Re: Clipboard API: remove dangerous formats from mandatory data types

Hallvord,

do you not want to split the writable types list into safe and non-safe
ones and let browsers decide how they deal with unsafe ones? Here's an idea:

html, xml, and picture formats should be in the unsafe ones. I guess
json too (but both XML and JSON are too generic to my taste).
Similarly, I'd like to add things such as MathML ones
(application/mathml-presentation+xml, application/mathml-content+xml,
application/mathml+xml) and rtf.

For the unsafe formats, the warning could say that the UA-implementors
should only support the flavour if they have a method to make this
content safe so that local applications (which do not expect untrusted
content) receive content they can trust when pasting. Methods to make
the content safe include the following: transcoding a picture, inlining
all external entities (for html, xml, mathml, or rtf).

What do you think?

Paul

Hallvord Reiar Michaelsen Steen wrote:
> How does that sound?
>
> To those of you who want support for reading and writing many more
> formats (both common like RTF and esoteric ones): we're discussing
> what scripts from the world wild web should be allowed to do,
> basically without any permissions being granted (just something being
> clicked/touched in a page - a pretty low bar..). I understand that
> you're impatiently looking forward to all the great stuff you could do
> with full access to read and write whatever, but please have some
> patience while we work out just how scary (or not) various data types
> are..

Received on Monday, 17 August 2015 12:54:44 UTC
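
A sketch of the gate proposed in Paul's message, added here as an illustration and not taken from the thread or from the Clipboard API specification: a flavour on the unsafe list is written only when the UA has a method that makes it safe. The function names, the `text/plain` safe baseline and the MIME spellings for html, xml, json, rtf and pictures are assumptions; the sample clipboard data is constructed.

```javascript
// Added illustration; names and type lists are assumptions, not spec text.
const SAFE_TYPES = new Set(["text/plain"]); // assumed safe baseline
// Formats the message proposes treating as unsafe (MathML types are from the message).
const UNSAFE_TYPES = new Set([
  "text/html", "application/xml", "application/json", "image/png", "application/rtf",
  "application/mathml-presentation+xml", "application/mathml-content+xml",
  "application/mathml+xml",
]);

// Hypothetical check for markup flavours. A real UA would parse the content and
// inline external entities; this sketch only refuses content that still
// declares or references something external, returning null in that case.
function requireSelfContained(data) {
  const external = new RegExp(
    "<!(?:ENTITY|DOCTYPE)\\b[^>]*\\b(?:SYSTEM|PUBLIC)\\b" +
    "|\\b(?:src|href)\\s*=\\s*[\"']?\\s*(?:[a-z][a-z0-9+.-]*:)?//", "i");
  return external.test(data) ? null : data;
}

// Decide what a script-initiated write may place on the system clipboard.
// items: { mimeType: data }, sanitizers: { mimeType: fn(data) -> data | null }
function filterClipboardWrite(items, sanitizers) {
  const written = {}, dropped = [];
  for (const [type, data] of Object.entries(items)) {
    const t = type.trim().toLowerCase();
    if (SAFE_TYPES.has(t)) { written[t] = data; continue; }
    // Unsafe flavour: supported only if the UA can make it safe.
    // Types on neither list are dropped as well.
    const sanitize = UNSAFE_TYPES.has(t) ? sanitizers[t] : undefined;
    const clean = sanitize ? sanitize(data) : null;
    if (clean === null) dropped.push(t); else written[t] = clean;
  }
  return { written, dropped };
}

// Constructed sample data for the example.
const sample = {
  "text/plain": "hello",
  "text/html": '<p>hi <img src="https://tracker.example/p.gif"></p>',
  "application/mathml+xml": "<math><mi>x</mi></math>",
  "application/rtf": "{\\rtf1 hello}",
};
const sanitizers = {
  "text/html": requireSelfContained,
  "application/mathml+xml": requireSelfContained,
};
const result = filterClipboardWrite(sample, sanitizers);
console.log(result.dropped); // html has an external reference, rtf has no sanitizer
```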