Re: [clipboard] Sanitizing HTML content for security/privacy on copy or paste?

On Tue, 09 Feb 2016 12:39:33 +0100, Hallvord Reiar Michaelsen Steen <hsteen@mozilla.com> wrote:

> Hi,
> some discussion of how browsers can try to safeguard security/privacy
> while copying/pasting HTML got tangled into the "remove dangerous
> formats from mandatory data types" thread [1]. I think it will be
> easier to follow with a separate thread.

See also discussions on this in webappsec, with threads starting from
http://www.w3.org/mid/56B8565E.4080404@mozilla.com a few days ago, and
https://lists.w3.org/Archives/Public/public-webappsec/2016Jan/0113.html from January.

cheers

> Context: we're talking copy from any normal public or local web page,
> to paste formatted text into an online rich text editor. The questions
> are about the code the UA itself would insert into the rich text
> editor if no script processing took place - the source code you expose
> via clipboardData.getData('text/html') may be handled differently.
>
> So - implementors: do you do any of the following currently, and does
> it happen when content is written to the clipboard (copy) or read
> (paste)? Do you care if it's a cross-site paste or a same-origin
> paste?
>
> * Change IMG src to inline images as data: URLs?
> * If yes, for all images or just local ones?
> * Change link HREFs to remove potential embedded session IDs?
> * Remove javascript: URLs from the code?
> * Remove event listeners from the code?
> * Inline external stylesheets
> * Remove SCRIPT elements
> * Any other special precautions or processing I haven't thought of?
>
> (I know some of these would be somewhat odd or weird to do - just checking..)
>
> (Also, this is not quite in scope for my spec, but I keep being asked
> to figure it out.. ;))
> -Hallvord R
>
> [1] https://lists.w3.org/Archives/Public/public-webapps/2015AprJun/0819.html
>


-- 
Charles McCathie Nevile - web standards - CTO Office, Yandex
  chaals@yandex-team.ru - - - Find more at http://yandex.com

Received on Tuesday, 9 February 2016 14:27:06 UTC
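A paste-side implementation of the precautions Hallvord's questions list (drop SCRIPT elements, strip event-handler attributes, neutralise javascript: URLs, and strip query strings, where session IDs usually ride, from link HREFs), written as an added example for this archive page; it is not code from either correspondent or from any browser. The entry point `sanitizePastedHtml` and the small regex tokenizer are assumptions of this example: the tokenizer stands in for the UA's fragment parser so the policy can run under Node without a DOM, and a real implementation would apply the same rules while walking the already-parsed fragment. That is also why the example decodes character references before inspecting a URL's scheme, because a parser hands the sanitizer decoded attribute values. The data: URL and stylesheet-inlining questions are left out since they need fetches.

```javascript
// Added example, not from the thread: paste-time HTML sanitizer policy.
// sanitizePastedHtml and the tokenizer below are hypothetical; the tokenizer
// is a stand-in for the browser's fragment parser, not a robust HTML parser.

const URL_ATTRS = new Set(["href", "src", "action", "formaction", "xlink:href"]);
const TAG_RE = /<!--[\s\S]*?-->|<\/?([a-zA-Z][^\s/>]*)([^>]*)>/g;
const ATTR_RE = /([^\s=/"'>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
const NAMED = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'", nbsp: "\u00a0" };

// Decode character references so "java&#115;cript:" is seen for what it is.
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (m, ref) => {
    if (ref[0] === "#") {
      const hex = ref[1].toLowerCase() === "x";
      const cp = hex ? parseInt(ref.slice(2), 16) : parseInt(ref.slice(1), 10);
      return Number.isFinite(cp) && cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
    }
    return NAMED[ref.toLowerCase()] ?? m;
  });
}

function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;");
}

// Browsers ignore ASCII whitespace and C0 controls inside the scheme, so the
// check must too, or "java\tscript:" slips through.
function isScriptUrl(value) {
  const scheme = value.replace(/[\u0000-\u0020]/g, "").toLowerCase();
  return scheme.startsWith("javascript:") || scheme.startsWith("vbscript:");
}

// Policy for one attribute; returns null to drop it.
function sanitizeAttribute(name, rawValue, cfg) {
  const lname = name.toLowerCase();
  if (lname.startsWith("on")) return null;                 // event listeners
  const value = decodeEntities(rawValue).trim();
  if (!URL_ATTRS.has(lname)) return { name: lname, value };
  if (isScriptUrl(value)) return null;                     // javascript: URLs
  if (lname === "href" && cfg.stripQuery) {
    // Policy choice (assumption): session tokens usually sit in the query
    // string, so drop it; the fragment is kept since it never reaches a server.
    const hash = value.indexOf("#");
    const base = hash >= 0 ? value.slice(0, hash) : value;
    const frag = hash >= 0 ? value.slice(hash) : "";
    return { name: lname, value: base.split("?")[0] + frag };
  }
  return { name: lname, value };
}

// Rewrites pasted HTML under the policy; opts.dropElements lists elements
// whose whole subtree is removed (default: script), opts.stripQuery controls
// query-string removal from HREFs (default: on).
function sanitizePastedHtml(html, opts = {}) {
  const cfg = {
    stripQuery: opts.stripQuery ?? true,
    drop: new Set((opts.dropElements ?? ["script"]).map((t) => t.toLowerCase())),
  };
  let out = "";
  let last = 0;
  let skipUntil = null;              // element name while inside a dropped element
  TAG_RE.lastIndex = 0;
  let m;
  while ((m = TAG_RE.exec(html)) !== null) {
    const [tag, name, attrs] = m;
    if (!skipUntil) out += html.slice(last, m.index);   // text between tags
    last = TAG_RE.lastIndex;
    if (name === undefined) continue;                   // comments are dropped
    const lname = name.toLowerCase();
    const closing = tag[1] === "/";
    if (skipUntil) { if (closing && lname === skipUntil) skipUntil = null; continue; }
    if (cfg.drop.has(lname)) { if (!closing) skipUntil = lname; continue; }
    if (closing) { out += `</${lname}>`; continue; }
    const kept = [];
    ATTR_RE.lastIndex = 0;
    let a;
    while ((a = ATTR_RE.exec(attrs)) !== null) {
      const r = sanitizeAttribute(a[1], a[2] ?? a[3] ?? a[4] ?? "", cfg);
      if (r) kept.push(` ${r.name}="${escapeAttr(r.value)}"`);
    }
    out += `<${lname}${kept.join("")}>`;
  }
  if (!skipUntil) out += html.slice(last);
  return out;
}

// Constructed sample of what a cross-site copy might carry into the editor.
const SAMPLE = '<p>Hello<script>track()</script> <a href="https://example.test/doc?sid=abc123#sec" onclick="steal()">link</a></p>';
console.log(sanitizePastedHtml(SAMPLE));
```

In a browser the same `sanitizeAttribute` policy would run over `DOMParser` output or the fragment the paste handler already holds, which removes the tokenizer and its blind spots (malformed markup, attribute values containing `>`); the decoding step stays relevant either way, since the scheme check has to see what the parser sees. Attribute values are normalised to decoded form and re-escaped on output so `alt="a&amp;b"` round-trips rather than being double-encoded.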