(Finally found some time to resume this old discussion - if you've all
forgotten the details by now the thread started here:
https://lists.w3.org/Archives/Public/public-webapps/2015AprJun/0819.html
)
cool!
>> But copying a fragment of HTML in the wild without reformulating it will
>> lead to
Daniel,
as far as I can read the post, copy-and-paste-interoperability would be
a "sub-task" of this.
It's not a very small task though.
In my world, E.g., there was a person who invented a "math" protocol
handler. For him it meant that formulæ be read out loud (because his
mission is making the
Anders Rundgren wrote:
> Unless you work for a browser vendor or is generally "recognized" for
> some
> specialty, nothing seems to be of enough interest to even get briefly
> evaluated.
Maybe the right thing is assemble "user representative" groups and be
enough heard on such places as this
Hello Hallvord,
Hallvord Reiar Michaelsen Steen hst...@mozilla.com
27 August 2015 18:32
On Mon, Aug 17, 2015 at 2:54 PM, Paul Libbrecht p...@hoplahup.net wrote:
do you not want to split the writable types list in safe and
non-safe ones and let browsers
Hallvord,
do you not want to split the writable types list in safe and non-safe
ones and let browsers how they deal with unsafe ones? Here's an idea:
html, xml, and picture formats should be in the unsafe ones. I guess
json too (but both XML and JSON are too generic to my taste).
Similarly, I'd
Hello all,
I think a good solution would then be that UAs do a transcoding, or?
(so the spec should recommend doing it)
I understand that the right-menu copy image function has the same
problem except if that one does transcoding (and it probably does, to
offer more native flavours).
That would
Daniel,
this does not make sense to me.
All these image parsers exploits can be triggered by an img tag, or?
Similarly for XML using an XHR or some particular XML formats (RSS, SVG,
XHTML, ...) in markup.
There's absolutely no difference in the mistrust we should have between
content brought by
On 9/06/15 23:08, Daniel Cheng wrote:
So the solution is to require that browsers that make known
media-types in the clipboard actually parse it for its value? That
sounds doable (and probably even useful: e.g. put other picture
flavours in case of a pictures).
I don't think
other picture flavours in case of a
pictures).
Paul
On 9/06/15 22:20, Daniel Cheng wrote:
On Tue, Jun 9, 2015 at 12:27 PM Paul Libbrecht p...@hoplahup.net wrote:
Daniel,
this does not make sense to me.
All these image parsers exploits can be triggered
, but even valid data that some
decoders fail to handle gracefully.
On 9 June 2015 at 14:13, Paul Libbrecht p...@hoplahup.net wrote:
On 9/06/15 23:08, Daniel Cheng wrote:
So the solution is to require that browsers that make known
media-types
On 20/04/15 22:11, Hallvord Reiar Michaelsen Steen wrote:
Would it be a possible compromise to let a script describe data as
RTF, and then put said data on the clipboard with the OS's correct RTF
data type labelling? And vice versa, if the script asks for RTF give
it any RTF contents from
On 31 Jan 2015, at 14:48, Hallvord Reiar Michaelsen Steen
hst...@mozilla.com wrote:
If yes, do any of the other mandatory types have gotchas like Windows HTML
Format - on any platform? The mandatory types currently are:
text/plain
text/uri-list
text/csv
text/css
text/html
On 16 Sept 2014, at 02:36, Brian Matthews (brmatthe) brmat...@cisco.com
wrote:
And again what about the naïve user that doesn’t even know what an extension
is or read
somewhere that they’re “bad”, or will even understand what happened when
their wife/husband/parent/child finds
While I do not know the Safari-Desktop-implementation right now, I know that
Apple's UTI has a URL type.
See here:
https://developer.apple.com/library/ios/documentation/miscellaneous/Reference/UTIRef/Articles/System-DeclaredUniformTypeIdentifiers.html
It would be interesting to see a
James,
I personally think it would be a really good idea. But I am not a browser
implementor.
Overall, I agree with you that writing to the clipboard, only within a click or
key event processing maybe?, is likely to be a non-concern on privacy. I would
love to hear others' feedback.
Is
Daniel,
I personally think it is not at all a good idea to populate the clipboard
when starting the drag!
It makes sense when a copy operation is triggered, as the application may be
vanishing.
Most desktop DnDs I have observed only operate the transformation when the drop
has occurred (hence
On 7 May 2013, at 02:23, HU, BIN wrote:
Because nonce is needed to generate the appropriate digest, the 401
challenge is required.
So the lesson here is: any developer that intends to use authenticated XHR
should always start with an XHR that is a simple ping-like GET, then do the
real
Hey Paul,
nice to hear you raise this!
I fully agree it should be possible for some JS code such as MathJax to copy
MathML to clipboard.
The reason it is not listed as a mandatory data type, I believe, is that I, at
least, have been unable to demonstrate the zero risk of doing so.
I believe I
Nice catch for this example you provide below.
The solution to this issue would be to simply empty the script element
instead of stripping it away. Right?
In your original mail, however, you write:
It would be great to mention what kind of manipulations user agents are
allowed to do to make
Ian,
Could be slightly more formal?
You are speaking of hypocrisy but this seems like a matter of politeness,
right?
Or are you actually claiming that there's a license breach?
That there are different mechanisms at WHATWG and W3C is not really new.
Paul
On 6 Nov 2012 at 02:42, Ian Hickson
On 10 Apr 2012 at 22:25, Karl Dubost wrote:
A recent example from Canvas specification.
http://html5.org/tools/web-apps-tracker?from=7030to=7031
p class=noteThis specification does not define the precise
+ algorithm to use when scaling an image when the code
+
On 19 Feb 2012 at 10:46, Anne van Kesteren wrote:
On Sat, 18 Feb 2012 16:45:07 +0100, Hallvord R. M. Steen hallv...@opera.com
wrote:
Firing an event surely should be specified elaborately elsewhere. I
added another reference to DOM2-Events (though fire probably is used
without being
WHEN I registered a media-type on the ietf list I have been quite much hit as
the first comment one says media-type nowadays. And indeed MIME is meant for
email originally.
So I guess politically media-type is a requirement.
Should I dig for a formal requirement?
paul
On 18 Feb 2012 at
WHEN I registered a media-type on the ietf list I have been quite much hit
as the first comment one says media-type
sorry for the capitalization
nowadays. And indeed MIME is meant for email originally.
So I guess politically media-type is a requirement.
Should I dig for a formal
of data in this
format is dropped on my window, I'll know what to do about it, and if you
drag this data *from* my window to another application on the system, I can
format and label it in a way the target app will understand.
Paul Libbrecht wrote:
I have one concern: media-types
On 18 Feb 2012 at 16:25, Hallvord R. M. Steen wrote:
Does this include an ability for a page to say that a media-type is
supported?
(does it not appear natural?)
Hm.. you mean a page should be able to say Hello web browser, I just lve
processing application/pdf data from the
Hello Hallvord,
I think it is a very good idea if such a method would be available from the
point of view of a web-app author.
I have one concern: media-types are likely to be insufficient and flavour
names, whatever they are on the host platform should be allowed I think.
Almost arbitrary
On 17 Feb 2012 at 19:23, Daniel Cheng wrote:
Any MIME type support restrictions that apply to clipboard MIME types will
almost certainly apply to DnD MIME types as well. Therefore, it wouldn't make
sense to tie it to ClipboardEvent.
Not sure to understand what lie means.
Maybe you mean
On 17 Feb 2012 at 19:25, Ryosuke Niwa wrote:
On Fri, Feb 17, 2012 at 10:10 AM, Paul Libbrecht p...@hoplahup.net wrote:
I have one concern: media-types are likely to be insufficient and flavour
names, whatever they are on the host platform should be allowed I think.
Almost arbitrary
This discussion seems to raise the issue of what happens to URLs to images (or
other embedded objects) that are unresolved but become resolved when pasted.
E.g. file:///Users/anton/Library/AddressBook
(if that ever made sense)
Should these also be sanitized away so that they do not, suddenly
Ms2ger,
the same old issue with referencing a released spec or not... that was heavily
discussed!
Or am I wrong?
Is there any reason that makes that sentence obsolete in DOM 2?
I would have no issue that the clipboard document references both but it would
become unreleasable if it had to rely
On 1 Feb 2012 at 20:03, Ian Hickson wrote:
- a calendar client
There are lots of calendar clients written on the Web today.
- an IMAP client
There are lots of mail clients written on the Web today.
These are not web-apps that can work offline longer than 2 minutes.
Android's
On 1 Feb 2012 at 21:03, Boris Zbarsky wrote:
Android goes somewhat in this direction with its app-security model...
With all due respect, the app-security model on Android is a joke. Everyone
just clicks through the permissions grant without even reading what's being
requested,
Tab,
On 23 Jan 2012 at 22:03, Tab Atkins Jr. wrote:
We have repeated evidence that pretending these specs aren't obsolete
and useless hurts web implementors and authors. We're targeting the
web with our specs, so that's extremely relevant for us, more so than
non-web industries dealing
On 7 Sept 2011 at 09:43, Hallvord R. M. Steen wrote:
What helps average users is IMO mostly a UI question ;-)
I'd predict that this will be handled much like popup windows. They became a
nuisance for users, so UAs evolved to develop popup blocking, various types
of UI for opt-in
While the discussion about preventing abuse in clipboards is happening, allow
me to suggest something I recently found:
In the page below is a fairly simple script that succeeds in preventing the
user to select with the mouse, hence copy, in Firefox 6, Safari 5.1, and a few
others.
On 5 Sept 2011 at 16:50, Glenn Maynard wrote:
On Mon, Sep 5, 2011 at 6:13 AM, Hallvord R. M. Steen hallv...@opera.com
wrote:
Pretty much everything in this spec can be abused to cause nuisance.
Personally, I'm less than thrilled to see an API giving sites more ability to
mangle what I
On 6 Sept 2011 at 00:51, Glenn Maynard wrote:
On Mon, Sep 5, 2011 at 11:41 AM, Paul Libbrecht p...@hoplahup.net wrote:
Slowly, users start to see the disadvantages of a dirty web-page (e.g. flash
advertisement 100% cpu) and I am confident they will not that some pages
mingle
On 19 May 2011 at 02:11, João Eiras wrote:
getData and setData must work outside clipboard events, like when clicking
paste/copy/cut buttons on a toolbar. The clipboardData object needs to be
exposed on the window, like in IE.
I fully disagree here.
This is exactly what has made the CnP
Hallvord,
you seem to have not included João Eiras' answer:
On 5 May 2011 at 04:34, João Eiras wrote:
A synchronous XHR solves this use case and there are no magic locks.
Although I haven't explicitly tried to implement it and clearly feel it a
synchronous XHR can block the UI in an ugly
Hallvord,
The risk is latent but it should be possible for a user to accept that a given
site produces a given type. I do not think it is thinkable to avoid
platform-dependent code when going to a platform specific OS.
Everyone knows platform specific code is harder to maintain and should be
On 17 May 2011 at 06:23, Hallvord R. M. Steen wrote:
To get a table started in the spec, could you give me a small list of (MIME)
types one should mandate the UA to be aware of and be able to roundtrip
to/from native clipboard types? Just off the top of your head? The typical
Web MIME
On 17 May 2011 at 09:21, Ryosuke Niwa wrote:
On Tue, May 17, 2011 at 12:11 AM, Paul Libbrecht p...@activemath.org wrote:
Ryosuke,
why would sensitive information be readable or writable?
Because it has been available through clipboard. e.g. a popular productivity
application puts
On 17 May 2011 at 18:20, Ryosuke Niwa wrote:
On Tue, May 17, 2011 at 12:26 AM, Paul Libbrecht p...@activemath.org wrote:
I agree it's a risk but since it's only when the user pastes intentionally, I
don't think it is a risk to be excluded.
I don't think it's okay. I didn't even save
On 17 May 2011 at 18:39, Boris Zbarsky wrote:
On my mac, as far as I know, this can only happen if I copied the
file explicitly (as a file, not as a content). Pasting in some web-page
means I want to transmit the information of the clipboard to the page.
You want to transmit the file
On 17 May 2011 at 19:06, Daniel Cheng wrote:
I would like to add all of the 3 MathML flavors:
- application/mathml-presentation+xml
- application/mathml-content+xml
- application/mathml+xml
paul
I don't think we need all 3. Why not just application/mathml+xml?
Daniel,
you do mean
On 17 May 2011 at 19:14, Daniel Cheng wrote:
I actually did implement reading arbitrary types from the clipboard/drop at
one point on Linux just to see how it'd work. When I copied a file in
Nautilus, the full path to the file was available in several different
flavors from the
On 17 May 2011 at 19:31, Daniel Cheng wrote:
On Tue, May 17, 2011 at 10:18, Paul Libbrecht p...@hoplahup.net wrote:
On 17 May 2011 at 19:14, Daniel Cheng wrote:
I actually did implement reading arbitrary types from the clipboard/drop at
one point on Linux just to see how it'd work
On 17 May 2011 at 20:05, Ryosuke Niwa wrote:
So file-flavour is something special that should be always filtered??
(in DnD or in CnP), which should be warned against in the spec?
Ryosuke, can you confirm this is the only risk you were talking about?
No. There are some applications
On 10 May 2011 at 00:18, João Eiras wrote:
I would just model the 'copy' (and 'cut') events exactly as a 'dragstart'
event, ideally so much so that you can literally use the same function for
both. (Canceling 'cut' would prevent the default deletion of the
selection, canceling 'copy' has
On 10 May 2011 at 09:13, Daniel Cheng wrote:
I would expect scripts to want one of two things when they're preventing the
default action:
1. They want to set their own data in the clipboard instead of what the
browser would normally provide by default--for example, a document editor
Can you expand on what kind of protection this was?
Isn't it simply the same as a copy static content, copy text, or really
copy kind of command?
paul
On 10 May 2011 at 09:41, timeless wrote:
Note that we only recently added protection for users against 'what
you see is not what you copy'
On 3 May 2011 at 12:20, Hallvord R. M. Steen wrote:
Regarding simplifying the pasted html to remove stuff that could be
malicious, consider a rogue app that injects a script in the clipboard and
expects the user to hit paste on his bank site.
Well, I've never seen a bank site with a
Hello list,
As noted in the thread about security started by Hallvord:
In many of the scenarios I have working for, the content to be put on the
clipboard would come from a luxury knowledge structure on the server, one
that has access to some semantic source and can infer useful
Ryosuke,
On 3 May 2011 at 21:15, Ryosuke Niwa wrote:
Would it be thinkable to *lock* the copy event until either a timeout occurs
or an unlock is called?
No. We definitely don't want to lock a local system resource for some random
web service that may potentially fail to release the
Hallvord,
On 2 May 2011 at 09:00, Hallvord R. M. Steen wrote:
I am not at all against your proposal but I tend to see two reasons
against it:
- I expect mostly the server to be providing the HTML, the javascript code
does probably not need to process it further (they trust each other!)
Is the process currently requesting us to publish a draft so that comments can
be gathered from the public?
paul
On 29 March 2011 at 13:37, Arthur Barstow wrote:
This is a Call for Consensus to publish a new Working Draft of Hallvord's
Clipboard API and Events spec:
Well, so here are my comments:
---
I would reformulate:
MathML often needs to be transformed to be copied as plain text, for example
to make sure to the power of is shown with the caret ^ sign. Also, the
XML source could be placed in the clipboard with
Hello,
sorry to be slow.
On 31 Jan 2011 at 11:39, Daniel Cheng wrote:
Platform capabilities vary.
- Windows will be unhappy if you use up all the custom clipboard formats
(~65535 or so). There is no way to release formats once registered.
- Mac uses UTIs which are strings but not MIME
On 31 Jan 2011 at 18:09, Ryosuke Niwa wrote:
A website maker for, say, a shop for furnitures that knows they can go into
my home plan maker through the clipboard will want to be able to produce
and export a clipboard flavor that is unknown to both browser implementors
and spec makers
I am not sure I am entitled to any influence, except my registration to the
mailing-list but I would insist to not limit in this way.
The clipboard or drag-and-drop transfers are the way to go from the web into
something else.
They could maybe also be used to go from one site to another but
Oh boy... indeed it's a crab's nest!
I think it's rather a good idea to whitelist and blacklist and get it richer as
the browser makers' awareness grows into a catalog of tags, attributes, and
properties that need to be sanitized out or may be kept.
I'd rather suggest to start smallishly so
This would be really nice.
After a very quick read-through, here are three first reactions:
- this seems to support the insertion in the clipboard's data of other types
than what is currently commonly supported by browsers and the minimum quoted
there; this is good and important. I think, for
While re-reading the spec:
http://dev.w3.org/html5/spec/Overview.html#drag-and-drop-processing-model
I seem to understand that supply data immediately is the alternative
proposed currently by HTML5. Right?
If yes, then it's clear that most server-implementors will not be able
to
timeless,
So, erm, your conclusion should be we follow MicroSoft Windows copy-
and-paste?
I still find that the immediate-clipboard-data-delivery is a safer
mechanism.
It's funny to fall on such a dichotomy!
On 23-Aug-09 at 15:47, timeless wrote:
On 14-Aug-09 at 10:00, timeless wrote:
Paul Libbrecht wrote:
- drag and drop allows a precise visual target identification thus
may be
considered safer (and this is actually implemented so: you can faster
drag-and-drop URLs than copy and paste them).
this isn't true.
depending on how
On 22-Aug-09 at 07:51, Ian Hickson wrote:
copy-and-paste is aimed at long term storage: if you write to the
clipboard you have to write all the flavours you think a recipient
would
ever make use of! The clipboard often survives computer-restarts.
Drag-and-drop can also be for
On 13-Aug-09 at 13:34, Ian Hickson wrote:
So I'm saying is that, regardless of whether you use voice, keyboard,
touch or mouse... There are two distinct concepts at play here.
I disagree. The drag and drop model allows the user to drag to the
clipboard and paste from the clipboard. This
A few ideas:
- one of the dangers is that flavours may be damageable... so the
general practice would be that, unless we're in a de-sandboxed region
(anything else than file://?) all flavours should be sanitized (e.g.
no scripting, no relative reference, no embedding, except for pack-
Being external to it all, i.e. just reading the mailing-list with the
spec-title mentioned just about every time, it clearly seems like a
good move to me: that specs starts to taste interesting whereas,
before, it seemed to be unrelated to my tasks!
;-)
paul
On 13-Jan-09 at 17:50,
I would like to add the wish to add this file as a jar within a W3C
maven repository,
maven is a build system based on declarative dependencies marking.
The objective of a W3C maven repository would be to offer, in a way
transparent to people that just checkout sources, a linking to W3C
Ian,
Can you please respond to my request how to implement other flavour
names?
Also, I would like to see test-cases and reports for the
implementations you indicate here.
paul
On 22-Oct-08 at 17:02, Ian Hickson wrote:
On Wed, 22 Oct 2008, Charles McCathieNevile wrote:
Ian, how
Hello webapp-aficionados,
I've just proposed a clipboard-actions BOF table for today noon here
at the W3C Technical Plenary in Mandelieu where I suppose some of you
are.
It would be lovely to get some of the webapp folks there.
paul
thanks Ian,
this section has matured a bit... that's good.
What the copy-and-paste says is what the drag-and-drop says, just
simpler, right?
I still have a hard time while reading to understand if content-
authors have a possibility to offer alternative data flavours to
users. I seem to