On 06/09/2015 09:39 PM, Daniel Cheng wrote:
Currently, the Clipboard API [1] mandates support for a number of formats.
Unfortunately, we do not believe it is possible to safely support writing a
number of formats to the clipboard:
- image/png
- image/jpg, image/jpeg
- image/gif
If these types are supported, malicious web content can trivially write a
malformed GIF/JPG/PNG to the clipboard and trigger code execution when
pasting in a program with a vulnerable image decoder. This provides a trivial
way to bypass the sandbox that web content is usually in.
Given this, I'd like to propose that we remove the above formats from the list
of mandatory data types, and avoid adding support for any more complex
formats.
Daniel
[1] http://www.w3.org/TR/clipboard-apis/#mandatory-data-types-1
Why would text/html, application/xhtml+xml, image/svg+xml, application/xml,
text/xml, application/javascript be any safer if the program which the data
is pasted to has vulnerable html/xml/js parsing?
-Olli