- From: Hallvord Reiar Michaelsen Steen <hsteen@mozilla.com>
- Date: Tue, 9 Feb 2016 12:39:33 +0100
- To: WebApps WG <public-webapps@w3.org>
Hi,

some discussion of how browsers can try to safeguard security/privacy while copying/pasting HTML got tangled into the "remove dangerous formats from mandatory data types" thread [1]. I think it will be easier to follow with a separate thread.

Context: we're talking copy from any normal public or local web page, to paste formatted text into an online rich text editor. The questions are about the code the UA itself would insert into the rich text editor if no script processing took place - the source code you expose via clipboardData.getData('text/html') may be handled differently.

So - implementors: do you do any of the following currently, and does it happen when content is written to the clipboard (copy) or read (paste)? Do you care if it's a cross-site paste or a same-origin paste?

* Change IMG src to inline images as data: URLs?
  * If yes, for all images or just local ones?
* Change link HREFs to remove potential embedded session IDs?
* Remove javascript: URLs from the code?
* Remove event listeners from the code?
* Inline external stylesheets
* Remove SCRIPT elements
* Any other special precautions or processing I haven't thought of?

(I know some of these would be somewhat odd or weird to do - just checking..)

(Also, this is not quite in scope for my spec, but I keep being asked to figure it out.. ;))

-Hallvord R

[1] https://lists.w3.org/Archives/Public/public-webapps/2015AprJun/0819.html

Received on Tuesday, 9 February 2016 11:40:40 UTC