- From: Hallvord R. M. Steen <hallvord@opera.com>
- Date: Wed, 08 Feb 2012 15:17:06 +0100
- To: "Adam Barth" <w3c@adambarth.com>
- Cc: public-webapps <public-webapps@w3.org>, "Daniel Cheng" <dcheng@chromium.org>, "Ryosuke Niwa" <rniwa@webkit.org>
Adam Barth <w3c@adambarth.com> skreiv Wed, 08 Feb 2012 00:05:54 +0100 >> FWIW, my main concern was the hidden data aspect because it can be >> abused >> for cross-site request forgery if a malicious site by getting the user >> to >> copy and paste gets access to form anti-CSRF tokens and such. > > That's certainly possible, but I don't think it's possible for us to > protect against the long tail of risks here. In these sorts of cases, > it can be better for security to not implement a half-correct solution > and instead decide not to try to mitigate a particular risk. You are right here. Also, on considering the abuse potential of getData('text/html'), I've realised that we are not introducing much new threat surface here, since a simple paste into a rich text editing-enabled element already inserts markup so that the target page can see much of what I proposed removing. I've changed the spec from saying the implementation *must* apply the sanitization algorithm to saying the user agent *may* apply it, made it clear that it is merely a suggestion, removed some of the most draconian parts and marked it as informative. I think it still has some value as an informative section. http://dev.w3.org/cvsweb/~checkout~/2006/webapi/clipops/clipops-source.html?rev=1.15;content-type=text%2Fhtml Perhaps we should publish a new working draft now? -- Hallvord R. M. Steen Core tester, Opera Software
Received on Wednesday, 8 February 2012 14:20:34 UTC