- From: Hallvord R. M. Steen <hallvord@opera.com>
- Date: Wed, 08 Feb 2012 15:17:06 +0100
- To: "Adam Barth" <w3c@adambarth.com>
- Cc: public-webapps <public-webapps@w3.org>, "Daniel Cheng" <dcheng@chromium.org>, "Ryosuke Niwa" <rniwa@webkit.org>
Adam Barth <w3c@adambarth.com> skreiv Wed, 08 Feb 2012 00:05:54 +0100
>> FWIW, my main concern was the hidden data aspect because it can be
>> abused
>> for cross-site request forgery if a malicious site by getting the user
>> to
>> copy and paste gets access to form anti-CSRF tokens and such.
>
> That's certainly possible, but I don't think it's possible for us to
> protect against the long tail of risks here. In these sorts of cases,
> it can be better for security to not implement a half-correct solution
> and instead decide not to try to mitigate a particular risk.
You are right here.
Also, on considering the abuse potential of getData('text/html'), I've
realised that we are not introducing much new threat surface here, since a
simple paste into a rich text editing-enabled element already inserts
markup so that the target page can see much of what I proposed removing.
I've changed the spec from saying the implementation *must* apply the
sanitization algorithm to saying the user agent *may* apply it, made it
clear that it is merely a suggestion, removed some of the most draconian
parts and marked it as informative. I think it still has some value as an
informative section.
http://dev.w3.org/cvsweb/~checkout~/2006/webapi/clipops/clipops-source.html?rev=1.15;content-type=text%2Fhtml
Perhaps we should publish a new working draft now?
--
Hallvord R. M. Steen
Core tester, Opera Software
Received on Wednesday, 8 February 2012 14:20:34 UTC