On Mon, Aug 17, 2015 at 2:54 PM, Paul Libbrecht <p...@hoplahup.net> wrote:

> Hallvord,
> do you not want to split the writable types list in safe and non-safe ones
> and let browsers how they deal with unsafe ones?

No, absolutely not. If we leave such things up to the browser we end up
with implementations that do wildly different things and web developers
suffering new levels of incompatibility pain.

> Here's an idea:
> html, xml, and picture formats should be in the unsafe ones.

If we can help it, HTML should not be unsafe. It's the web's primary
format, and if we class it as unsafe we basically prohibit scripts from
being able to export formatted text to the clipboard.

I do however know it takes a bit of a leap of faith to believe that it's
safe enough, given that HTML parsing was a bit of a dark art for many
years. Today we can at least hope a lot of software that consumes HTML has
been updated to use HTML5 algorithms.

> I guess json too (but both XML and JSON are too generic to my taste).

Why should JSON be unsafe? Parsing JSON should be pretty easy, so hopefully
most parsers would be safe.

> For the unsafe formats, the warning could say that the UA-implementors
> should only support the flavour if they have a method to make this content
> safe so that local applications (which do not expect untrusted content)
> receive content they can trust when pasting. Methods to make the content
> safe include the following: transcoding a picture, inlining all external
> entities for html, xml, mathml, or rtf).

On Windows I believe images are transcoded to and from DIB - device
independent bitmap format anyway. Is there any equivalent graphics
interchange format on other platforms? Does mandating such transcoding help
guarantee against payloads that might trigger vulnerabilities in target
software? I expect it adds a significant hurdle against exploits, but I'd
like input from Daniel Cheng and perhaps from people who have worked on
image decoders..

Reply via email to