W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2015

Re: [clipboard events] seeking implementor feedback on using CID: URI scheme for pasting embedded binary data

From: Hallvord Reiar Michaelsen Steen <hsteen@mozilla.com>
Date: Mon, 20 Apr 2015 23:10:01 +0200
Message-ID: <CAE3JC2wELL0AdJkr-2EaeNxwasPqO6gCxoFuMX9F9rXv4fTTNg@mail.gmail.com>
To: public-webapps <public-webapps@w3.org>
Cc: Daniel Cheng <dcheng@chromium.org>
So, the E-mail to Ben Peters bounced - he's no longer at Microsoft? Is
there anyone on the IE team present on the list who is able to comment on
this?
-Hallvord R

On Mon, Apr 20, 2015 at 10:38 PM, Hallvord Reiar Michaelsen Steen <
hsteen@mozilla.com> wrote:

>
> > In addition, from a security perspective, what stops a malicious website
>> from embedding something like <img src="file:///etc/passwd"
>> style="display:none"></img> in the markup?
>>
>> We disallow this on copy by stripping such references.
>>
>
> Hi Ben,
> picking up this old thread..
>
> So we need to add a "sanitize local references" step/algorithm somewhere
> when JS writes data to clipboard? It would be great if you could have a
> look at
> https://w3c.github.io/clipboard-apis/#dfn-writing-contents-to-the-clipboard
> and suggest some text - maybe even in the form of a GitHub pull request? :)
> (I assume you strip *all* local references, not just specific blacklisted
> stuff like /etc/passwd - this probably needs testing with various types of
> slashes etc..)
>
> Do you have any other safety measures when data is written to the
> clipboard?
> -Hallvord
>
Received on Monday, 20 April 2015 21:10:36 UTC

This archive was generated by hypermail 2.3.1 : Friday, 27 October 2017 07:27:31 UTC