- From: CSS Meeting Bot <notifications@github.com>
- Date: Fri, 12 Nov 2021 09:41:31 -0800
- To: w3c/clipboard-apis <clipboard-apis@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3c/clipboard-apis/issues/150/967297138@github.com>
The Web Editing Working Group just discussed `Make async clipboard APIs (read/write) to sanitize interoperably`. <details><summary>The full IRC log of that discussion</summary> <Travis> topic: Make async clipboard APIs (read/write) to sanitize interoperably<br> <Travis> github: https://github.com/w3c/clipboard-apis/issues/150<br> <Travis> BoCupp: pull request open in chromium to write unsanitized to the clipboard (for well-known HTML format) AND reading with well-known format if unsanitized flag provided.<br> <whsieh> q+<br> <Travis> .. specific action for 150?<br> <Travis> anupam: we decided that reading unsanitized HTML, web authors can opt-in to unsanitized text/html using new option (that takes a list of mime-types to read unsanitized).<br> <Travis> BoCupp: That's the current plan for chromium<br> <Travis> .. from @rniwa last comment is that this isn't something we want standardized.<br> <Travis> ack whsieh<br> <Travis> whsieh: when we last discussed, @annevk noted an API that blink would implement, but webkit would implement (but perhaps as a no-op).<br> <Travis> .. we wanted unsanitized flag for compat with those who already adopted the read API.<br> <Travis> .. how widespread is the adoption?<br> <Travis> .. seems more sensible to move forward without sanitization for Blink?<br> <Travis> .. just have the clients use the unsanitzed data?<br> <Travis> anupam: I check the usage, it's 0.001 / 0.002<br> <Travis> BoCupp: read is giving an "insert-ready" content... if these sites were relying on the browser to sanitize, could create a XSS vuln that we are creating...<br> <Travis> whsieh: potential for XSS is present anyway (where there is no sanitization)<br> <Travis> BoCupp: but we're changing the contract; there's an expectation that they have to write a sanitizer.. when they switch to read, they may have been glad that sanitizer is provided by the browser.<br> <Travis> .. but if update the contract--nothing will signal to these people that they need to change to start sanitizing.<br> <Travis> .. agree with whsieh points... but tough to change from sanitized->unsanitized.<br> <Travis> whsieh: so does this need to be put into the spec?<br> <Travis> .. seems more of a problem just for an implementation (blink)<br> <Travis> .. maybe something that's not in the spec could be put in place for this case?<br> <Travis> BoCupp: does webkit ever return unsanitized?<br> <Travis> whsieh: copy/paste between same origin does this.<br> <Travis> BoCupp: Oh, I thought you always produced a sanitized read?<br> <Travis> whsieh: yes, that's for getData... we have a bug to do this for clipboard...<br> <Travis> BoCupp: so you might have the same concern for that when you make that future change?<br> <Travis> whsieh: in async clipboard, they always get sanitized.<br> <Travis> .. don't expect there to be huge problems with getting unsanitized data.<br> <Travis> BoCupp: we have a security review issue open; chromium security folks were saying we needed to be explicit. I think for read? or was it write?<br> <Travis> .. in any case, need to cross-review with security folks.<br> <johanneswilm> q+<br> <Travis> .. suspect perhaps might not fly<br> <Travis> whsieh: fwiw, that's webkit's stance.<br> <Travis> .. maybe just not something that's in the spec.<br> <Travis> BoCupp: there's a usefulness to this also--having the browser produce an "insert ready" fragment (like the default action for paste)<br> <Travis> .. there's no primitive that exposes the browser's default processing.<br> <Travis> .. Can get the clipboard data from a read today without needing complicated workarounds.<br> <Travis> ack johanneswilm<br> <Travis> johanneswilm: if usage is low, and text editing is happening in only a handful of libraries--could we check with them on if that's the major usage?<br> <BoCupp> q+<br> <Travis> .. the "they have to just put it in the DOM without thinking" is dangerous--leads to them allowing everything to go through--but tables could break editor scenarios... JS sanitiation is usually needed anyway.<br> <Travis> ack BoCupp<br> <Travis> BoCupp: The default browser behavior for paste is to just insert it into contenteditable<br> <Travis> .. agree with johanneswilm that the editor must be written to have a filter (for what can be edited)<br> <Travis> .. however, it's the current default behavior for paste!<br> <Travis> .. often we're exposing the internal of the browser... this is one more of those things.<br> <Travis> .. there is a sanitizer that we employ but we're not giving access to it. Maybe through a sanitizer API with configuration that allows it to work like the paste to contenteditable? (Could be interesting.)<br> <Travis> ... but we do something today that authors can't get today; additionally we have a web compat concern. So why not leave it?<br> <snianu> Base: https://github.com/w3c/clipboard-apis/pull/158<br> <snianu> Pickling: https://github.com/w3c/clipboard-apis/pull/162<br> <Travis> action: wait for snianu's PRs (base: https://github.com/w3c/clipboard-apis/pull/158 pickling: https://github.com/w3c/clipboard-apis/pull/162). (It re-writes the spec with better algorithmic language. Then there's some pickling work on top of that... Would like folks in the WG to read/review the upcoming PRs.<br> </details> -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/w3c/clipboard-apis/issues/150#issuecomment-967297138
Received on Friday, 12 November 2021 17:41:44 UTC