On Mon, Aug 17, 2015 at 2:54 PM, Paul Libbrecht <p...@hoplahup.net> wrote:
> Hallvord, > > do you not want to split the writable types list in safe and non-safe ones > and let browsers how they deal with unsafe ones? > No, absolutely not. If we leave such things up to the browser we end up with implementations that do wildly different things and web developers suffering new levels of incompatibility pain. > Here's an idea: > > html, xml, and picture formats should be in the unsafe ones. > If we can help it, HTML should not be unsafe. It's the web's primary format, and if we class it as unsafe we basically prohibit scripts from being able to export formatted text to the clipboard. I do however know it takes a bit of a leap of faith to believe that it's safe enough, given that HTML parsing was a bit of a dark art for many years. Today we can at least hope a lot of software that consumes HTML has been updated to use HTML5 algorithms. > I guess json too (but both XML and JSON are too generic to my taste). > Why should JSON be unsafe? Parsing JSON should be pretty easy, so hopefully most parsers would be safe. > For the unsafe formats, the warning could say that the UA-implementors > should only support the flavour if they have a method to make this content > safe so that local applications (which do not expect untrusted content) > receive content they can trust when pasting. Methods to make the content > safe include the following: transcoding a picture, inlining all external > entities for html, xml, mathml, or rtf). > On Windows I believe images are transcoded to and from DIB - device independent bitmap format anyway. Is there any equivalent graphics interchange format on other platforms? Does mandating such transcoding help guarantee against payloads that might trigger vulnerabilities in target software? I expect it adds a significant hurdle against exploits, but I'd like input from Daniel Cheng and perhaps from people who have worked on image decoders.. -Hallvord
