Re: [clipboard] Sanitizing HTML content for security/privacy on copy or paste?

[Chaals McCathie Nevile]

On Tue, 09 Feb 2016 12:39:33 +0100, Hallvord Reiar Michaelsen Steen  
 wrote:



Hi,
some discussion of how browsers can try to safeguard security/privacy
while copying/pasting HTML got tangled into the "remove dangerous
formats from mandatory data types" thread [1]. I think it will be
easier to follow with a separate thread.


See also discussions on this in webappsec, with threads starting from
http://www.w3.org/mid/56b8565e.4080...@mozilla.com a few days ago, and
https://lists.w3.org/Archives/Public/public-webappsec/2016Jan/0113.html  
from January.


cheers


Context: we're talking copy from any normal public or local web page,
to paste formatted text into an online rich text editor. The questions
are about the code the UA itself would insert into the rich text
editor if no script processing took place - the source code you expose
via clipboardData.getData('text/html') may be handled differently.

So - implementors: do you do any of the following currently, and does
it happen when content is written to the clipboard (copy) or read
(paste)? Do you care if it's a cross-site paste or a same-origin
paste?

* Change IMG src to inline images as data: URLs?
* If yes, for all images or just local ones?
* Change link HREFs to remove potential embedded session IDs?
* Remove javascript: URLs from the code?
* Remove event listeners from the code?
* Inline external stylesheets
* Remove SCRIPT elements
* Any other special precautions or processing I haven't thought of?

(I know some of these would be somewhat odd or weird to do - just  
checking..)


(Also, this is not quite in scope for my spec, but I keep being asked
to figure it out.. ;))
-Hallvord R

[1]  
https://lists.w3.org/Archives/Public/public-webapps/2015AprJun/0819.html





--
Charles McCathie Nevile - web standards - CTO Office, Yandex
 cha...@yandex-team.ru - - - Find more at http://yandex.com

[clipboard] Sanitizing HTML content for security/privacy on copy or paste?

[Hallvord Reiar Michaelsen Steen]

Hi,
some discussion of how browsers can try to safeguard security/privacy
while copying/pasting HTML got tangled into the "remove dangerous
formats from mandatory data types" thread [1]. I think it will be
easier to follow with a separate thread.

Context: we're talking copy from any normal public or local web page,
to paste formatted text into an online rich text editor. The questions
are about the code the UA itself would insert into the rich text
editor if no script processing took place - the source code you expose
via clipboardData.getData('text/html') may be handled differently.

So - implementors: do you do any of the following currently, and does
it happen when content is written to the clipboard (copy) or read
(paste)? Do you care if it's a cross-site paste or a same-origin
paste?

* Change IMG src to inline images as data: URLs?
* If yes, for all images or just local ones?
* Change link HREFs to remove potential embedded session IDs?
* Remove javascript: URLs from the code?
* Remove event listeners from the code?
* Inline external stylesheets
* Remove SCRIPT elements
* Any other special precautions or processing I haven't thought of?

(I know some of these would be somewhat odd or weird to do - just checking..)

(Also, this is not quite in scope for my spec, but I keep being asked
to figure it out.. ;))
-Hallvord R

[1] https://lists.w3.org/Archives/Public/public-webapps/2015AprJun/0819.html