issuecomment-859967433

Received on Saturday, 12 June 2021 00:23:19 UTC