[w3c/editing] Delayed clipboard rendering TAG feedback (Issue #459) from Martin Thomson on 2024-02-05 (public-webapps-github@w3.org from February 2024)

From: Martin Thomson <notifications@github.com>
Date: Mon, 05 Feb 2024 13:47:34 -0800
To: w3c/editing <editing@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3c/editing/issues/459@github.com>

@plinss, @hober, and I discussed the feature in pursuance of [our design review issue](https://github.com/w3ctag/design-reviews/issues/925). This seems fairly reasonable on the surface, but https://github.com/w3c/editing/issues/439 is particularly concerning.

It seems like there is an inherent privacy issue here in that the target application reveals something about itself when pasted into. The suggestions that have been made in the issue, which involve resolving the clipboard items on a timer, would seem to undermine the key advantage of the deferral and do not provide protection within the timer.

The key thing to realize is that the clipboard is a communication medium between the copied content and the application that receives a paste. This is unavoidable given our current model where a website can put whatever it pleases on the clipboard (with the only condition being that they receive an interaction of some sort). That communication is currently one-way and websites don't necessarily get to know about the destination or control it. That makes the channel less effective as a means of learning things about people. The delayed rendering creates a potential bidirectional channel, with the destination choosing from a multiple choice selection. The site learns what choice is made. The choice itself carries novel private information. The timing of the paste is also revealed.

There are other approaches:

1. Render all formats when paste occurs. This still reveals timing, but would not reveal the choice of format.
1. A variant of this would be to generate the requested format and a randomized subset of the other formats (differential privacy)
2. At copy time, produce a single format from which all others can be produced. Let the destination application perform format translation.
1. As an option, if the single format is not supported at the destination, sites could provide a worklet that can perform translation into different formats. This worklet would be denied access to any communication, so the source site would not have any means of learning the choice of format.
3. Finally, we could define a new media type that carries a URL. That URL, when resolved, provides the destination application with information in whatever form it desires.

--
Reply to this email directly or view it on GitHub:
https://github.com/w3c/editing/issues/459
You are receiving this because you are subscribed to this thread.

Message ID: <w3c/editing/issues/459@github.com>

Received on Monday, 5 February 2024 21:47:41 UTC