Re: Clipboard API: remove dangerous formats from mandatory data types

On Tue, Jun 9, 2015 at 8:39 PM, Daniel Cheng <dcheng@google.com> wrote:

> Currently, the Clipboard API [1] mandates support for a number of formats.
> Unfortunately, we do not believe it is possible to safely support writing a
> number of formats to the clipboard:
> - image/png
> - image/jpg, image/jpeg
> - image/gif
>
> If these types are supported, malicious web content can trivially write a
> malformed GIF/JPG/PNG to the clipboard and trigger code execution when
> pasting in a program with a vulnerable image decoder. This provides a
> trivial way to bypass the sandbox that web content is usually in.
>

Hi Daniel,
I've split the data type list (as suggested earlier) into one for reading
and one for writing. Please review and tell me what you think:
https://w3c.github.io/clipboard-apis/#mandatory-data-types-1

To support the "copy images to clipboard" use case, I'd like to extend the
DataTransferItemList.add() method.
https://html.spec.whatwg.org/multipage/interaction.html#dom-datatransferitemlist-add

Two suggestions, one slightly less verbose but with slightly more "magic":
let add() take an element, prepare writing an image to the clipboard if the
element is IMG or CANVAS:

event.clipboardData.items.add(myHTMLCanvasElement);
event.clipboardData.items.add(myHTMLImgElement);

A more verbose way (but perhaps easier to understand) is to make add()
accept dataTransferItem objects and add a .toDataTransferItem() method to
IMG and CANVAS:

event.clipboardData.items.add(myHTMLCanvasElement.toDataTransferItem());
event.clipboardData.items.add(myHTMLImgElement.toDataTransferItem());

In either case, running the above two lines of code should end up with two
new items added to the DataTransfer item list, with kind set to file, type
string set to image/png or image/jpeg depending on what the source was
and/or what the UA transcoded the data to, and with data set to the image
data.

How does that sound?

To those of you who want support for reading and writing many more formats
(both common like RTF and esoteric ones): we're discussing what scripts
from the world wild web should be allowed to do, basically without any
permissions being granted (just something being clicked/touched in a page -
a pretty low bar..). I understand that you're impatiently looking forward
to all the great stuff you could do with full access to read and write
whatever, but please have some patience while we work out just how scary
(or not) various data types are..

-Hallvord

Received on Sunday, 16 August 2015 18:13:06 UTC
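The add(element) overload proposed in the message above, sketched as a page-side shim (added example; not spec text and not any browser's implementation). It assumes a UA that honours File-kind items added during a "copy" event, and always re-encodes through a canvas so the clipboard only ever receives bytes produced by the UA's own PNG encoder, never bytes supplied by script:

```javascript
// Pure part: derive the outgoing item's metadata from the source element's
// tag name. Because the canvas route re-encodes everything, the type is
// image/png whatever the original IMG was served as (assumption: a UA that
// also preserved JPEG sources would report image/jpeg here instead).
function describeImageItem(tagName) {
  const tag = String(tagName).toUpperCase();
  if (tag !== 'IMG' && tag !== 'CANVAS') {
    throw new TypeError(`add(): expected IMG or CANVAS, got ${tag}`);
  }
  return { kind: 'file', type: 'image/png', source: tag };
}

// Decode a data: URL produced by canvas.toDataURL() into a Blob synchronously.
// Synchronous matters: clipboardData is only writable while the copy event
// handler is running, so the async canvas.toBlob() cannot be used here.
function dataUrlToBlob(dataUrl, type) {
  const bytes = atob(dataUrl.slice(dataUrl.indexOf(',') + 1));
  const buf = new Uint8Array(bytes.length);
  for (let i = 0; i < bytes.length; i++) buf[i] = bytes.charCodeAt(i);
  return new Blob([buf], { type });
}

// Browser part: re-encode the element's pixels through a fresh canvas and
// append the resulting File to a DataTransferItemList (e.g. event.clipboardData.items).
function addImageElement(items, element) {
  const meta = describeImageItem(element.tagName);
  const canvas = document.createElement('canvas');
  canvas.width = meta.source === 'IMG' ? element.naturalWidth : element.width;
  canvas.height = meta.source === 'IMG' ? element.naturalHeight : element.height;
  canvas.getContext('2d').drawImage(element, 0, 0);
  // toDataURL throws a SecurityError if a cross-origin image tainted the canvas,
  // so pixels the page is not allowed to read never reach the clipboard either.
  const blob = dataUrlToBlob(canvas.toDataURL(meta.type), meta.type);
  const file = new File([blob], 'image.png', { type: meta.type });
  items.add(file);
  return meta;
}
```

Usage inside a copy handler: `document.addEventListener('copy', e => { addImageElement(e.clipboardData.items, myCanvas); e.preventDefault(); });`.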