Re: Clipboard API: remove dangerous formats from mandatory data types

From: James M. Greene <james.m.greene@gmail.com>
Date: Thu, 11 Jun 2015 07:33:58 -0500
Message-ID: <CALrbKZg+MsrnP-MzxYLjbmCbGpt6zyqdo-EMuFzi5aEWRT5_6w@mail.gmail.com>
To: Florian Bösch <pyalot@gmail.com>
Cc: Paul Libbrecht <paul@hoplahup.net>, public-webapps <public-webapps@w3.org>, Daniel Cheng <dcheng@google.com>, Ashley Gullen <ashley@scirra.com>, Hallvord Reiar Michaelsen Steen <hsteen@mozilla.com>, Olli Pettay <olli@pettay.fi>

I can make plugins for legitimate text/image editors that would override
default behavior for paste operations to instead execute arbitrary
processes (e.g. recursively delete the entire working directory) unless the
parent application is well sandboxed.

Unless the vendors that establish a lightning fast sanity check for a
subset of binary data types, I really don't believe this is a positive

While we're on it, how about the good ole harbinger of the unknown:
"application/octet-stream"? Where do we reasonably draw the line? Will that
MIME type be blocked? Doesn't seem like there would be any reasonable way
to scrub it.

   James M. Greene

On Jun 11, 2015 3:14 AM, "Florian Bösch" <pyalot@gmail.com> wrote:

> Oh, also while you're on crippling things, please also exclude copying any
> text that contains "http://:" cause that borks skype.

Received on Thursday, 11 June 2015 12:34:27 UTC