- From: Hallvord Reiar Michaelsen Steen <hsteen@mozilla.com>
- Date: Mon, 13 Jun 2016 19:36:06 +0200
- To: Daniel Cheng <dcheng@chromium.org>
- Cc: "James M. Greene" <james.m.greene@gmail.com>, public-webapps <public-webapps@w3.org>, Ben Peters <Ben.Peters@microsoft.com>

On Mon, Apr 20, 2015 at 11:01 PM James M. Greene <james.m.greene@gmail.com> wrote:

>> That behavior is really all I wanted, i.e. "don't let the browser
>> discard/ignore valid RTF clipboard data".

On Wed, May 6, 2015 at 8:18 PM, Daniel Cheng <dcheng@chromium.org> wrote:

> I don't think I would feel comfortable with allowing web pages to place
> unsanitized RTF in the system clipboard. This would allow webapps to trigger
> exploits such as CVE-2014-1761.

Just to conclude here: I've been convinced that the possibility of targeting exploits at local applications is too severe to allow JS to write stuff labelled as RTF to clipboards. The plan is that RTF will be considered a "custom" type so scripts can set (and get) RTF data, but native applications will not see said data if they look for "RTF" content on the clipboard.

I have not entirely made up my mind on how exposing RTF that other applications have written to the clipboard to JS will work (the "paste" / "read from clipboard" use case), but I think we'll just expose it as usual in the items list with the RTF MIME type.

-Hallvord

Received on Monday, 13 June 2016 17:37:04 UTC