Re: Clipboard API: remove dangerous formats from mandatory data types

I'm just thinking out loud here, but this problem is similar to one  
already faced by email clients, especially those which are web-based...

On Mon, 27 Jul 2015 15:03:40 -0400, Hallvord Reiar Michaelsen Steen  
<hsteen@mozilla.com> wrote:

> On Tue, Jun 9, 2015 at 8:39 PM, Daniel Cheng <dcheng@google.com> wrote:
>
>> Currently, the Clipboard API [1] mandates support for a number of  
>> formats.
>> Unfortunately, we do not believe it is possible to safely support  
>> writing a
>> number of formats to the clipboard:
>> - image/png
>> - image/jpg, image/jpeg
>> - image/gif
>>
>
> Hi Daniel,
> I've been pondering this a bit and I think a first step is to split the
> list of "mandatory data types" into two: one list for types you must
> support reading from the clipboard, and one (smaller) for types you must
> support writing to the clipboard. So PNG, JPG et al go in the "support
> reading from clipboard" list, and the "support writing" starts out with
> text/plain, text/html and text/uri-list - although it would be nice if  
> CSV was also considered safe enough.

I'm not sure you should directly read image formats from the clipboard,  
especially if you don't know how they got there. You shouldn't write stuff  
there that can be dangerous, but you really shouldn't read it direct. So  
maybe what happens is that when stuff gets written, it goes through a  
process like painting it onto a canvas, and then being scraped back off as  
coloured pixels and "safe" metadata.

A use case for the latter is the fabled "embedded accessibility" that  
could have made longdesc obsolete in 1997 - although the more likely use  
case for most people is getting the right geospying in their photo stream,  
and proving to the world that their camera clock flashes like a video  
player from 1987.

So essentially we don't restrict what is in the clipboard, but we do put  
restrictions on what we will take out, and if you want to be well-behaved  
you would follow those restrictions before you put anything there. Can we  
safely implement a clean/dirty flag similar to canvas, to help avoid  
double-sanitizing? Is that worth worrying about?

> It would also be good if we could come up with an API for safely writing
> images to the clipboard. Just playing:
> event.clipboardData.addImageFromCanvas(canvasElm, 'image/png')
>
> Hot or not?

Safely DrawMeA(sheep) is certainly worth pondering. Is it more than  
syntactic sugar?

cheers

-- 
Using Opera's mail client: http://www.opera.com/mail/

Received on Tuesday, 28 July 2015 11:08:45 UTC
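The canvas round-trip sketched in the reply above ("paint it onto a canvas, scrape it back off as coloured pixels"), together with the clean/dirty flag question, as an added JavaScript example that is not code from this thread or from any browser's Clipboard API implementation. The allowlists, the `launderImage`/`classifyClipboardItems` names and the `cleanBlobs` bookkeeping are assumptions for illustration.

```javascript
// Added example (not from the thread): the "paint onto a canvas, scrape the
// pixels back off" round-trip for pasted images, plus a clean/dirty record so
// already-laundered blobs are not re-encoded. Allowlists and names are assumptions.
const DIRECT_TYPES = new Set(['text/plain', 'text/html', 'text/uri-list']);
const IMAGE_TYPES = new Set(['image/png', 'image/jpeg', 'image/jpg', 'image/gif']);
const cleanBlobs = new WeakSet();   // blobs produced by launderImage ("clean" flag)

function isClean(blob) { return cleanBlobs.has(blob); }
function markClean(blob) { cleanBlobs.add(blob); return blob; }

// Sort clipboard entries ({type, kind} like DataTransferItem) into what may be
// used directly, what must be laundered first, and what is refused outright.
function classifyClipboardItems(items) {
  const out = { direct: [], launder: [], reject: [] };
  for (const item of items) {
    const type = String(item.type || '').toLowerCase();
    if (DIRECT_TYPES.has(type)) out.direct.push(type);
    else if (IMAGE_TYPES.has(type) && item.kind === 'file') out.launder.push(type);
    else out.reject.push(type);
  }
  return out;
}

// Browser-only: decode the untrusted blob with the browser's own decoder, draw
// it, and re-encode as PNG. Only pixels and dimensions survive; EXIF/GPS, text
// chunks and anything else in the source container do not.
async function launderImage(blob, maxPixels = 32 * 1024 * 1024) {
  if (isClean(blob)) return blob;               // avoid double-sanitising
  const bitmap = await createImageBitmap(blob);
  try {
    if (bitmap.width * bitmap.height > maxPixels) throw new Error('image too large');
    const canvas = document.createElement('canvas');
    canvas.width = bitmap.width;
    canvas.height = bitmap.height;
    canvas.getContext('2d').drawImage(bitmap, 0, 0);
    const png = await new Promise((resolve, reject) =>
      canvas.toBlob(b => (b ? resolve(b) : reject(new Error('encode failed'))), 'image/png'));
    return markClean(png);
  } finally {
    bitmap.close();
  }
}

// Paste handler: launder every pasted image before the application sees it.
if (typeof document !== 'undefined') {
  document.addEventListener('paste', async (ev) => {
    for (const item of ev.clipboardData.items) {
      if (item.kind === 'file' && IMAGE_TYPES.has(item.type.toLowerCase())) {
        const clean = await launderImage(item.getAsFile());
        console.log('laundered image:', clean.size, 'bytes');
      }
    }
  });
}
```

Note that the browser's image decoder still parses the untrusted bytes in `createImageBitmap`, so this protects whatever consumes the clipboard data downstream rather than the decoder itself.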