[Webkit-unassigned] [Bug 124391] text/rtf clipboard data is empty (makes TinyMCE and textbox.io require Flash)

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Jan 26 19:52:00 PST 2017


--- Comment #11 from Chris Dumez <cdumez at apple.com> ---
(In reply to comment #10)
> The issue here is that:
> 1. It can leak private data embedded in RTF from third party applications
> 2. IT can leak cross-origin content if the user had copied a range of
> content across an cross-origin iframe.
> We need to solve both of these problems in order to enable this feature.
> For 1, we probably need to paste RTF content into a document ourself, and
> then re-generate RTF out of the said document. For 2, we probably need to
> stop copying contents across an cross-origin iframe.

I am not sure I understand 1. I think it would be that third party app's responsibility to to put in the clipboard private data.

I understand 2. and it is the reason RTF was blacklisted in the first place as far as I can tell. I agree with your solution also it may be a little annoying to implement since AppKit does the RTF conversion for us.

You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20170127/0c17acd8/attachment.html>

More information about the webkit-unassigned mailing list