Re: Clipboard API: remove dangerous formats from mandatory data types

From: Florian Bösch <pyalot@gmail.com>
Date: Thu, 11 Jun 2015 10:00:32 +0200
Message-ID: <CAOK8ODg87zcdMQOOoM5QXnWOazxCFkz_+zgUeVwq57ZO-cVMeQ@mail.gmail.com>
To: Hallvord Reiar Michaelsen Steen <hsteen@mozilla.com>
Cc: Ashley Gullen <ashley@scirra.com>, Daniel Cheng <dcheng@google.com>, WebApps WG <public-webapps@w3.org>, Paul Libbrecht <paul@hoplahup.net>, Olli Pettay <olli@pettay.fi>
On a further note. If UAs (which are among the more prevalent applications
out there being used) intentionally disable declaring mime-types for some
classes of content, so that it can't be pasted into applications that might
not be equipped to handle those mimetypes, application programmers (such as
adobe, gimp etc.) will do something else:

   - The first 4 bytes of a PNG: \89PNG
   - Bytes 9 through 13 of a JPEG: JFIF
   - etc.

Every notable non text format in common use today contains "magic" headers
that make it easy to identify what a file is without having the mimetype or
file extension.

Omission of metadata information is

   - not going to address your "security concern" since applications do
   routinely read in random bytes and figure out what they are
   - it's not going to make applications behave any more securely (or
   reliably) as it'll promote even more of them to resort to guessing because
   information is omitted
Received on Thursday, 11 June 2015 08:01:03 UTC
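The content sniffing the message describes, as an added example that is not part of the thread: a consumer identifies a payload by its magic header whether or not a MIME type was declared, and a defender can use the same sniffing to flag a declared type that disagrees with the bytes. The signature table, function names and sample payloads are constructed for this example.

```python
# Added example (not from the thread): identify payloads by their "magic"
# headers, as the message says applications already do, and flag a declared
# MIME type that disagrees with the bytes.

# Signatures as (offset, bytes, mime type). JPEG is identified by the SOI
# marker at offset 0; the "JFIF" identifier inside the APP0 segment starts
# at offset 6 and only distinguishes sub-flavours, so it is not required here.
MAGIC = [
    (0, b"\x89PNG\r\n\x1a\n", "image/png"),
    (0, b"\xff\xd8\xff", "image/jpeg"),
    (0, b"GIF87a", "image/gif"),
    (0, b"GIF89a", "image/gif"),
    (0, b"%PDF-", "application/pdf"),
    (8, b"WEBP", "image/webp"),   # RIFF container: "RIFF" <size> "WEBP"
]


def sniff_format(data: bytes):
    """Return the MIME type implied by the leading bytes, or None."""
    for offset, sig, mime in MAGIC:
        if data[offset:offset + len(sig)] == sig:
            # WEBP shares the RIFF container with WAV/AVI; require both tags.
            if mime == "image/webp" and data[:4] != b"RIFF":
                continue
            return mime
    return None


def check_declared(data: bytes, declared):
    """Compare a declared type (possibly absent) with what the bytes say.

    Returns (sniffed, verdict); verdict is 'unknown', 'undeclared',
    'match' or 'mismatch'.  A 'mismatch' is the case a consumer should
    treat with suspicion rather than trusting the label.
    """
    sniffed = sniff_format(data)
    if sniffed is None:
        return None, "unknown"
    if declared is None:
        return sniffed, "undeclared"
    return sniffed, "match" if declared == sniffed else "mismatch"


# Constructed sample payloads: a PNG signature plus IHDR chunk header, and a
# JPEG SOI marker followed by a 16-byte JFIF APP0 segment.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 13
SAMPLE_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00"
               b"\x00\x01\x00\x01\x00\x00")

if __name__ == "__main__":
    print(check_declared(SAMPLE_PNG, None))           # ('image/png', 'undeclared')
    print(check_declared(SAMPLE_JPEG, "text/plain"))  # ('image/jpeg', 'mismatch')
```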