Re: [w3ctag/design-reviews] Pickling for Async Clipboard API (#636)

Hi there, @torgo, @LeaVerou and I looked at this today.

One concern - say a web site creates a custom format - then other web sites start to adopt this - then it becomes widespread without sanitization. Is this being restricted to a domain name?  People reverse-engineer formats, and this could lead to a lot of unsanitized content in clipboards.

Example: I am Figma and I allow people to paste, say, JavaScript because it's in my format. Now someone creates an app that can read and write this format and provide some features not in Figma. This could lead users to use both apps and copy/paste between them. But maybe the second app adds malicious JS (or just triggers an untested code path in Figma) which will be executed in Figma if people paste it in there.

There doesn't even seem to be a way for sites to see where the pasted content originates (like origin) so they can do their own sanitization.

-- 
https://github.com/w3ctag/design-reviews/issues/636#issuecomment-847684684

Received on Tuesday, 25 May 2021 08:55:06 UTC
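As an added illustration of the point raised above (this is not code from the issue thread, the W3C TAG, or any product named in it): a site that accepts a custom clipboard format has no origin to trust, so the only safe posture is to treat the payload as untrusted input and rebuild it through an allow-list rather than interpret it. The format name "web application/x-design", its JSON shape, and the node types are hypothetical; the hostile sample payload is constructed for the demo.

```javascript
// Added example, not from the original thread. A custom clipboard format is
// modelled here as JSON describing design nodes; the shape is hypothetical.
const MAX_PAYLOAD_CHARS = 64 * 1024;                      // refuse oversized pastes
const ALLOWED_NODE_TYPES = new Set(["rect", "ellipse", "text"]);
const NUMERIC_FIELDS = ["x", "y", "width", "height"];

// Parse an untrusted custom-format payload and return a freshly built object
// containing only allow-listed fields, or null if anything is off.
// Nothing in the input is ever evaluated or inserted as markup.
function sanitizeDesignPayload(text) {
  if (typeof text !== "string" || text.length > MAX_PAYLOAD_CHARS) return null;

  let doc;
  try {
    doc = JSON.parse(text);
  } catch {
    return null;                                           // malformed: reject, do not guess
  }
  if (!doc || typeof doc !== "object" || Array.isArray(doc)) return null;
  if (doc.version !== 1 || !Array.isArray(doc.nodes)) return null;

  const nodes = [];
  for (const n of doc.nodes) {
    if (!n || typeof n !== "object" || !ALLOWED_NODE_TYPES.has(n.type)) return null;

    // Copy known, typed fields only; unexpected keys such as "script" or
    // "onLoad" are silently dropped because they are never read.
    const out = { type: n.type };
    for (const k of NUMERIC_FIELDS) {
      if (!Number.isFinite(n[k])) return null;
      out[k] = n[k];
    }
    if (n.type === "text") {
      if (typeof n.content !== "string") return null;
      // Keep the string as data for a text node; strip control characters.
      out.content = n.content.replace(/[\u0000-\u001f\u007f]/g, "");
    }
    nodes.push(out);
  }
  return { version: 1, nodes };
}

// Constructed sample: a second app wrote the same format but smuggled in
// extra fields it hopes the first app will interpret.
const HOSTILE_SAMPLE = JSON.stringify({
  version: 1,
  nodes: [
    { type: "rect", x: 0, y: 0, width: 10, height: 5, script: "alert(1)" },
    { type: "text", x: 1, y: 1, width: 8, height: 2, content: "hello\u0007world", onLoad: "fetch('//evil')" },
  ],
});

// Demo entry point: returns the sanitized result so a caller can inspect it.
function demo() {
  return sanitizeDesignPayload(HOSTILE_SAMPLE);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}

module.exports = { sanitizeDesignPayload, demo, HOSTILE_SAMPLE };
```

Whatever API delivers the custom-format bytes (paste event or the async clipboard read), pass the string through `sanitizeDesignPayload` and render only the object it returns; rejecting on the first unknown type or non-numeric field is deliberate, since a partially accepted payload is exactly the "untested code path" the comment worries about.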