Re: Clipboard API: remove dangerous formats from mandatory data types from Daniel Cheng on 2015-06-09 (public-webapps@w3.org from April to June 2015)

From: Daniel Cheng <dcheng@google.com>
Date: Tue, 09 Jun 2015 21:08:01 +0000
To: "James M. Greene" <james.m.greene@gmail.com>
Cc: public-webapps <public-webapps@w3.org>, Olli Pettay <olli@pettay.fi>
Message-ID: <CAF3XrKpMBX5TZoghB3nXj_bZgJ=h9MrUKoB0k+-4iB-9Jg1atA@mail.gmail.com>

On Tue, Jun 9, 2015 at 1:17 PM James M. Greene <james.m.greene@gmail.com>
wrote:

> Why we would exclude any data formats that the browsers currently already
> support copying today? Definitely not a fan of that idea offhand.
>
> Is it not possible for a malicious image to be displayed (or display as
> broken) in Chrome and allow a user to choose "Copy Image" from that
> element's context menu?
>
See my earlier reply.

> If not, how is that protection/prevention achieved today? Could the same
> process to applied to outgoing copy/cut operations and incoming paste
> operations?
>
> Sincerely,
>    James M. Greene
>

Incoming paste isn't the problem, it's just outgoing copy/cut.

Can an implementation really claim to support GIF/JPG/PNG if it has to
decode it to a bitmap and then (potentially lossily) convert it back? Image
encoding is not free either; Chrome has a very poor implementation today to
expose image/png, and you'll find if you try to paste a very large bitmap
(several dozen megapixels), the renderer will stop responding for a period
of time.

Daniel


> On Jun 9, 2015 2:19 PM, "Daniel Cheng" <dcheng@google.com> wrote:
>
>> I'm not against considering more formats to be dangerous. =)
>>
>> In particular:
>> JS: I'm not support what context we'd ever want to support this, since we
>> go out of our way to try prevent XSS in HTML pastes.
>> XML: I wouldn't mind getting rid of this. XML parsers seem to have RCE
>> bugs on a semi-regular basis.
>>
>> Daniel
>>
>> On Tue, Jun 9, 2015 at 12:01 PM Olli Pettay <olli@pettay.fi> wrote:
>>
>>> On 06/09/2015 09:39 PM, Daniel Cheng wrote:
>>> > Currently, the Clipboard API [1] mandates support for a number of
>>> formats. Unfortunately, we do not believe it is possible to safely support
>>> writing a
>>> > number of formats to the clipboard:
>>> > - image/png
>>> > - image/jpg, image/jpeg
>>> > - image/gif
>>> >
>>> > If these types are supported, malicious web content can trivially
>>> write a malformed GIF/JPG/PNG to the clipboard and trigger code execution
>>> when
>>> > pasting in a program with a vulnerable image decoder. This provides a
>>> trivial way to bypass the sandbox that web content is usually in.
>>> >
>>> > Given this, I'd like to propose that we remove the above formats from
>>> the list of mandatory data types, and avoid adding support for any more
>>> complex
>>> > formats.
>>> >
>>> > Daniel
>>> >
>>> > [1] http://www.w3.org/TR/clipboard-apis/#mandatory-data-types-1
>>>
>>>
>>> Why would text/html, application/xhtml+xml, image/svg+xml,
>>> application/xml, text/xml, application/javascript
>>> be any safer if the program which the data is pasted to has vulnerable
>>> html/xml/js parsing?
>>>
>>>
>>> -Olli
>>>
>>>

Received on Tuesday, 9 June 2015 21:08:42 UTC