Re: Clipboard API: remove dangerous formats from mandatory data types from Elliott Sprehn on 2015-06-11 (public-webapps@w3.org from April to June 2015)

From: Elliott Sprehn <esprehn@chromium.org>
Date: Thu, 11 Jun 2015 11:57:39 -0700
To: Wez <wez@google.com>
Cc: Hallvord Reiar Michaelsen Steen <hsteen@mozilla.com>, Daniel Cheng <dcheng@google.com>, public-webapps <public-webapps@w3.org>
Message-ID: <CAO9Q3iLE6m5fc3v66GfDGA1smEMT2j-10rBX022G5aAKSTK15A@mail.gmail.com>

On Thu, Jun 11, 2015 at 10:51 AM, Wez <wez@google.com> wrote:

> Hallvord,
>
> The proposal isn't to remove support for copying/pasting images, but to
> restrict web content from placing compressed image data in one of these
> formats on the clipboard directly - there's no issue with content pasting
> raw pixels from a canvas, for example, since scope for abusing that to
> compromise the recipient is extremely limited by comparison to JPEG, PNG or
> GIF.
>
> The UA is still at liberty to synthesize these formats itself, based on
> the raw imagery provided by the content, to populate the clipboard with
> formats that other applications want.
>
>
>
I don't think the clipboard should forbid inserting image data, there's so
many ways to compromise desktop software. ex. pasting text/html into
Mail.app might even do it. This API shouldn't be trying to prevent that.

- E

Received on Thursday, 11 June 2015 18:58:51 UTC