Re: further with transfers (Re: Clipboard actions BOF table at W3C TPAC)

(cross-posting to member-math and public-webapps, sorry if this bothers)

Interesting, meeting really helped,

Yesterday, discussion with Chris Wilson and Adrian Bateman, of MSIE  
team, revealed that allowing arbitrary flavours would be a big  
security hole for Windows at least (I believe this is Windows only but  
can't confirm yet).

So it seems the list of safe encodings is something that would need to  
be worked out.
A safer approach may be to require that the browsers make sure the  
things sipped into the clipboard/drag-content are only safe things.

Safe things include html without scripts, all picture formats  
(postscript as well?)  and most media, but not html with scripts, not  
windows metafiles, not OLE or MS-office documents.

Adrian indicated method to convert html to safe-html seem to be there  
in MSIE 8 already. Sanitization is probably the right term here.

paul


Le 22-oct.-08 à 17:02, Ian Hickson a écrit :

> On Wed, 22 Oct 2008, Charles McCathieNevile wrote:
>>
>> Sorry, I missed this - I was otherwise occupied at lunch (I am here,
>> BTW).
>>
>> Having hopefully pretty much shifted Progress Events off my plate, I
>> hope to move back to the clipboard API stuff now - and the HTML5  
>> draft
>> is indeed an important reference...
>>
>> Ian, how stable do you think this bit of the HTML5 spec is? (I  
>> haven't
>> looked yet...)
>
> Drag and drop is very stable, it's implemented in three browsers now.
> There's some outstanding feedback, but not much. The implementation of
> copy and paste in terms of drag and drop (a design motivated  
> primarily by
> accessibility and security concerns) is not widely implemented,  
> though I
> have no pending feedback regarding changes to that.
>
> -- 
> Ian Hickson               U+1047E                ) 
> \._.,--....,'``.    fL
> http://ln.hixie.ch/       U+263A                /,   _.. \   _ 
> \  ;`._ ,.
> Things that are impossible just take longer.   `._.-(,_..'-- 
> (,_..'`-.;.'

Received on Thursday, 23 October 2008 08:12:52 UTC