- From: Hallvord Reiar Michaelsen Steen <hsteen@mozilla.com>
- Date: Mon, 20 Apr 2015 23:10:01 +0200
- To: public-webapps <public-webapps@w3.org>
- Cc: Daniel Cheng <dcheng@chromium.org>
Received on Monday, 20 April 2015 21:10:36 UTC
So, the E-mail to Ben Peters bounced - he's no longer at Microsoft? Is there anyone on the IE team present on the list who is able to comment on this?
-Hallvord R

On Mon, Apr 20, 2015 at 10:38 PM, Hallvord Reiar Michaelsen Steen <hsteen@mozilla.com> wrote:

>> In addition, from a security perspective, what stops a malicious website
>> from embedding something like <img src="file:///etc/passwd"
>> style="display:none"></img> in the markup?
>>
>> We disallow this on copy by stripping such references.
>
> Hi Ben,
> picking up this old thread..
>
> So we need to add a "sanitize local references" step/algorithm somewhere
> when JS writes data to clipboard? It would be great if you could have a
> look at
> https://w3c.github.io/clipboard-apis/#dfn-writing-contents-to-the-clipboard
> and suggest some text - maybe even in the form of a GitHub pull request? :)
> (I assume you strip *all* local references, not just specific blacklisted
> stuff like /etc/passwd - this probably needs testing with various types of
> slashes etc..)
>
> Do you have any other safety measures when data is written to the
> clipboard?
> -Hallvord
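
One way to approach the "sanitize local references" step discussed in the message above, as an added example (it is not text from the Clipboard API spec, nor any browser's implementation): resolve each URL-bearing attribute with the WHATWG `URL` parser against the document's base URL, and drop it when the result is a `file:` URL or a drive-letter path. The function names, the attribute list and the sample values are assumptions made for illustration.

```javascript
// Added example. All names and sample values here are hypothetical/constructed.
const URL_ATTRS = new Set(['src', 'href', 'poster', 'background']);

// Returns the absolute URL to keep, or null when the reference must be stripped.
function resolveOrStrip(value, baseUrl) {
  let url;
  try {
    // The WHATWG parser trims leading spaces/controls, drops tabs and newlines,
    // lowercases the scheme and treats "\" as "/" for special schemes, so the
    // slash and case variants collapse before the check below.
    url = new URL(value, baseUrl);
  } catch {
    return null; // unparseable reference: fail closed
  }
  const scheme = url.protocol.slice(0, -1);
  if (scheme === 'file') return null;
  // "C:\Windows\win.ini" parses as a URL whose scheme is the drive letter.
  if (/^[a-z]$/.test(scheme)) return null;
  // Writing back the resolved form means a value such as "\\host\share\x"
  // leaves as an explicit https:// URL rather than a string that a pasting
  // application could read as a UNC path.
  return url.href;
}

// attrs: [name, value] pairs of one element, as an HTML parser would yield them.
function sanitizeAttributes(attrs, baseUrl) {
  const kept = [];
  for (const [name, value] of attrs) {
    if (!URL_ATTRS.has(name.toLowerCase())) {
      kept.push([name, value]);
      continue;
    }
    const resolved = resolveOrStrip(value, baseUrl);
    if (resolved !== null) kept.push([name, resolved]);
  }
  return kept;
}

// Constructed input: the hidden <img> from the thread, as parsed attributes.
const BASE = 'https://example.com/gallery/index.html';
const hiddenImg = [['src', 'file:///etc/passwd'], ['style', 'display:none']];
console.log(sanitizeAttributes(hiddenImg, BASE));
```

Relative references resolve against the document's base, so `/etc/passwd` on an https page becomes an ordinary same-origin URL, while the same string on a page loaded from `file:` is stripped.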