Re: [w3c/editing] clarifications for the pickling design proposal (Issue #393)

Apologies for missing today's editing WG meeting.  Looking at the minutes it seems there was some confusion over the impact of the proposed cap of 100 simultaneous custom formats described [here in the explainer](https://github.com/w3c/editing/blob/gh-pages/docs/clipboard-pickling/explainer.md#os-interaction-format-naming).  I'm looking at this particular comment from the minutes:

> <Travis> annevk: one origin takes all 100 formats, then another tries to use a custom format and is denied.
> <Travis> .. Then the first origin can know which formats were attempted based on which ones had been added previously.
> <Travis> (editor's note: Sorry didn't capture that very well)
> <Travis> Annevk: suggests looking over: https://xsleaks.dev/
> <Travis> whsieh: Yep, this is why Webkit blocks cross-origin custom pasteboard access.

What the explainer says is that a UA should reserve up to 100 generically named slots in which to store custom clipboard content from web apps in order to work around OS limitations on Windows and Linux (and possibly other platforms).  Additionally, it goes on to say that a Web Custom Format Map entry (also on the clipboard) will contain a mapping of mime-type to the corresponding generic clipboard slot into which the UA stored the clipboard contents for that mime-type.  In this way, no matter what custom mime-type is written to the clipboard by the author, there's always a fixed cap on the system resources the browser can consume for the web custom format feature.

Code examples...

Site A does:

```JavaScript
// Build 100 custom mime-types, each carrying a small text payload.
const map = {};
for (let i = 0; i < 100; i++) {
  map[`text/custom${i}`] = `clipboard content of text/custom${i}`;
}
// One ClipboardItem holding all 100 custom formats in a single write.
navigator.clipboard.write([new ClipboardItem(map)]);
```

This produces 101 clipboard entries on Windows.  100 of the clipboard entries are named "Web Custom Format 0..N", each of which contains a text value "clipboard content of text/custom0..N". The 101st entry is named "Web Custom Format Map" and contains JSON as follows:

```JSON
{
  "text/custom0" : "Web Custom Format0",
  "text/custom1" : "Web Custom Format1",
  "text/custom2" : "Web Custom Format2"
  ...
  "text/custom99": "Web Custom Format99"
}
```

When site B writes similar code but with different mime-types, for example `foo/bar0..N`, they will still be using the same system clipboard slots previously reserved named "Web Custom Format0..N"; no new clipboard format name registrations take place with the system even though different custom mime-types are being placed on the clipboard, and no exhaustion of system resources occurs.  Further, there should be no side channel attack where an attacker discovers a previously written mime-type by another origin, since the name of the mime-type never triggers a rejection.  The only rejection would come if an author simultaneously tried to write more than 100 custom clipboard formats to the clipboard all at once.

Tagging @annevk and @whsieh since it was your comments which drew my attention in the minutes.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3c/editing/issues/393#issuecomment-1064751823

Message ID: <w3c/editing/issues/393/1064751823@github.com>

Received on Friday, 11 March 2022 04:08:06 UTC
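To make the slot-reuse and rejection behaviour described in the comment concrete, here is an added model of the UA-side allocation it describes. This is not Chromium, WebKit or w3c/editing code; the constants `MAX_CUSTOM_FORMATS`, `SLOT_PREFIX` and `MAP_FORMAT` and every function below are assumptions made for this illustration, and a plain object stands in for the OS clipboard. It plays out the site A / site B scenario, shows that the number of format-name registrations stays at 101 no matter which mime-types are written, and shows that the only rejection depends on the size of the current write alone, so it reveals nothing about what another origin wrote earlier.

```javascript
// Added example (not Chromium, WebKit or w3c/editing code): a model of the
// UA-side slot allocation described in the pickling explainer. The constants
// and functions here are assumptions made for this illustration; a plain
// object stands in for the OS clipboard.

const MAX_CUSTOM_FORMATS = 100;
const SLOT_PREFIX = 'Web Custom Format'; // generic slots "Web Custom Format0".."Web Custom Format99"
const MAP_FORMAT = 'Web Custom Format Map';

// Format-name registrations are the scarce OS resource on Windows/Linux.
// Tracking them shows the count stays fixed regardless of the mime-types used.
const registeredFormats = new Set();

function registerFormat(name) {
  registeredFormats.add(name);
  return name;
}

// UA write path: lays a site's { mimeType: content } map out on the system
// clipboard using the fixed generic slots plus one map entry.
function writeCustomFormats(systemClipboard, items) {
  const mimeTypes = Object.keys(items);
  if (mimeTypes.length > MAX_CUSTOM_FORMATS) {
    // The only rejection in the design. It depends solely on the size of this
    // write, never on what another origin wrote earlier, so it cannot be used
    // to probe which mime-types are already on the clipboard. Checked before
    // touching the clipboard so a rejected write changes nothing.
    throw new RangeError(`cannot write ${mimeTypes.length} custom formats; limit is ${MAX_CUSTOM_FORMATS}`);
  }
  for (const key of Object.keys(systemClipboard)) delete systemClipboard[key]; // a write replaces prior content
  const map = {};
  mimeTypes.forEach((mime, i) => {
    const slot = registerFormat(`${SLOT_PREFIX}${i}`); // same slot names for every origin
    systemClipboard[slot] = items[mime];
    map[mime] = slot;
  });
  systemClipboard[registerFormat(MAP_FORMAT)] = JSON.stringify(map);
  return map;
}

// UA read path: resolve a mime-type through the map; null if absent or malformed.
function readCustomFormat(systemClipboard, mime) {
  const mapJson = systemClipboard[MAP_FORMAT];
  if (typeof mapJson !== 'string') return null;
  let map;
  try { map = JSON.parse(mapJson); } catch { return null; }
  const slot = map[mime];
  // Only accept slot names the UA itself hands out, so a map entry cannot
  // redirect a reader to an arbitrary clipboard format.
  if (typeof slot !== 'string' || !slot.startsWith(SLOT_PREFIX)) return null;
  return slot in systemClipboard ? systemClipboard[slot] : null;
}

// Builds the kind of map the comment's site A / site B snippets build.
function buildItems(prefix, count) {
  const items = {};
  for (let i = 0; i < count; i++) items[`${prefix}${i}`] = `clipboard content of ${prefix}${i}`;
  return items;
}

// Plays the site A / site B scenario from the comment and reports what happened.
function runScenario() {
  const clipboard = {};
  writeCustomFormats(clipboard, buildItems('text/custom', 100));  // site A fills all 100 slots
  const registeredAfterA = registeredFormats.size;                 // 100 slots + 1 map entry
  writeCustomFormats(clipboard, buildItems('foo/bar', 100));       // site B, different mime-types
  const registeredAfterB = registeredFormats.size;                 // unchanged: slots are reused
  const readB = readCustomFormat(clipboard, 'foo/bar0');
  const readA = readCustomFormat(clipboard, 'text/custom0');       // null: B's write replaced A's
  let oversizedRejected = false;
  try {
    writeCustomFormats(clipboard, buildItems('x/y', 101));         // 101 formats in one write
  } catch (e) {
    oversizedRejected = e instanceof RangeError;
  }
  const clipboardIntactAfterReject = readCustomFormat(clipboard, 'foo/bar0') === readB;
  return { registeredAfterA, registeredAfterB, readB, readA, oversizedRejected, clipboardIntactAfterReject };
}

console.log(runScenario());
```

Run it with `node` and compare the printed object with the comment's description: `registeredAfterA` and `registeredAfterB` are both 101, site B's content reads back through the map while site A's no longer resolves, and the 101-format write is rejected without disturbing what is on the clipboard.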