I'm just thinking out loud here, but this problem is similar to one already faced by email clients, especially those which are web-based...

On Mon, 27 Jul 2015 15:03:40 -0400, Hallvord Reiar Michaelsen Steen <hst...@mozilla.com> wrote:

On Tue, Jun 9, 2015 at 8:39 PM, Daniel Cheng <dch...@google.com> wrote:

Currently, the Clipboard API [1] mandates support for a number of formats. Unfortunately, we do not believe it is possible to safely support writing a number of formats to the clipboard:
- image/png
- image/jpg, image/jpeg
- image/gif

Hi Daniel,
I've been pondering this a bit and I think a first step is to split the
list of "mandatory data types" into two: one list for types you must
support reading from the clipboard, and one (smaller) for types you must
support writing to the clipboard. So PNG, JPG et al go in the "support
reading from clipboard" list, and the "support writing" starts out with
text/plain, text/html and text/uri-list - although it would be nice if CSV was also considered safe enough.

I'm not sure you should directly read image formats from the clipboard, especially if you don't know how they got there. You shouldn't write stuff there that can be dangerous, but you really shouldn't read it direct. So maybe what happens is that when stuff gets written, it goes through a process like painting it onto a canvas, and then being scraped back off as coloured pixels and "safe" metadata.

A use case for the latter is the fabled "embedded accessibility" that could have made longdesc obsolete in 1997 - although the more likely use case for most people is getting the right geospying in their photo stream, and proving to the world that their camera clock flashes like a video player from 1987.

So essentially we don't restrict what is in the clipboard, but we do put restrictions on what we will take out, and if you want to be well-behaved you would follow those restrictions before you put anything there. Can we safely implement a clean/dirty flag similar to canvas, to help avoid double-sanitizing? Is that worth worrying about?

It would also be good if we could come up with an API for safely writing
images to the clipboard. Just playing:
event.clipboardData.addImageFromCanvas(canvasElm, 'image/png')

Hot or not?

Safely DrawMeA(sheep) is certainly worth pondering. Is it more than syntactic sugar?


Using Opera's mail client: http://www.opera.com/mail/
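
The canvas round trip suggested above for the write path, reduced to a Node.js sketch for PNG. This is an added example, not code from the thread or from any browser: `sanitizePng`, `samplePng` and `MAX_DIM` are hypothetical names, and it assumes 8-bit, non-interlaced, non-palette images. It inflates and validates the scanline data rather than rendering pixels, then rebuilds the file with only IHDR, IDAT and IEND.

```javascript
const zlib = typeof require === 'function' ? require('zlib') : process.getBuiltinModule('zlib'); // CJS or ESM
const SIG = Buffer.from([137, 80, 78, 71, 13, 10, 26, 10]);
const SAMPLES = { 0: 1, 2: 3, 4: 2, 6: 4 }; // colour type -> samples per pixel
const MAX_DIM = 4096; // assumed size limit for this sketch
function crc32(buf) {
  let c = ~0;
  for (const b of buf) {
    c ^= b;
    for (let k = 0; k < 8; k++) c = (c >>> 1) ^ (0xedb88320 & -(c & 1));
  }
  return ~c >>> 0;
}

function chunk(type, data) { // length + type + data + freshly computed CRC
  const out = Buffer.alloc(12 + data.length);
  out.writeUInt32BE(data.length, 0);
  out.write(type, 4, 'latin1');
  data.copy(out, 8);
  out.writeUInt32BE(crc32(out.subarray(4, 8 + data.length)), 8 + data.length);
  return out;
}

function sanitizePng(input) {
  if (!input.subarray(0, 8).equals(SIG)) throw new Error('not a PNG');
  const idat = []; let ihdr = null;
  for (let off = 8; off + 12 <= input.length;) {
    const len = input.readUInt32BE(off);
    const type = input.toString('latin1', off + 4, off + 8);
    if (off + 12 + len > input.length) throw new Error('truncated chunk');
    const data = input.subarray(off + 8, off + 8 + len);
    if (type === 'IHDR') ihdr = data;
    else if (type === 'IDAT') idat.push(data);
    else if (type === 'IEND') break; // tEXt, eXIf, trailing bytes etc. are dropped
    off += 12 + len;
  }
  if (!ihdr || ihdr.length !== 13) throw new Error('missing IHDR');
  const w = ihdr.readUInt32BE(0), h = ihdr.readUInt32BE(4), n = SAMPLES[ihdr[9]];
  if (!n || ihdr[8] !== 8 || ihdr[10] || ihdr[11] || ihdr[12]) throw new Error('unsupported format');
  if (!w || !h || w > MAX_DIM || h > MAX_DIM) throw new Error('bad dimensions');
  const stride = 1 + w * n; // filter byte + pixel bytes per scanline
  const raw = zlib.inflateSync(Buffer.concat(idat), { maxOutputLength: stride * h }); // bomb guard
  if (raw.length !== stride * h) throw new Error('pixel data does not match header');
  for (let y = 0; y < h; y++) if (raw[y * stride] > 4) throw new Error('bad filter type');
  return Buffer.concat([SIG, chunk('IHDR', ihdr), chunk('IDAT', zlib.deflateSync(raw)), chunk('IEND', Buffer.alloc(0))]);
}
// Constructed sample: 2x1 RGB PNG with a tEXt comment and trailing bytes.
const samplePng = () => Buffer.concat([SIG,
  chunk('IHDR', Buffer.from([0, 0, 0, 2, 0, 0, 0, 1, 8, 2, 0, 0, 0])), chunk('tEXt', Buffer.from('Comment\0secret')),
  chunk('IDAT', zlib.deflateSync(Buffer.from([0, 255, 0, 0, 0, 0, 255]))),
  chunk('IEND', Buffer.alloc(0)), Buffer.from('trailing junk')]);
```

Running the output through `sanitizePng` a second time returns identical bytes, which is the property a clean/dirty flag would let an implementation skip re-checking.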
