[Webkit-unassigned] [Bug 124391] text/rtf clipboard data is empty (makes TinyMCE and textbox.io require Flash)

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Jan 26 20:39:18 PST 2017


https://bugs.webkit.org/show_bug.cgi?id=124391

--- Comment #14 from Ryosuke Niwa <rniwa at webkit.org> ---
(In reply to comment #11)
> (In reply to comment #10)
> > The issue here is that:
> > 1. It can leak private data embedded in RTF from third party applications
> > 2. It can leak cross-origin content if the user had copied a range of
> > content across a cross-origin iframe.
> > 
> > We need to solve both of these problems in order to enable this feature.
> > 
> > For 1, we probably need to paste RTF content into a document ourselves, and
> > then re-generate RTF out of the said document. For 2, we probably need to
> > stop copying contents across a cross-origin iframe.
> 
> I am not sure I understand 1. I think it would be that third party app's
> responsibility to put in the clipboard private data.

No, we can't do that. Third party applications aren't expecting their RTF to be exposed to a random Web page.

This is why, for example, we don't expose raw HTML, which contains sensitive information such as local file path, real user name, etc. included in link/meta elements that aren't even visible in the page.
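
The thread proposes parsing RTF and re-generating it rather than passing it through; the same idea applied to clipboard HTML is sketched below in Python, as an added example that is not part of the original message and is not WebKit's code. The sample markup, the allowlists and the `regenerate` name are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample of application clipboard markup; the name and paths are made up.
CLIPBOARD_HTML = """<html><head>
<meta name="Author" content="Jane Example">
<link rel="File-List" href="file:///C:/Users/jane/AppData/Local/Temp/clip_filelist.xml">
<style>p { margin: 0 }</style>
</head><body><!--StartFragment-->
<p class="MsoNormal" style="mso-x: y">Quarterly <b>results</b>
<a href="file:///C:/Users/jane/report.docx">draft</a>
<a href="https://example.com/q3">link</a></p>
<!--EndFragment--></body></html>"""

ALLOWED = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br"}  # visible formatting only
DROP_WITH_CONTENT = {"head", "script", "style", "title"}  # never rendered as page text
SAFE_SCHEMES = ("http://", "https://", "mailto:")

class Regenerator(HTMLParser):
    """Re-serialises parsed markup from an allowlist instead of passing it through."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
        elif not self.skip and tag in ALLOWED:
            href = dict(attrs).get("href") or ""
            if tag == "a" and href.lower().startswith(SAFE_SCHEMES):
                self.out.append(f'<a href="{escape(href)}">')
            else:
                self.out.append(f"<{tag}>")  # every other attribute is dropped

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:  # text inside head/style/script is discarded
            self.out.append(escape(data))

def regenerate(raw_html):
    parser = Regenerator()
    parser.feed(raw_html)
    parser.close()
    return "".join(parser.out).strip()
```

Comments, `meta`/`link` elements, class and style attributes, and `file:` URLs never reach the output because only allowlisted tags and link targets are written back.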
