Re: safeguarding a live getData() against looping scripts? (was: Re: clipboard events) from Paul Libbrecht on 2012-02-10 (public-webapps@w3.org from January to March 2012)

From: Paul Libbrecht <paul@hoplahup.net>
Date: Fri, 10 Feb 2012 22:45:00 +0100
To: Ian Hickson <ian@hixie.ch>
Cc: "Hallvord R. M. Steen" <hallvord@opera.com>, Daniel Cheng <dcheng@chromium.org>, public-webapps@w3.org
Message-Id: <E71CF740-069D-497F-AA3C-9CA2C387085C@hoplahup.net>

This discussion seems to raise the issue of what happens to URLs to images (or other embedded objects) that are unresolved but become resolved when pasted.

E.g. file:///Users/anton/Library/AddressBook
(if that ever made sense)

Should these also be sanitized away so that they do not, suddenly become attempted?

Paul


Le 10 févr. 2012 à 22:36, Ian Hickson a écrit :

> On Fri, 10 Feb 2012, Hallvord R. M. Steen wrote:
>> 
>> Now, I don't think that was the question Daniel Cheng was asking. If you 
>> look at the HTML/XHTML specific instructions for the paste event (in the 
>> processing model section: 
>> http://dev.w3.org/2006/webapi/clipops/#processing-model ) you'll see 
>> that it specifies quite a bit of parsing and such. The goals are:
>> 
>> * Resolve URLs and links - the page script won't know the base URI to 
>> resolve against (on Windows this is in the CF_HTML format's meta data 
>> and the page script doesn't get access to it)
> 
> Well presumably all the URLs should be made absolute in the copy/drag 
> code, not the paste/drop code. The paste/drop code has no context.
> 
> No parsing needed for that though, the URLs are already resolved in the 
> DOM so it's just a matter of serialising them.
> 
> 
>> * Make it possible to paste HTML from a local application that embeds 
>> local resources (<img src="file://..">) and enable page scripts to 
>> process and upload said resources
> 
> How would you distinguish this case from a hostile app tricking the user 
> into copying HTML that has pointers to sensitive local files?
> 
> 
>> * Optionally do extra privacy or security-related filtering if the UA 
>> implementor considers it useful
> 
> I wouldn't do this via parsing, but DOM filtering. That's the semantic 
> layer. A whitelist DOM filter will ensure that only the stuff the browser 
> thinks is safe can get through.
> 
> 
>> So, I think the question Daniel is asking, is: why don't we process URLs and
>> local resources this way if HTML data is drag-and-dropped to a page? Should
>> this processing be moved to the DnD spec?
> 
> I guess we could say that HTML dragged from the page could have URLs 
> "absoluted" in the serialisation. The other stuff doesn't seem necessary.
> 
> -- 
> Ian Hickson               U+1047E                )\._.,--....,'``.    fL
> http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
> Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
>

Received on Friday, 10 February 2012 21:45:32 UTC