Re: [w3c/editing] Should we modify the clipboard API spec to match Safari's behavior for HTML-referenced media? (#285)

> How do we know that the file referenced in the html markup is from a native application and not from a source that is "untrusted"? e.g. if the html markup has `<html><img src="file:///etc/passwd"></html>` how do we ensure that we shouldn't provide access to this file if this was inserted into the clipboard by some malicious website and not from a native application?

FWIW, in WebKit's implementation, we never access external resources. First off, this sanitization step only runs for cross-origin content and from other applications. If the content is coming from the same origin, then we don't do any processing for JS API to get the clipboard data. So, for all other content, either everything referenced by HTML should be in the system clipboard / pasteboard or else we wouldn't convert them to blobs.


-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/editing/issues/285#issuecomment-811502552

Received on Wednesday, 31 March 2021 22:18:17 UTC