W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2015

Re: Clipboard API: remove dangerous formats from mandatory data types

From: Olli Pettay <olli@pettay.fi>
Date: Tue, 09 Jun 2015 21:58:15 +0300
Message-ID: <55773747.80905@pettay.fi>
To: Daniel Cheng <dcheng@google.com>, public-webapps <public-webapps@w3.org>
On 06/09/2015 09:39 PM, Daniel Cheng wrote:
> Currently, the Clipboard API [1] mandates support for a number of formats. Unfortunately, we do not believe it is possible to safely support writing a
> number of formats to the clipboard:
> - image/png
> - image/jpg, image/jpeg
> - image/gif
>
> If these types are supported, malicious web content can trivially write a malformed GIF/JPG/PNG to the clipboard and trigger code execution when
> pasting in a program with a vulnerable image decoder. This provides a trivial way to bypass the sandbox that web content is usually in.
>
> Given this, I'd like to propose that we remove the above formats from the list of mandatory data types, and avoid adding support for any more complex
> formats.
>
> Daniel
>
> [1] http://www.w3.org/TR/clipboard-apis/#mandatory-data-types-1


Why would text/html, application/xhtml+xml, image/svg+xml, application/xml, text/xml, application/javascript
be any safer if the program which the data is pasted to has vulnerable html/xml/js parsing?


-Olli
Received on Tuesday, 9 June 2015 18:58:57 UTC

This archive was generated by hypermail 2.3.1 : Friday, 27 October 2017 07:27:31 UTC