Re: [w3c/editing] Security Review (#315) from snianu on 2021-10-26 (public-webapps-github@w3.org from October 2021)

From: snianu <notifications@github.com>
Date: Tue, 26 Oct 2021 13:50:11 -0700
To: w3c/editing <editing@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3c/editing/issues/315/952314531@github.com>

@quidity 

> is this format documented, why do we think existing system apps won't try to parse it?

The JSON map(`Web Custom Format Map` on Windows) that tracks the mapping of the `web custom format` to its corresponding MIME type is described [here](https://github.com/w3c/editing/blob/gh-pages/docs/clipboard-pickling/explainer.md#os-interaction-format-naming). It only gives you the native format that you can then use to query the native clipboard and get access to the content, but it doesn't tell you what the actual content is -- It could be in a binary format, raw characters or something that only the reader-writer of the format know how to parse it in their site/native app.

> How is Chrome making sure that unsanitized data doesn't get to system apps? (i.e. how is Chrome going to write the clipboard data on Windows, on other platforms?)

The formats that are written without any sanitization to the clipboard, are custom defined by the web author/native app developer. It is not the [system defined formats](https://docs.microsoft.com/en-us/windows/win32/dataxchg/standard-clipboard-formats) that any native apps on Windows have access to. The native app or the site needs to know the custom format name and how to parse the content of the format, in order to make sense of it. e.g. an HTML format has a standard format `CF_HTML` defined in the system clipboard format. If this type is available on the clipboard, then native apps can read it and parse the content as described [here](https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/platform-apis/aa767917(v=vs.85)#overview-of-cf_html). But the custom format (that has the unsanitized payload of the HTML format) is not defined by the system, so the consumer wouldn't know how to parse the content of the custom HTML format -- the HTML content could be a full HTML document or a fragment or just the DOM element that the producer/consumer is interested in.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/editing/issues/315#issuecomment-952314531

Received on Tuesday, 26 October 2021 20:50:24 UTC