
Re: [clipboard events] seeking implementor feedback on using CID: URI scheme for pasting embedded binary data

From: Hallvord Reiar Michaelsen Steen <hsteen@mozilla.com>
Date: Mon, 20 Apr 2015 22:38:22 +0200
Message-ID: <CAE3JC2w3jHPK6bGHLNU80FuCj3e4Y=vC-tcs4PX7NEHj3+y_ag@mail.gmail.com>
To: Ben Peters <Ben.Peters@microsoft.com>
Cc: Daniel Cheng <dcheng@chromium.org>, public-webapps <public-webapps@w3.org>
> > In addition, from a security perspective, what stops a malicious website
> > from embedding something like <img src="file:///etc/passwd"
> > style="display:none"></img> in the markup?
> We disallow this on copy by stripping such references.

Hi Ben,
picking up this old thread..

So we need to add a "sanitize local references" step/algorithm somewhere
when JS writes data to clipboard? It would be great if you could have a
look at
and suggest some text - maybe even in the form of a GitHub pull request? :)
(I assume you strip *all* local references, not just specific blacklisted
stuff like /etc/passwd - this probably needs testing with various types of
slashes etc..)

Do you have any other safety measures when data is written to the clipboard?
Received on Monday, 20 April 2015 20:38:59 UTC
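
The "strip all local references" check asked about in this message could be sketched as follows. This is an added example, not part of the original e-mail and not any browser's actual implementation. It assumes the markup has already been parsed into per-element attribute maps; `BASE`, `URL_ATTRS` and both function names are hypothetical.

```javascript
// Added example: decide whether a URL-valued attribute in markup being
// written to the clipboard points at a local resource, then drop it.
const BASE = 'https://page.example/doc'; // constructed page URL (assumption)
const URL_ATTRS = ['src', 'href', 'poster', 'background']; // assumed list, not exhaustive

function isLocalReference(raw) {
  // UNC-style paths (\\server\share) parse as protocol-relative URLs against
  // an https base, so catch them on the raw value before parsing.
  if (/^\s*\\\\/.test(raw)) return true;
  let url;
  try {
    // The WHATWG URL parser lowercases the scheme, removes tabs/newlines and
    // treats "\" like "/" for file:, so the slash variants collapse to one form.
    url = new URL(raw, BASE);
  } catch {
    return true; // fail closed: unparseable references are stripped
  }
  if (url.protocol === 'file:') return true;
  // A one-letter "scheme" is a Windows drive path such as C:\Users\...
  return /^[a-z]:$/.test(url.protocol);
}

// Returns a copy of one element's attribute map without local references.
function stripLocalReferences(attrs) {
  const out = {};
  for (const [name, value] of Object.entries(attrs)) {
    if (URL_ATTRS.includes(name.toLowerCase()) && isLocalReference(value)) continue;
    out[name] = value;
  }
  return out;
}

// Constructed sample values covering slash, case and whitespace variants.
const samples = [
  'file:///etc/passwd', 'FILE:\\\\etc\\passwd', ' fi\tle:/etc/passwd',
  'C:\\Users\\a\\pic.png', '\\\\server\\share\\x.png',
  'cid:part1@example.org', 'images/logo.png',
];
for (const s of samples) console.log(JSON.stringify(s), isLocalReference(s));
```

Classifying on the parsed scheme rather than on a list of known paths means the same rule covers every spelling the URL parser normalises.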
