Re: [Clipboard] checking if implementation allows reading/writing a given type to the OS clipboard

On Fri, Feb 17, 2012 at 11:15 AM, Paul Libbrecht <> wrote:

> Le 17 févr. 2012 à 19:23, Daniel Cheng a écrit :
> Any MIME type support restrictions that apply to clipboard MIME types will
> almost certainly apply to DnD MIME types as well. Therefore, it wouldn't
> make sense to tie it to ClipboardEvent.
> Not sure to understand what "lie" means.

"tie", not "lie".

Also, what does it mean to be "supported"? In new versions of Chrome, any
> kind of MIME type is supported in the sense that you can set data for any
> arbitrary type, and it can be understood by any browser that uses the same
> native conventions (I'd be happy to work with any other developers
> interested in making sure this works across different browsers on the same
> computer).
> This sounds like a huge security leak. What if trusted web-site
> receives a paste of that just got hacked
> with a hack that a kind html containing a script that reads the cookie when
> executed?

In general, it's websites' responsibility to sanitize data they get from

On Fri, Feb 17, 2012 at 11:18 AM, Paul Libbrecht <> wrote:
> Le 17 févr. 2012 à 19:25, Ryosuke Niwa a écrit :
> Yes, it does happen: I think I know that in Windows the supported
>> flavour-names depend on the launched applications. On Mac it depends on the
>> applications whose descriptor has been loaded (by the Finder I think, it
>> might also be those that have been launched once). At least an
>> application download and launch can cause a change in the supported
>> media-types of the OS.
> Right. These will become problems if we decide to expose all platform
> types.
> However, would the browsers be informed of such a change? Would they be
>> able to consider a given type as being safe and not needing a sanitization?
> I don't think that's possible without some sort of pre-knowledge about how
> the data is processed. In practice, we always hard-code this kind of
> information somewhere so I'm even not sure if such an elaborate behavior
> can be implemented.
> If anyone is willing to consider trusted web-sites (and MSIE already
> does?) then it is worth included.

Yeah, I think it's worth paying attention to this case.

- Ryosuke

Received on Friday, 17 February 2012 19:25:39 UTC