Friendly ping to Yoav's question. I would also like to see some sort of hook in the spec that made this mechanism explicit. I think this is a reasonable change to ship, I just want to ensure we lock in reasonable behavior at the spec level. Is that something y'all can take care of?
Thanks!

-mike

On Wed, Aug 18, 2021 at 11:19 PM Yoav Weiss <[email protected]> wrote:

> Changing the spec to explicitly say that no sanitization is to be done on
> input would be good. I agree that aligning behavior with other implementers
> is the right thing to do, but we need to document that behavior. Can y'all
> please file a spec PR to that effect?
>
> On Wed, Aug 18, 2021 at 10:53 PM Marijn Kruisselbrink <[email protected]>
> wrote:
>
>> While I agree that it would be nice for the clipboard API to better
>> specify what sanitization is and isn't done, do note that this change
>> merely brings us in line with other existing implementations. I.e. both
>> Safari and Firefox already ship the behavior we're proposing to ship with
>> here as well. https://w3c.github.io/clipboard-apis/#image-transcode
>> would probably be the most relevant section in the spec as it stands today,
>> although it only addresses writing images to the clipboard, not reading
>> images from the clipboard.
>>
>> So I don't think changes to the spec are needed for this intent, as the
>> spec arguably already matches our proposed new behavior. Nowhere (except
>> for some subset of pasting HTML) does it mention any sanitization on
>> reading from the clipboard, while it does explicitly mention sanitizing
>> data as it is being written to the clipboard. I think what we're proposing
>> here is fully in line with that behavior (and our previous/current behavior
>> is not spec compliant).
>>
>> On Fri, Aug 13, 2021 at 9:27 AM Anupam Snigdha <
>> [email protected]> wrote:
>>
>>> I don't see a spec linked in the I2S. Are we planning to make changes in
>>> the Clipboard API <https://www.w3.org/TR/clipboard-apis/> at some point
>>> in the future? I think it would be nice to document what unsanitized
>>> content means and the security/privacy concerns related to it.
>>>
>>> -Anupam
>>>
>>> On Thu, Aug 12, 2021 at 12:55 PM Alex Russell <[email protected]>
>>> wrote:
>>>
>>>> LGTM1 with caveats:
>>>>
>>>> - this sanitization behavior was previously discussed with the TAG,
>>>> and not updating them on it is a mistake. Please file a non-blocking FYI
>>>> with them
>>>> - the explainer was less clear than the bug, requiring the OWNERs
>>>> to read all the linked threads in detail. Ideally, an Explainer should
>>>> clarify what is changing, why, and who it helps.
>>>> - Please post explainers as GH markdown files rather than google
>>>> docs
>>>>
>>>> Thanks!
>>>>
>>>> On Friday, August 6, 2021 at 10:47:04 AM UTC-7 Austin Sullivan wrote:
>>>>
>>>>> *Contact emails*
>>>>> [email protected], [email protected]
>>>>>
>>>>> Explainer
>>>>>
>>>>> https://docs.google.com/document/d/1qZonN0xhfkuAOV58WOAMcPXjOB7uCfms3tf_ZDXNDks/edit?usp=sharing
>>>>>
>>>>> Specification
>>>>>
>>>>> Summary
>>>>>
>>>>> Read unsanitized PNGs from the system clipboard. This will apply to
>>>>> both DataTransfer and the Async Clipboard API
>>>>> (navigator.clipboard.read()).
>>>>>
>>>>>
>>>>> Motivation
>>>>> Currently, reading PNGs from the system clipboard involves sanitizing
>>>>> the image by stripping its metadata. There is a strong argument that
>>>>> images from the system clipboard should not be sanitized on read, and this
>>>>> behavior is inconsistent with other major browser vendors and other forms
>>>>> of importing images, such as <input type="file">. See
>>>>> https://crbug.com/1177229 for further explanation.
>>>>>
>>>>> Additionally, this significantly reduces the cost of pasting images
>>>>> from the clipboard in the vast majority of use cases (14x speed-up reading
>>>>> very large PNGs in limited testing).
>>>>>
>>>>> Blink component: Blink>DataTransfer
>>>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EDataTransfer>
>>>>>
>>>>> TAG review
>>>>>
>>>>> TAG review status: Not applicable
>>>>>
>>>>> Risks
>>>>>
>>>>>
>>>>> Interoperability and Compatibility
>>>>>
>>>>> This change will put us in line with other browser vendors.
>>>>>
>>>>>
>>>>> Gecko: Shipped/Shipping
>>>>>
>>>>> WebKit: Shipped/Shipping
>>>>>
>>>>> Web developers: Strongly positive (https://crbug.com/698793)
>>>>>
>>>>> Security
>>>>>
>>>>> This change is a net win for security on Android, since we will no
>>>>> longer be using an unsafe bitmap decoder.
>>>>>
>>>>>
>>>>> Debuggability
>>>>>
>>>>> N/A
>>>>>
>>>>>
>>>>> Is this feature fully tested by web-platform-tests
>>>>> <https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md>?
>>>>> No
>>>>>
>>>>> Flag name: ClipboardReadPng
>>>>>
>>>>> Requires code in //chrome? False
>>>>>
>>>>> Tracking bug: https://crbug.com/1201018
>>>>>
>>>>> Estimated milestones: M94
>>>>>
>>>>> Link to entry on the Chrome Platform Status
>>>>> https://chromestatus.com/feature/5629962485760000
>>>>>
>>>>> This intent message was generated by Chrome Platform Status
>>>>> <https://www.chromestatus.com/>.
>>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google
>>>> Groups "blink-dev" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to [email protected].
>>>> To view this discussion on the web visit
>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/244c6375-b991-4015-89ba-954295062d68n%40chromium.org
>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/244c6375-b991-4015-89ba-954295062d68n%40chromium.org?utm_medium=email&utm_source=footer>
>>>> .
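
An added example, not part of the thread and not Chromium code: if clipboard reads hand the page a PNG with its metadata intact, a site that stores or re-shares pasted images can drop the metadata chunks itself before upload. The chunk allowlist, the function names and the sample bytes are assumptions made for illustration; in a browser the input would be the bytes of the `image/png` blob returned by `navigator.clipboard.read()`.

```javascript
const SIG = [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a];
// Assumed allowlist: critical chunks plus the ancillary ones that affect rendering.
const KEEP = new Set(["IHDR", "PLTE", "IDAT", "IEND", "tRNS", "gAMA", "sRGB"]);

function stripPngMetadata(bytes) {
  if (bytes.length < 8 || SIG.some((b, i) => bytes[i] !== b)) throw new Error("not a PNG");
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const kept = [bytes.subarray(0, 8)], removed = [];
  let off = 8, sawEnd = false;
  while (!sawEnd && off + 12 <= bytes.length) {
    const end = off + 12 + view.getUint32(off); // length(4) + type(4) + data + CRC(4)
    if (end > bytes.length) throw new Error("truncated chunk");
    const type = String.fromCharCode(...bytes.subarray(off + 4, off + 8));
    if (KEEP.has(type)) kept.push(bytes.subarray(off, end)); // copied verbatim, CRC stays valid
    else removed.push(type);
    sawEnd = type === "IEND"; // bytes after IEND are dropped as well
    off = end;
  }
  if (!sawEnd) throw new Error("missing IEND");
  const png = new Uint8Array(kept.reduce((n, c) => n + c.length, 0));
  let pos = 0;
  for (const c of kept) { png.set(c, pos); pos += c.length; }
  return { png, removed };
}

function crc32(buf) {
  let c = 0xffffffff;
  for (const b of buf) {
    c ^= b;
    for (let k = 0; k < 8; k++) c = (c >>> 1) ^ (0xedb88320 & -(c & 1));
  }
  return (c ^ 0xffffffff) >>> 0;
}
// Constructed sample: correct chunk framing, placeholder payloads (not a decodable image).
function sampleChunk(type, text) {
  const body = new TextEncoder().encode(type + text);
  const out = new Uint8Array(8 + body.length);
  const v = new DataView(out.buffer);
  v.setUint32(0, text.length);
  out.set(body, 4);
  v.setUint32(4 + body.length, crc32(body));
  return out;
}
function samplePng() {
  const parts = [Uint8Array.from(SIG), sampleChunk("IHDR", "0123456789abc"),
    sampleChunk("tEXt", "Author\0constructed"), sampleChunk("IDAT", "pixels"),
    sampleChunk("eXIf", "gps"), sampleChunk("IEND", ""), Uint8Array.from([1, 2, 3])];
  return Uint8Array.from(parts.flatMap((p) => [...p]));
}
```

The allowlist also drops APNG animation chunks and embedded colour profiles; extend `KEEP` if the application needs them.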
