Re: Clipboard API: Stripping script element

On Mar 29, 2013, at 4:21 PM, Paul Libbrecht <paul@hoplahup.net> wrote:

> Nice catch for this example you provide below.
> The "solution" to this issue would be to simply empty the script element instead of stripping it away. Right?

Unfortunately, that approach won't be backward compatible.  Also, it's somewhat dangerous to leave an empty script element in the document.

> In your original mail, however, you write:
>> It would be great to mention what kind of manipulations user agents are allowed to do to make the pasted content secure.
> 
> 
> I think this claim is exactly why Hallvord has removed the sanitization section. It seems highly implementation dependent to decide on the security of a fragment of content.
> I feel the section on the sanitization should be expressed with "should" expressing recommendations such as that of emptying script elements or replacing object or embed elements by corresponding images. I'm pretty sure conservative approaches will start by doing a similar replacement with video elements, for example, but might include them after some other introspection (e.g. that it is not pulling from a streaming source).

The section was removed due to lack of implementations.  I'm fine with not having an explicit algorithm. However, there appears to be a significant interoperability issue if we were to not define what user agents may or may not do.

- R. Niwa

Received on Monday, 1 April 2013 18:43:38 UTC