- From: Sanket Joshi <notifications@github.com>
- Date: Tue, 31 Oct 2023 14:17:20 -0700
- To: w3c/editing <editing@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3c/editing/pull/456/review/1707252277@github.com>
@sanketj requested changes on this pull request.

> +<body> +<!--StartFragment--><head><script>alert('hello');</script><style> p {font-color: red; background-color: blue;}</style></head> <body><p>html text</p></body><!--EndFragment--> +</body> +</html> + +``` +After `read()` was called with the default sanitizer, the HTML markup returned was: + +```js +<p style="background-color: blue; color: rgb(0, 0, 0); font-size: medium; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; white-space: normal; text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial;">html text</p> + +``` + +In the above example, `script`, `style` tags were removed and style associated with `<p>` element was inlined. + +These problems mean that web developers may not get the same HTML paste quality and performance with the async clipboard `read` API as they do with the DataTransfer object's `getData` method. This proposal aims to solve these problems so that the `read` can work just as well as `getData` when pasting HTML content.

It's not clear how stripping scripts and inlining styles causes fidelity loss. Is it because meta tags get stripped, or because not all styles are inlined?
> @@ -248,6 +191,9 @@ This requirement is now enforced for the Async Clipboard API overall. It may be ### Permissions Due to concerns regarding permission fatigue and comprehensibility, and due to the limited utility of a permission, no new permission would be implemented for unsanitized clipboard. Given that Clipboard API read and write are already permitted, unsanitized clipboard read and write will be permitted as-is. +## Alternatives considered +Web custom formats can be used to exchange unsanitized HTML if both source and target apps have support for it, but there are many native apps that don't have support for web custom formats, so contents copied from these apps in the HTML format would have to go through the Browser sanitizer in `read()` that would result in loss of fidelity.

```suggestion
Web custom formats can be used to exchange unsanitized HTML if both source and target apps have support for it, but there are many native apps that don't have support for web custom formats, so contents copied from these apps in the HTML format would have to go through the browser's sanitizer in `read()` that would result in loss of fidelity.
```

--
Reply to this email directly or view it on GitHub:
https://github.com/w3c/editing/pull/456#pullrequestreview-1707252277
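
Review bot: The sample clipboard markup in the first quoted hunk styles the paragraph with `font-color: red`, which is not a CSS property, so the `color: rgb(0, 0, 0)` in the `read()` output cannot show whether an authored text colour survives the default sanitizer. Use `color: red` in the input so the before/after comparison is meaningful. The returned markup is also fenced as `js` although it is HTML, and since the example's point is that `<script>alert('hello');</script>` is removed by the default sanitizer, the text should say what the proposed unsanitized read hands back for that element and who is expected to handle it.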
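
Review bot: In the added "Alternatives considered" paragraph, the clause "the Browser sanitizer in `read()` that would result in loss of fidelity" attaches to `read()` rather than to the sanitization step, and the sentence runs three clauses together. Split it after "support for it" and end with "which would result in loss of fidelity". The heading is plural but only web custom formats are discussed, and the paragraph does not say which fidelity is lost; list any other alternatives that were weighed and point back to the `read()` example for the concrete loss.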
Received on Tuesday, 31 October 2023 21:17:26 UTC