Comments (11)
Proposal: https://docs.google.com/document/d/1sMcajoYAQ_M_VOIn1RLokG1sVB7skjoeviqt9aZOcDk/edit
Basically, document the Pickle format so that native apps can extract custom data types.
from clipboard-apis.
The implementation reason that Chrome doesn't allow unrestricted access to custom native types is because merely reading a type requires registering an atom on both Windows and Linux. On Windows, the string is registered in an internal atom table, but there is no way to release this atom. Exhausting the internal atom table leads to systemwide DoS issues.
Similarly, on Linux, the target type of a selection is also an atom. Like Windows, there is no way to remove an atom from the atom table once registered. Chrome would like to avoid leaking arbitrarily large amounts of unrecoverable memory =)
As a result, Chrome never even investigated other security and privacy implications of allowing this. @rniwa, perhaps it'd be useful to document the issues on here as well?
Note that the clipboard API, as implemented in Chrome, still lets you write any custom MIME type you want: it's just that the resulting data is pickled in a custom way (i.e. it's not a 1:1 mapping with native clipboard types). The resulting data can still be read by anything on the web (or presumably any native app that wanted to parse the custom data itself).
from clipboard-apis.
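A small model of the atom-table problem described in the comment above, added here as an illustration (it is not Chrome's code and not part of the original thread). The `AtomTable` class, the type names and the container name are hypothetical; the 0x4000 capacity mirrors the 0xC000-0xFFFF id range Windows uses for registered clipboard formats.

```javascript
// Added model, not Chrome's code: an atom table that can only grow.
class AtomTable {
  constructor(capacity) {
    this.capacity = capacity;
    this.atoms = new Map();
  }
  // Returns the id for `name`, registering it on first use; null when full.
  intern(name) {
    if (this.atoms.has(name)) return this.atoms.get(name);
    if (this.atoms.size >= this.capacity) return null;
    const id = 0xC000 + this.atoms.size;
    this.atoms.set(name, id);
    return id;
  }
}

// Hypothetical names: the native types mapped 1:1, and the one container.
const NATIVE_TYPES = new Set(["text/plain", "text/html", "image/png"]);
const CONTAINER = "example-web-custom-data";

// 1:1 mapping: every type name a page asks about becomes a permanent atom.
function lookupUnrestricted(table, type) {
  return table.intern(type);
}

// Gated mapping: page-chosen names never reach the atom table. Custom types
// all resolve to the single container format and are looked up inside it.
function lookupGated(table, type) {
  return table.intern(NATIVE_TYPES.has(type) ? type : CONTAINER);
}

// Feed `count` distinct page-supplied type names through `lookup`, then
// report how many atoms exist and whether a new native app format still fits.
function simulate(lookup, count, capacity = 0x4000) {
  const table = new AtomTable(capacity);
  for (let i = 0; i < count; i++) lookup(table, `application/x-page-${i}`);
  return {
    atoms: table.atoms.size,
    otherAppCanRegister: table.intern("OtherApp Native Format") !== null,
  };
}

console.log(simulate(lookupUnrestricted, 20000));
console.log(simulate(lookupGated, 20000));
```

With the gated lookup the table size is bounded by the allowlist plus one container entry, no matter how many distinct type names a page supplies.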
We're going to change WebKit's behavior in STP42 to match more or less what Firefox & Chrome are doing. There are two issues with exposing custom types and letting websites write arbitrary custom types.
- Other applications in the system tend to place privacy-sensitive information such as the location of the device & user's full name and local file paths into the system clipboard. This means that letting websites read data of an arbitrary type is a privacy concern.
- Other applications in the system are not equipped to deal with potentially harmful content being placed into the system clipboard. e.g. the image decoders of a photo editing app aren't designed to defend themselves against decoding malicious content in the system clipboard. This means that letting websites write data of an arbitrary type is a security concern.
from clipboard-apis.
I'm about to change WebKit's behavior to restrict the access.
from clipboard-apis.
@rniwa just edited my previous comment to clarify that access to custom MIME types is something we'd actually want to have! :)
from clipboard-apis.
Well, unfortunately, for privacy & security reasons, we're about to restrict that.
from clipboard-apis.
@rniwa that's why this issue is only about reading. @danburzo covered the diff between read & write in the original summary here.
from clipboard-apis.
Even then 1 applies. And gating that on a permission still leaves the user with a choice they're not really equipped to make.
from clipboard-apis.
We were actually using the access to JSON data in Safari - for Adobe XD and from Sketch. Chrome/Firefox filter all available JSON on the clipboard. What are the security implications here? It's essentially a text data transfer format. The more limited the clipboard becomes, the less web apps can interop with native applications for legitimate use cases.
from clipboard-apis.
Raw Clipboard Access proposal is also related:
https://github.com/dway123/raw-clipboard-access/blob/master/explainer.md
from clipboard-apis.
Web custom format support has been shipped in Chromium. Please refer to this issue for any additional concerns/feedback.
from clipboard-apis.