Re: Clipboard API: remove dangerous formats from mandatory data types from Arthur Barstow on 2015-06-10 (public-webapps@w3.org from April to June 2015)

From: Arthur Barstow <art.barstow@gmail.com>
Date: Wed, 10 Jun 2015 08:55:30 -0400
To: Anne van Kesteren <annevk@annevk.nl>, Hallvord Reiar Michaelsen Steen <hsteen@mozilla.com>
CC: WebApps WG <public-webapps@w3.org>
Message-ID: <557833C2.70301@gmail.com>

On 6/10/15 5:32 AM, Anne van Kesteren wrote:
> On Wed, Jun 10, 2015 at 11:22 AM, Hallvord Reiar Michaelsen Steen
> <hsteen@mozilla.com> wrote:
>> Developing web browsers and their specs means paranoia should be part of
>> your job description.
>> It is a concern and I'm not sure how to solve it.
> Well we should be able to allow some things here. Either we verify
> that it is an image or we only allow images that are exported from
> <canvas> or some such... But yeah, passing arbitrary bytes seems bad,
> there needs to be some amount of validation.

Are you suggesting/proposing new normative requirement(s) in the "spec 
proper" and/or new text in the security/privacy considerations [1]?

[1] 
https://w3c.github.io/clipboard-apis/#other-security-and-privacy-considerations

Received on Wednesday, 10 June 2015 12:56:05 UTC