W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2015

Re: Clipboard API: remove dangerous formats from mandatory data types

From: Daniel Cheng <dcheng@google.com>
Date: Tue, 09 Jun 2015 19:15:15 +0000
Message-ID: <CAF3XrKoNC8MXGsWNOQkbSGtM95WK6KoJXM7U9z6-y1BGRy-vbQ@mail.gmail.com>
To: Olli Pettay <olli@pettay.fi>, public-webapps <public-webapps@w3.org>
I'm not against considering more formats to be dangerous. =)

In particular:
JS: I'm not support what context we'd ever want to support this, since we
go out of our way to try prevent XSS in HTML pastes.
XML: I wouldn't mind getting rid of this. XML parsers seem to have RCE bugs
on a semi-regular basis.

Daniel

On Tue, Jun 9, 2015 at 12:01 PM Olli Pettay <olli@pettay.fi> wrote:

> On 06/09/2015 09:39 PM, Daniel Cheng wrote:
> > Currently, the Clipboard API [1] mandates support for a number of
> formats. Unfortunately, we do not believe it is possible to safely support
> writing a
> > number of formats to the clipboard:
> > - image/png
> > - image/jpg, image/jpeg
> > - image/gif
> >
> > If these types are supported, malicious web content can trivially write
> a malformed GIF/JPG/PNG to the clipboard and trigger code execution when
> > pasting in a program with a vulnerable image decoder. This provides a
> trivial way to bypass the sandbox that web content is usually in.
> >
> > Given this, I'd like to propose that we remove the above formats from
> the list of mandatory data types, and avoid adding support for any more
> complex
> > formats.
> >
> > Daniel
> >
> > [1] http://www.w3.org/TR/clipboard-apis/#mandatory-data-types-1
>
>
> Why would text/html, application/xhtml+xml, image/svg+xml,
> application/xml, text/xml, application/javascript
> be any safer if the program which the data is pasted to has vulnerable
> html/xml/js parsing?
>
>
> -Olli
>
>
Received on Tuesday, 9 June 2015 19:15:54 UTC

This archive was generated by hypermail 2.3.1 : Friday, 27 October 2017 07:27:31 UTC