W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2015

Re: Clipboard API: remove dangerous formats from mandatory data types

From: Paul Libbrecht <paul@hoplahup.net>
Date: Sat, 13 Jun 2015 08:02:56 +0200
Message-ID: <557BC790.9050609@hoplahup.net>
To: Hallvord Reiar Michaelsen Steen <hsteen@mozilla.com>, Daniel Cheng <dcheng@google.com>
CC: public-webapps <public-webapps@w3.org>
Hello all,

I think a good solution would then be that UAs do a transcoding, or?
(so the spec should recommend doing it)

I understand that the right-menu "copy image" function has the same
problem except if that one does transcoding (and it probably does, to
offer more native flavours).

That would work fine against attacking pictures that would overflow some
older picture processors.
For those graphic freaks which need the exact bytes (e.g. with a
particular profile etc), I think they can expect the web-app to offer a
download for which there's enough dialogs and protection.

Whether an unfiltered picture file should be expected by copy after some
security-dialog-confirmed process, I do not know. Maybe using
octet-stream is the solution?

thanks

Paul

On 11/06/15 08:31, Hallvord Reiar Michaelsen Steen wrote:
> On Tue, Jun 9, 2015 at 8:39 PM, Daniel Cheng <dcheng@google.com
> <mailto:dcheng@google.com>> wrote:
>
>     Currently, the Clipboard API [1] mandates support for a number of
>     formats. Unfortunately, we do not believe it is possible to safely
>     support writing a number of formats to the clipboard:
>     - image/png
>     - image/jpg, image/jpeg
>     - image/gif
>
> copying images to the clipboard is an important use case. Do you have
> any suggestions for how we could meet this use case in a safer way?
> For example, would it be safe and easy to add a little bit of "magic"
> to make
>
> clipboardData.items.add(canvasElement)
>
> put a PNG on the clipboard? Perhaps copying a rendered imgElement
> should work too?
> -Hallvord



Received on Saturday, 13 June 2015 06:03:38 UTC

This archive was generated by hypermail 2.3.1 : Friday, 27 October 2017 07:27:31 UTC