Re: Clipboard API: remove dangerous formats from mandatory data types from Hallvord Reiar Michaelsen Steen on 2015-06-13 (public-webapps@w3.org from April to June 2015)

From: Hallvord Reiar Michaelsen Steen <hsteen@mozilla.com>
Date: Sat, 13 Jun 2015 12:57:20 +0200
To: Wez <wez@google.com>
Cc: Daniel Cheng <dcheng@google.com>, public-webapps <public-webapps@w3.org>
Message-ID: <CAE3JC2w5CwbUAdPv9+Kjf9fWFmYDJLZ+y8o2=5TjzspLQbVNow@mail.gmail.com>

On Thu, Jun 11, 2015 at 7:51 PM, Wez <wez@google.com> wrote:

> Hallvord,
>
> The proposal isn't to remove support for copying/pasting images, but to
> restrict web content from placing compressed image data in one of these
> formats on the clipboard directly - there's no issue with content pasting
> raw pixels from a canvas, for example, since scope for abusing that to
> compromise the recipient is extremely limited by comparison to JPEG, PNG or
> GIF.
>

Well, but as far as I can tell we don't currently *have* a way JS can place
pixels from a canvas on the clipboard (except by putting a piece of data
labelled as image/png or similar there). So if you're pushing back against
the idea that JS can place random data on the clipboard and label it
image/png, how exactly would you propose JS-triggered copy of image data to
work? Say, from a CANVAS-based image editor?
-Hallvord

Received on Saturday, 13 June 2015 10:57:48 UTC