Adam Barth <w...@adambarth.com> skreiv Wed, 08 Feb 2012 00:05:54 +0100
FWIW, my main concern was the hidden data aspect because it can be
abused
for cross-site request forgery if a malicious site by getting the user
to
copy and paste gets access to form anti-CSRF tokens and such.
That's certainly possible, but I don't think it's possible for us to
protect against the long tail of risks here. In these sorts of cases,
it can be better for security to not implement a half-correct solution
and instead decide not to try to mitigate a particular risk.
You are right here.
Also, on considering the abuse potential of getData('text/html'), I've
realised that we are not introducing much new threat surface here, since a
simple paste into a rich text editing-enabled element already inserts
markup so that the target page can see much of what I proposed removing.
I've changed the spec from saying the implementation *must* apply the
sanitization algorithm to saying the user agent *may* apply it, made it
clear that it is merely a suggestion, removed some of the most draconian
parts and marked it as informative. I think it still has some value as an
informative section.
http://dev.w3.org/cvsweb/~checkout~/2006/webapi/clipops/clipops-source.html?rev=1.15;content-type=text%2Fhtml
Perhaps we should publish a new working draft now?
--
Hallvord R. M. Steen
Core tester, Opera Software
